Oracle® Collaboration Suite Security Guide
10g Release 1 (10.1.2)

Part Number B25494-10

A System Security and Non-Oracle Components

Security is a system issue and not a single product issue. Each component of your computer application affects the security of the entire system. Proper security requires careful configuration of the following non-Oracle system components:

A.1 Web Browsers

In the overall system security picture, the Web browser is the component over which e-business sites have least control. For example, when you run a Web storefront, you may not be able to control the browser that customers use. The customer's browser impacts the security of your system, and must be taken into consideration. To securely implement Web transactions, your application must support specific communications and security technologies, including HTTP, LDAP, SSL, X.509v3 certificates, and Java.

Most commercially available Web browsers support several of these security-related features. However, you must configure the browser properly to take advantage of its security capabilities.

By default, information sent to and from a Web browser is transmitted in the clear. Any intermediate site can read the data and potentially alter it in midstream. Web browsers and servers partially address this problem by using the Secure Sockets Layer (SSL) protocol to encrypt HTTP transmissions. This ensures the security of data transmitted between the client and the server. However, because commercially available Web browsers do not ship with client certificates, most HTTP/SSL transmissions are authenticated in only one direction, from the server to the client. In this case, the client does not authenticate itself to the server.

Because the HTTP protocol does not support sessions, many e-commerce applications use cookies to store session data for individual customers. These cookies are transmitted as cleartext. This means that the data can be intercepted by a third party. For this reason, the application should encrypt or obfuscate information that is stored in cookies.


Note: The W3C has a useful discussion of cookie security issues at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q10.
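An added example (not code from the Oracle documentation) of one way to apply the advice above: session data placed in a cookie is given an expiry and an HMAC-SHA256 tag so that a value altered in transit is rejected, and the cookie is marked Secure so that it is only sent over SSL. The names seal_cookie, open_cookie and SERVER_KEY are assumed for illustration; the payload is authenticated but still readable, so anything confidential would additionally need to be encrypted or kept server-side behind an opaque identifier.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side key for the example; a real deployment loads it from a key store.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_cookie(data: dict, key: bytes = SERVER_KEY, ttl: int = 900, now=None) -> str:
    """Serialise session data with an expiry and append an HMAC tag.
    Base64 is not encryption: the body stays readable, the tag only detects alteration."""
    now = int(time.time()) if now is None else now
    body = _b64(json.dumps({"d": data, "exp": now + ttl}, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def open_cookie(cookie: str, key: bytes = SERVER_KEY, now=None):
    """Return the session data, or None if the cookie is malformed, altered or expired."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] < now:
            return None
        return payload["d"]
    except (ValueError, KeyError, TypeError):
        return None


def set_cookie_header(name: str, value: str) -> str:
    # Secure restricts the cookie to SSL connections; HttpOnly keeps it away from page scripts.
    return f"Set-Cookie: {name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"
```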

A.2 Firewalls

Firewalls control access between the Internet and the internal network of a corporation. A firewall defines which type of Internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common Internet-based security attacks. However, a firewall is only as secure as its maintenance. New Internet-based attacks are constantly being designed, and firewall configurations must constantly be updated to keep abreast of these attacks.

Firewalls monitor communications methods, not communications content. So, firewalls cannot protect your application against misuse of permitted communications channels. For example, to permit the use of the Web, a firewall must permit HTTP communication. Because firewalls do not monitor content, a firewall cannot protect against security attacks transmitted within valid HTTP messages. Similarly, because a firewall does not monitor the content of e-mail messages, it cannot prevent the transmission of e-mail viruses.

A.3 Load Balancers

Load balancing distributes an application's load over many identically configured servers. This distribution ensures consistent application availability, even when one or more servers fail. Load balancing has a significant impact on security design, especially on encryption issues. For example, in many installations, SSL keys are unique to a particular server in a cluster, and are not necessarily shared with other servers. This lack of sharing complicates moving an SSL session from one server to another.

A.4 Virtual Private Networks

A Virtual Private Network (VPN) allows applications to use the Internet to communicate securely with the corporate LAN. All IP communications between the application and the corporate LAN are encrypted so that they cannot be read or altered by intermediate sites. A VPN prevents a third party from monitoring or altering communications. Similar to other network-based security solutions, VPNs cannot prevent the transmission of viruses, nor can they control the content of the information being transmitted.