Securing A WebLogic Server Deployment
Security Implications for WebLogic Server
This topic explains why security is important for WebLogic Server and lists questions you need to answer in order to determine the security needs of your WebLogic Server deployment. The topic includes the following sections:
Why Is Security Important for WebLogic Server?
An application server resides in the sensitive layer between end users and your valuable data and resources. WebLogic Server provides authentication, authorization, and encryption services with which you can guard your resources. These services cannot provide protection, however, from an intruder who gains access by discovering and exploiting a weakness in your deployment environment.
Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.
Another good strategy is to read as much as possible about security issues. For the latest information about securing Web servers, BEA recommends reading the Security Improvement Modules, Security Practices, and Technical Implementations information available from the CERT™ Coordination Center operated by Carnegie Mellon University.
BEA suggests that you apply the remedies recommended in our security advisories. In addition, you are advised to apply every Service Pack as it is released. Service Packs include a roll-up of all bug fixes for each version of the product, as well as each of the previously released Service Packs. As a policy, if there are any security-related issues with any BEA product, BEA will distribute an advisory and instructions with the appropriate course of action. If you are responsible for security-related issues at your site, please register to receive future notifications. BEA has established an e-mail address (security-report@bea.com) to which you can send reports of any possible security issues in BEA products.
There are partner products that can help you in your effort to secure the WebLogic Server production environment. For more information, see the BEA Partner's Page.
Tools to automate assessment of security are available from the BEA Download Center. PentaSafe VigilEnt Security Agent can help assure the security of your application. For a quick assessment of your application, download the free 30-day trial version.
Determine the Security Needs of Your WebLogic Server Deployment
Before securing your WebLogic Server deployment, it is important to understand the security needs of your WebLogic Server environment. To better understand the security needs, ask yourself the following questions:
There are many resources in the WebLogic Server environment that can be protected including information in the database accessed by WebLogic Server, the availability of the Web site, the performance of the Web site, and the integrity of the Web site. Consider the resources you want to protect when deciding the level of security you must provide.
For most Web sites, resources must be protected from everyone on the Internet. But should the Web site be protected from the employees on the intranet in your enterprise? Should your employees have access to all WebLogic Server resources? Should the system administrators have access to all WebLogic Server resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. Perhaps it would be best to allow no system administrators to access the data or resources.
In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Web site. Understanding the security ramifications of each resource will help you properly protect it.
As you read the suggestions in Security Best Practices, keep the answers to these questions in mind.