Java Forum / Security / July 2004


Firewall for Java server - how tight?

Alex Molochnikov - 31 Jul 2004 05:29 GMT
We have a Java-based server that runs on a W2K machine behind a firewall (Red
Hat Linux 9 - iptables). Remote clients connect to the server via RMI, on a
specific port.

At this moment, the firewall is configured to accept connections only from
known IP addresses; the packets are then forwarded to the W2K host where the
server runs. Unfortunately, some of the clients have dynamic IP addresses, and
the firewall configuration cannot keep up with the changes of the client
address.

I am thinking about opening the firewall for all incoming connections that
are destined to the known port, and routing them to the server.

Can anyone comment on possible security breaches that this approach may
cause? The server host, in addition to running the Java app, also runs the
Apache Web server (so the firewall routes all packets with the destination
port 80 to that W2K machine).

TIA for any input.

Alex Molochnikov

nobody - 31 Jul 2004 11:21 GMT
> We have a Java-based server that runs on W2K machine behind a firewall (Red
> Hat Linux 9 - iptables). Remote clients connect to the server via RMI, on a
[quoted text clipped - 13 lines]
> Apache Web server (so the firewall routes all packets with the destination
> port 80 to that W2K machine).

Basically, you would be allowing unrestricted access to the RMI and web
servers.  You'd likely want to run RMI over SSL, with client and server
authentication (as otherwise you run the risk of unauthenticated
entities sending RMI invocations to your application server).

One option might be to just open the firewall to specific address ranges
(e.g. if the clients with dynamic IPs are all within the same subnet).
An additional recommendation might be to put these boxes in a DMZ
(basically add a second firewall between the Win2K box and the rest of
your internal network restricting outbound connections from the Win2K
server, so any successful breaches can't be used as a "launching point"
to attack the rest of your network).
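The reply's first recommendation, RMI over SSL with client and server authentication, as an added Java example that is not code from the original thread. It assumes Java 5 or later (the javax.rmi.ssl factories), a JSSE keystore holding the server certificate and a truststore holding the CA that issued the client certificates; the interface name Echo and port 1099 are made up for the example.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureRmiServer {

    // Remote interface for the example; the name Echo is an assumption, not the thread's server.
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        public String echo(String msg) { return "echo: " + msg; }
    }

    static final int RMI_PORT = 1099; // assumed port; use the port the firewall forwards

    public static void main(String[] args) throws Exception {
        // Keys and trust come from the standard JSSE system properties, e.g.
        //   -Djavax.net.ssl.keyStore=server.jks -Djavax.net.ssl.keyStorePassword=...
        //   -Djavax.net.ssl.trustStore=clientca.jks -Djavax.net.ssl.trustStorePassword=...
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();

        // needClientAuth = true: the TLS handshake is rejected unless the peer presents
        // a certificate chaining to the truststore, so an unauthenticated host on the
        // open port never gets as far as invoking a remote method.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        Echo stub = (Echo) UnicastRemoteObject.exportObject(new EchoImpl(), RMI_PORT, csf, ssf);

        // Create the registry with the same factories so it is not reachable over plain TCP.
        Registry registry = LocateRegistry.createRegistry(RMI_PORT, csf, ssf);
        registry.rebind("Echo", stub);
        System.out.println("RMI over TLS listening on " + RMI_PORT + ", client certificate required");
    }

    // Client side: the lookup itself must use the SSL client factory; the stub returned
    // already carries it, so later calls are also over TLS with the client certificate.
    static String callEcho(String host) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, RMI_PORT, new SslRMIClientSocketFactory());
        Echo echo = (Echo) registry.lookup("Echo");
        return echo.echo("hello");
    }
}
```

The client JVM needs the matching properties (its own keystore with a client certificate, and a truststore holding the server certificate), otherwise the handshake fails before any RMI traffic is exchanged.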

Alex Molochnikov - 31 Jul 2004 16:40 GMT
Thank you for the response. I realize that access to the RMI methods will be
open to everyone. But my question still stands: what are possible dangers of
this approach? If an intruder tries to connect to the JVM using the remote
methods, he will be out of luck due to the design of the server (e.g. the
method parameters include a password). But is there anything in JVM outside
of the application that can be exploited? Any vulnerability in the RMI, like
a method that I did not think about, but hackers know of?

Regards,

AM

> Basically, you would be allowing unrestricted access to the RMI and web
> servers.  You'd likely want to run RMI over SSL, with client and server
[quoted text clipped - 8 lines]
> server, so any successful breaches can't be used as a "launching point"
> to attack the rest of your network).


©2008 Advenet LLC