Best practice for secure zone various access

Similar Messages

• Best Practice for Securing Web Services in the BPEL Workflow

  What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
  They are all deployed on the same oracle application server.
  Defining agent for each?
  Gateway for all?
  BPEL security extension?
  The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
  Regards
  Farbod

  It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
  The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
  Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
  If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
  Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
  You can enforce rules at your network layer to allow access to the App server only from Gateway.
  When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
  The next BPEL developer in your project may not be aware of Security extensions
  Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
  Thanks
  Ram

• Best Practice for Security Point-Multipoint 802.11a Bridge Connection

  I am trying to get the best practice for securing a point to multi-point wireless bridge link. Link point A to B, C, & D; and B, C, & D back to A. What authenication is the best and configuration is best that is included in the Aironet 1410 IOS. Thanks for your assistance.
  Greg

  The following document on the types of authentication available on 1400 should help you
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/aero1400/br1410/brscg/p11auth.htm

• Best practice for securing confidential legal documents in DMS?

  We have a requirement to store confidential legal documents in DMS and are looking at options to secure access to those documents.  We are curious to know.  What is the best practice?  And how are other companies doing it?
  TIA,
  Margie
  Perrigo Co.

  Hi,
  The standard practice for such scenarios is to use 'authorization' concept.You can give every user to use authorization to create,change or display these confidential documents. In this way, you can control access authorization.SAP DMS system monitors how you work, and prevents you from displaying or changing originals if you do not have the required authorization.
  The below link will provide you with an improved understanding of authorization concept and its application in DMS
  http://help.sap.com/erp2005_ehp_04/helpdata/en/c1/1c24ac43c711d1893e0000e8323c4f/frameset.htm
  Regards,
  Pradeepkumar Haragoldavar

• Best practices for Reusable methods that access DBTransaction object

  Hi All,
  In our application, there are reusable methods that has DBTransaction object as parameter, eg :
  public static String postingToGL(DBTransaction dbTran, String pProceName, Number pDocId)
  This method could be called both from : Entity Object or Application Module (AM).
  I have two options about where to implement it :
  (1) put it in a Utils / helper class, so that I can call it both from Entity class and AM. But I have to pass DBTransaction object as parameter (I am not convenient with this)
  or...
  (2) put it in Entity object base class, but the problem is what if application module also nede to call that method ?
  WHat is the best practice in this situation ?
  Thank you,
  xtanto

  Hi,
  what about putting it into an AM base class ? I don't know what you worries are for passing the DBTransaction around.
  Frank

• Best Practices for securing VTY lines?

  Hi all,
  The thread title makes this sound like a big post but it's not. 
  If my router has say., 193 VTY lines as a maximum, but by default running-config has only a portion of those mentioned, should I set any configs I do on all lines, or just on the lines sh run shows?  Example: 
  sh run on a router I have with default config has: :
  line vty 0 4
  access-class 23 in
  privilege level 15
  login local
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  privilege level 15
  login local
  transport input telnet ssh
  Yet, I have the option of configuring up to 193 VTY lines:
  Router(config)#line vty ?
    <0-193>  First Line number
  It seems lines 16-193 still exist in memory, so my concern is that they are potentially exposed somehow to exploits or what not.  So my practice is to do any configs I do using VTY 0 193 to ensure universal configuration.  But, my "enabling" the extra lines, am I using more memory, and, how secure is this against somebody trying to say, connect 193 times to my router simtaneously?  Does it increase the likelihood of success on DoS attack for example. 

  Hi guys, thanks for the replies and excellent information.  I'm excited to look at the IOS Hardending doc and the other stuff too. 
  Just to clarify, I don't actually use the default config, I only pasted it from a new router just to illustrate the default VTY line count. 
  I never use telnet from inside or outside, anyting snooping a line will pick up the cleartext as ou both know of course.  SSH is always version 2 etc. 
  I was considering doing a console server from the insidde as the only access method - which I do have set up but I have to remote to it It's just that with power outages at times, the console PC won't come back up (no BIOS setting to return to previous state, no WOL solution in place) so now I have both that plus the SSH access.  I have an ACL on both the VTY lines themselves as well as a ZBFW ACL governing SSH - perhaps a bit redundant in some ways but oh well if there's a zero-day ou thtere for turning off the zbfw I might still be protected  
  Regretfully I havne't learned about AAA yet - that I believe is in my CCNA Security book but first I need to get other things learned. 
  And with regard to logging in general, both enabling the right kind and monitoring it properly, that's a subject I need to work on big time.  I still get prot 25 outbound sometimes from a spam bot, but by the time I manually do my sh logging | i :25 I have missed it (due to cyclic logging with a buffer at 102400).  Probably this woud be part of that CCNA Security book as well. 
  So back to the # of VTY lines.  I will see what I can do to reduce the line count.  I suppose something like "no line vty 16 193" might work, if not it'll take some research. 
  But if an attacker wants to jam up my vty lines so I can't connect in, once they've fingerprinted the unit a bit to find out that I don't have an IPS running for example, wouldn't it be better that they have to jam up 193 lines simultaneously (with I presume 193 source IPs) instaed of 16?  Or am I just theorizing too much here.  I'ts not that this matters much, anybody who cares enough to hack this router will get a surprise when they find out there's nothing worth the effort on the other side But this is more so I can be better armed for future deployments.  Anyway, I will bookmark the info from this thread and am looking forward to reading it. 

• Best Practice For Secure File Sharing?

  I'm a newbie to both OX X Server and File Sharing protocols, so please excuse my ignorance...
  My client would like to share folders in the most secure way possible; I was considering that what might be the best way would be for them to VPN into the server and then view the files through the VPN tunnel; my only issue with this is that I have no idea how to open up File Sharing to ONLY allow users who are connecting from the VPN (i.e. from inside of the internal network)... I don't see any options in Server Admin to restrict users in that way....
  I'm not afraid of the command line, FYI, I just don't know if this is:
  1. Possible!
  And 2. The best way to ensure secure AND encrypted file sharing via the server...
  Thanks for any suggestions!

  my only issue with this is that I have no idea how to open up File Sharing to ONLY allow users who are connecting from the VPN
  Simple - don't expose your server to the outside world.
  As long as you're running on a NAT network behind some firewall or router that's filtering traffic, no external traffic can get to your server unless you setup port forwarding - this is the method used to run, say, a public web server where you tell the router/firewall to allow incoming traffic on port 80 to get to your server.
  If you don't setup any port forwarding, no external traffic can get in.
  There are additional steps you can take - such as running the software firewall built into Mac OS X to tell it to only accept network connections from the local network, but that's not necessary in most cases.
  And 2. The best way to ensure secure AND encrypted file sharing via the server...
  VPN should take care of most of your concerns - at least as far as the file server is concerned. I'd be more worried about what happens to the files once they leave the network - for example have you ensured that the remote user's local system is sufficiently secured so that no one can get the documents off his machine once they're downloaded?

• Best Practices for Securing Oracle e-Business Suite -Metalink Note 189367.1

  Ok we have reviewed our financials setup against the title metalink document. But we want to focus on security and configuration specific to the Accounts Payable module of Oracle Financialos. Can you point me in the direction of any useful documents for this or give me some pointers??

  Ok we have reviewed our financials setup against the title metalink document. But we want to focus on security and configuration specific to the Accounts Payable module of Oracle Financialos. Can you point me in the direction of any useful documents for this or give me some pointers??

• Best practices for securely storing environment properties

  Hi All,
  We have a legacy security module that is included in many
  different applications. Historically the settings (such as
  database/ldap username and password) was stored directly in the
  files that use them. I'm trying to move towards a more centralized
  and secure method of storing this information, but need some help.
  First of all, i'm struggling a little bit with proper scoping
  of these variables. If another application does a cfinclude on one
  of the assets in this module, these environment settings must be
  visible to the asset, but preferrably not visible to the 'calling'
  application.
  Second i'm struggling with the proper way to initialize these
  settings. If other applications run a cfinclude on these assets,
  the application.cfm in the local directory of the script that's
  included does not get processed. I'm left with running an include
  statement in every file, which i would prefer to avoid if at all
  possible.
  There are a ton (>50) applications using this code, so i
  can't really change the external interface. Should i create a
  component that returns the private settings and then set the
  'public' settings with Server scope? Right now i'm using
  application scope for everything because of a basic
  misunderstanding of how the application.cfm's are processed, and
  that's a mess.
  We're on ColdFusion 7.
  Thanks!

  Hi,
  Thank you for posting in Windows Server Forum.
  As per my research, we can create some script for patching the server and you have 2 servers for each role. If this is primary and backup server respectively then you can manage to update each server separately and bypass the traffic to other server. After
  completing once for 1 server you can just perform the same step for other server. Because as I know we need to restart the server once for successful patching update to the server.
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• Best practices for securing communication to internet based SCCM clients ?

  What type of SSL certs does the community think should be used to secure traffic from internet based SCCM clients ?  should 3rd party SSL certs be used ?  When doing an inventory for example of the clients configuration in order to run reports
  later how the  data be protected during transit ?

  From a technical perspective, it doesn't matter where the certs come from as there is no difference whatsoever. A cert is a cert is a cert. The certs are *not* what provide the protection, they simply enable the use of SSL to protect the data in transit
  and also provide an authentication mechanism.
  From a logistics and cost perspective though, there is a huge difference. You may not be aware, but *every* client in IBCM requires its own unique client authentication certificate. This will get very expensive very quickly and is a recurring cost because
  certs expire (most commercial cert vendors rarely offer certs valid for more than 3 years). Also, deploying certs from a 3rd party is not a trivial endeavor -- you more less run into chicken and egg issues here. With an internal Microsoft PKI, if designed
  properly, there is zero recurring cost and deployment to internal systems is trivial. There is still certainly some cost and overhead involved, but it is dwarfed by that that comes with using with a third party CA for IBCM certs.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Enterpise Best Practices for iPad

  Is anyone aware of any documentation idnetifying best practices for securely deploying iPads in an enterprise environment?

  There is some information out there, though not as much as I think we are typically used to for enterprise environments. (It is a consumer device, and Apple is a consumer-driven company, and I don't fault them for that one bit.)
  Here is some documentation from Apple:
  http://www.apple.com/support/ipad/enterprise/
  Also, Jamf Software has some information regarding their Casper suite.
  We don't use it yet at my workplace, but I have heard good things about them.
  http://www.jamfsoftware.com/solutions/mobile-device-management
  Edit:
  And welcome to the forums!
  Message was edited by: tibor.moldovan

• Best practice for external but secure access to internal data?

  We need external customers/vendors/partners to access some of our company data (view/add/edit).  It’s not so easy as to segment out those databases/tables/records from other existing (and put separate database(s) in the DMZ where our server is).  Our
  current solution is to have a 1433 hole from web server into our database server.  The user credentials are not in any sort of web.config but rather compiled in our DLLs, and that SQL login has read/write access to a very limited number of databases.
  Our security group says this is still not secure, but how else are we to do it?  Even if a web service, there still has to be a hole in somewhere.  Any standard best practice for this?
  Thanks.

  Security is mainly about mitigation rather than 100% secure, "We have unknown unknowns". The component needs to talk to SQL Server. You could continue to use http to talk to SQL Server, perhaps even get SOAP Transactions working but personally
  I'd have more worries about using such a 'less trodden' path since that is exactly the areas where more security problems are discovered. I don't know about your specific design issues so there might be even more ways to mitigate the risk but in general you're
  using a DMZ as a decent way to mitigate risk. I would recommend asking your security team what they'd deem acceptable.
  http://pauliom.wordpress.com

• Best practice for select access to users

  Not sure if this is the correct forum to post, if not then let me know where should I post.
  From my understanding this is the best forum to ask this questions.
  Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
  From time to time user want more and more access to different tables so that they can do investigation properly.
  Let me know if there exists a best practice document around this space.
  Asked in this forum as this is related to PL/SQL access.

  Welcome to the forum!
  Whenever you post provide your 4 digit Oracle version.
  >
  Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
  From time to time user want more and more access to different tables so that they can do investigation properly.
  Let me know if there exists a best practice document around this space.
  >
  There are many best practices documents about various aspects of security for Oracle DBs but none are specific to developers doing invenstigation.
  Here is the main page for Oracles' OPAC white papers about security.
  http://www.oracletechnetwork-ap.com/topics/201207-Security/resources_whitepaper.cfm
  Take a look at the ones on 'Oracle Identity Management' and on 'Developers and Identity Services'.
  http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
  This paper by Database Specialists shows how to use Oracle Identity Management to limit access to users such as developers through the use of roles. It shows some examples of users using their own account but having limited privileges based on the role they are given.
  http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
  And this Oracle White Paper, 'Oracle Database Security Checklist', is a more basic security doc that discusses the entire range of security issues that should be considered for an Oracle Database.
  http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
  You don't mention what environment (PROD/QA/TEST/DEV) you are even talking about or whether the access is to deal with emergency issues or general reproduction and fixing of bugs.
  Many sites create special READONLY roles, eg. READ_ONLY_APP1, and then grant privileges to those roles for tables/objects that application uses. Then that role can be granted to users that need privileges for that application and can be revoked when they no longer need it.
  Some sites prefer creating special READONLY users that have those read only roles. If a user needs access the DBA changes the password and provides the account info to the user. When the user has completed their duties the DBA resets the password to something no one else knows.
  Those special users have auditing on them and the user using them is responsible for all activity recorded in the logs during the time the user has access to that account.
  In general you grant the minimum privileges needed and revoke them when they are no longer needed; generally through the use of roles.
  >
  Asked in this forum as this is related to PL/SQL access.
  >
  Please explain that. Your question was about 'access to different tables'. How does PL/SQL access fit into that?
  The important reason for the difference is that access is easily controlled thru the use of roles but in named PL/SQL blocks roles are disabled. So those special roles and accounts mentioned above are well-suited to allowing developers to query data but are not well-suited if the user needs to execute PL/SQL code belonging to another schema (the app schema).

• Best practices to secure out of bound management access

  What are the best practices to secure Out Of Bound Management (OOBM) access?
  I planning to put in an DSL link for OOBM. I have a console switch which supports SSH and VPN based on IPSec with NAT traversal. My questions are -
  Is it secure enough?
  Do I need to have a router/firewall in front of the console switch?
  Im planing to put a Cisco 1841 router as an edge router. What do you think?
  Any suggestions would be greatly appreciated.

  Hi,
  You're going to have an OOB access via VPN?
  This is pretty secure (if talking about IPsec)
  An 1841 should work fine.
  You can check the design recommendations here:
  www.cisco.com/go/srnd
  Chose the security section...
  Hope it helps.
  Federico.

• Best Practices for Accessing the Configuration data Modelled as XML File in

  Hi,
  I refer the couple of blof posts/Forum threads on How to model and access the Configuration data as XML inside OSB.
  One of the easiest and way is to
  Re: OSB: What is best practice for reading configuration information
  Another could be
  Uploading XML data as .xq file (Creating .xq file copy paste all the Configuration as XML )
  I need expert answers for following.
  1] I have .xsd file which is representing the Configuration data. Structure of XSD is
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue</Config>
  <FrameworkConfig>
  2] As my project will move from one env to another the property-value will change according to the Environment...
  For Dev:
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue_Dev</Config>
  <FrameworkConfig>
  For Stage :
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue_Stage</Config>
  <FrameworkConfig>
  3] Let say I create the following Folder structure to store the Configuration file specific for dev/stage/prod instance
  OSB Project Folder
  |
  |---Dev
  |
  |--Dev_Config_file.xml
  |
  |---Stage
  |
  |--Stahe_Config_file.xml
  |
  |---Prod
  |
  |-Prod_Config_file.xml
  4] I need a way to load these property file as xml element/variable inside OSb message flow.?? I can't use XPath function fn:doc("URL") coz I don't know exact path of XMl on deployed server.
  5] Also I need to lookup/model the value which will specify the current server type(Dev/Stage/prod) on which OSB MF is running. Let say any construct which will act as a Global configuration and can be acccessible inside the OSb message flow. If I get the vaalue for the Global variable as Dev means I will load the xml config file under the Dev Directory @runtime containing key value pair for Dev environment.
  6] This Re: OSB: What is best practice for reading configuration information
  suggest the designing of the web application which will serve the xml file over the http protocol and getting the contents into variable (which in turn can be used in OSB message flow). Can we address this problem without creating the extra Project and adding the Dependencies? I read configuration file approach too..but the sample configuration file doesn't show entry of .xml file as resources
  Hope I am clear...I really appreciate your comments and suggestion..
  Sushil
  Edited by: Sushil Deshpande on Jan 24, 2011 10:56 AM

  If you can enforce some sort of naming convention for the transport endpoint for this proxy service across the environments, where the environment name is part of the endpoint you may able to retrieve it from $inbound in the message pipeline.
  eg. http://osb_host/service/prod/service1 ==> Prod and http://osb_host/service/prod/service2 ==> stage , then i think $inbound/ctx:transport/ctx:uri can give you /service/prod/service1 or /service/stage/service1 and applying appropriate xpath functions you will be able to extract the environment name.
  Chk this link for details on $inbound/ctx:transport : http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/context.html#wp1080822