Dmz aa aioug
Page 1: Dmz aa aioug

© Copyright 2015. Apps Associates LLC. 1

Demilitarized Zone in 12.2


KaliKishore Gomattam

Lead DBA Consultant – IMS @ Apps Associates

@kgomattam


Performance. Growth. Excellence.

• Global Reach, Broad Service Profile
  • Founded in 2002, 600+ employees
  • US, Europe, India, Middle East
  • Service Offerings: Applications, CRM, Analytics, EPM, Cloud, Middleware, Application Development, App & Infrastructure Managed Services

• Significant Investment in R&D
  • Cloud (IaaS, PaaS, SaaS)
  • Business Process & System Integration
  • Analytics & Big Data

• Strategic Partnerships, Certifications, Credentials
  • Oracle Platinum Partner, Oracle Specialized Across Our Portfolio of Services
  • AWS Advanced Consulting Partner, Certified Managed Services Provider
  • Microsoft Certified
  • CMMI Level 3 & SSAE 16


Agenda

Overview

What is DMZ

Why DMZ

Different Ways to Setup

High Level Steps to enable DMZ

How does it differ from 12.1

Best Practices


Question!!! Why do we need to expose applications to the public???


Risks

As organizations expose their Oracle Applications outside the private network over HTTP/HTTPS, the application becomes reachable from the public network, which carries the following risks:

• Entry point for attackers
• Security information can be hacked
• Exposes the internal domain/network to external users
• Application vulnerability


Solution is DMZ

A DMZ serves this purpose by restricting access to the application based on the type of user logging in (internal/external).

DMZ, which stands for Demilitarized Zone consists of the portions of a corporate network that are between the corporate intranet and the Internet. The DMZ can be a simple one segment LAN or it can be broken down into multiple regions.

The main benefit of a properly-configured DMZ is better security: in the event of a security breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains somewhat protected.


DMZ with Oracle EBS

When configuring Oracle E-Business Suite in a DMZ configuration, firewalls are deployed at various levels to ensure that only authorized traffic is allowed to cross the firewall boundaries.

The firewalls ensure that if intrusion attempts against machines in the DMZ are successful, the intrusion is contained within the DMZ, leaving the machines in the intranet unaffected.


DMZ Architecture

Oracle provides four different types of architectures, as follows:

1. DMZ Configuration With an External and Internal Application Tier
2. DMZ Configuration With a Reverse Proxy and an External Application Tier
3. DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
4. DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ


DMZ Architecture (Type 1)

DMZ Configuration With an External and Internal Application Tier

[Diagram: Internet (external users), DMZ, Intranet (internal users); the DMZ External Firewall sits between the Internet and the DMZ. Protocols and ports shown between the tiers:]

HTTPS – 443
HTTP – 8000
WLS – 7001 / 7002
Node Manager – 5556 / 5557
ICMP
SSH – 22
SQLNET – 1521


DMZ Architecture (Type 1)

Pros:

• Simple configuration, with the external application tier configured in the DMZ for external users
• Internal users access the internal application via the intranet
• Restrict access to a limited set of Oracle Application Responsibilities for users logging in via the Internet
• Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access

Cons:

• Need to expose the complete EBS suite to the external world
• Cannot share the application tier file system between external and internal application tier nodes


DMZ Architecture (Type 2)

DMZ Configuration With a Reverse Proxy and an External Application Tier

[Diagram: Internet (external users), DMZ containing the Reverse Proxy, Intranet (internal users); a DMZ External Firewall and a DMZ Internal Firewall bound the DMZ. Protocols and ports shown between the tiers:]

HTTPS – 443
HTTP – 8000
WLS – 7001 / 7002
Node Manager – 5556 / 5557
ICMP
SSH – 22
SQLNET – 1521


DMZ Architecture (Type 2)

Pros:

• Restrict access to a limited set of Oracle Application Responsibilities for users logging in via the Internet
• Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• Mask external application tier details from external users with the use of a reverse proxy server
• Terminate SSL connections at the reverse proxy if required
• Implement a URL firewall on the reverse proxy server to restrict access

Cons:

• An additional server is required for the reverse proxy
• Cannot share the application tier file system between external and internal application tier nodes


DMZ Architecture (Type 3)

DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System

[Diagram: Internet (external users) reaching an External Load Balancer; DMZ External Firewall and DMZ Internal Firewall; Intranet with an Internal Load Balancer and internal users. Protocols and ports shown between the tiers:]

HTTPS – 443
HTTP – 8000
WLS – 7001 / 7002
Node Manager – 5556 / 5557
ICMP
SSH – 22
SQLNET – 1521


DMZ Architecture (Type 3)

Pros:

• Restrict access to a limited set of Oracle Application Responsibilities for users logging in via the Internet
• Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• Application file system can be shared among all nodes
• Not required to open ports on the firewall
• Load is balanced across multiple nodes

Cons:

• Load balancer is exposed to the external world


DMZ Architecture (Type 4)

DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ

[Diagram: Internet (external users) reaching an External Load Balancer; DMZ External Firewall and DMZ Internal Firewall; Intranet with an Internal Load Balancer and internal users. Protocols and ports shown between the tiers:]

HTTPS – 443
HTTP – 8000
WLS – 7001 / 7002
Node Manager – 5556 / 5557
ICMP
SSH – 22
SQLNET – 1521


DMZ Architecture (Type 4)

Pros:

• Restrict access to a limited set of Oracle Application Responsibilities for users logging in via the Internet
• Allow user access to only the Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• Application file system can be shared among all nodes
• Load is balanced across multiple nodes

Cons:

• Load balancer is exposed to the external world
• The application tier file system is not shared between external and internal application tier nodes


Application Access Flow

[Diagram: internal users request http://internal.mydomain.com over the private network and reach the EBS instance at 10.1.1.100 directly.]


Application Access Flow

[Diagram: external users request http://external.mydomain.com over the public network; the request reaches the proxy server at 54.100.200.100, which forwards it to the EBS instance at 10.1.1.100 on the private network.]


Application Access Flow

[Diagram: Global DNS resolves external.mydomain.com to 54.100.200.100 (the proxy server).]



Application Access Flow

[Diagram: Local DNS resolves external.mydomain.com to 10.1.1.100 (the EBS instance), while Global DNS resolves the same name to 54.100.200.100 (the proxy server), so internal users reach the instance directly and external users go through the proxy.]



Steps to enable DMZ

To enable DMZ using any of the four architectures, we need to perform some or all of the steps below, based on which architecture we selected.

1. Patches required for DMZ configuration
2. Clone the external node using adcfgclone.pl (Run & Patch)
3. Update hierarchy type
4. Update node/responsibility trust level
5. Configure reverse/load balancer proxy (conditional)
6. Remove references to internal node(s) in mod_wl_ohs.conf (only for 12.2.x)


Steps to enable DMZ

1. Patches required for DMZ configuration: R12.AD.C.Delta.4 and R12.TXK.C.Delta.4

Note: Follow MOS Note 1617461.1 to apply the required patches. If an update patch for AD/TXK is available, apply it instead of the minimum code level mentioned under Patch Number/Min Code Level.


Steps to enable DMZ

2. Clone the external node using adcfgclone.pl (Run & Patch). When prompted, say “Yes” to add the node. Enable “Web Entry Point” and “Web Application Services”. Don’t enable “Batch Processing Services”.


Steps to enable DMZ

3. Update Hierarchy Type. The following user profile options are used to construct various URLs in EBS.


Steps to enable DMZ

3. Update Hierarchy Type. By default, the hierarchy type value for these profile options is “Server type”.


Steps to enable DMZ

3. Update Hierarchy Type. An E-Biz environment for DMZ requires the hierarchy type of these profile options to be set to “SERVRESP”. Run “$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP” on the run file system as the apps user.


Steps to enable DMZ

4. Update Node/Responsibility Trust Level. Oracle E-Biz has the capability to restrict access to a predefined set of responsibilities based on the application tier server from which the user logs in. This capability is achieved by tagging each application server with a trust level, indicated by the Node Trust Level (NODE_TRUST_LEVEL) server profile option.

Options:

• Administrative: These servers are considered secure and provide access to any and all E-Biz functions.
• Normal: Users logging in from normal servers have access to only a limited set of responsibilities.
• External: These servers have access to an even smaller set of responsibilities.
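The trust-level rule from step 4, worked as a small Python model. This is an added example, not code from the deck or from Oracle E-Business Suite: the node and responsibility names are constructed, and the numeric codes 1/2/3 and the comparison (a responsibility is offered when its own trust level is at least as restrictive as the node's) are assumptions that model the three tiers the slide describes. The second function is the check a reviewer wants after cloning: a DMZ-resident node that was left at a level other than External would offer Internet users a far larger responsibility set than intended.

```python
from enum import IntEnum


class TrustLevel(IntEnum):
    # Numeric codes are assumptions for this example; the three names and their
    # ordering (Administrative offers the most, External the least) follow the slide.
    ADMINISTRATIVE = 1
    NORMAL = 2
    EXTERNAL = 3


def reachable_responsibilities(node_level, responsibilities):
    """Responsibilities a user may pick after logging in through a node tagged node_level.

    Rule modelled: a responsibility is offered only if its own trust level is at
    least as restrictive as the node's (resp >= node). Administrative nodes
    therefore offer everything; External nodes offer only External-tagged ones.
    """
    return sorted(name for name, level in responsibilities.items() if level >= node_level)


def dmz_nodes_not_external(nodes):
    """Return DMZ-resident nodes whose NODE_TRUST_LEVEL is not External.

    nodes: {node_name: (zone, TrustLevel)}; zone is 'dmz' or 'intranet' (constructed
    labels). A DMZ node at any other level is the misconfiguration to flag first.
    """
    return sorted(n for n, (zone, level) in nodes.items()
                  if zone == "dmz" and level != TrustLevel.EXTERNAL)


# Constructed sample data (hypothetical responsibility and node names).
RESPONSIBILITIES = {
    "System Administrator": TrustLevel.ADMINISTRATIVE,
    "Payables Manager": TrustLevel.NORMAL,
    "iSupplier Portal Full Access": TrustLevel.EXTERNAL,
    "iRecruitment External Candidate": TrustLevel.EXTERNAL,
}
NODES = {
    "ebsapp01.internal": ("intranet", TrustLevel.ADMINISTRATIVE),
    "ebsext01.dmz": ("dmz", TrustLevel.EXTERNAL),
    "ebsext02.dmz": ("dmz", TrustLevel.NORMAL),  # deliberately mis-tagged for the demo
}

if __name__ == "__main__":
    for node, (_, level) in NODES.items():
        print(node, level.name, reachable_responsibilities(level, RESPONSIBILITIES))
    print("DMZ nodes not tagged External:", dmz_nodes_not_external(NODES))
```

In a real instance the node levels come from the NODE_TRUST_LEVEL profile values at server level and the responsibility levels from the corresponding responsibility-level profile; the model above only shows why the two must be reviewed together before the external node is opened to the Internet.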


Steps to enable DMZ

5. Configure Reverse/Load Balancer Proxy (Conditional). The reverse proxy server is configured in front of the external application tier node, and it requires the Oracle E-Biz application tier nodes to be aware of the presence of the reverse proxy server.

Modify the following parameters in the application tier context file for both the run and patch file systems.

Page 36: Dmz aa aioug

© Copyright 2015. Apps Associates LLC. 36

Steps to enable DMZ

6. Remove references to Internal Node(s) in mod_wl_ohs.conf (Only for 12.2.x). When a node is added to an existing E-Biz instance, mod_wl_ohs.conf will have references to both primary and secondary nodes. We need to remove these references to make sure that external nodes will not refer to internal managed servers.
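A check for step 6, as an added example (not the deck's or Oracle's code): a constructed fragment of mod_wl_ohs.conf with WebLogicCluster and WebLogicHost directives, hypothetical hostnames, and two functions that report and strip backends outside the external node's allow-list. The directive syntax follows the WebLogic proxy plug-in (comma-separated host:port lists); the exact contents of a real 12.2 file are assumed, so run the report function against the actual file before trusting the rewrite.

```python
import re

# Constructed sample of the directives an added node's mod_wl_ohs.conf carries
# after cloning (hostnames are hypothetical); a real file has more sections.
SAMPLE_CONF = "\n".join([
    "<IfModule mod_weblogic.c>",
    "  WebLogicCluster ebsapp01.internal.example:7201,ebsext01.dmz.example:7201",
    "  MatchExpression *.jsp",
    "</IfModule>",
    "<Location /OA_HTML>",
    "  SetHandler weblogic-handler",
    "  WebLogicCluster ebsapp01.internal.example:7201,ebsext01.dmz.example:7201",
    "</Location>",
    "<Location /forms>",
    "  SetHandler weblogic-handler",
    "  WebLogicHost ebsext01.dmz.example",
    "  WebLogicPort 7401",
    "</Location>",
])

_CLUSTER = re.compile(r"^(\s*)WebLogicCluster\s+(\S+)\s*$", re.IGNORECASE)
_HOST = re.compile(r"^\s*WebLogicHost\s+(\S+)\s*$", re.IGNORECASE)


def _host_of(member):
    """'host:port' or 'host' -> 'host', lower-cased for comparison."""
    return member.split(":", 1)[0].lower()


def find_foreign_backends(conf_text, allowed_hosts):
    """List (line_no, host) for every backend host that is not in allowed_hosts.

    allowed_hosts: the managed-server hosts the external node may forward to,
    normally just the external node(s) themselves.
    """
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = _CLUSTER.match(line)
        if m:
            for member in m.group(2).split(","):
                if member and _host_of(member) not in allowed:
                    hits.append((no, _host_of(member)))
            continue
        m = _HOST.match(line)
        if m and _host_of(m.group(1)) not in allowed:
            hits.append((no, _host_of(m.group(1))))
    return hits


def strip_foreign_backends(conf_text, allowed_hosts):
    """Return conf_text with non-allowed members dropped from WebLogicCluster lines.

    A WebLogicHost pointing at a foreign host is not auto-edited: a single-host
    directive has no partial fix, so it is raised for manual review. Also raises
    if a cluster list would be left empty (the external node would have no backend).
    """
    allowed = {h.lower() for h in allowed_hosts}
    out = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = _CLUSTER.match(line)
        if m:
            keep = [x for x in m.group(2).split(",") if x and _host_of(x) in allowed]
            if not keep:
                raise ValueError(f"line {no}: no allowed backend left in WebLogicCluster")
            line = f"{m.group(1)}WebLogicCluster {','.join(keep)}"
        else:
            m = _HOST.match(line)
            if m and _host_of(m.group(1)) not in allowed:
                raise ValueError(f"line {no}: WebLogicHost {m.group(1)} needs manual review")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    allowed = ["ebsext01.dmz.example"]
    for no, host in find_foreign_backends(SAMPLE_CONF, allowed):
        print(f"line {no}: references internal managed server on {host}")
    print(strip_foreign_backends(SAMPLE_CONF, allowed))
```

The report function is the useful part for an audit: run it on the external node's run and patch file systems after every adcfgclone or fs_clone, because the cloned configuration is regenerated and a stripped reference can silently reappear.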


12.1.x Vs 12.2.x

Item          12.1.x                                    12.2.x
Virtual Host  Can be set while running adcfgclone       Cannot be set using adcfgclone; need to configure OHS
SSL           Supports up to SHA-1                      Supports SHA-2
SSH           Does not require user equivalence         Requires user equivalence
Apache        No configuration change required          Need to remove access to internal node(s) in mod_wl_ohs.conf


Best Practices

Identify the network flow

Preserve isolation as much as possible

Practice good vulnerability management

Make sure there is no way to directly request your web server, bypassing security filtering layers

Audit your equipment

Follow security best practices

Monitor, monitor, monitor


Connect with Us

Web: www.appsassociates.com

Email: [email protected]

YouTube: www.youtube.com/user/AppsAssociates

LinkedIn: www.us.linkedin.com/company/apps-associates

Twitter: @AppsAssociates

Facebook: www.facebook.com/AppsAssociatesGlobal


Thank You! @kgomattam