Tuesday, May 24, 2011

Securing your GlassFish. Hardening Guide.


If you are seriously thinking about running GlassFish in a production environment, you are looking for some kind of information about securing it. Most basically you would do what sounds right for you and start with a secure installation, think about firewalls and secure applications. And this basically is right. But have you ever thought about the why? I did. And further on I checked back with GlassFish, and here is the ultimate hardening guide for your GlassFish installation. I don't have any special version in mind, so most of it should work beginning with v3.

IT-Security Guidelines
Work and business processes are increasingly based on IT solutions. For this reason, the security and reliability of information and communications technology gain more and more importance. You simply have to look at what happened to the PlayStation Network lately and you get a feeling for what IT-Security could mean to your business. I always thought of it as a comprehensive checklist of things to do to ensure a secure environment. Simple and boring stuff. And this is why I was on the hunt for the most comprehensive list I could get, to make my own GlassFish installations as secure as possible. Call me innocent and you are right. But: Hey, I'm a simple developer. Let's start with the basics. IT-Security is a lot more than simple checklists. It's a complete bunch of methods, processes, procedures, approaches and measures relating to information security. The most comprehensive standard work is the IT-Grundschutz of the German Federal Office for Information Security (BSI). The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information of an organisation, using a holistic approach: the proper application of well-proven technical, organisational, personnel, and infrastructural safeguards. I highly recommend reading a bit about this. What I quickly want to dive into are the so-called "IT-Grundschutz Catalogues", as they contain the essential security safeguards which support a systematic approach to IT-Security. Don't get me wrong. This is the "simple" part of it. Dealing with standard threats and catalogues is basic. For a complete BSI solution overview get a coffee and talk to your security officer.

The net and the fish
The first important thing to notice is that you have to take some time to consider your security needs. There are many screws to tighten, and you should make sure to use the right ones. A picture came to my mind when I thought about this: the fishing net could be a symbol for your infrastructure. It keeps your GlassFishes in place and protects them from shark attacks. And your GlassFish takes care of the Java application running within it. So the first and obvious thing to check is the infrastructure. A typical GlassFish does not swim in the wild. It's hidden behind a reverse proxy which itself sits inside a DMZ. When I talk about "system hardening" here, it's the most basic security process you should apply to GlassFishes living in similar situations. Depending on your security needs, you should extend the list accordingly.

Prerequisites
Hardening a single GlassFish instance is useless if the environment you run it in is not hardened too. The weakest point of your infrastructure defines your overall security level. So the first thing to check is whether your hardware is up to date (yes, I'm talking about BIOS and stuff here) and whether the operating system you are using is hardened at all. Don't forget about the network (firewalls, switches, and so on). If not, stop reading and check back with the guys that are responsible for that.

Thoughts about password strength
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability. (Source: wikipedia.org) Whenever I talk about changing a password, think about using a strong password!

Hardening basics with GlassFish
Before you start doing anything you should think about a security concept. Yes. The documentation stuff. You need to write down, what you are going to do and why. "Which resources am I protecting?" and "From whom am I protecting the resources?". Done? Fine. Let's start.

Install an up-to-date and completely patched version of Java
There are many ways to do this. Get the latest bits, compare the checksums and apply all patches.

Setting up the environment
Very important from a security point of view is not to run your GlassFish server as root. This means you need to create a user with restricted rights which you can use for running GlassFish. A good idea is to have a "gfish" user belonging to a "gfishadm" group. This group is the only one allowed to administrate the complete GlassFish installation including its files. Note that as a non-root user you are not going to be able to bind GlassFish to port 80, since it is a privileged port. But this is not too bad at all. As a principle for system hardening you could assume that all "defaults" are bad. So you don't want to run it there anyway :)

Install an up-to-date and completely patched version of GlassFish
Don't start over with one of the old archives downloaded weeks ago. Visit glassfish.org or oracle.com/goto/glassfish to grab the latest bits. Check the md5 hashes and make sure you really got the right ones. Check back with the critical patch updates website and make sure you have the latest security patches in place.

Configure your ports
As I said before: try to avoid default settings. Whatever ports are assigned by your basic installation, change them. Even though there are a lot of tools around to scan system ports, it's still considered good practice to move the ports away from the defaults.

Restrict access to the http/https ports
Check back with your network guys to restrict access to your GlassFish server to the http/https ports only. All other ports (e.g. the admin-listener) should be blocked and accessible from localhost or the cluster nodes only. You can rely on an external firewall product or configure your system's firewall (e.g. iptables) accordingly.
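As an added example (not code from the original post), a small shell function that emits an iptables-restore ruleset for exactly this policy: http/https reachable from anywhere, the admin-listener from loopback and the cluster network only, everything else dropped, with blocked admin-port attempts logged. The ports (8180/8543/4948) and the cluster subnet (10.0.5.0/24) are assumed values passed as parameters.

```shell
# Emit an iptables-restore ruleset for a GlassFish host (added example, not the
# post's own code). Arguments: http port, https port, admin-listener port,
# cluster network in CIDR notation. All four values below are assumptions.
gf_firewall_rules() {
  http_port=$1; https_port=$2; admin_port=$3; cluster_cidr=$4
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# localhost may reach everything, including the admin-listener
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# application traffic: reachable from anywhere (or only from the reverse proxy)
-A INPUT -p tcp --dport ${http_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${https_port} -m conntrack --ctstate NEW -j ACCEPT
# admin-listener: cluster nodes only; log everything else before the policy drops it
-A INPUT -p tcp --dport ${admin_port} -s ${cluster_cidr} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${admin_port} -m limit --limit 6/min -j LOG --log-prefix "gf-admin-blocked: "
COMMIT
EOF
}

# Sanity check on the generated rules: succeeds only when the INPUT policy is DROP
# and every ACCEPT for the admin port carries the cluster source restriction.
gf_firewall_rules_restricted() {
  rules=$(gf_firewall_rules "$@")
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -- "--dport $3 " | grep -- '-j ACCEPT' | grep -vq -- "-s $4 " && return 1
  return 0
}

# Review the output, then load it with:
#   gf_firewall_rules 8180 8543 4948 10.0.5.0/24 | iptables-restore
# Add a rule for your own management access (e.g. ssh) first, or you lock yourself out.
gf_firewall_rules 8180 8543 4948 10.0.5.0/24
```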

Securing the admin console
If you decide not to protect the admin-listener on the network level, you need to enable the secure administration feature. The secure administration feature allows an administrator to secure all administrative communication between the domain administration server (DAS), any remote instances, and administration clients such as the asadmin utility, the administration console, and REST clients. In addition, secure administration helps to prevent DAS-to-DAS and instance-to-instance traffic, and carefully restricts administration-client-to-instance traffic.

Change the master password
GlassFish uses the master password to protect the domain's encrypted files from unauthorized access, i.e. the certificate store which contains the certificates for https communication. Every asadmin action needs it to execute successfully. You have to decide whether you run your installation in an interactive or a non-interactive way for the master password challenge. Running it as an autostart daemon probably needs a saved master password.

Change the administration password
Same with the administration password. You also have the option to put it into a password file for an "automatic login". Depending on your network configuration and your threat analysis (from whom do I protect the system), this could be ok. But I advise you not to use any of the automatic login features available.

Aliasing Passwords
You should change your resource passwords to aliased ones. Use the asadmin create-password-alias command to replace clear-text passwords in domain.xml with ${ALIAS=xxxx} entries.
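An added example (not from the original post) of the check that goes with this step: an awk-based audit that lists every password property in domain.xml that is still clear text rather than a ${ALIAS=...} reference, run here against a constructed domain.xml excerpt. The resource and alias names are invented for the sample.

```shell
# Constructed domain.xml excerpt (not a real domain): one aliased password and two
# clear-text ones, the kind of thing the audit below should catch.
DOMAIN_XML_SAMPLE='<domain>
  <resources>
    <jdbc-connection-pool name="ordersPool" datasource-classname="org.postgresql.ds.PGSimpleDataSource">
      <property name="User" value="orders"/>
      <property name="Password" value="${ALIAS=orders-db-pw}"/>
    </jdbc-connection-pool>
    <jdbc-connection-pool name="reportsPool" datasource-classname="org.postgresql.ds.PGSimpleDataSource">
      <property name="User" value="reports"/>
      <property name="Password" value="s3cret"/>
    </jdbc-connection-pool>
    <mail-resource jndi-name="mail/out" host="smtp.example.test" user="app" from="app@example.test">
      <property name="mail.smtp.password" value="letmein"/>
    </mail-resource>
  </resources>
</domain>'

# Write the sample to a temporary file and print its path.
write_sample_domain_xml() {
  f=$(mktemp); printf '%s\n' "$DOMAIN_XML_SAMPLE" > "$f"; printf '%s\n' "$f"
}

# Print "<resource> <property>" for every *assword property in the given domain.xml
# whose value is not a ${ALIAS=...} reference. The values themselves are never printed.
find_cleartext_passwords() {
  awk '
    /<(jdbc-connection-pool|connector-connection-pool|mail-resource)[[:space:]]/ {
      match($0, /(jndi-)?name="[^"]*"/)
      owner = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", owner); sub(/"$/, "", owner)
    }
    /<property[[:space:]]+name="[^"]*[Pp]assword[^"]*"/ {
      match($0, /name="[^"]*"/);  prop = substr($0, RSTART + 6, RLENGTH - 7)
      match($0, /value="[^"]*"/); val  = substr($0, RSTART + 7, RLENGTH - 8)
      if (index(val, "${ALIAS=") != 1) print owner, prop
    }' "$1"
}

count_cleartext_passwords() { find_cleartext_passwords "$1" | wc -l | tr -d ' '; }

# Remediation as the post describes it: asadmin create-password-alias reports-db-pw,
# then point the property at ${ALIAS=reports-db-pw} (alias name is an assumed example).
sample=$(write_sample_domain_xml)
find_cleartext_passwords "$sample"
rm -f "$sample"
```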

A word about certificates
Normally you do not configure SSL certificates on your GlassFish instance. This is done by a reverse proxy, which has several advantages: you have lower load on your instance, and you don't have to deal with configuring SSL and certificates. If you are terminating your SSL connections directly on the GlassFish, you have to change the keystore entries accordingly. And certainly you should change the keystore password.

Hiding your identity
Like many servers, GlassFish is a bit chatty. The response headers contain some information which should not be disclosed to the public, to prevent targeted attacks:
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
You can disable this by turning off the "X-Powered-By" header on your http-listener and by adding the JVM option -Dproduct.name="".
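An added example (not part of the original post) of how to verify this after the change: a shell check that reads response headers and reports any Server or X-Powered-By header that still carries a value, run against constructed header blocks for the default and the hardened state. The asadmin dotted names in the comments are my assumption for GlassFish 3.x.

```shell
# Constructed response headers (not captured from a real server). The first block
# repeats what a default install sends; the second is what the check should accept
# once the X-Powered-By header is off and product.name is empty.
GF_HEADERS_DEFAULT='HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Content-Type: text/html;charset=UTF-8'

GF_HEADERS_HARDENED='HTTP/1.1 200 OK
Server:
Content-Type: text/html;charset=UTF-8'

# Read response headers on stdin; print each Server / X-Powered-By header with a
# non-empty value, tagged "[version]" when the value contains a version number.
disclosing_headers() {
  tr -d '\r' | awk -F': *' 'tolower($1) ~ /^(server|x-powered-by)$/ && $2 != "" {
      tag = ($2 ~ /[0-9]+\.[0-9]+/) ? " [version]" : ""
      print $1 ": " $2 tag
  }'
}

# Number of disclosing headers in a header block passed as a string.
count_disclosing_headers() {
  printf '%s\n' "$1" | disclosing_headers | wc -l | tr -d ' '
}

# Live check against a running instance (curl -I sends a HEAD request).
check_url_headers() { curl -sI "$1" | disclosing_headers; }

# Remediation, using dotted names I assume for GlassFish 3.x (verify with asadmin get):
#   asadmin set server-config.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false
#   asadmin create-jvm-options '-Dproduct.name='
printf '%s\n' "$GF_HEADERS_DEFAULT" | disclosing_headers
```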

Preventing System.gc()
Set an additional JVM option, -XX:+DisableExplicitGC. This makes the JVM ignore explicit calls to System.gc(), so application code cannot force full collections, while the JVM still performs garbage collection whenever it needs to.

Extended Hardening
If you have accomplished the most basic parts of the hardening, you could also start over and take care of the following points.

Remove unused components/services
Minimize the GlassFish Server installation by removing components that you are not using and do not intend to use. Every component you uninstall reduces the attack surface somebody could use to break in. This needs a whole lot of knowledge about the stuff you are running with your GlassFish.

Define a process for working with the update and pkg tools
Think about a small process for working with the update and pkg tools. You should disable the update checks for the admin console (-Dcom.sun.enterprise.tools.admingui.NO_NETWORK=true) or probably completely remove it from your distribution.

Admin server and instances
Beginning with 3.1 you can have instances besides your admin server. It's considered best practice not to run any application on your admin server at all. So you should have a concept for running your applications on instances and clusters. You could also think about completely shutting down the admin server except for the time you actually need it.

Enable authentication and authorization auditing
Auditing is the process of recording key security events in your GlassFish Server environment. You use audit modules to develop an audit trail of all authentication and authorization decisions. You should track all relevant events via the Audit Logging features.

Check file integrity
There are some tools out there to check the integrity of your installation. Starting with simple rootkit hunters, you also find commercial solutions (e.g. Tripwire). Think about using such a tool to protect the integrity of your installation.

Bottom Line
This is a very unintuitive topic. You have to have very detailed knowledge about the product you are trying to secure and about the complete infrastructure. If you are called to harden GlassFish, make sure to understand the security needs and make an assessment of the risks you have to take care of. And it's team play. A single hardened GlassFish is by far not enough.

Links and Literature
BSI-Standards
IT Security Guidelines (PDF)
Oracle GlassFish Server 3.1 Security Guide
Installing Glassfish 3.0.1 on Ubuntu
Installing Glassfish 3.1 on Ubuntu 10.04 LTS