DMZ Secure Proxy Server for IBM WebSphere Application Server

You can use the DMZ Secure Proxy Server for IBM® WebSphere® Application Server to provide a secure platform for your proxy server.

Deprecated feature: The DMZ Secure Proxy Server is deprecated for WebSphere Application Server Traditional Version 9.0.
z/OS: Important: The DMZ Secure Proxy Server is not available for use on the z/OS operating system for WebSphere Application Server Traditional Version 9.0.

With the DMZ Secure Proxy Server for IBM WebSphere Application Server, you can install your proxy server in the demilitarized zone (DMZ) while reducing the security risk that arises if you install a full application server in the DMZ to host a proxy server. The risk is reduced by removing from the application server any functions that are not required to host proxy servers but that can pose a security risk. Installing the secure proxy server in the DMZ rather than in the secured zone presents new security challenges; however, the secure proxy server is equipped with capabilities to protect against these challenges.

The following capabilities are available to harden the security of the DMZ Secure Proxy Server and to determine the level of security to assign:
Startup user permissions
The secure proxy server process can be changed to run as an unprivileged user after startup. Although the secure proxy server must be started as a privileged user, changing the server process to run as an unprivileged user provides additional protection for local operating resources.
Routing considerations
The secure proxy server can be configured to route requests to target servers based on static or dynamic routing information. With static routing, the server obtains the routing information from local flat files. With dynamic routing, the server obtains the routing information over a Hypertext Transfer Protocol (HTTP) tunnel connection from the proxy server to a server in the secure zone. Static routing is more secure because dynamic routing requires an additional connection through the inner firewall. Static routing is only applicable to HTTP requests.
Administration options
The secure proxy server does not contain a web container and therefore cannot host the administrative console. It is better not to have a web container on a DMZ Secure Proxy Server, because hosting application artifacts is considered a security risk and adds an unnecessary footprint to the proxy server. The secure proxy server is installed separately and has several different administrative options, each with its own security implications.
Error handling
Custom error pages can be used by the secure proxy server for specific error codes or groups of error codes. Either a custom error page application can generate the error messages, or flat custom error page files can be stored locally on the file system and served at run time. Using flat custom error pages instead of a custom error application provides a higher level of security: it limits the code path and eliminates the need to run a potentially unauthorized application whenever an error page is needed.
Denial of service protection
Denial of service protection is provided by two properties: Maximum request body buffer chunk size and Maximum response body buffer chunk size. These properties must be tuned to balance the level of protection against the performance overhead that can occur if they are set incorrectly.
When you create the DMZ Secure Proxy Server, you can choose one of the predefined security levels: High, Medium, or Low.
  • Low DMZ security level
    Table 1. Low DMZ security level default values. This table describes the settings and default values for the low DMZ security level.
    Setting             | Default value
    --------------------|---------------------------
    Startup permissions | Run as a privileged user
    Routing             | Dynamic routing
    Administration      | Remote administration
    Error handling      | Local error page handling
  • Medium DMZ security level
    Table 2. Medium DMZ security level default values. This table describes the settings and default values for the medium DMZ security level.
    Setting             | Default value
    --------------------|---------------------------
    Startup permissions | Run as an unprivileged user
    Routing             | Dynamic routing
    Administration      | Local administration
    Error handling      | Local error page handling
  • High DMZ security level
    Table 3. High DMZ security level default values. This table describes the settings and default values for the high DMZ security level.
    Setting             | Default value
    --------------------|---------------------------
    Startup permissions | Run as an unprivileged user
    Routing             | Static routing
    Administration      | Local administration
    Error handling      | Local error page handling
Important: The High DMZ security level cannot be used for SIP proxy servers because static routing cannot be used for the SIP proxy server.

In addition to these predefined settings, you can customize the settings to better serve your requirements. If you customize the settings, your DMZ Secure Proxy Server is assigned a qualitative categorization of its security, called the current security level. Each custom setting is assigned a value of High, Medium, or Low, and the current security level is equal to the value of the least secure setting in use. To achieve a current security level of High, only settings assigned the High value can be configured. To achieve a current security level of Medium, only settings with values of High or Medium can be used. The current security level is Low if any setting assigned the value Low is set.
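The "least secure setting wins" rule above, worked through as an added example (not IBM code). The mapping of each setting choice to High, Medium or Low is an assumption derived from Tables 1 to 3: every choice in the High profile must itself be High, dynamic routing must be Medium (the only non-High choice in the Medium profile), and the privileged-startup and remote-administration choices are taken to be Low; the SIP restriction on static routing is also enforced.

```python
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed security value of each setting choice (see lead-in for how it is
# derived from the three predefined profiles).
SETTING_LEVELS = {
    "startup": {"privileged": Level.LOW, "unprivileged": Level.HIGH},
    "routing": {"dynamic": Level.MEDIUM, "static": Level.HIGH},
    "administration": {"remote": Level.LOW, "local": Level.HIGH},
    "error_handling": {"local_error_page": Level.HIGH},
}

# Constructed profiles matching Tables 1 to 3.
LOW_PROFILE = {"startup": "privileged", "routing": "dynamic",
               "administration": "remote", "error_handling": "local_error_page"}
MEDIUM_PROFILE = {"startup": "unprivileged", "routing": "dynamic",
                  "administration": "local", "error_handling": "local_error_page"}
HIGH_PROFILE = {"startup": "unprivileged", "routing": "static",
                "administration": "local", "error_handling": "local_error_page"}


def current_security_level(config, sip_proxy=False):
    """Return the current security level: the least secure setting in use."""
    if not config:
        raise ValueError("configuration has no settings")
    if sip_proxy and config.get("routing") == "static":
        raise ValueError("static routing cannot be used for a SIP proxy server")
    levels = []
    for setting, choice in config.items():
        try:
            levels.append(SETTING_LEVELS[setting][choice])
        except KeyError:
            raise ValueError(f"unknown choice {choice!r} for {setting!r}") from None
    return min(levels)


def weakest_settings(config, sip_proxy=False):
    """Name the settings holding the level down, i.e. the ones to harden first."""
    level = current_security_level(config, sip_proxy)
    return sorted(s for s, c in config.items() if SETTING_LEVELS[s][c] == level)
```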

An additional change that enhances protection for the DMZ Secure Proxy Server is the switch from a Java™ Development Kit (JDK) to a Java Runtime Environment (JRE). Switching from a JDK to a JRE removes the compiler from the installation. This change is beneficial because the compiler could be used for malicious purposes if there is a security breach.

IBM i: No JRE is currently available for i5/OS™ systems; therefore, a JDK is used. For protection against this type of threat, you can manually remove the tools.jar file from the JDK installation root.


Last updated: July 9, 2016 6:05
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=cjpx_secpxdmz
File name: cjpx_secpxdmz.html