Securing a Production Environment
Determining Your Security Needs
Before you deploy WebLogic Server and your J2EE applications into a production environment, determine your security needs and make sure that you have taken the appropriate security measures, as described in the following sections:
To better understand your security needs, ask yourself the following questions:
There are many resources in the production environment that can be protected, including information in databases accessed by WebLogic Server and the availability, performance, and integrity of the Web site. Consider the resources you want to protect when deciding the level of security you must provide.
For most Web sites, resources must be protected from everyone on the Internet. But should the Web site be protected from the employees on the intranet in your enterprise? Should your employees have access to all resources within the WebLogic Server environment? Should the system administrators have access to all WebLogic resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. Perhaps it would be best to allow no system administrators to access the data or resources.
In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Web site. Understanding the security ramifications of each resource will help you protect it properly.
Hire Security Consultants or Use Diagnostic Software
Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. BEA partners offer services and products that can help you to secure a WebLogic Server production environment. See the BEA Partner's Page at http://www.bea.com/partners.
In addition to the BEA Partner's Page, the BEA dev2dev Web site offers software that assesses the security of your environment. For example, PentaSafe VigilEnt Security Agent provides an in-depth security audit of your WebLogic Server applications and proactively identifies configuration, access, and CGI-bin vulnerabilities. For a quick assessment of your application, download the free 30-day trial version from http://dev2dev.bea.com/resourcelibrary/utilitiestools/security.jsp.