|
Before installing LiveCycle, you can apply security solutions
to the network layer and operating system. This section describes
some issues and makes recommendations for reducing security vulnerabilities
in these areas.
Installation and configuration on UNIX and LinuxYou should not install
or configure LiveCycle using a root shell. By default, files are installed
under the /opt directory, and the user who performs the installation needs
all file permissions under /opt. Alternatively, an installation
can be performed under an individual user’s /user directory where
they already have all file permissions.
Installation and configuration on WindowsYou should perform the installation
on Windows as an administrator if you are installing LiveCycle on
JBoss by using the turnkey method or if you are installing PDF Generator.
Also, when installing PDF Generator on Windows with native application
support, you must run the installation as the same Windows user who
installed Microsoft Office. For more information about installation
privileges, see the Installing and Deploying LiveCycle document
for your application server.
3.1.1 Network layer securityNetwork security vulnerabilities are among the first threats
to any Internet-facing or intranet-facing application server. This
section describes the process of hardening hosts on the network
against these vulnerabilities. It addresses network segmentation,
Transmission Control Protocol/Internet Protocol (TCP/IP) stack hardening,
and the use of firewalls for host protection.
The following table describes common processes that reduce network
security vulnerabilities.
Issue
|
Description
|
|---|
Demilitarized zones (DMZs)
|
Deploy LiveCycle servers within a demilitarized
zone (DMZ). Segmentation should exist in at least two levels with
the application server used to run LiveCycle placed behind the inner
firewall. Separate the external network from the DMZ that contains
the web servers, which in turn must be separated from the internal
network. Use firewalls to implement the layers of separation. Categorize
and control the traffic that passes through each network layer to
ensure that only the absolute minimum of required data is allowed.
|
Private IP addresses
|
Use Network Address Translation (NAT) with
RFC 1918 private IP addresses on LiveCycle application servers.
Assign private IP addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16)
to make it more difficult for an attacker to route traffic to and
from a NAT'd internal host through the Internet.
|
Firewalls
|
Use the following criteria to select a firewall
solution:
Implement firewalls that support proxy
servers and/or stateful inspection instead of simple packet-filtering
solutions.
Use a firewall that supports a deny all services except those explicitly permitted security paradigm.
Implement a firewall solution that is dual-homed or multihomed.
This architecture provides the greatest level of security and helps
to prevent unauthorized users from bypassing the firewall security.
|
Database ports
|
Do not use default listening ports for databases
(MySQL - 3306, Oracle - 1521, MS SQL - 1433). For information about
changing database ports, see your database documentation.
Using a different database port affects
the overall LiveCycle configuration. If you change default ports,
you must make corresponding modifications in other areas of configuration,
such as the data sources for LiveCycle.
For
information about configuring data sources in LiveCycle, see Installing andDeploying LiveCycle or Upgrading to LiveCyclefor
your application server, at LiveCycle Documentation Set.
|
3.1.2 Operating system securityThe following table describes some potential approaches
to minimizing security vulnerabilities found in the operating system.
Issue
|
Description
|
|---|
Security patches
|
There is an increased risk that an unauthorized
user may gain access to the application server if vendor security
patches and upgrades are not applied in a timely fashion. Test security
patches before you apply them to production servers.
Also,
create policies and procedures to check for and install patches
on a regular basis.
|
Virus protection software
|
Virus scanners can identify infected files
by scanning for a signature or watching for unusual behavior. Scanners
keep their virus signatures in a file, which is usually stored on
the local hard drive. Because new viruses are discovered often,
you should frequently update this file for the virus scanner to
identify all current viruses.
|
Network Time Protocol (NTP)
|
For forensic analysis, keep accurate time
on the LiveCycle servers. Use NTP to synchronize the time on all
systems that are connected directly to the Internet.
|
For additional security information for your operating system,
see 2.1.1 Operating system security information .
|
|
|
