This tool recommends the configuration that would assist in secure deployment of Integration Server. However, these recommendations, does not ensure the complete security of the Integration Server.
Submitted by: Surendra Chaudhary, May, 2022;
Applicable version:
Introduction
Security is a critical part of Software AG product suite . Multiple layers of protectionsare one aspect of security: using firewalls to keep attackers out, passwords or other authentication mechanisms to prevent unauthorized users, and access controls to limit authorized users. Multiple layers of protections are one aspect of security: using firewalls to keep attackers out, passwords or other authentication mechanisms to prevent unauthorized users, and access controls to limit authorized users.
The SAG Security Best Practices document recommends some changes to the default Integration Server (IS) configuration. To ease the configuration process, the Integration Server Security Configuration Checker tool was developed to compare the configuration of a Integration Server with the best practices configuration. The tool makes specific recommendations when it discovers a potential problem and makes general configuration recommendations otherwise. This tech note describes how to use the tool and its limitations.
This tool recommends the configuration that would assist in secure deployment of Integration Server. However, these recommendations, does not ensure the complete security of the Integration Server.
1.1. Who Should Use the Security Configuration Checker
The Software AG‘s Integration Server Security Configuration Checker (SCC) is a useful tool for the 10.x versions of Integration Servers. It should be run on all Integration Servers before they enter production and periodically thereafter to verify that any changes which might have been made, have not adversely affected the security of the system. In addition, it is a good practice to run the SCC against Integration Servers even while they are being developed, so problems can be detected before the inevitable push to production begins. Finally, using SCC in a development environment reduces the risk of attacks from users who may have access to the system before it begins production.
SCC can be used by the Developers, Administrators and people responsible for deployment and security. SCC can also be used at different stages to verify the security level of the Integration Server.
Use of SCC is not a substitute for a thorough security audit, but is rather a tool to be used as part of an assessment of the security characteristics of a site.
1.2.Background and Limitations
Integration Server, like most other products, has many configuration options. The concept behind a security configuration checker is to review the configurations settings and provide a report as to which settings should be modified to improve security. Such checkers exist for operating systems and database systems, but do not generally exist for applications.
For operating systems, the best known tools of this type are:
- Internet Security Systems. Internet Scanner (www.iss.net)
- McAfee CyberCop ASap (www.nai.com)
- Nessus (www.nessus.org)
In contrast, the SCC looks for configuration errors in the Integration Server only. It does not look for configuration errors in the underlying operating system. Additionally, it cannot detect all configuration errors in the Integration Server.
Examples of things that are potential security configuration errors in Integration Server, but are not currently detected by the SCC which includes:
-
Poor choice of passwords. SCC will detect if you have not changed the default passwords in your Integration Server, but will not determine if you have selected poor quality passwords.
-
Inappropriate operating system protection of Software AG software or other files that might allow an attacker to compromise the system without going through the Integration Server.
-
Incorrectly configured adapters.
Examples of things that are beyond the scope of the SCC are:
-
Vulnerabilities in other products running on the same computer which could be exploited, thus giving an attacker a method for undermining the Integration Server without attacking it directly
-
Security flaws in the underlying operating system or JVM including poor choices of passwords, improper operating system configuration, etc.
-
An operating system or JVM that does not have the latest patches installed from the vendor.
-
Inappropriate accessibility of the Integration Server from the Internet (e.g., a method of accessing the Integration Server that bypasses any firewalls or filtering routers in place).
-
Physical, personnel, or other non-technical security.
1.3.Feedback
Please drop an email to security@softwareag.com to request for the license file, to report bugs or provide suggestions.
2. Find out more
SCC.zip (10.2 MB)