Tomcat security

dokihara
New Contributor

In order to manage iOS devices outside the internal network, we must open up port 8443. This also means outside attackers could possibly attempt to break into the JSS admin console.

Either through a dictionary attack, or maybe a zero-day Tomcat vulnerability. Is there a way to still allow our enrolled devices to be managed, but somehow lock down just access to the Admin console via IP range?

I looked at some of the Tomcat configuration options, such as Remote Address Filter http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote%20Address%20Filter

Could this possibly be configured?
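One way the Remote Address Filter linked above could be applied, as an added example that is not part of this thread and not Jamf's documented configuration: a WEB-INF/web.xml fragment that restricts only a chosen URL pattern to an internal address range, leaving other paths reachable. The path /admin-console/* and the 10.x.x.x range are assumptions for illustration; the actual console paths would have to be confirmed against the deployed application before relying on this.

```xml
<!-- Added example (not from the thread). Goes inside <web-app> in WEB-INF/web.xml of the Tomcat 7 webapp.
     Unlike RemoteAddrValve (Engine/Host/Context scope), the filter can be mapped to specific URL patterns,
     so management endpoints on the same port stay open while the mapped path is IP-restricted. -->
<filter>
  <filter-name>AdminConsoleRemoteAddrFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <!-- "allow" is a java.util.regex expression matched against the full client IP (ServletRequest.getRemoteAddr()).
       Constructed range: loopback plus the 10.0.0.0/8 private block. Anything not matching is rejected. -->
  <init-param>
    <param-name>allow</param-name>
    <param-value>127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>AdminConsoleRemoteAddrFilter</filter-name>
  <!-- Placeholder: replace with the real admin console path(s); unmapped paths are unaffected -->
  <url-pattern>/admin-console/*</url-pattern>
</filter-mapping>
```

Caveat: the filter tests the address Tomcat sees, so if 8443 is reached through a reverse proxy or NAT device, every request will carry that device's address and the rule must be based on the original client address (Tomcat's RemoteIpFilter, placed before this one, exists for that), and the check should be verified from an external address after deployment.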


mm2270
Legendary Contributor III

Take a look here. I think this may do what you want:

https://jamfnation.jamfsoftware.com/article.html?id=174

dokihara
New Contributor

It does, as you can limit the 2nd JSS instance to just management (no admin) but would require me to have 2 JSS instances. If a solution could be found without 2 instances, such as via a Tomcat configuration, I would love to see if that's possible as well.

Thanks!

jarednichols
Honored Contributor

You may be able to kludge something together by putting a second NIC in your JSS and putting that NIC in the DMZ. Then you'd be able to use firewall rules to limit what ports traffic from that port could hit.

I'm just thinking out loud here and wouldn't really attempt it myself. You don't want your database anywhere near the outside world, IMHO.

There's a reason you'd set up this "micro-instance" on a box that is separate from your crown jewels.

dokihara
New Contributor

That is a good point Jared, but even for the DMZ, nothing is open to the JSS server except ports 8443, 2195, and 5223.

Any Tomcat configuration wizards? Otherwise I'll look at bringing up a 2nd JSS instance.

mm2270
Legendary Contributor III

I'd have to agree with Jared here. Following the KB article would be best practice for this if there is a concern about exposing your JSS to the outside. And it's not really 2 JSS instances, but really a Tomcat instance that acts like a traffic cop, routing external traffic to your internal server over the MySQL port. It doesn't have to be some full-blown server. A Mac mini or an Ubuntu VM or the like would generally suffice. Keeping them on separate boxes or instances provides better protection in the event that the DMZ server gets compromised in some manner.