Contact Us 1-800-596-4880

Hardening your Mule Installation

As distinct from Security, hardening refers to the steps one must perform in order to bring an application from development into production. These are elaborate procedures one must go through in order to deploy something in the IT space after you complete the development cycle.

Normally, an IT organization already has control of keeping open ports to a minimum, restricting access to administrative applications, minimizing the number of applications, and other measures to ensure quality. We recommend using secure files to configure Mule, as well as using secure configuration files.

Hardening Checklist

To begin hardening the Mule installation itself, see a simple list of steps:

  • Run Mule as a Non-privileged User

  • Install Mule as a Service

  • Make sure to configure Mule to write logs or temporary files within appropriate locations. Configure logs, passwords, and keystore files

  • In some situations, you need to configure usernames, passwords, and keystores on Mule. Usually, these settings are made available externally, so that dev/ops can change these settings.

  • Manage certificates in a keystore file

  • Use a separate property file to store usernames and passwords and secure it using file system permissions

  • If you using Mule 3.9.3 or earlier and you are not using Mule Management Console (MMC), which reached its end of life in 2019, disable the MMC agent by adding mule.agent.enabled=false to wrapper.conf.

About Running Mule as a Non-Privileged User

On XinX, you can run Mule as any user with the following caveats:

  • You need write permissions to logs directory

  • Without root you cannot use ports below 1024

On Windows, you need to be in admin user’s group to run Mule.

Hardening in Layers

By its nature, you can situate Mule in a variety of configurations. The suggested approach to hardening involves hardening in layers beginning with the operating system, then working up the stack. The Center for Internet Security (CIS) publishes configuration benchmarks that are widely used in whole or in part as system hardening guides. Mule TCat Server also offers added security options.

Commercial configuration management and integrity management tools can help you automate management to the CIS benchmarks. Also, Mule documentation includes a good deal of information on configuring security. If your application deals in sensitive data, consider using SSL Transport (HTTPS) to protect it.

On the network security side, security experts recommend using a good stateful inspection network firewall with a default-deny rule set and exceptions only for justified business needs. Also, any internet facing server belongs in a DMZ with strong default-deny egress rules on the firewall to prevent data exfiltration. Furthermore, you can use a network IDS/IPS to monitor and prevent known attacks. Putting the database on an internal network - not the DMZ - also helps to harden your installation.

Be sure your software developers are familiar with secure web application coding techniques. At the very least, they should be familiar with best practices to avoid common web app pitfalls, such as those listed in OWASP’s top 10 Project.