Contact Us 1-800-596-4880

Hardening your Mule Installation

This version of Mule reached its End of Life on May 2, 2023, when Extended Support ended.

Deployments of new applications to CloudHub that use this version of Mule are no longer allowed. Only in-place updates to applications are permitted.

MuleSoft recommends that you upgrade to the latest version of Mule 4 that is in Standard Support so that your applications run with the latest fixes and security enhancements.

As distinct from Security, hardening refers to the steps one must perform in order to bring an application from development into production. These are elaborate procedures one must go through in order to deploy something in the IT space after you complete the development cycle.

Normally, an IT organization already has control of keeping open ports to a minimum, restricting access to administrative applications, minimizing the number of applications, and other measures to ensure quality. We recommend using secure files to configure Mule, as well as using secure configuration files.

Hardening Checklist

To begin hardening a Mule installation that you are hosting on premises:

  • Run Mule as a non-privileged User.

  • Install Mule as a Service.

  • Configure Mule to write logs or temporary files within appropriate locations. Configure logs, passwords, and keystore files.

  • In some situations, you must configure usernames, passwords, and keystores on Mule. Usually, these settings are made available externally, so that DevOps can change these settings.

  • Manage certificates in a keystore file.

  • Use a separate property file to store usernames and passwords, and secure it using file system permissions.

For instructions specific to Runtime Fabric, see Hardening Mule Runtime on Runtime Fabric.

About Running Mule as a Non-Privileged User

On Linux and Unix, you can run Mule as any user with the following caveats:

  • You need write permissions to logs directory

  • Without root you cannot use ports below 1024

On Windows, you need to be in admin user’s group to run Mule.

Hardening in Layers

By its nature, you can situate Mule in a variety of configurations. The suggested approach to hardening involves hardening in layers beginning with the operating system, then working up the stack. The Center for Internet Security (CIS) publishes configuration benchmarks that are widely used in whole or in part as system hardening guides.

Commercial configuration management and integrity management tools can help you automate management to the CIS benchmarks. Also, Mule documentation includes a good deal of information on configuring security. If your application deals in sensitive data, consider using SSL Transport (HTTPS) to protect it.

On the network security side, security experts recommend using a good stateful inspection network firewall with a default-deny rule set and exceptions only for justified business needs. Also, any internet facing server belongs in a DMZ with strong default-deny egress rules on the firewall to prevent data exfiltration. Furthermore, you can use a network IDS/IPS to monitor and prevent known attacks. Putting the database on an internal network - not the DMZ - also helps to harden your installation.

Be sure your software developers are familiar with secure web application coding techniques. At the very least, they should be familiar with best practices to avoid common web app pitfalls, such as those listed in OWASP’s top 10 Project.

See Also