Hi,

Just add a private IP address to the Mac/PC and reverse proxy to this address. No chance from the outside world to access it directly.

Greetings,
Peter

_____
From: Perkins, Bradley D [mailto:[email protected]]
To: Active4D Developer Discussion List [mailto:[email protected]]
Sent: Tue, 25 Feb 2014 22:48:19 +0100
Subject: Re: [Active4d-dev] 3 Tier Architecture?

Jason,

If you do proxy, one additional recommendation is to only allow Apache to proxy to Active4D. IIRC this was easy to do if you were running an NTK-based web server, but more difficult with 4D's built-in web server. That may have changed though. If 4D/Active4D is serving on port 8080 you don't want an end user to be able to go to http://mysite.com:8080/somepage.a4d. Ideally they'd like for your Web Server (Apache, nginx, etc) to be running on a different server than 4D/Active4D, but doubt very few people do that in practice.

- Brad Perkins

On 2/25/14 2:28 PM, "Mehboob Alam" <[email protected]> wrote:

> Jason,
>
> Apache proxying is very easy. Let me know if you need some hints.
>
> For intrusion testing, try playing with Snort
> http://en.wikipedia.org/wiki/Snort_(software)
>
> On Tue, Feb 25, 2014 at 4:20 PM, Jason Hect <[email protected]> wrote:
>
>> Last year we had a large customer (a bank) perform a security audit. They have come back with their list of recommendations. Most deal with documenting our processes, which is fine, several have to do with separation of duties, which will be awkward at best (I'm the only developer), and then there are these two points that deal directly with our website. On the website, the bank's customers can request supplies, and we collect their shipping address and account number used for payment.
>>
>> ----------------------------------------------------------------------------
>>
>> The website is hosted on server side and is not designed with a 3 tier architecture, separating the web presentation, business logic and database layers onto separate servers and network zones.
>> Remediation Plan: Implement 3 tier architecture, separating the web presentation, business logic and database layers onto separate servers and network zones.
>>
>> No penetration and vulnerability tests are conducted against the website used for processing JPMC confidential data.
>> Remediation Plan: Perform penetration tests for the website and remediate any issues found.
>>
>> ----------------------------------------------------------------------------
>>
>> For the first point, how would that work, or is it even possible with an Active4D / 4D hosted website? I'm thinking this means hosting the website with Apache (or similar) and proxying the requests as needed back to 4D. I've glossed over those posts in the past, as I wasn't interested in adding the complexity. If that's the route I need to go, I'll start doing some more searching, but a high level, "this is how it would work" is what I need now.
>>
>> For the second point, any recommendations for penetration testing? I'd probably like to do something quick and dirty and cheap/free now, just to see if there are any glaring issues, and then pay for a more robust test later to satisfy the customer?
>>
>> Thanks,
>> Jason
>> _______________________________________________
>> Active4D-dev mailing list
>> [email protected]
>> http://list.aparajitaworld.com/listinfo/active4d-dev
>> Archives: http://active4d-nabble.aparajitaworld.com/
>
> --
> m|a
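One way to put the setup Peter and Brad describe into configuration, as an added example that is not code from the thread, from Active4D or from 4D: Apache 2.4 is the only public listener and proxies a fixed loopback backend. It assumes 4D's built-in web server has been bound to 127.0.0.1:8080 (Peter's "private address"); the hostname mysite.com is taken from Brad's mail, and the certificate paths are placeholders.

```apache
# Added example, not from the thread. Assumes 4D/Active4D listens only on
# 127.0.0.1:8080, so nothing off-host can reach it directly.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so
LoadModule ssl_module         modules/mod_ssl.so

Listen 80
Listen 443

# Reverse proxy only. Without this, mod_proxy can be abused as an open
# forward proxy by anyone who can reach port 80/443.
ProxyRequests Off

# Plain HTTP: redirect to HTTPS, proxy nothing here.
<VirtualHost *:80>
    ServerName mysite.com
    Redirect permanent "/" "https://mysite.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName mysite.com
    SSLEngine on
    # Placeholder certificate paths; substitute the real files.
    SSLCertificateFile    "/etc/ssl/certs/mysite.crt"
    SSLCertificateKeyFile "/etc/ssl/private/mysite.key"

    # Keep the client's Host header and tell Active4D the original scheme,
    # so any absolute links it generates point back at Apache, not at :8080.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # The only backend Apache will ever talk to: 4D on the loopback address.
    # The target is fixed, so a client cannot pick another destination;
    # http://mysite.com:8080/somepage.a4d becomes https://mysite.com/somepage.a4d.
    ProxyPass        "/" "http://127.0.0.1:8080/" timeout=60
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>

# If 4D cannot be bound to loopback, additionally drop inbound 8080 that does
# not arrive on the loopback interface. Linux iptables shown; on macOS the
# equivalent is a pf rule. Run on the 4D host, not inside httpd.conf:
#   iptables -A INPUT -p tcp --dport 8080 ! -i lo -j DROP
```

Check the result from a host outside your network: a request to http://mysite.com:8080/ should be refused or time out while https://mysite.com/ still serves the Active4D pages.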
