Re: [Zope] Important Security Concerns
On Tue, Sep 12, 2000 at 08:31:52AM -0400, Coleman, Bryan wrote:
> That would cause another whole set of problems, unless apache is inherently
> more secure than Medusa. I was really wondering what the risks are
> associated with those two options.

I think Zope behind apache is more secure than zope behind medusa, because of:

1. Finer grained control on access. One can add lines like the following:

   RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.(.*)
   RewriteRule ^/Zope.*manage - [F]

   Which would mean that only users from 10.0.0.* can access management
   interfaces.

2. Wider usage of apache (a lot more security auditing). This is heavily IMHO.

> > > Option A: Poke a hole through our firewall on the primary http port or on
> > > port 8080 to allow Zope pages through and then require authentication on the
> > > first page.
> > >
> > > Option B: Set up a DMZ off the firewall to allow the same as the above.

I assume that you would firewall the DMZ as well. With a setup which allows
maintenance to the ftp/ssh/whatever ports from your lan and only http traffic
from elsewhere, this would be slightly more secure than having the server on
your lan. Whether it is worth it depends on how much you trust the potential
users, and how much time you can spend coping with the extra maintenance load
of the DMZ. Assuming you don't already have a DMZ...

If you have a limited set of extranet users, you can tighten up by restricting
access at the firewall to only the IP address ranges of your clients.

--
Riku Voipio [EMAIL PROTECTED] 09-862 60764

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
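As an added example for this thread (not from the message above or from the Zope project), the following Apache 1.3-era virtual host combines the two ideas raised so far: Phil Harris's suggestion to proxy Zope through Apache on port 80, and the mod_rewrite rule above that hides the management screens from anyone outside the LAN. It assumes that Zope's own HTTP server listens on 127.0.0.1:8080 only, that the trusted LAN is 10.0.0.0/24, that Zope is published at the root of the site rather than under /Zope (so the path pattern is not prefixed), and that mod_rewrite and mod_proxy are both loaded. The host name is a placeholder.

```apache
# Added example, not from the original post or from Zope.
# Assumptions: Zope listens on 127.0.0.1:8080 only, the trusted LAN is
# 10.0.0.0/24, Zope is published at the site root, mod_rewrite and
# mod_proxy are available.
<VirtualHost *:80>
    ServerName www.example.com

    # Never act as an open forwarding proxy; we only reverse-proxy below.
    ProxyRequests Off

    RewriteEngine On

    # 1. Deny Zope management screens to anyone outside the LAN.
    #    Zope's management methods are named manage_*, so any path that
    #    contains "manage" is refused with 403 unless the TCP peer is in
    #    10.0.0.0/24. Overmatching (e.g. /management/report) errs on the
    #    safe side; narrow the pattern if that hurts.
    #    This rule MUST come before the proxy rule: [P] implies [L], so a
    #    request that is proxied first would never reach this check.
    RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.
    RewriteRule ^/.*manage - [F]

    # 2. Everything else goes to Zope on the loopback interface.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P]
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two checks before relying on this: the [F] rule only helps if port 8080 is not reachable from outside, i.e. Zope is bound to the loopback address and/or the firewall blocks 8080 (Option A's "poke a hole on port 8080" would bypass Apache entirely), and the match is on REMOTE_ADDR of the TCP connection, so nothing in the request headers can spoof it, but Zope in turn sees every request arriving from 127.0.0.1 and can no longer make IP-based decisions itself. Zope also has to be told the public host name for the URLs it generates (its virtual-hosting support), which is outside this example. Finally, "require authentication on the first page" over plain HTTP means Basic-auth credentials cross the network in the clear; with Apache in front, terminating SSL there is the natural place to fix that.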
RE: [Zope] Important Security Concerns
Since I do this type of thing for a living, I can tell you the best answer is
Option B. If your company is that security paranoid, a DMZ is always a better
idea than poking holes in end-to-end connections in the firewall.

On 12-Sep-2000 Coleman, Bryan wrote:
> I almost have my company convinced that Zope is the technology to use for
> our Intranet/Extranet. However they are very concerned with security. I have
> proposed two security schemes that I would like zope community feedback on
> for potential holes.
>
> Option A: Poke a hole through our firewall on the primary http port or on
> port 8080 to allow Zope pages through and then require authentication on the
> first page.
>
> Option B: Set up a DMZ off the firewall to allow the same as the above.
>
> Any feedback would be welcome.

--
M. Adam Kendall       | Got Linux?
Internetworking &     | We do.
Security Architect    |
[EMAIL PROTECTED]     | http://www.devis.com
RE: [Zope] Important Security Concerns
I know not much about security because I don't have to worry about it, but
out of your talk, it seems that your company finds apache secure. Then why
don't you just run Zope behind Apache with FASTCGI, or something else?

Sorry if I'm completely missing the point of your problem.

Regards,
Tom.

At 08:31 12/09/2000 -0400, you wrote:
> That would cause another whole set of problems, unless apache is inherently
> more secure than Medusa. I was really wondering what the risks are
> associated with those two options.
>
> - Bryan Patrick Coleman
>   Questcon Technologies
>   (336)273-2428 ext-416
>   [EMAIL PROTECTED]
>
>> -Original Message-
>> From: Phil Harris [SMTP:[EMAIL PROTECTED]]
>> Sent: Tuesday, September 12, 2000 5:15 AM
>> To: Coleman, Bryan; [EMAIL PROTECTED]
>> Subject: Re: [Zope] Important Security Concerns
>>
>> Another option might be to proxy the Zope server through Apache on port
>> 80.
>>
>> - Original Message -
>> From: "Coleman, Bryan" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Tuesday, September 12, 2000 12:43 PM
>> Subject: [Zope] Important Security Concerns
>>
>> > I almost have my company convinced that Zope is the technology to use for
>> > our Intranet/Extranet. However they are very concerned with security. I have
>> > proposed two security schemes that I would like zope community feedback on
>> > for potential holes.
>> >
>> > Option A: Poke a hole through our firewall on the primary http port or on
>> > port 8080 to allow Zope pages through and then require authentication on the
>> > first page.
>> >
>> > Option B: Set up a DMZ off the firewall to allow the same as the above.
>> >
>> > Any feedback would be welcome.
>> >
>> > - Bryan Patrick Coleman
>> >   Questcon Technologies
>> >   (336)273-2428 ext-416
>> >   [EMAIL PROTECTED]
RE: [Zope] Important Security Concerns
That would cause another whole set of problems, unless apache is inherently
more secure than Medusa. I was really wondering what the risks are
associated with those two options.

- Bryan Patrick Coleman
  Questcon Technologies
  (336)273-2428 ext-416
  [EMAIL PROTECTED]

> -Original Message-
> From: Phil Harris [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, September 12, 2000 5:15 AM
> To: Coleman, Bryan; [EMAIL PROTECTED]
> Subject: Re: [Zope] Important Security Concerns
>
> Another option might be to proxy the Zope server through Apache on port
> 80.
>
> - Original Message -
> From: "Coleman, Bryan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 12:43 PM
> Subject: [Zope] Important Security Concerns
>
> > I almost have my company convinced that Zope is the technology to use for
> > our Intranet/Extranet. However they are very concerned with security. I have
> > proposed two security schemes that I would like zope community feedback on
> > for potential holes.
> >
> > Option A: Poke a hole through our firewall on the primary http port or on
> > port 8080 to allow Zope pages through and then require authentication on the
> > first page.
> >
> > Option B: Set up a DMZ off the firewall to allow the same as the above.
> >
> > Any feedback would be welcome.
> >
> > - Bryan Patrick Coleman
> >   Questcon Technologies
> >   (336)273-2428 ext-416
> >   [EMAIL PROTECTED]
Re: [Zope] Important Security Concerns
Another option might be to proxy the Zope server through Apache on port 80.

- Original Message -
From: "Coleman, Bryan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 12:43 PM
Subject: [Zope] Important Security Concerns

> I almost have my company convinced that Zope is the technology to use for
> our Intranet/Extranet. However they are very concerned with security. I have
> proposed two security schemes that I would like zope community feedback on
> for potential holes.
>
> Option A: Poke a hole through our firewall on the primary http port or on
> port 8080 to allow Zope pages through and then require authentication on the
> first page.
>
> Option B: Set up a DMZ off the firewall to allow the same as the above.
>
> Any feedback would be welcome.
>
> - Bryan Patrick Coleman
>   Questcon Technologies
>   (336)273-2428 ext-416
>   [EMAIL PROTECTED]
[Zope] Important Security Concerns
I almost have my company convinced that Zope is the technology to use for
our Intranet/Extranet. However they are very concerned with security. I have
proposed two security schemes that I would like zope community feedback on
for potential holes.

Option A: Poke a hole through our firewall on the primary http port or on
port 8080 to allow Zope pages through and then require authentication on the
first page.

Option B: Set up a DMZ off the firewall to allow the same as the above.

Any feedback would be welcome.

- Bryan Patrick Coleman
  Questcon Technologies
  (336)273-2428 ext-416
  [EMAIL PROTECTED]