Re: [Zope] Important Security Concerns

2000-09-12 Thread Phil Harris

Another option might be to proxy the Zope server through Apache on port 80.


- Original Message -
From: "Coleman, Bryan" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 12, 2000 12:43 PM
Subject: [Zope] Important Security Concerns


> I almost have my company convinced that Zope is the technology to use for
> our Intranet/Extranet. However, they are very concerned with security. I have
> proposed two security schemes that I would like Zope community feedback on
> for potential holes.

> Option A: Poke a hole through our firewall on the primary HTTP port or on
> port 8080 to allow Zope pages through and then require authentication on the
> first page.
>
> Option B: Set up a DMZ off the firewall to allow the same as the above.
>
> Any feedback would be welcome.
>
> - Bryan Patrick Coleman
>   Questcon Technologies
>   (336)273-2428 ext-416
>   [EMAIL PROTECTED]




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope] Important Security Concerns

2000-09-12 Thread Coleman, Bryan

That would cause another whole set of problems, unless Apache is inherently
more secure than Medusa. I was really wondering what the risks are
associated with those two options.

- Bryan Patrick Coleman
  Questcon Technologies
  (336)273-2428 ext-416
  [EMAIL PROTECTED]

> -Original Message-
> From: Phil Harris [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, September 12, 2000 5:15 AM
> To:   Coleman, Bryan; [EMAIL PROTECTED]
> Subject:  Re: [Zope] Important Security Concerns
>
> Another option might be to proxy the Zope server through Apache on port
> 80.
>
>
> - Original Message -
> From: "Coleman, Bryan" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, September 12, 2000 12:43 PM
> Subject: [Zope] Important Security Concerns
>
>
> > I almost have my company convinced that Zope is the technology to use for
> > our Intranet/Extranet. However, they are very concerned with security. I have
> > proposed two security schemes that I would like Zope community feedback on
> > for potential holes.
> >
> > Option A: Poke a hole through our firewall on the primary HTTP port or on
> > port 8080 to allow Zope pages through and then require authentication on the
> > first page.
> >
> > Option B: Set up a DMZ off the firewall to allow the same as the above.
> >
> > Any feedback would be welcome.
> >
> > - Bryan Patrick Coleman
> >   Questcon Technologies
> >   (336)273-2428 ext-416
> >   [EMAIL PROTECTED]





RE: [Zope] Important Security Concerns

2000-09-12 Thread Tom Deprez

I don't know much about security because I don't have to worry about it, but
from what you say, it seems that your company finds Apache secure. Then why
don't you just run Zope behind Apache with FastCGI, or something else?

Sorry if I'm completely missing the point of your problem.

Regards, Tom.

At 08:31 12/09/2000 -0400, you wrote:
> That would cause another whole set of problems, unless Apache is inherently
> more secure than Medusa. I was really wondering what the risks are
> associated with those two options.
>
> - Bryan Patrick Coleman
>   Questcon Technologies
>   (336)273-2428 ext-416
>   [EMAIL PROTECTED]
>
> > -Original Message-
> > From: Phil Harris [SMTP:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 12, 2000 5:15 AM
> > To:   Coleman, Bryan; [EMAIL PROTECTED]
> > Subject: Re: [Zope] Important Security Concerns
> >
> > Another option might be to proxy the Zope server through Apache on port
> > 80.
> >
> >
> > - Original Message -
> > From: "Coleman, Bryan" [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Tuesday, September 12, 2000 12:43 PM
> > Subject: [Zope] Important Security Concerns
> >
> >
> > > I almost have my company convinced that Zope is the technology to use for
> > > our Intranet/Extranet. However, they are very concerned with security. I have
> > > proposed two security schemes that I would like Zope community feedback on
> > > for potential holes.
> > >
> > > Option A: Poke a hole through our firewall on the primary HTTP port or on
> > > port 8080 to allow Zope pages through and then require authentication on the
> > > first page.
> > >
> > > Option B: Set up a DMZ off the firewall to allow the same as the above.
> > >
> > > Any feedback would be welcome.
> > >
> > > - Bryan Patrick Coleman
> > >   Questcon Technologies
> > >   (336)273-2428 ext-416
> > >   [EMAIL PROTECTED]








RE: [Zope] Important Security Concerns

2000-09-12 Thread M. Adam Kendall

Since I do this type of thing for a living, I can tell
you the best answer is Option B.  If your company is that
security paranoid, a DMZ is always a better idea than
poking holes in end-to-end connections in the firewall.

On 12-Sep-2000 Coleman, Bryan wrote:
> I almost have my company convinced that Zope is the technology to use for
> our Intranet/Extranet. However, they are very concerned with security. I have
> proposed two security schemes that I would like Zope community feedback on
> for potential holes.
>
> Option A: Poke a hole through our firewall on the primary HTTP port or on
> port 8080 to allow Zope pages through and then require authentication on the
> first page.
>
> Option B: Set up a DMZ off the firewall to allow the same as the above.
>
> Any feedback would be welcome.

--
M. Adam Kendall       |   Got Linux?
Internetworking       |   We do.
Security Architect    |
[EMAIL PROTECTED]     |   http://www.devis.com






Re: [Zope] Important Security Concerns

2000-09-12 Thread Riku Voipio

On Tue, Sep 12, 2000 at 08:31:52AM -0400, Coleman, Bryan wrote:
> That would cause another whole set of problems, unless Apache is inherently
> more secure than Medusa. I was really wondering what the risks are
> associated with those two options.

I think Zope behind Apache is more secure than Zope behind Medusa,
because of:

1. Finer-grained control on access.

One can add lines like the following:

RewriteEngine On
# Forbid (HTTP 403) requests for Zope management URLs from any client
# whose address is not in 10.0.0.*
RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.(.*)
RewriteRule ^/Zope.*manage - [F]

Which would mean that only users from 10.0.0.* can
access management interfaces.

2. Wider usage of Apache (a lot more security auditing).

This is heavily IMHO.

> > Option A: Poke a hole through our firewall on the primary HTTP port or on
> > port 8080 to allow Zope pages through and then require authentication on the
> > first page.
> >
> > Option B: Set up a DMZ off the firewall to allow the same as the above.

I assume that you would firewall the DMZ as well. With a setup which
allows maintenance on the FTP/SSH/whatever ports from your LAN and
only HTTP traffic from elsewhere, this would be slightly more secure
than having the server on your LAN.

Whether it is worth it depends on how much you trust the potential users, and
how much time you have to cope with the extra maintenance load of the DMZ.
Assuming you don't already have a DMZ...

If you have a limited set of extranet users, you can tighten up by restricting
access at the firewall to only the IP address ranges of your clients.

-- 
Riku Voipio
[EMAIL PROTECTED]
09-862 60764
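Putting Phil's suggestion (proxy Zope through Apache on port 80) together with the management-interface rule in the message above, here is an added example of a complete Apache virtual host. It is not configuration from the original thread, from Zope or from any of the posters. It assumes ZServer (Medusa) is listening on 127.0.0.1:8080, that the trusted LAN is 10.0.0.0/24 as in the rule above, and the Apache 1.3/2.2-era mod_proxy, mod_rewrite and Order/Deny/Allow directives; the hostname is made up.

```apache
# Added example config, not from the thread. Assumptions: ZServer bound to
# 127.0.0.1:8080, trusted LAN 10.0.0.0/24, Apache 1.3/2.2 directive syntax.
<VirtualHost *:80>
    # Hypothetical hostname
    ServerName zope.example.com

    # 1. Policy is enforced in Apache before the request ever reaches Zope.
    #    Any request whose path ends in /manage or /manage_<something> (the
    #    Zope management interface) is answered with 403 unless the client
    #    address is on the trusted LAN.
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.[0-9]+$
    RewriteRule (^|/)manage(_[A-Za-z0-9_]+)?$ - [F]

    # 2. The same restriction expressed with mod_access, so it still holds
    #    if someone later turns off mod_rewrite. "/manage" is a regex match
    #    anywhere in the path, so it also blocks e.g. /management-team from
    #    outside the LAN; that errs on the fail-closed side.
    <LocationMatch "/manage">
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/255.255.255.0
    </LocationMatch>

    # 3. Everything else is reverse-proxied to Zope on the loopback port, so
    #    port 8080 is never opened on the firewall. ProxyRequests Off keeps
    #    Apache from also acting as an open forward proxy for the Internet.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two checks worth doing after deploying this. From a host outside 10.0.0.0/24, a request for /manage_main should come back 403 while / comes back 200; if it does not, the [F] rule is not running before ProxyPass. Second, confirm that port 8080 is not reachable from outside at all (a direct connection attempt from a non-LAN host): the Apache rules are only as good as the guarantee that nobody can talk to ZServer directly, so bind it to 127.0.0.1 or filter 8080 at the host firewall. Two caveats: REMOTE_ADDR is the TCP peer, so if a load balancer or another proxy sits in front of Apache every client will appear to come from that box and the IP check stops meaning anything; and this rule is an extra layer in front of Zope's own authentication, not a replacement for it. On Apache 2.4 the Order/Deny/Allow lines become `Require ip 10.0.0.0/24`.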





