Bitrix Software Security: Bitrix Intranet Portal and Bitrix Site Manager
Site. Portal. Image. Reputation. Your web site is part of the corporate infrastructure. More than 50% of attacks are carried out through the web. Corporate site hacks damage the reputation and image of a company. What is more, the loss of data and client information leads to direct material losses. The more solid and famous the name and products of a company, the greater the risks and losses a corporate site hack can cause. Which to choose?
Security at All Stages
Security policy – a set of rules restricting user authorization in order to ensure a certain level of security
Unified authorization system – all permissions in the system are distributed among user groups only
Unified user account for all modules
Two-level system of access permission distribution
Independence of the access control system from page business logic
Strong password rules
Stored authorization
Site update system
System event log
My Site is My Castle. During the development of the Bitrix Site Manager software, particular attention is paid to security at all stages of development and testing.
New Approach to Security
Highlights:
Security Panel with security levels
Web Application FireWall
One-time Password Technology (OTP)
Authorized Sessions Protection
Activity Control
Intrusion Log
IP-based Control Panel pages
Stop Lists
Script Integrity Monitor
Phishing Protection
Proactive Protection is the latest security technology, combining technical and organizational measures that make it possible to counter malicious programs that have been modified and those that are still unknown. Armed Castle
Security Panel with Security Levels. With the Proactive Protection module, you can significantly improve the security of your site. You only need to select and configure one of the module's security levels.
Security Levels:
Basic – assigned to all web projects running without the Proactive Protection module
Standard:
Web Application Firewall (for the entire site)
Weekly Intrusion log
Activity Control
High security level for Administrators
CAPTCHA protected registration procedure
Error logging (errors only)
High – Standard plus:
Kernel module event logging
Control Panel protection
Storing sessions in the database
Session ID change
Highest – High plus:
One-time password technology
Control script integrity verification
Web Application Firewall (Proactive Filter). The Proactive Filter is the most effective way to protect sites against possible security defects in the web project implementation (XSS, SQL injection, PHP file inclusion, and others).
Protection against most known Web attacks
Application screening from the most persistent attacks
Filter exclusion list (with wildcards)
Recognition of most dangerous threats
Blocking of site intrusions
Protecting from possible security errors
Keeping of attacks log
Informing the administrator of invasions
Configuring options of the firewall reaction to intrusion attempts:
Make data safe
Wipe unsafe data
Temporarily add attackers' IP addresses to the stop list
One-time Password Technology (OTP). The concept of one-time passwords extends the standard authorization scheme and significantly reinforces web project security. The one-time password system requires a physical hardware token (e.g., Aladdin eToken PASS) or special OTP software. What does OTP give you? Confidence that only the user to whom a token was issued can log in to the site. Password interception becomes meaningless, because a password* can be used only once. A token is a physical hardware device that generates a unique password only when its button is pressed. This means that a token owner cannot tell the password to a third party to let them log in as well. * the password = your password + unique numerical combination
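The scheme above (submitted password = static password + one-time code, each code usable once) as an added example in Python; this is not Bitrix code, and the token seed, password and look-ahead window are constructed for the demo. The code generator follows RFC 4226 HOTP, which is one common way a button-press token produces its codes (the page does not name the algorithm eToken PASS uses).

```python
import hashlib
import hmac
import struct

# Constructed values for the demo; a real deployment provisions a seed per token.
TOKEN_SEED = b"constructed-demo-seed-0123456789"
STATIC_PASSWORD_HASH = hashlib.sha256(b"correct horse").hexdigest()
LOOKAHEAD = 5  # unused button presses the server tolerates before resync is needed


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpAccount:
    """Server-side state for one user: static password hash plus token counter."""

    def __init__(self, seed: bytes, password_hash: str) -> None:
        self.seed = seed
        self.password_hash = password_hash
        self.counter = 0  # next counter value the server expects from the token

    def login(self, submitted: str) -> bool:
        # The submitted value is the static password followed by the 6-digit code.
        if len(submitted) <= 6:
            return False
        static, code = submitted[:-6], submitted[-6:]
        digest = hashlib.sha256(static.encode()).hexdigest()
        if not hmac.compare_digest(digest, self.password_hash):
            return False
        # Accept a code only inside the look-ahead window, then advance past it:
        # an intercepted code can never be replayed.
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1
                return True
        return False
```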
Authorized Session Protection. Most web attacks aim to steal the authorized user's session data. Enabling Authorized Session Protection makes session hijacking pointless.
Session protection methods:
Limited session lifetime (minutes)
Recurring session ID change (regeneration)
Network mask to associate a session with a specific IP
Storing session data in the module database
Eliminates the effect of errors in:
Virtual hosting and OS configuration
Temporary folder permission settings
And more…
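The three session protection methods above (lifetime in minutes, recurring ID change, network-mask binding) in one small server-side session store, as an added example; it is not Bitrix code, and the lifetime, rotation interval, mask and IP addresses are constructed for the demo.

```python
import ipaddress
import secrets
import time

SESSION_LIFETIME_MIN = 30       # "Limited session lifetime (minutes)"
ROTATE_AFTER_REQUESTS = 20      # regenerate the session ID every N requests
BIND_MASK = "255.255.255.0"     # bind a session to the /24 of the login IP


def _network(ip: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


class SessionStore:
    """Sessions keyed by ID; in the product this would live in the module database.
    `now` is injectable so expiry can be tested without waiting."""

    def __init__(self, now=time.time) -> None:
        self.now = now
        self.sessions = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {
            "user": user, "network": _network(client_ip, BIND_MASK),
            "expires": self.now() + SESSION_LIFETIME_MIN * 60, "requests": 0}
        return sid

    def validate(self, sid: str, client_ip: str):
        """Return (user, sid_to_use) or None when the session must be rejected."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() > s["expires"]:
            del self.sessions[sid]            # lifetime exceeded
            return None
        if ipaddress.IPv4Address(client_ip) not in s["network"]:
            return None                       # ID presented from another network: refuse it
        s["requests"] += 1
        if s["requests"] % ROTATE_AFTER_REQUESTS == 0:
            new_sid = secrets.token_hex(16)   # move to a fresh ID; the old one stops working
            self.sessions[new_sid] = self.sessions.pop(sid)
            return s["user"], new_sid
        return s["user"], sid
```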
Activity Control
Protection from excessively active users
Protection from bots
Protection from DDoS-attacks
Preventing password brute force attempts
Setting the maximum possible visitor (human) activity quota
Registering an excess of activity rate in the intrusion log
Blocking visitors exceeding the activity quota
Showing a special information page to a blocked visitor
You can set maximum user activity for your site (for example, number of queries per second).
Intrusion Log. All events occurring in the system, including unusual or malicious ones, are logged. You can view log entries immediately after they are generated. The log is updated in real time, so you can view events as soon as they have been registered. This feature enables you to discover attacks and intrusion attempts while they occur, so you can respond immediately and even prevent attacks.
Immediate registration of all system events
Filter for malicious events
Real-time viewing and analyzing of events
Immediate reaction to malicious events
IP-based Control Panel Pages. This type of protection strictly limits the networks from which users are allowed to access the Control Panel. All you have to do is specify the permitted IP addresses (or a range). No need to worry about forgetting to add yourself to this list: the system checks your IP automatically. What effect does this protection produce? Any XSS/CSS attack becomes ineffective, and interception of authorization data becomes absolutely useless.
Stop Lists. The stop list contains parameters used to restrict access to a site and, optionally, redirect to a specified page. Any visitor matching the stop list criteria (e.g. an IP address) will be blocked.
Redirects visitors matching the stop list entries
Blocks visitors by their IP addresses
Manages stop list entries
Collects the statistics on visitors matching the stop list criteria
Allows you to specify the ban duration for users, IP addresses, network masks, User-Agent strings, and referrer links
Shows a customizable message to a blocked visitor.
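Activity Control and the stop list work together: a visitor who exceeds the activity quota is written to the intrusion log, put on the stop list for a set duration, and shown the special page. The added Python example below models that chain (it also covers the firewall's "temporarily add attackers' IP addresses to the stop list" reaction); it is not Bitrix code, and the quota, window, ban length and addresses are constructed for the demo.

```python
import time
from collections import defaultdict, deque

MAX_REQUESTS = 30    # activity quota: requests allowed per window
WINDOW_SEC = 10      # length of the sliding window in seconds
BAN_MINUTES = 15     # how long an offender stays on the stop list
BLOCK_PAGE = "Your activity exceeded the allowed limit; please try again later."


class ActivityControl:
    """Per-IP sliding-window rate limit feeding a time-limited stop list.
    `now` is injectable so the ban expiry can be tested without waiting."""

    def __init__(self, now=time.time) -> None:
        self.now = now
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.stop_list = {}              # ip -> time the ban expires
        self.intrusion_log = []          # (time, ip, description)

    def _on_stop_list(self, ip: str) -> bool:
        expiry = self.stop_list.get(ip)
        if expiry is None:
            return False
        if self.now() >= expiry:
            del self.stop_list[ip]       # ban duration elapsed; visitor may return
            return False
        return True

    def check(self, ip: str) -> tuple:
        """Return (allowed, body); a blocked visitor receives the special page."""
        t = self.now()
        if self._on_stop_list(ip):
            return False, BLOCK_PAGE
        q = self.hits[ip]
        q.append(t)
        while q and q[0] <= t - WINDOW_SEC:
            q.popleft()                  # forget requests outside the window
        if len(q) > MAX_REQUESTS:
            self.stop_list[ip] = t + BAN_MINUTES * 60
            self.intrusion_log.append(
                (t, ip, f"activity quota exceeded: {len(q)} requests in {WINDOW_SEC}s"))
            q.clear()
            return False, BLOCK_PAGE
        return True, ""
```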
Script Integrity Monitor
File integrity control
Verification of the file integrity control script
Tracks file system changes
Verifies kernel integrity
Verifies system area integrity
Verifies public files integrity
Verifies the file integrity control script for changes
Protects the script using the keyword and password pair
Phishing Protection. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Two methods exist to prevent redirect phishing:
Detect malicious redirects by the absence of the referring page (Referer) in the HTTP header
Sign links with a digital signature and verify them upon redirect attempt
The following can be used as protection:
Show a redirection warning to a visitor
Unconditionally redirect visitors to a known safe site
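Both detection methods and both reactions from the two lists above, as an added Python example of a site's redirect endpoint; this is not Bitrix code, and the signing key, site host name, safe-site URL and the `/redirect?goto=...&sig=...` link shape are assumptions made for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-site-secret"      # per-site secret (constructed)
SITE_HOST = "www.example.com"                 # host of our own pages (constructed)
SAFE_SITE = "https://www.example.com/"        # the "known safe site" fallback


def _signature(target: str) -> str:
    return hmac.new(SIGNING_KEY, target.encode(), hashlib.sha256).hexdigest()


def sign_redirect(target: str) -> str:
    """Build /redirect?goto=<target>&sig=<hmac> for links the site itself emits."""
    return "/redirect?" + urlencode({"goto": target, "sig": _signature(target)})


def handle_redirect(request_url: str, referer: str = "", policy: str = "warn") -> dict:
    """Decide what the redirect endpoint does for one request.
    policy="warn" shows the redirection warning; policy="safe" sends the visitor
    to SAFE_SITE instead. Returns {"action": "redirect"|"warn", "location": ...}."""
    params = parse_qs(urlsplit(request_url).query)
    target = params.get("goto", [""])[0]
    sig = params.get("sig", [""])[0]
    # Method 2: a valid signature proves this site generated the link, so the
    # target has not been swapped for a phishing page.
    if sig and hmac.compare_digest(sig, _signature(target)):
        return {"action": "redirect", "location": target}
    # Method 1: a link clicked on one of our own pages arrives with our Referer;
    # a link pasted into an e-mail or message arrives with none.
    if referer and urlsplit(referer).hostname == SITE_HOST:
        return {"action": "redirect", "location": target}
    # Suspicious redirect: either warn the visitor or force the safe site.
    if policy == "safe":
        return {"action": "redirect", "location": SAFE_SITE}
    return {"action": "warn", "location": target}
```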
Under Development
In the nearest future:
Transmission channel encryption using SSL
Recommendations on configuration
Update monitor
Permanent Updates Audit. Bitrix has signed an agreement for permanent update security audits with Positive Technologies. Each time a new set of updates is released through the SiteUpdate system, Positive Technologies carries out a detailed security review. Thanks to this work, the level of product security is always high.
The Proactive Protection module is included in all the Bitrix Software:
Bitrix Site Manager (except for the Start Edition)
Bitrix Intranet Portal
Have a question? E-mail to: [email_address]
Download the Free 30-Day Trial: http://www.bitrixsoft.com/products/cms/
Test Online: http://www.bitrixsoft.com/products/cms/
Contact Information
USA Toll Free Number (US only): +1-888-5BITRIX (+1-888-524-8749)
Telephone Number: +1.703.740.8301
Postal address: 901 N. Pitt St, Suite 325, Alexandria, VA 22314
Sales Department: [email_address]; [email_address]
Web Site: http://www.bitrixsoft.com
Web Application Firewall protects the system from most known web attacks. The filter recognizes dangerous threats in incoming requests and blocks intrusions. Proactive Filter is the most effective way to guard against possible security defects in the web project implementation (XSS, SQL injection, PHP file inclusion, etc.). The filter analyzes all data received from visitors in variables and cookies.