Alfresco Security Best Practices 2014

14,743 views

Published on

Alfresco Security Best Practices given at Alfresco Summit 2014 (San Francisco and London)

Published in: Technology

1. Alfresco Security Best Practices
Toni de la Fuente
Principal Solutions Engineer
toni.delafuente@alfresco.com
@ToniBlyx – blyx.com #AlfrescoSecurity

2. “Sometimes, you have to demo a threat to spark a solution”
Barnaby Jack, 1977-2013

3. How to solve all your problems: UPGRADE!!

4. That’s all folks! THANKS

5. Agenda
• Demo
• Alfresco Security Policy
• Elements
• External Threats
• Vulnerabilities Assessment
• Network and Operating System
• Implementation Best Practices
• Architecture
• Mobile
• Compliance and Standards

6. The Guide
• Alfresco Security Best Practices Guide
• https://my.alfresco.com/share/s/85CnNsR0ROaSV0BwmKWncg

7. Alfresco Value Pillars
• User Adoption (SIMPLE/CONNECTED): integral support for mobile workers and external partners, interface built with the end user in mind vs. IT, seamlessly integrated with today’s most common productivity tools
• Security (CONTROLLED): enterprise-grade security, easy compliance policy definition and enforcement, fully compliant
• Open, Modern Architecture (SIMPLE/SMART/CONNECTED): enterprise-grade, hybrid, open-source, flexible architecture that meets today’s IT demands; open integration interface, ease of administration, allows the IT org to integrate with other LOB applications, support for open standards
• Content Encryption, Records Mgmt., MDM, Certification

8. Alfresco Security Policy
• Issues Discovery
• Security Notifications
• Severity Levels
  • High
  • Medium
  • Low
• Reporting a Security Issue to us
  • support@alfresco.com

9. Alfresco Security Components: Deployment
• People
• Process
• Alfresco application:
  • Patches, HF, Upgrades, Features
• JVM
• Operating System
• Firewall
• Network configuration
• Virtualization infrastructure
• Network infrastructure
• Physical infrastructure
• Physical security
• Facilities

10. AWS Shared Security Model, A Good Reference

11. Multiple External Threats 1
Discovery, gathering information and information leaks:
• Search tools
  • Google, Bing, Shodan
• Gathering info
  • FOCA, metagoofil, theharvester, maltego
• Manual discovery
  • Nmap, others
Protection:
• IDS
• Banner
• Filter access to resources
• Clean metadata

12. Multiple External Threats 2
Brute force user and password or dictionary attacks:
• Online tools
  • Hydra
  • Metasploit
Protection:
• IDS
• Password rotation
• Password strength policy
• Error login threshold
• Prevent DoS

13. Multiple External Threats 3
Man In the Middle Attacks and DDoS/DoS:
• Multiple ways
• Complex to protect
Viruses:
• Content
• All tiers
Protection:
• Architecture design
• Encryption
• Certificate strength
• Firewalls (network, host and application level)
• IDS/IPS
• AlfViral
• Corporate-Network solutions – ATP
• Monitoring

14. Source of Vulnerabilities
Public Sources:
• CVE-2014-0050: Apache Commons FileUpload
• CVE-2014-0125: Moodle
• Bugtraq ID 37578: Joomla
Internal Sources:
• *MNT-11793: SSRF, port scanning
• CVE-2014-2939: XSS
• MNT-10540: Share remote execution
• *MNT-10539: Xerces / POI

15. Hardening Network and Operating System

16. Network and Operating System
• Network
  • Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices.
• OS
  • RedHat, Ubuntu, Suse
  • Solaris
  • Windows Server
• File permissions
  • alfresco-global.properties
  • dir_root/contentstore
  • dir_root/solr
  • dir_root/lucene-indexes
• Minimum privileges
• Port redirect
17. Firewall: Inbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137, 138 | UDP | IN | Yes | |
| CIFS | 139, 445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin | 8005 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to admin Solr, the cert has to be installed in the browser. Otherwise take it into account in case of using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT |
| NFS | 111, 2049 | TCP/UDP | IN | No | This is the repository service NFS as VFS |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless it is necessary, do not open this port at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2 |
| OpenOffice/JODconverter | 8100 | TCP | IN | Yes | It works on localhost, do not open it at the firewall |
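The inbound table is most useful as a check, not just a list: several rows (Tomcat Admin, AJP, JMX RMI, JODconverter) are marked "do not open at the firewall", which in practice means they should only ever be bound to loopback. The following script is an added example, not part of the slides: it transcribes the table into two dictionaries and audits a constructed `ss -lntu` listing against them, reporting a localhost-only port bound to a routable address as "exposed" and any port the table does not mention as "unlisted" for a human to decide on.

```python
"""Compare a host's listening sockets with the 'Firewall: Inbound ports' table.

Added example, not part of the slides. The two dictionaries transcribe the
table; SAMPLE_SS is a constructed `ss -lntu` listing, not captured output.
"""
import re

# Ports the table says not to open at the firewall (localhost only).
LOCAL_ONLY = {
    8005: "Tomcat Admin",
    8009: "Tomcat AJP",
    8100: "OpenOffice/JODconverter",
}
LOCAL_ONLY.update({p: "RMI (JMX)" for p in range(50500, 50508)})

# (protocol, port) pairs the table lists as inbound services.
EXPECTED_INBOUND = {
    ("tcp", 8080): "HTTP (WebDAV included)", ("tcp", 21): "FTP",
    ("tcp", 25): "SMTP", ("udp", 137): "CIFS", ("udp", 138): "CIFS",
    ("tcp", 139): "CIFS", ("tcp", 445): "CIFS", ("tcp", 143): "IMAP",
    ("tcp", 993): "IMAP", ("tcp", 7070): "SharePoint Protocol",
    ("tcp", 8443): "SOLR Admin", ("tcp", 111): "NFS", ("udp", 111): "NFS",
    ("tcp", 2049): "NFS", ("udp", 2049): "NFS", ("tcp", 5701): "Hazelcast",
    ("tcp", 7800): "JGroups", ("tcp", 7801): "JGroups", ("tcp", 7802): "JGroups",
}

# Constructed sample of `ss -lntu` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
tcp   LISTEN 0      1      127.0.0.1:8005      0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:8009        0.0.0.0:*
tcp   LISTEN 0      100    *:50500             *:*
tcp   LISTEN 0      100    [::]:8100           [::]:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137         0.0.0.0:*
"""

SOCKET_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return (proto, bind_address, port) for each socket line in `ss` output."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            sockets.append((m.group(1), m.group(2), int(m.group(3))))
    return sockets


def audit_listeners(sockets):
    """Return findings as (port, kind, detail); loopback-bound sockets are fine."""
    findings = []
    for proto, addr, port in sockets:
        if addr in LOOPBACK:
            continue  # reachable only from the host itself, as the table wants
        if port in LOCAL_ONLY:
            findings.append((port, "exposed", LOCAL_ONLY[port]))
        elif (proto, port) not in EXPECTED_INBOUND:
            findings.append((port, "unlisted", proto))
    return findings


if __name__ == "__main__":
    for port, kind, detail in audit_listeners(parse_ss(SAMPLE_SS)):
        print(f"{kind:8} {port:>6}  {detail}")
```

Run it on a real host by piping `ss -lntu` into `parse_ss`; in the sample, 8005 passes because it is bound to 127.0.0.1, while 8009, 8100 and 50500 are flagged because they listen on every interface, and 22 is reported as unlisted because the table simply does not cover SSH.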
18. Firewall: Outbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
| DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB |
| DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB |
| DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB |
| DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB |
| DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB |
| LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes |
| Remote storage NFS | 111, 2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore |
| Remote storage CIFS | 137, 138 / 139, 145 | UDP / TCP | OUT | No | If a remote CIFS drive is used as contentstore |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore |
| Alfresco Transformation Server | 80, 443 or 8080, 8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using the Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |
| Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using the Alfresco Publishing Framework or Site blog publishing |
19. Alfresco Implementation Best Practices

20. Best Practices 1
• Stay current
  • Service Packs, HF
• Never run as root
• Switch to SSL
  • HTTPS (Share, WebDAV, API, etc.)
  • App Server, Web Server, Appliance
  • SharePoint Protocol
  • IMAPS
  • SMTP Inbound TLS
  • SMTP Outbound TLS
  • FTPS
  • LDAPS connection
  • Consider Hazelcast or JGroups / DB Connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials
21. Best Practices 2
• Audit
  • Enable it if needed
  • Easy to query audit records with curl
  • Easier in RM
• Alfresco Support Tools
  • Get to know connected users besides other tools
• Get to know how to reset the admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
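The audit records the slide says are easy to pull with curl are also the place to implement the "error login threshold" protection listed on the brute force slide (Multiple External Threats 2). The script below is an added example, not from the slides or from Alfresco: SAMPLE_AUDIT is a constructed response shaped like the JSON the audit query web script returns, and both the endpoint path in the comment and the value keys under "values" are assumptions to verify against your Alfresco version. It extracts failed logins, sorts them, and reports any user whose failures reach the limit inside a sliding time window.

```python
"""Count failed logins per user in Alfresco audit output and apply a threshold.

Added example, not from the slides. SAMPLE_AUDIT is constructed; the curl
path below and the keys FAILED_KEY / SUCCESS_KEY are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed query (path as recalled, not from the slides), e.g. from a cron job:
#   curl -u admin \
#     'http://localhost:8080/alfresco/service/api/audit/query/alfresco-access?limit=500'
FAILED_KEY = "/alfresco-access/login/error/user"   # assumed value key
SUCCESS_KEY = "/alfresco-access/login/user"        # assumed value key


def _entry(i, when, key, user):
    return {"id": i, "application": "alfresco-access", "user": "null",
            "time": when, "values": {key: user}}


# Constructed sample: five failures against admin in 90 s, one against bob,
# one successful login; entries deliberately not in time order.
SAMPLE_AUDIT = json.dumps({"count": 7, "entries": [
    _entry(1, "2014-10-01T10:00:05.000Z", FAILED_KEY, "admin"),
    _entry(2, "2014-10-01T10:00:20.000Z", FAILED_KEY, "admin"),
    _entry(3, "2014-10-01T10:05:00.000Z", FAILED_KEY, "bob"),
    _entry(4, "2014-10-01T10:00:41.000Z", FAILED_KEY, "admin"),
    _entry(5, "2014-10-01T10:01:02.000Z", FAILED_KEY, "admin"),
    _entry(6, "2014-10-01T10:07:00.000Z", SUCCESS_KEY, "admin"),
    _entry(7, "2014-10-01T10:01:30.000Z", FAILED_KEY, "admin"),
]})


def parse_time(text):
    """Timestamps in the constructed sample are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ")


def failed_logins(audit_json):
    """(timestamp, user) for each failed-login entry, oldest first."""
    events = []
    for entry in json.loads(audit_json)["entries"]:
        user = entry.get("values", {}).get(FAILED_KEY)
        if user:
            events.append((parse_time(entry["time"]), user))
    events.sort()
    return events


def over_threshold(events, limit=5, window=timedelta(minutes=10)):
    """Users whose failures reach `limit` inside any sliding `window`.

    Returns {user: highest failure count seen within one window}.
    """
    by_user = defaultdict(list)
    for when, user in events:          # events are already sorted by time
        by_user[user].append(when)
    flagged = {}
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1             # slide the window forward
            count = end - start + 1
            if count >= limit:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for user, count in over_threshold(failed_logins(SAMPLE_AUDIT)).items():
        print(f"{user}: {count} failed logins inside one 10-minute window")
```

The sliding window matters: five failures spread over a day are noise, five inside ninety seconds are a dictionary attack, and the same count can be fed to an IDS or used to decide when to lock the account.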
22. Best Practices: content deletion
• Node deletion lifecycle
• Why is it important?

23. More about node deletion
• Delete content when it is deleted
• Trashcan cleaner
• Records Management
• Wipe content

24. Alfresco Share Security
• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout

25. Architecture Best Practices 1
• Frontends
  • Protect URLs
  • Apache, Nginx, HAProxy
  • /alfresco/service
  • /share/service
  • /alfresco/proxy
  • /alfresco/cmisbrowser

26. Architecture Best Practices 2

27. Architecture Best Practices 3

28. AWS sample

29. Backup and Disaster Recovery
• White Paper
• http://slidesha.re/1o1HUY9

30. Mobile Security
• File Protection
  • Encryption when locked
• HTTPS
• Certificate Authentication
• MDM
  • Alfresco for Good (iOS)
  • MobileIron (Android)
• MDM next version
  • Symantec Sealed (Android)
  • Citrix Worx
  • MobileIron (iOS)

31. Security Compliance & Standards
• DoD 5015.2
• OWASP
  • Top 10
• HIPAA
• FISMA
• FedRAMP
• ISO 27001
• PCI-DSS

32. Finally, a review:

33. Alfresco Security Checklist

34. List of Alfresco third party components

35. Now… Yes! That’s all folks! Questions? Suggestions? Complaints? Beers?

36. Thanks
Toni de la Fuente
Principal Solutions Engineer
toni.delafuente@alfresco.com
@ToniBlyx – blyx.com