Alfresco Security Best Practices 2014

1. Alfresco Security Best Practices
   Toni de la Fuente, Principal Solutions Engineer
   toni.delafuente@alfresco.com – @ToniBlyx – blyx.com – #AlfrescoSecurity
2. “Sometimes, you have to demo a threat to spark a solution” – Barnaby Jack, 1977-2013
3. How to solve all your problems: UPGRADE!!
4. That’s all folks! THANKS
5. Agenda
   • Demo
   • Alfresco Security Policy
   • Elements
   • External Threats
   • Vulnerabilities Assessment
   • Network and Operating System
   • Implementation Best Practices
   • Architecture
   • Mobile
   • Compliance and Standards
6. The Guide
   • Alfresco Security Best Practices Guide
   • https://my.alfresco.com/share/s/85CnNsR0ROaSV0BwmKWncg
7. Alfresco Value Pillars
   • User Adoption (SIMPLE/CONNECTED): integral support for mobile workers and external partners, interface built with the end user in mind vs. IT, seamlessly integrated with today’s most common productivity tools
   • Security (CONTROLLED): enterprise-grade security, easy compliance policy definition and enforcement, fully compliant
   • Open, Modern Architecture (SIMPLE/SMART/CONNECTED): enterprise-grade, hybrid, open-source, flexible architecture that meets today’s IT demands; open integration interface, ease of administration, allow IT org to integrate with other LOB applications, support for open standards
   Also called out on the slide: Content Encryption, Records Mgmt., MDM, Certification
8. Alfresco Security Policy
   • Issues Discovery
   • Security Notifications
   • Severity Levels
     • High
     • Medium
     • Low
   • Reporting a Security Issue to us
     • support@alfresco.com
9. Alfresco Security Components: Deployment
   • People
   • Process
   • Alfresco application
     • Patches, HF, Upgrades, Features
   • JVM
   • Operating System
   • Firewall
   • Network configuration
   • Virtualization infrastructure
   • Network infrastructure
   • Physical infrastructure
   • Physical security
   • Facilities
10. AWS Shared Security Model, A Good Reference
11. Multiple External Threats 1
   Discovery, gathering information and information leaks:
     • Search tools: Google, Bing, Shodan
     • Gathering info: FOCA, metagoofil, theharvester, maltego
     • Manual discovery: Nmap, others
   Protection:
     • IDS
     • Banner
     • Filter access to resources
     • Clean metadata
12. Multiple External Threats 2
   Brute force user and password or dictionary attacks:
     • Online tools: Hydra, Metasploit
   Protection:
     • IDS
     • Password rotation
     • Password strength policy
     • Error login threshold
     • Prevent DoS
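The "error login threshold" protection on slide 12 needs something that actually counts failures. The following is an added example, not from the deck and not Alfresco code: a POSIX shell/awk function that reads authentication log lines from stdin and reports every user/source pair whose failed-login count reaches a threshold. The log format (`<time> <FAIL|OK> user=<name> ip=<addr>`) and the sample lines are constructed for the example; a real Alfresco or reverse-proxy log lays its fields out differently, so adjust the awk field positions to match.

```shell
#!/bin/sh
# Added example: failed-login threshold detector (the "error login threshold"
# protection from slide 12). Not part of the deck or of Alfresco.

# CONSTRUCTED sample log, one event per line:
#   <ISO-time> <FAIL|OK> user=<name> ip=<source address>
SAMPLE_LOG='2014-05-20T10:00:01 FAIL user=admin ip=203.0.113.7
2014-05-20T10:00:02 FAIL user=admin ip=203.0.113.7
2014-05-20T10:00:03 FAIL user=admin ip=203.0.113.7
2014-05-20T10:00:04 OK   user=alice ip=198.51.100.9
2014-05-20T10:00:05 FAIL user=admin ip=203.0.113.7
2014-05-20T10:00:06 FAIL user=admin ip=203.0.113.7
2014-05-20T10:00:07 FAIL user=bob ip=198.51.100.9
2014-05-20T10:00:08 OK   user=bob ip=198.51.100.9'

# failed_logins <threshold>
# Reads log lines on stdin; prints "user ip count" for every user/source pair
# whose FAIL count is >= threshold. Field positions ($2 result, $3 user=,
# $4 ip=) match the constructed format above; change them for a real log.
failed_logins() {
    awk -v limit="$1" '
        $2 == "FAIL" {
            sub(/^user=/, "", $3)
            sub(/^ip=/, "", $4)
            fails[$3 " " $4]++
        }
        END {
            for (key in fails)
                if (fails[key] >= limit) print key, fails[key]
        }'
}

# Stand-alone demo: with a threshold of 5 only the admin/203.0.113.7 pair is
# reported (5 failures); bob/198.51.100.9 has 1 and stays below the line.
printf '%s\n' "$SAMPLE_LOG" | failed_logins 5
```

Run it from cron or a log shipper against the authentication log (`failed_logins 5 < auth.log`) and alert on, or temporarily block at the reverse proxy or firewall, the pairs it prints; the deck's IDS bullet is the same idea done inline on the network. Counting per user and per source separately is worth adding once the basic threshold works, since a distributed attempt spreads one account's failures across many sources.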
13. Multiple External Threats 3
   Man in the Middle attacks and DDoS/DoS:
     • Multiple ways
     • Complex to protect
   Viruses:
     • Content
     • All tiers
   Protection:
     • Architecture design
     • Encryption
     • Certificate strength
     • Firewalls (network, host and application level)
     • IDS/IPS
     • AlfViral
     • Corporate-network solutions – ATP
     • Monitoring
14. Source of Vulnerabilities
   Public sources:
     • CVE-2014-0050: Apache Commons FileUpload
     • CVE-2014-0125: Moodle
     • Bugtraq ID 37578: Joomla
   Internal sources:
     • *MNT-11793: SSRF, port scanning
     • CVE-2014-2939: XSS
     • MNT-10540: Share remote execution
     • *MNT-10539: Xerces / POI
15. Hardening Network and Operating System
16. Network and Operating System
   • Network
     • Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices
   • OS
     • RedHat, Ubuntu, Suse
     • Solaris
     • Windows Server
   • File permissions
     • alfresco-global.properties
     • dir_root/contentstore
     • dir_root/solr
     • dir_root/lucene-indexes
   • Minimum privileges
   • Port redirect
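Slide 16's file-permission items only become concrete once the modes are written down. This added example (mine, not from the deck or the Alfresco installer) is a pair of POSIX shell functions: `harden_alfresco_files` gives `alfresco-global.properties` (which holds the database and other credentials) and the `contentstore`, `solr` and `lucene-indexes` directories under `dir_root` to the Alfresco service account with no group or world access, and `check_no_world_access` reports any path that still grants permissions to "other". The `dir_root`, the properties file path and the service user are arguments; no fixed Alfresco installation path is assumed.

```shell
#!/bin/sh
# Added example: file-permission hardening for the paths listed on slide 16.
# Not from the deck or from Alfresco; paths and the service user are arguments.

# harden_alfresco_files <dir_root> <path to alfresco-global.properties> <service user>
# - the properties file becomes owner-only read/write (0600): it carries credentials
# - contentstore, solr and lucene-indexes under dir_root become owner-only (0700)
# Both are owned by the unprivileged account Tomcat/Alfresco runs as.
harden_alfresco_files() {
    dir_root=$1
    props=$2
    owner=$3
    chown "$owner" "$props" && chmod 600 "$props"
    for sub in contentstore solr lucene-indexes; do
        [ -d "$dir_root/$sub" ] || continue   # skip what this install lacks
        chown -R "$owner" "$dir_root/$sub"
        chmod 700 "$dir_root/$sub"
    done
}

# check_no_world_access <path>...
# Returns 0 when no listed path grants "other" any permission, otherwise prints
# each offender and returns 1. Uses the mode string from ls -ld (chars 8-10 are
# the "other" bits), which is portable across Linux and BSD userlands.
check_no_world_access() {
    status=0
    for path in "$@"; do
        other=$(ls -ld "$path" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "world-accessible: $path (other=$other)"
            status=1
        fi
    done
    return $status
}

# Usage (run as root on the host; values are placeholders):
#   harden_alfresco_files /opt/alfresco/alf_data /opt/alfresco/tomcat/shared/classes/alfresco-global.properties alfresco
#   check_no_world_access /opt/alfresco/alf_data/contentstore /opt/alfresco/tomcat/shared/classes/alfresco-global.properties
```

The service user is the same unprivileged account that slide 20's "never run as root" refers to; with the content store and indexes readable only by that account, a compromise of any other local service cannot read documents straight off disk, and the check function is cheap enough to run from a periodic compliance job.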
17. Firewall: Inbound ports

   | Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
   |---|---|---|---|---|---|
   | HTTP | 8080 | TCP | IN | Yes | WebDAV included |
   | FTP | 21 | TCP | IN | Yes | Passive mode |
   | SMTP | 25 | TCP | IN | No | |
   | CIFS | 137, 138 | UDP | IN | Yes | |
   | CIFS | 139, 445 | TCP | IN | Yes | |
   | IMAP | 143 or 993 | TCP | IN | No | |
   | SharePoint Protocol | 7070 | TCP | IN | Yes | |
   | Tomcat Admin | 8005 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
   | Tomcat AJP | 8009 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
   | SOLR Admin | 8443 | TCP | IN | Yes | If used to admin Solr, the cert has to be installed in the browser. Otherwise take it into account in case of using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT |
   | NFS | 111, 2049 | TCP/UDP | IN | No | This is the repository service NFS as VFS |
   | RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless it is necessary, do not open this port at the firewall |
   | Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
   | JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
   | JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2 |
   | OpenOffice/JODconverter | 8100 | TCP | IN | Yes | It works on localhost; do not open it at the firewall |
18. Firewall: Outbound ports

   | Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
   |---|---|---|---|---|---|
   | SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
   | DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB |
   | DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB |
   | DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB |
   | DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB |
   | DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB |
   | LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization |
   | LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
   | docs.google.com | 443 | TCP | OUT | No | |
   | JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes |
   | Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes |
   | Remote storage NFS | 111, 2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore |
   | Remote storage CIFS | 137, 138 (UDP); 139, 145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore |
   | Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore |
   | Alfresco Transformation Server | 80, 443 or 8080, 8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
   | Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
   | Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using the Alfresco Replication Service between Alfresco servers |
   | Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
   | Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
   | DNS | 53 | UDP | OUT | Yes | Name resolution service |
   | Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using the Alfresco Publishing Framework or Site blog publishing |
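Slides 17 and 18 list the ports; the following added example turns the two tables into an enforceable host policy. It is not from the deck and not Alfresco code: a POSIX shell function that prints an nftables ruleset for a single repository host, taking the admin network, the cluster network and the database, LDAP and MTA hosts as arguments (the values in the usage line and test are constructed placeholders). Inbound, it accepts the rows marked Active=Yes; the Tomcat, JMX and Solr admin ports the table says not to open are limited to the admin network, the cluster ports to cluster nodes, and JODconverter (8100) stays loopback-only. Outbound is limited to DNS, the database, LDAPS and SMTP. The nat prerouting redirect from 80 to 8080 covers slide 16's "port redirect" and slide 20's "never run as root": Tomcat keeps listening on 8080 as an unprivileged user.

```shell
#!/bin/sh
# Added example: nftables ruleset generated from the inbound/outbound port
# tables on slides 17 and 18. Not from the deck or from Alfresco.

# alfresco_nft_ruleset <admin_net> <cluster_net> <db_host> <ldap_host> <mta_host>
# Prints the ruleset on stdout. Shell arguments are substituted once here;
# the \$NAME references are nft's own variables (defined at the top).
alfresco_nft_ruleset() {
    cat <<EOF
define ADMIN_NET = $1
define CLUSTER_NET = $2
define DB_HOST = $3
define LDAP_HOST = $4
define MTA_HOST = $5

table inet alfresco {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        # Public services: inbound rows marked Active=Yes
        # (passive FTP also needs its passive data-port range, not in the table)
        tcp dport { 8080, 21, 7070 } accept
        udp dport { 137, 138 } accept
        tcp dport { 139, 445 } accept
        # Tomcat admin/AJP, Solr admin and JMX RMI: admin network only
        ip saddr \$ADMIN_NET tcp dport { 8005, 8009, 8443, 50500-50507 } accept
        # Hazelcast (4.2+) and JGroups (pre-4.2): cluster nodes only
        ip saddr \$CLUSTER_NET tcp dport { 5701, 7800-7802 } accept
        # 8100 (JODconverter) is loopback-only: covered by "iif lo", never listed
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        udp dport 53 accept
        ip daddr \$DB_HOST tcp dport 5432 accept
        ip daddr \$LDAP_HOST tcp dport 636 accept
        ip daddr \$MTA_HOST tcp dport 25 accept
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port redirect: clients use 80, Tomcat listens on 8080 as a non-root user
        tcp dport 80 redirect to :8080
    }
}
EOF
}

# Usage with placeholder networks/hosts (constructed values):
#   alfresco_nft_ruleset 10.0.0.0/24 10.0.1.0/24 10.0.2.5 10.0.2.6 10.0.2.7 | nft -c -f -
```

Pipe the output to `nft -c -f -` to syntax-check it and to `nft -f -` to load it. The output chain's drop policy is deliberate, matching the tables' "No" default, so anything else the host talks to (NTP, package mirrors, the Transformation Server, S3 or FSTR rows if you use them) must be added explicitly rather than discovered in production; the PostgreSQL port is used here because the DB rows are "Yes*, depends on the DB", and you substitute your own.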
19. Alfresco Implementation Best Practices
20. Best Practices 1
   • Stay current
     • Service Packs, HF
   • Never run as root
   • Switch to SSL
     • HTTPS (Share, WebDAV, API, etc.)
     • App Server, Web Server, Appliance
     • SharePoint Protocol
     • IMAPS
     • SMTP Inbound TLS
     • SMTP Outbound TLS
     • FTPS
     • LDAPS connection
     • Consider Hazelcast or JGroups / DB Connection
   • Permissions inheritance
   • Custom roles
   • Review your logs
   • Change JMX default credentials
21. Best Practices 2
   • Audit
     • Enable it if needed
     • Easy to query audit records with curl
     • Easier in RM
   • Alfresco Support Tools
     • Get to know connected users, besides other tools
   • Get to know how to reset the admin password
   • Control ticket session duration
   • Disable unneeded services
   • Disable guest user
22. Best Practices: content deletion
   • Node deletion lifecycle
   • Why is it important?
23. More about node deletion
   • Delete content when it is deleted
   • Trashcan cleaner
   • Records Management
   • Wipe content
24. Alfresco Share Security
   • Cross-Site Request Forgery (CSRF) filters
   • Clickjacking mitigation
   • Iframes and phishing attack mitigation
   • Share HTML processing black/white list
   • Site creation control
   • Filter document actions by user or role
   • Filter workflow by user or role
   • Change default Share session timeout
25. Architecture Best Practices 1
   • Frontends
     • Protect URLs
       • Apache, Nginx, HAProxy
       • /alfresco/service
       • /share/service
       • /alfresco/proxy
       • /alfresco/cmisbrowser
26. Architecture Best Practices 2
27. Architecture Best Practices 3
28. AWS sample
29. Backup and Disaster Recovery
   • White Paper
     • http://slidesha.re/1o1HUY9
30. Mobile Security
   • File Protection
     • Encryption when locked
   • HTTPS
   • Certificate Authentication
   • MDM
     • Alfresco for Good (iOS)
     • MobileIron (Android)
   • MDM next version
     • Symantec Sealed (Android)
     • Citrix Worx
     • MobileIron (iOS)
31. Security Compliance & Standards
   • DoD 5015.2
   • OWASP
     • Top 10
   • HIPAA
   • FISMA
   • FedRAMP
   • ISO 27001
   • PCI-DSS
32. Finally, a review:
33. Alfresco Security Checklist
34. List of Alfresco third party components
35. Now… Yes! That’s all folks! Questions? Suggestions? Complaints? Beers?
36. Thanks
   Toni de la Fuente, Principal Solutions Engineer
   toni.delafuente@alfresco.com – @ToniBlyx – blyx.com
