
TTL Alfresco Product Security and Best Practices 2017


Slide deck used during Tech Talk Live #110 in October 2017. Phil Meadows and I discussed Alfresco product security, and I went through Alfresco CS security best practices.

Published in: Technology


  1. Best Practices around Alfresco Security
     Phil Meadows & Toni de la Fuente, 11th October 2017 - Tech Talk Live #110
  2. Topics
     • Who We Are
     • Responsible Disclosure
     • Product Security Processes and Policies
     • Security Deployment Best Practices
     • Hardening
     • Backup and Disaster Recovery
  3. Phil Meadows - Security Director
     • 20 years of experience in software engineering and operations, in a mixture of technical and leadership roles.
     • Joined Alfresco in 2014, working in the DevOps team.
     • Security Director since July 2017.
  4. Toni de la Fuente - Lead Security Operations - Senior Cloud Security Architect
     • Old-timer Alfrescan
     • Senior Solutions Engineer -> Principal Solutions Engineer -> Senior Cloud Security Architect -> Lead Security Operations
     • Alfresco Security Best Practices Guide
     • Alfresco Backup and Disaster Recovery Whitepaper
     • Alfresco BART
     • Prowler
     • phpRADmin
     • Blyx.com
     • …
  5. Responsible Disclosure
     • What is it?
     • Why do we need one?
     • Status of vulnerability reporting
  6. Product Security
     • 1. People: security-aware engineers
     • 2. Tools: automated and manual security analysis
     • 3. Processes and Policies: response, classification, standards
  7. People
     • Secure Coding Workshop
       – Hosted by a 3rd party
       – 4-day course
       – Covers the basics of web application security
       – OWASP Top 10 (2017 edition on its way!)
     • Regular updates
       – Brown-bag sessions
       – Lightning talks in engineering meetups
     • Virtual Secure Coding Expert Team
     • Architectural Decision Records
  8. Product Development - Security Touchpoints
     Architecture -> Engineers IDE -> Source Code Repository -> Build Pipeline -> Release Process
  9. Architecture
     • Relies on people
     • Security concerns considered up front
     • Architectural Decision Records
     • Secure Coding Experts
  10. Engineers IDE
     • No company-wide agreed tools/solutions yet.
     • Sooner found, sooner fixed.
     • Good training tool.
  11. Source Code Repository
     • Pull request integration.
     • No solution found yet; investigating LGTM https://lgtm.com/
     • Free for open source projects.
       – GitHub integration
       – Currently no GitLab integration
     • Security scan at pull request
     • Historical security metrics
  12. Build Pipeline
     • SonarQube https://www.sonarqube.org/
     • Triggered by a Maven goal
     • Code quality is good for security
     • OWASP plugin - Security Dashboard
  13. Release Process
     • VeraCode https://www.veracode.com/
       – Scans binaries
       – Extensive reports
       – Heavyweight
     • Third-party penetration testing
       – Manual and automated security scans
       – Against a cloud-hosted running environment
  14. Security Issue Classification
     • CVSS - Common Vulnerability Scoring System
       – https://www.first.org/cvss/
       – https://www.first.org/cvss/calculator/3.0
     • Gives a numeric score that we convert to a security level, against which the engineering teams have agreed response targets.
     • Three security levels
       – High - patch or hotfix
       – Medium - hotfix or service pack, depending on support level
       – Low - included in the next scheduled release
  15. Security Deployment Best Practices
  16. What to do?
     • Keep the security triad in mind:
       – Confidentiality
       – Integrity
       – Availability
  17. Solution also matters
     • Single tier or multi-tier?
     • On-prem or in a cloud provider?
  18. Alfresco CS Security Checklist
  19. Hardening
  20. Network and Operating System
     • Network
       – Firewalls, IDS, IPS, APT, Web Application Firewalls, antivirus, DDoS/DoS protection devices
     • OS
       – RedHat, Ubuntu, SUSE
       – Solaris
       – Windows Server
     • File permissions
       – alfresco-global.properties
       – dir_root/contentstore
       – dir_root/solr
       – dir_root/lucene-indexes
     • Minimum privileges
     • Port redirect
  21. Firewall: Inbound ports
     Protocol/Service         | Port        | TCP/UDP | IN/OUT | Active | Comments
     HTTP                     | 8080        | TCP     | IN     | Yes    | WebDAV included
     FTP                      | 21          | TCP     | IN     | Yes    | Passive mode
     SMTP                     | 25          | TCP     | IN     | No     |
     CIFS                     | 137,138     | UDP     | IN     | Yes    |
     CIFS                     | 139,445     | TCP     | IN     | Yes    |
     IMAP                     | 143 or 993  | TCP     | IN     | No     |
     SharePoint Protocol      | 7070        | TCP     | IN     | Yes    |
     Tomcat Admin             | 8005        | TCP     | IN     | Yes    | Unless it is necessary, do not open this port at the firewall
     Tomcat AJP               | 8009        | TCP     | IN     | Yes    | Unless it is necessary, do not open this port at the firewall
     SOLR Admin               | 8443        | TCP     | IN     | Yes    | If used to administer Solr, the certificate has to be installed in the browser. Otherwise take it into account when using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT
     NFS                      | 111,2049    | TCP/UDP | IN     | No     | This is the repository service NFS as VFS
     RMI                      | 50500-50507 | TCP     | IN     | Yes    | Used for JMX management. Unless it is necessary, do not open this port at the firewall
     Hazelcast                | 5701        | TCP     | IN     | No     | Used by Hazelcast to exchange information between cluster nodes from 4.2
     JGroups                  | 7800        | TCP     | IN     | No     | Cluster discovery between nodes before 4.2
     JGroups                  | 7801-7802   | TCP     | IN     | No     | Ehcache RMI traffic between cluster nodes before 4.2
     OpenOffice/JODConverter  | 8100        | TCP     | IN     | Yes    | It works on localhost; do not open it at the firewall
  22. Firewall: Outbound ports
     Protocol/Service               | Port                   | TCP/UDP | IN/OUT | Active | Comments
     SMTP                           | 25                     | TCP     | OUT    | No     | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA
     DB – PostgreSQL                | 5432                   | TCP     | OUT    | Yes*   | It depends on the DB
     DB – MySQL                     | 3306                   | TCP     | OUT    | Yes*   | It depends on the DB
     DB – MS SQL Server             | 1433                   | TCP     | OUT    | Yes*   | It depends on the DB
     DB – Oracle                    | 1521                   | TCP     | OUT    | Yes*   | It depends on the DB
     DB – DB2                       | 50000                  | TCP     | OUT    | Yes*   | It depends on the DB
     LDAP or AD                     | 396                    | TCP     | OUT    | No     | If needed for authentication and synchronization
     LDAPS or AD                    | 636                    | TCP     | OUT    | No     | If needed for authentication and synchronization
     docs.google.com                | 443                    | TCP     | OUT    | No     |
     JGroups                        | 7800-7802              | TCP     | OUT    | No     | If clustered before 4.2, only between nodes
     Hazelcast                      | 5701                   | TCP     | IN     | No     | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes
     Remote storage NFS             | 111,2049               | TCP/UDP | OUT    | No     | If a remote NFS drive is used as contentstore
     Remote storage CIFS            | 137,138 (UDP) 139,145 (TCP) | UDP/TCP | OUT | No  | If a remote CIFS drive is used as contentstore
     Amazon S3                      | 443                    | TCP     | OUT    | No     | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore
     Alfresco Transformation Server | 80,443 or 8080,8443    | TCP     | OUT    | No     | In case a remote Alfresco Transformation Server is used
     Alfresco FSTR                  | 8080                   | TCP     | OUT    | No     | In case of using a remote Alfresco File System Transfer Receiver
     Alfresco Remote Server         | 8080 or 8443           | TCP     | OUT    | No     | In case of using the Alfresco Replication Service between Alfresco servers
     Kerberos                       | 88                     | TCP/UDP | OUT    | No     | In case Kerberos SSO is required
     Third Party SSO                | 443                    | TCP     | OUT    | No     | Third-party SSO services
     DNS                            | 53                     | UDP     | OUT    | Yes    | Name resolution service
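The two slides above (file permissions on slide 20 and the inbound port table on slide 21) are the kind of thing worth checking on a running repository host rather than trusting the build sheet. The following is an added example, not code from the deck or from Alfresco: it parses `ss -ltn` output (a constructed sample is embedded), flags services the inbound table says to keep off the firewall (Tomcat Admin 8005, AJP 8009, JODConverter 8100, the RMI/JMX range 50500-50507) when they are bound to anything other than loopback, flags listeners that are not in the table at all, and checks that alfresco-global.properties is owner-only. The file path and the 0600 expectation are this example's assumptions, not values from the slides.

```python
"""Audit a host against the deck's inbound port table and file-permission advice.

Added example; not code from the slides or from Alfresco. Port numbers and the
"do not open at the firewall" notes come from the Inbound ports table; the
`ss -ltn` output, the file path and the 0600 expectation are constructed here.
"""
import os
import stat

# Services the inbound table says to keep off the firewall (loopback only).
LOCAL_ONLY = {
    8005: "Tomcat Admin",
    8009: "Tomcat AJP",
    8100: "OpenOffice/JODConverter",
}
LOCAL_ONLY.update({p: "RMI (JMX management)" for p in range(50500, 50508)})

# Services the table marks Active=Yes and expects clients to reach.
EXPECTED_INBOUND = {
    8080: "HTTP", 21: "FTP", 137: "CIFS", 138: "CIFS", 139: "CIFS",
    445: "CIFS", 7070: "SharePoint Protocol", 8443: "SOLR Admin",
}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(lines):
    """Return (local_address, port) for each LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in lines:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                                  # header or non-listening row
        addr, _, port = cols[3].rpartition(":")       # handles "[::1]:8100" and "*:8009"
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(lines):
    """Flag sockets that contradict the inbound table."""
    findings = []
    for addr, port in parse_ss(lines):
        exposed = addr not in LOOPBACK
        if port in LOCAL_ONLY and exposed:
            findings.append(f"{LOCAL_ONLY[port]} on {port} bound to {addr}: "
                            "bind to loopback or block at the firewall")
        elif port not in LOCAL_ONLY and port not in EXPECTED_INBOUND and exposed:
            findings.append(f"port {port} bound to {addr} is not in the inbound table: "
                            "justify it or close it")
    return findings


def secret_file_finding(path, mode=None):
    """alfresco-global.properties carries DB and keystore credentials, so require
    owner-only access (0600 is this example's expectation, not the deck's).
    `mode` overrides os.stat so the check can run without the file present."""
    if mode is None:
        mode = os.stat(path).st_mode
    if stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} is mode {oct(stat.S_IMODE(mode))}; expected 0o600"
    return None


# Constructed `ss -ltn` output for a repository host (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      1      127.0.0.1:8005      0.0.0.0:*
LISTEN 0      100    *:8009              *:*
LISTEN 0      128    [::1]:8100          [::]:*
LISTEN 0      128    0.0.0.0:50500       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
""".splitlines()

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print("FINDING:", finding)
    # Hypothetical path; pass mode=0o644 to simulate a world-readable file.
    print(secret_file_finding("/opt/alfresco/tomcat/shared/classes/alfresco-global.properties",
                              mode=0o644))
```

On a real host, feed `audit_listeners` the lines of `ss -ltn` and drop the `mode=` argument so `secret_file_finding` reads the actual mode. Anything bound to a wildcard or to a non-loopback address counts as exposed, whether or not a host firewall also filters it, which is deliberate: the slide's advice is to not expose the port at all.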
  23. Alfresco Implementation Best Practices
  24. Best Practices 1
     • Stay current
       – Service Packs, HF
     • Never run as root
     • Switch to SSL
       – HTTPS (Share, WebDAV, API, etc.)
         • App Server, Web Server, Appliance
       – SharePoint Protocol
       – IMAPS
       – SMTP Inbound TLS
       – SMTP Outbound TLS
       – FTPS
       – LDAPS connection
       – DB Connection
     • Permissions inheritance
     • Custom roles
     • Review your logs
     • Change JMX default credentials
     • Change keystore password
  25. Best Practices 2
     • Audit
       – Enable it if needed
       – Easy to query audit records with curl
       – Easier in RM
     • Alfresco Support Tools
       – Get to know connected users, besides other tools
     • Get to know how to reset the admin password
     • Control ticket session duration
     • Disable unneeded services
     • Disable guest user
  26. Best Practices 3
     • Encrypt configuration properties if needed
     • Mitigating brute force attacks on user passwords
       – Use bcrypt
     • Third-party auth system / Federated
  27. Alfresco Share Security
     • Cross-Site Request Forgery (CSRF) filters
     • Clickjacking mitigation
     • Iframes and phishing attack mitigation
     • Share HTML processing black/white list
     • Site creation control
     • Filter document actions by user or role
     • Filter workflow by user or role
     • Change default Share session timeout
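"Mitigating brute force attack on user passwords" (slide 26) and "Review your logs" (slide 24) go together: a slow hash such as bcrypt raises the cost per guess, and a lockout window caps the number of guesses an attacker gets at all. The block below is an added example, not code from the deck or from Alfresco. It implements a sliding-window lockout keyed by account, replays it over a constructed list of login events, and lists the source addresses a log review should look at. The Alfresco repository settings it is loosely modelled on (authentication.protection.enabled, .limit and .periodSeconds) are not on the slide and are named here as an assumption; the thresholds and events are constructed.

```python
"""Sliding-window lockout against password guessing, replayed over constructed events.

Added example; not code from the slides or from Alfresco. It models the
behaviour slide 26 asks for. The property names authentication.protection.*
mentioned in the lead-in are an assumption about Alfresco, not taken from the
deck; 5 failures in 60 seconds and the event list are constructed values.
"""
from collections import defaultdict, deque


class LoginProtection:
    """Refuse an account's login attempts once it has `limit` failures within
    `period_s` seconds. Attempts made while locked are not counted, so the lock
    lifts on its own when the oldest failure ages out of the window."""

    def __init__(self, limit=5, period_s=60):
        self.limit = limit
        self.period_s = period_s
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.period_s:
            q.popleft()

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.limit

    def record(self, account, now, password_ok):
        """Return 'locked', 'ok' or 'fail'. A correct password while locked is still
        refused, which is what stops guessing; a successful login clears the counter."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        return "fail"


# Constructed events: (seconds since start, account, source address, password correct?)
EVENTS = [
    (0, "admin", "203.0.113.7", False),
    (3, "alice", "198.51.100.20", True),
    (5, "admin", "203.0.113.7", False),
    (10, "admin", "203.0.113.7", False),
    (15, "admin", "203.0.113.7", False),
    (20, "admin", "203.0.113.7", False),
    (25, "admin", "203.0.113.7", True),    # right password, but the account is locked
    (70, "admin", "203.0.113.7", True),    # window has moved on; this login succeeds
]


def replay(events, limit=5, period_s=60):
    """Run the events through the guard; return one decision per event."""
    guard = LoginProtection(limit, period_s)
    return [guard.record(account, ts, ok) for ts, account, _src, ok in events]


def noisy_sources(events, decisions, threshold=3):
    """Sources with at least `threshold` refused attempts: the log-review shortlist."""
    counts = defaultdict(int)
    for (_ts, _acct, src, _ok), decision in zip(events, decisions):
        if decision in ("fail", "locked"):
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    decisions = replay(EVENTS)
    for (ts, account, src, _ok), decision in zip(EVENTS, decisions):
        print(f"t={ts:>3} {account:<6} {src:<14} {decision}")
    print("sources to review:", noisy_sources(EVENTS, decisions))
```

Keying the window by account protects the account even when guesses arrive from many addresses; keying by source address as well (the same class, a second instance) is the usual complement so one address cannot probe many accounts. Note the cost of the design: the legitimate owner is also refused during the window, which is why the window is short and why the deck pairs this with federated or third-party authentication.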
  28. Backup and Disaster Recovery
  29. Backup and Disaster Recovery
     • Backup, Archiving, Disaster Recovery
     • Why?
     • Business impact
     • RPO (time between backups) and RTO (time taken to restore)
  30. Backup Procedure and Methods
     • What to backup?
       – Static / Dynamic
       – Install + Config + Custom
     • Order
       1. Index (index+cache)
       2. DB
       3. Content Store
     • Types
       – Cold
       – Warm
       – Hot
     • What about Zero-Downtime?
  31. Restore Procedure
     1. Installation
     2. Configuration
     3. Customization
     4. DB
     5. Content Store
     6. Indexes
  32. Best Practices: content deletion
     • Node deletion lifecycle
     • Why is it important?
  33. More about node deletion
     • Delete content when it is deleted
     • Trashcan cleaner
     • Records Management
     • Wipe content
  34. Thanks!
     Toni de la Fuente @ToniBlyx
     Phil Meadows @meadowsp99
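Slides 30 and 31 give the order that matters for a consistent backup (index, then DB, then content store) and for a restore (installation, configuration and customizations first, then DB, content store, indexes). The block below is an added example, not code from the deck, from the whitepaper it mentions or from Alfresco: a small cold-backup orchestrator that enforces the backup order, records it in a manifest, refuses to restore from an incomplete set, and restores in the deck's order. The layout (dir_root/solr for indexes, dir_root/contentstore for content, names taken from slide 20) and the pluggable database dump/restore callables are assumptions; `demo()` runs the round trip on constructed data in a temporary directory.

```python
"""Cold backup / restore round trip in the order the deck gives.

Added example, not from the slides or from Alfresco. Assumed layout:
dir_root/solr holds the indexes and dir_root/contentstore the content (names
from slide 20). The database dump and restore are whatever callables the
caller passes (for example a thin wrapper around pg_dump / psql).
"""
import json
import shutil
import tarfile
import tempfile
from pathlib import Path

BACKUP_ORDER = ("indexes", "db", "contentstore")    # slide 30: 1. Index, 2. DB, 3. Content Store
RESTORE_ORDER = ("db", "contentstore", "indexes")   # slide 31: 4. DB, 5. Content Store, 6. Indexes


def data_dirs(dir_root: Path) -> dict:
    """Dynamic data locations under dir_root (assumed layout)."""
    return {"indexes": dir_root / "solr", "contentstore": dir_root / "contentstore"}


def backup(dir_root: Path, dest: Path, db_dump) -> Path:
    """Archive indexes, then dump the DB, then archive the content store.

    db_dump(out_path) must write the database dump to out_path. Taking the
    content store last means every content URL in the DB snapshot already
    exists on disk; extra orphaned files are harmless, missing ones are not.
    """
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"order": [], "files": {}}
    for step in BACKUP_ORDER:
        if step == "db":
            out = dest / "db.sql"
            db_dump(out)
        else:
            src = data_dirs(dir_root)[step]
            out = dest / f"{step}.tar"
            with tarfile.open(out, "w") as tar:
                tar.add(str(src), arcname=src.name)   # archive root = directory name
        manifest["order"].append(step)
        manifest["files"][step] = out.name
    path = dest / "manifest.json"
    path.write_text(json.dumps(manifest, indent=2))
    return path


def verify_manifest(manifest_path: Path) -> list:
    """Return problems with the backup set; an empty list means complete and ordered."""
    m = json.loads(manifest_path.read_text())
    problems = []
    if tuple(m["order"]) != BACKUP_ORDER:
        problems.append(f"backup order was {m['order']}, expected {list(BACKUP_ORDER)}")
    for step in BACKUP_ORDER:
        name = m["files"].get(step)
        if not name or not (manifest_path.parent / name).exists():
            problems.append(f"missing artefact for {step}")
    return problems


def restore(manifest_path: Path, target_root: Path, db_restore) -> list:
    """Restore DB, then content store, then indexes. Install, config and
    customizations (restore steps 1-3) are assumed to be in place already."""
    problems = verify_manifest(manifest_path)
    if problems:
        return problems                       # never restore a partial set
    m = json.loads(manifest_path.read_text())
    target_root.mkdir(parents=True, exist_ok=True)
    for step in RESTORE_ORDER:
        artefact = manifest_path.parent / m["files"][step]
        if step == "db":
            db_restore(artefact)
        else:
            shutil.rmtree(data_dirs(target_root)[step], ignore_errors=True)
            with tarfile.open(artefact) as tar:
                tar.extractall(target_root)
    return []


def demo() -> dict:
    """Round trip on constructed data in a temp dir; returns results a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dest, target = tmp / "alf_data", tmp / "backup", tmp / "restored"
        (src / "solr").mkdir(parents=True)
        (src / "contentstore" / "2017").mkdir(parents=True)
        (src / "solr" / "segment.bin").write_text("index")
        (src / "contentstore" / "2017" / "doc.bin").write_text("content")
        restored_sql = {}
        manifest = backup(src, dest, lambda p: p.write_text("-- constructed dump"))
        problems = verify_manifest(manifest)
        restore_problems = restore(manifest, target,
                                   lambda p: restored_sql.update(sql=p.read_text()))
        (dest / "db.sql").unlink()           # simulate a lost artefact
        return {
            "problems": problems,
            "restore_problems": restore_problems,
            "order": json.loads(manifest.read_text())["order"],
            "db_restored": restored_sql.get("sql") == "-- constructed dump",
            "content_restored": (target / "contentstore" / "2017" / "doc.bin").read_text() == "content",
            "index_restored": (target / "solr" / "segment.bin").read_text() == "index",
            "after_loss": restore(manifest, tmp / "again", lambda p: None),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real repository the `db_dump` callable would run the vendor tool (pg_dump, mysqldump, RMAN, and so on) and the archives would be streamed to off-host storage; the ordering and the refuse-to-restore-a-partial-set rule are the parts worth keeping whatever tooling is used.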
