Alfresco Security Best Practices 2014
DESCRIPTION
Alfresco Security Best Practices, given at Alfresco Summit 2014 (San Francisco and London)
TRANSCRIPT
Alfresco Security Best Practices
Toni de la Fuente, Principal Solutions Engineer
[email protected] @ToniBlyx – blyx.com #AlfrescoSecurity
“Sometimes, you have to demo a threat to spark a solution”
Barnaby Jack, 1977-2013
@ToniBlyx #AlfrescoSecurity
How to solve all your problems:
UPGRADE!!
That’s all folks!
THANKS
Agenda
• Demo
• Alfresco Security Policy
• Elements
• External Threats
• Vulnerabilities Assessment
• Network and Operating System
• Implementation Best Practices
• Architecture
• Mobile
• Compliance and Standards
The Guide
• Alfresco Security Best Practices Guide
• https://my.alfresco.com/share/s/85CnNsR0ROaSV0BwmKWncg
Alfresco Value Pillars
• User Adoption (SIMPLE/CONNECTED): Integral support for mobile workers and external partners, an interface built with the end user in mind vs. IT, seamlessly integrated with today’s most common productivity tools
• Security (CONTROLLED): Enterprise-grade security, easy compliance policy definition and enforcement, fully compliant
• Open, Modern Architecture (SIMPLE/SMART/CONNECTED): Enterprise-grade, hybrid, open-source, flexible architecture that meets today’s IT demands. Open integration interface, ease of administration, allows the IT org to integrate with other LOB applications, support for open standards
Content Encryption • Records Mgmt. • MDM • Certification
Alfresco Security Policy
• Issues Discovery
• Security Notifications
• Severity Levels
  • High
  • Medium
  • Low
• Reporting a Security Issue to us
  • [email protected]
Alfresco Security Components: Deployment
• People
• Process
• Alfresco application
  • Patches, HF, Upgrades, Features
• JVM
• Operating System
• Firewall
• Network configuration
• Virtualization infrastructure
• Network infrastructure
• Physical infrastructure
• Physical security
• Facilities
AWS Shared Security Model, A Good Reference
Multiple External Threats 1
Discovery, gathering information and information leaks:
• Search tools
  • Google, Bing, Shodan
• Gathering info
  • FOCA, metagoofil, theharvester, maltego
• Manual discovery
  • Nmap, others
Protection:
• IDS
• Banner
• Filter access to resources
• Clean metadata
Multiple External Threats 2
Brute force user and password or dictionary attacks:
• Online tools
  • Hydra
  • Metasploit
Protection:
• IDS
• Password rotation
• Password strength policy
• Error login threshold
• Prevent DoS
Multiple External Threats 3
Man In the Middle Attacks and DDoS/DoS:
• Multiple ways
• Complex to protect
Viruses:
• Content
• All tiers
Protection:
• Architecture design
• Encryption
• Certificate strength
• Firewalls (network, host and application level)
• IDS/IPS
• AlfViral
• Corporate-Network solutions – ATP
• Monitoring
Source of Vulnerabilities
Public Sources
• CVE-2014-0050: Apache Commons FileUpload
• CVE-2014-0125: Moodle
• Bugtraq ID 37578: Joomla
Internal Sources
• *MNT-11793: SSRF, port scanning
• CVE-2014-2939: XSS
• MNT-10540: Share remote execution
• *MNT-10539: Xerces / POI
Hardening Network and Operating System
Network and Operating System
• Network
  • Firewalls, IDS, IPS, APT, Web Application Firewalls, Antiviruses, DDoS/DoS protection devices
• OS
  • RedHat, Ubuntu, Suse
  • Solaris
  • Windows Server
• File permissions
  • alfresco-global.properties
  • dir_root/contentstore
  • dir_root/solr
  • dir_root/lucene-indexes
• Minimum privileges
• Port redirect
Firewall: Inbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137, 138 | UDP | IN | Yes | |
| CIFS | 139, 445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin | 8005 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to administer Solr, the certificate has to be installed in the browser. Otherwise take it into account in case of using a dedicated Index Server: the Alfresco repository server must have access to this port IN and OUT |
| NFS | 111, 2049 | TCP/UDP | IN | No | This is the repository NFS service (NFS as VFS) |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless necessary, do not open this port at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Ehcache RMI traffic between cluster nodes before 4.2 |
| OpenOffice/JODconverter | 8100 | TCP | IN | Yes | It works on localhost; do not open it at the firewall |
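The inbound table as a host firewall policy, added here as an example (not code from the deck or from Alfresco): a POSIX shell script that generates iptables INPUT rules opening only the ports the table marks Active, keeping the Tomcat admin, AJP, JMX RMI and JODconverter ports off the firewall, with DROP as the default. ADMIN_NET and REPO_SERVER are assumed placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the deck): turn the inbound port table above into
# iptables INPUT rules. Ports marked Active=Yes are opened; ports the table
# says not to open at the firewall (Tomcat admin 8005, AJP 8009, JMX RMI
# 50500-50507, JODconverter 8100) stay loopback-only or limited to an admin
# network; the default policy is DROP. Addresses below are assumed placeholders.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"     # placeholder: hosts allowed to use JMX
REPO_SERVER="${REPO_SERVER:-192.0.2.10}"   # placeholder: repository server (dedicated index server case)

# proto ports source -- source is one of: any | lo | ADMIN | REPO
INBOUND_TABLE='
tcp 8080 any
tcp 21 any
udp 137,138 any
tcp 139,445 any
tcp 7070 any
tcp 8443 REPO
tcp 8005 lo
tcp 8009 lo
tcp 50500:50507 ADMIN
tcp 8100 lo
'

# Print the iptables commands; nothing is applied unless APPLY=1.
emit_inbound_rules() {
  printf '%s\n' 'iptables -P INPUT DROP' \
    'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    'iptables -A INPUT -i lo -j ACCEPT'
  printf '%s\n' "$INBOUND_TABLE" | while read -r proto ports src; do
    [ -z "$proto" ] && continue
    case "$src" in
      any)   flt='' ;;
      lo)    printf '# %s/%s: loopback only, covered by the -i lo rule\n' "$proto" "$ports"; continue ;;
      ADMIN) flt="-s $ADMIN_NET " ;;
      REPO)  flt="-s $REPO_SERVER " ;;
      *)     flt="-s $src " ;;
    esac
    printf 'iptables -A INPUT -p %s %s-m multiport --dports %s -j ACCEPT\n' "$proto" "$flt" "$ports"
  done
}

if [ "${APPLY:-0}" = 1 ]; then emit_inbound_rules | sh; else emit_inbound_rules; fi
```

Run without APPLY to review the generated rules first; the outbound table needs the matching OUTPUT chain, which this script does not cover.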
Firewall: Outbound ports

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., open this port from Alfresco to your corporate MTA |
| DB – PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB |
| DB – MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB |
| DB – MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB |
| DB – Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB |
| DB – DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB |
| LDAP or AD | 396 | TCP | OUT | No | If needed for authentication and synchronization |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes |
| Remote storage NFS | 111, 2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as contentstore |
| Remote storage CIFS | 137, 138 (UDP); 139, 145 (TCP) | UDP/TCP | OUT | No | If a remote CIFS drive is used as contentstore |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as contentstore |
| Alfresco Transformation Server | 80, 443 or 8080, 8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using the Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third-party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |
| Facebook, Twitter, LinkedIn, Slideshare, YouTube, Flickr, WordPress or Typepad | 80 or 443 | TCP | OUT | No | In case of using the Alfresco Publishing Framework or site blog publishing |
Alfresco Implementation Best Practices
Best Practices 1
• Stay current
  • Service Packs, HF
• Never run as root
• Switch to SSL
  • HTTPS (Share, WebDAV, API, etc.)
  • App Server, Web Server, Appliance
  • SharePoint Protocol
  • IMAPS
  • SMTP Inbound TLS
  • SMTP Outbound TLS
  • FTPS
  • LDAPS connection
  • Consider Hazelcast or JGroups / DB Connection
• Permissions inheritance
• Custom roles
• Review your logs
• Change JMX default credentials
Best Practices 2
• Audit
  • Enable it if needed
  • Easy to query audit records with curl
  • Easier in RM
• Alfresco Support Tools
  • Get to know connected users, besides other tools
• Get to know how to reset the admin password
• Control ticket session duration
• Disable unneeded services
• Disable guest user
Best Practices: content deletion
• Node deletion lifecycle
• Why is it important?
More about node deletion
• Delete content when it is deleted
• Trashcan cleaner
• Records Management
• Wipe content
Alfresco Share Security
• Cross-Site Request Forgery (CSRF) filters
• Clickjacking mitigation
• Iframes and phishing attack mitigation
• Share HTML processing black/white list
• Site creation control
• Filter document actions by user or role
• Filter workflow by user or role
• Change default Share session timeout
Architecture Best Practices 1
• Frontends
  • Protect URLs
  • Apache, Nginx, HAProxy
  • /alfresco/service
  • /share/service
  • /alfresco/proxy
  • /alfresco/cmisbrowser
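A way to verify the frontend protection above from outside, added here as an example (not code from the deck or from Alfresco): a POSIX shell script that requests each listed path through the reverse proxy and treats only a refusal by the proxy as blocked; a 401 means the request already reached Alfresco's authentication, so the path is still exposed. The base URL is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the deck): check from outside that the frontend
# (Apache, Nginx or HAProxy) refuses the Alfresco/Share URLs listed above.
# The base URL is an assumed placeholder; pass your own as the first argument.
BASE_URL="${1:-https://alfresco.example.com}"

# Paths the deck says to protect at the frontend.
PROTECTED_PATHS='/alfresco/service /share/service /alfresco/proxy /alfresco/cmisbrowser'

# verdict STATUS: only a refusal by the proxy counts as blocked. A 401 means the
# request reached Alfresco's authentication, so the path is still exposed.
verdict() {
  case "$1" in
    403|404) echo BLOCKED ;;
    000|'')  echo UNREACHABLE ;;
    *)       echo EXPOSED ;;
  esac
}

# http_status URL: print the HTTP status code, 000 when the host is unreachable.
http_status() {
  s=$(curl -k -s -o /dev/null -m 10 -w '%{http_code}' "$1" 2>/dev/null) || true
  echo "${s:-000}"
}

# check_paths: report every protected path; exit status 1 if any is exposed.
check_paths() {
  rc=0
  for p in $PROTECTED_PATHS; do
    v=$(verdict "$(http_status "$BASE_URL$p")")
    printf '%-24s %s\n' "$p" "$v"
    [ "$v" = EXPOSED ] && rc=1
  done
  return $rc
}

# Only probe when a frontend URL was given on the command line.
if [ $# -gt 0 ]; then check_paths; else echo "usage: $0 https://your-frontend"; fi
```

Run it from a network position outside the perimeter, since an internal client is usually allowed to reach these paths.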
Architecture Best Practices 2
Architecture Best Practices 3
AWS sample
Backup and Disaster Recovery
• White Paper
• http://slidesha.re/1o1HUY9
Mobile Security
• File Protection
  • Encryption when locked
• HTTPS
  • Certificate Authentication
• MDM
  • Alfresco for Good (iOS)
  • MobileIron (Android)
• MDM next version
  • Symantec Sealed (Android)
  • Citrix Worx
  • MobileIron (iOS)
Security Compliance & Standards
• DoD 5015.2
• OWASP
  • Top 10
• HIPAA
• FISMA
• FedRAMP
• ISO 27001
• PCI-DSS
Finally, a review:
Alfresco Security Checklist
List of Alfresco third party components
Now… Yes! That’s all folks!
Questions? Suggestions? Complaints? Beers?
Thanks
Toni de la Fuente, Principal Solutions Engineer
[email protected] @ToniBlyx – blyx.com