[Zope] Various security aspects to Zope as an Internet HTTPD server ...

Bryan J. Smith bjs@crc.com
Mon, 14 Jun 1999 17:28:23 -0400


Various security aspects to Zope as an Internet HTTPD server ...

[ I am on the Digest, so please respond directly ]
[ to me @ mailto:b.j.smith@ieee.org,bjs@crc.com  ]

I am looking at using Zope as a corporate Internet HTTPD service
(i.e. as the main service people hit on the Internet).  I am a
Zope newbie, but have installed and used it on the port (i.e.
9673, NOT integrated with Apache).

I have an idea of my basic configuration along with some
security-oriented questions.

Proposed configuration:
-----------------------

A.  Two servers, one in a DMZ behind a firewall and one on the
internal corporate network, also behind the firewall (but on a
different port not accessable from the outside).

B.  Users would ONLY UPLOAD TO THE INTERNAL network server.  Then,
at an X periodical, the internal server's contents would be copied
to the external server.  So even if the external server's HTTPD
site/contents are cracked/replaced, the data will be overwritten
ever X minutes with the clean/internal version (very simple to
do -- something the FBI should have take note of ;-).

C.  Not sure if I should keep Zope on its own port (9673, with a
simple redirect from Apache on port 80 (//sitename ->
//sitename:9673) or integrate it with Apache (security is the
issue here).

D.  Looking to use OpenBSD/i386 as the OS (on both systems, or at
least the external server in the firewall DMZ).

Questions:
----------

1.  Since Zope runs as a user-level service, does that make it any
more secure than Apache?  Or is it more securite to integrate it
as a bunch of cgi-bin scripts under Apache?  Or does anyone see
even a more secure setup?

2.  Available SSL support?  Or is that the commercial Medusa
(Zope+SSL) product from Digital creations?

3.  Anyone got Zope running under OpenBSD/i386?  I really am
aiming for the OpenBSD avenue since they are the best when it
comes to finding security holes (don't need slick console-side
interfaces like with Linux/FreeBSD/NT).  If it runs under FreeBSD,
it should run under OpenBSD, but just wanted to see if anyone was
running it under OpenBSD (or FreeBSD for that matter).

Thanx in advance ...

-- Bryan "The BS" Smith
   Software Engineer
   FL-based Aerospace Company and
     OpenSource developer/consultant

P.S.  As a side-note, there are those FrontPage 98 wennies out
there who "just-have-to-have" the FP98 extensions on the Apache
server.  Does that not create a security risk?  I (as well as
PCWeek) have found using Amaya (the W3C standard HTML 4.0 WYSIWYG)
much better and combined with Zope's built-in upload functionality
(is that via the HTTP 1.1 protocol??? as well as 2.0 WebDAV
support), there is NO REASON to have to support M$'s proprietary
extensions on the same server as Zope.  Any comments here???  I
think even they are SOL on FP2000 since it REQUIRES an NT Server
for publishing (no more Apache support?).

Bryan J. Smith        mailto:b.j.smith@ieee.org,bjs@crc.com
Software Engineer   http://www.SmithConcepts.com/legal.html
===========================================================
"Microsoft's efforts to position Windows NT as an embedded
 operating system remind one of an elephant entering a
 track meet."                     -- PC Week's Peter Coffee