[Zope] a notable objection

sean.upton@uniontrib.com sean.upton@uniontrib.com
Tue, 16 Oct 2001 09:21:13 -0700


If you don't want to set up proxy servers with HTTPS support and restrictive
ACLs, do VLAN segmentation to decrease the likelihood of sniffing, and set
up secure tunneled clients (in the extreme case) to your Zope server, your
security is as bad as YOU make it, not Zope.  This is simply an issue of
good integration; I've never heard of turnkey application security, except
from sales people.

You can:
- Bind Zope to a particular interface or interfaces, and only the ones you
need
- Place Zope on both public and private networks behind HTTPS/SSL enabled
proxy server gateways with restrictive ACLs
- Keep the proxy server in a fashion that it bridges your network to a
private, segmented VLAN that your Zope server runs on
- Set up SSH or other types of tunnels between hosts that must have FTP
access and your server; this is only in the situation where you are paranoid
about security.
- Keep an audit trail of access via proxy logs
- Bind users to particular domains in Zope and also in proxy ACLs
- Set up proxy auth using HTTP basic auth that uses the same password
verification source as Zope; this, over HTTPS, is secure and allows you to
bind ACLs to user categories, IP addresses, etc. in combination (especially
if your roles closely match ACL user categories).

In other words, there is lots you can do.

Sean
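
As an added illustration of the proxy layer Sean lists above (this is example
configuration written for this page, not anything from his mail or from the
Zope project): an Apache 1.3/2.x-style mod_ssl + mod_proxy front end that
terminates HTTPS, restricts the management screens by both credential and
source address, and keeps the proxy access log as the audit trail. The
hostname, certificate paths, the 10.10.20.0/24 admin subnet, the htpasswd and
group files, and the Zope listener on 127.0.0.1:8080 are all assumptions; the
VirtualHostBase URL also assumes a VirtualHostMonster object exists in the
Zope root so Zope generates https:// links instead of http://127.0.0.1:8080/.

```apache
# Assumed deployment: Zope bound to loopback only (127.0.0.1:8080), Apache
# is the only thing reachable from the network.  All names and paths below
# are placeholders for this example.

# Cleartext port: never serve content, only send clients to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Audit trail: the "combined" format records the authenticated user (%u),
    # source address, request line and status for every proxied request.
    CustomLog /var/log/httpd/zope_ssl_access_log combined
    ErrorLog  /var/log/httpd/zope_ssl_error_log

    # Forward everything to Zope; the VirtualHostMonster path tells Zope to
    # build URLs as https://www.example.com/...  ProxyPassReverse fixes
    # Location: headers Zope emits on redirects.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/https/www.example.com:443/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Public content: reachable by anyone, but only over HTTPS and only
    # through this proxy, so it is still logged here.
    <Location />
        Order allow,deny
        Allow from all
    </Location>

    # Management screens (/manage, /manage_main, .../manage_workspace ...):
    # require BOTH a member of the "managers" group AND a source address on
    # the admin VLAN.  "Satisfy all" is what makes the two checks an AND
    # rather than an OR.  Note the match is coarse: any path containing
    # "/manage" is covered, which also catches content named that way.
    <LocationMatch "/manage">
        AuthType      Basic
        AuthName      "Zope management"
        AuthUserFile  /etc/httpd/zope.htpasswd
        AuthGroupFile /etc/httpd/zope.groups
        Require group managers

        Order deny,allow
        Deny from all
        Allow from 10.10.20.0/24
        Satisfy all
    </LocationMatch>
</VirtualHost>
```

Two practical notes on wiring this to the rest of Sean's list.  First, the
proxy only helps if Zope itself is not reachable directly: start it bound to
the loopback address (with the z2.py start script that is the `-a 127.0.0.1`
option; check `python z2.py -h` on your version for the exact flags, and
disable the cleartext FTP listener there if you do not need it).  Second,
mod_proxy forwards the Authorization header to the backend, so Zope still
checks the same credentials against its own acl_users after Apache has; that
is what makes the "same verification source" point work in practice, and it
means each manager needs the same password in the htpasswd file and in Zope.
For the SSH-tunnel case, remember that FTP's data connections are separate TCP
sessions that a single `ssh -L` port forward does not carry, so file contents
can still cross the wire in the clear even when the control channel (and the
password on it) is tunneled; moving uploads to WebDAV through the HTTPS proxy
avoids that.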

-----Original Message-----
From: Mark James Adams [mailto:mark@raysend.com]
Sent: Monday, October 15, 2001 9:56 PM
To: zope@zope.org
Subject: [Zope] a notable objection


The biggest security problem of Zope is unsecured access. What, you're
still using telnet and ftp? What's the use of all the users, roles, and
permissions if someone can sniff my Manager password?

--
Mark James Adams
mja27@cornell.edu | mark@raysend.com | http://www.raysend.com
"Who knows which moments make us who we are? Some of them? All of 
them?"  - Lynda Barry



_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )