hardening plone, a military-strength cms
DESCRIPTION
Talk given by Kim Chee Leong and Kees Hink at the 2009 Plone Conference in Budapest (PloneConf2009)

TRANSCRIPT
Hardening Plone
A Military-Strength CMS
Hardening the Plone stack
A Military-Strength CMS and its infrastructure
Class rules
● Feel free to ask questions
About us
● Kees Hink
  – Plone developer since January 2008
● Kim Chee Leong
  – Plone developer since May 2007
Introduction
● This talk is about:
  – Making the Plone stack even more secure
  – Not much about Plone itself
  – How to get others to acknowledge that it's secure
● For whom?
  – New to Plone
  – Marketing
  – Developers
Overview of sections
● Why security?
● Our use case
● Plone
● Infrastructure
● Audits (and feedback)
The internet is evil
● Have to protect against:
● Cross site scripting
● Unencrypted connections
● Spoofing
● Password cracking
● Mail interception
● Server hacking
● SQL injection
SQL Injection
Comic by XKCD: http://xkcd.com/327/
Our use case
● Two portals:
● Plone as a DMS for online collaboration
  – Largely standard Plone
  – Alternative to SharePoint
  – Sensitive data
● Plone as a user-friendly file upload system
  – Document upload by suppliers
  – User-friendly upload
Security of default Plone
● Plone (Zope) is pretty secure by default
● Quantitative comparison:
  – Track number of hits on Google
  – See number of vulnerabilities in the National Vulnerability Database
● Qualitative comparison:
  – See article "Security overview of Plone" on plone.org
Small Plone modifications
● Disable self-registration
● Workflow + permissions
● Additional Products
  – Aagje (activity log)
  – LoginLockout
How to protect?
● Let's start with a secure location
Infrastructure
● Secure hosting
  – Trusted hosting partner
  – Secure hosting
  – Dedicated servers
● Operating system
  – Security updates
● Company procedures
  – Who has access?
● Only HTTPS port is opened to the internet
● VPN-only access for all except HTTPS
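The two bullets above describe a network policy rather than a tool, so here is an added example (not from the talk or its authors) of what that policy looks like as an iptables ruleset on the Debian hosts the talk mentions. The VPN address range, the SSH port 22 and the Zope instance port 8080 are assumptions; the talk names none of them. The `fw_check` function is the part worth keeping: it refuses a ruleset in which any port other than 443 is reachable without a source restriction, which is exactly the mistake that would silently undo the "only HTTPS is open" rule.

```shell
#!/bin/sh
# Added example, not from the talk: iptables ruleset for the policy
# "only the HTTPS port is open to the internet, everything else via VPN".
# Assumptions (not stated in the talk): the VPN hands out addresses from
# the subnet given as $1 (e.g. 10.8.0.0/24), SSH listens on 22 and the
# Zope instance (ZMI included) listens on 8080.

# fw_rules VPN_SUBNET -> prints a ruleset in iptables-restore format.
# The INPUT policy is DROP, so anything not listed is unreachable.
fw_rules() {
    vpn_net=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s $vpn_net -p tcp --dport 22 -j ACCEPT
-A INPUT -s $vpn_net -p tcp --dport 8080 -j ACCEPT
-A INPUT -s $vpn_net -p icmp -j ACCEPT
COMMIT
EOF
}

# fw_check: reads a ruleset on stdin and returns 1 if any port other than
# 443 is accepted without a source (-s) restriction, 0 otherwise.
# Run it before iptables-restore so a careless edit cannot open the ZMI
# or SSH to the whole internet.
fw_check() {
    bad=$(grep -- '--dport' | grep -v -- '-s ' | grep -v -- '--dport 443 ' || true)
    if [ -n "$bad" ]; then
        printf 'ports open to the world besides 443:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (as root), only loading the rules when the check passes:
#   fw_rules 10.8.0.0/24 | fw_check && fw_rules 10.8.0.0/24 | iptables-restore
```

Note that no rule for port 80 appears at all: the later slide "Use HTTPS only (no redirects from HTTP)" is implemented by simply not listening there, rather than by redirecting.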
Infrastructure: OS
● Modifications on Debian Linux to enhance security
  – Different system user for each Zope instance
  – Regular security updates
  – Tighten filesystem permissions
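"One system user per instance" and "tighten filesystem permissions" are easy to state and easy to let drift, so here is an added example (not the authors' script) that creates the dedicated account and, more usefully, audits an instance directory so the drift is caught. The layout is an assumption: the instance lives in a directory whose `var/` subtree holds the ZODB (Data.fs, blobs and logs), which is the layout a buildout-based Zope instance normally has.

```shell
#!/bin/sh
# Added example, not from the talk: one non-login system user per Zope
# instance, and a permission audit for the instance directory.
# Assumed layout (not from the talk): instance in DIR, database under DIR/var.

# make_instance_user NAME DIR  (run as root, Debian adduser)
# Creates a system account with no login shell whose home is the instance.
make_instance_user() {
    adduser --system --group --home "$2" --no-create-home \
        --shell /usr/sbin/nologin "$1"
}

# check_instance_perms DIR OWNER
# Returns 0 when DIR is owned by OWNER, nothing below DIR is world-writable,
# and nothing below DIR/var is readable by other users (another instance's
# account, or a web server user, must not be able to read Data.fs).
check_instance_perms() {
    dir=$1
    owner=$2
    rc=0
    if [ "$(stat -c %U "$dir")" != "$owner" ]; then
        echo "$dir: not owned by $owner" >&2
        rc=1
    fi
    # -perm -002: any path with the "other write" bit set
    if [ -n "$(find "$dir" -perm -002 -print -quit)" ]; then
        echo "$dir: world-writable path found" >&2
        rc=1
    fi
    # -perm -004: any path under var/ with the "other read" bit set
    if [ -d "$dir/var" ] && [ -n "$(find "$dir/var" -perm -004 -print -quit)" ]; then
        echo "$dir/var: readable by other users" >&2
        rc=1
    fi
    return $rc
}

# Usage, e.g. from a nightly cron job per instance:
#   check_instance_perms /srv/zope/dms zope-dms || mail -s "perm drift" ops@example.org
```

The audit only reports; it deliberately does not chmod anything, because the operator should look at why a file became world-readable (a restore, a hand-edited buildout, an upload script) rather than have the symptom hidden every night.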
Infrastructure: Web server
● Apache
  – HTTPS
  – Get an SSL certificate (Thawte, VeriSign)
  – No rewrite rule for Zope root
  – Keep log files
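The four Apache bullets above fit in one virtual host, so here is an added example (not the authors' configuration) that generates it and then checks the one bullet that is easiest to get wrong, "no rewrite rule for Zope root". A rewrite that maps the public hostname onto the bare Zope root (`VirtualHostBase/https/host:443/VirtualHostRoot`) or that proxies to the Zope port without the virtual host monster at all would expose the ZMI and every other object in the Zope tree under the public URL; the rule must name the Plone site. The hostname, certificate paths, Zope port 8080 and site id `Plone` are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: Apache HTTPS virtual host for a Plone
# site behind Zope, plus a check that no RewriteRule reaches the Zope root.
# Assumed values (not from the talk): hostname, certificate paths,
# Zope on 127.0.0.1:8080, Plone site id given as $2.

# write_vhost HOSTNAME SITE_ID -> prints the virtual host configuration
write_vhost() {
    host=$1
    site=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/$host.pem
    SSLCertificateKeyFile   /etc/ssl/private/$host.key
    SSLCertificateChainFile /etc/ssl/certs/$host-chain.pem

    # Keep per-site logs; they are the audit trail the auditors ask for
    ErrorLog  /var/log/apache2/$host-error.log
    CustomLog /var/log/apache2/$host-access.log combined

    RewriteEngine on
    # Map the public URL onto the Plone site only.  Rewriting onto the bare
    # Zope root would publish the ZMI and every other Zope object.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/$host:443/$site/VirtualHostRoot/\$1 [L,P]
</VirtualHost>
EOF
}

# check_vhost_rewrites FILE
# Returns 1 if a RewriteRule exposes the Zope root, i.e. either
#  (a) VirtualHostBase/<proto>/<host:port>/VirtualHostRoot with no site id, or
#  (b) a proxying rule ([P]) that bypasses the virtual host monster entirely.
check_vhost_rewrites() {
    f=$1
    root_vhm=$(grep -E 'VirtualHostBase/[^/]+/[^/]+/VirtualHostRoot' "$f" || true)
    raw_proxy=$(grep -E '^[[:space:]]*RewriteRule.*\[[^]]*P[^]]*\]' "$f" \
                | grep -v VirtualHostBase || true)
    if [ -n "$root_vhm$raw_proxy" ]; then
        printf 'rewrite exposes the Zope root:\n%s\n%s\n' "$root_vhm" "$raw_proxy" >&2
        return 1
    fi
    return 0
}

# Usage:
#   write_vhost dms.example.org Plone > /etc/apache2/sites-available/dms.conf
#   check_vhost_rewrites /etc/apache2/sites-available/dms.conf && a2ensite dms
```

The ZMI itself stays reachable for administrators directly on port 8080, which the firewall only exposes over the VPN; the public virtual host never needs to carry it.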
SSL certificate
Just to keep your attention
http://xkcd.com
Audits
● Document your procedures
  – We are using parts of ITIL
● Get audits
  – Technical audit
  – Process audit
Technical security audit
● Done by 3rd party
  – They have a checklist
  – They report back in a structured way
● Black box audit
  – From outside, on Plone portal
● Crystal box audit
  – On server, with root access
  – Check user permissions, etc.
Recommendations for Plone
● Plone itself is pretty secure
● Modifications:
  – Quota (file upload limit)
  – Cookie settings (HttpOnly, Secure), fixed with Apache
● And, of course:
  – disable self-registration, check workflow, permissions, use LoginLockout
Recommendations outside Plone
● Modifications:
  – Use HTTPS only (no redirects from HTTP)
  – Paranoid user permission restrictions
  – Caching header control
● And, of course:
  – secure hosting, VPN, security updates, etc.
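Two of the auditors' findings on these slides, the cookie flags and the caching headers, are both visible in the HTTP response, so one check covers both. Below is an added example (not the authors' code) that audits a response's headers: every `Set-Cookie` must carry `HttpOnly` and `Secure`, and `Cache-Control` must forbid shared caches from storing the page. The two responses are constructed for the example, not captured from the authors' portals; the Apache fix quoted in the comments is the standard mod_headers recipe for the "fixed with Apache" bullet, written here as an assumption about how they did it.

```shell
#!/bin/sh
# Added example, not from the talk: audits HTTP response headers (on stdin)
# for the cookie and caching recommendations.  The responses below are
# constructed samples; __ac is Plone's login cookie name.

# The fix on the Apache side (mod_headers, Apache 2.2.4 or later), assumed
# to be what "fixed with Apache" refers to:
#   Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
#   Header set  Cache-Control "private, no-store"

GOOD_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: __ac=abc123; Path=/; HttpOnly; Secure
Cache-Control: private, no-store
Content-Type: text/html'

BAD_RESPONSE='HTTP/1.1 200 OK
Set-Cookie: __ac=abc123; Path=/
Cache-Control: max-age=3600, public
Content-Type: text/html'

# audit_headers: reads response headers on stdin; returns 0 when every
# Set-Cookie carries HttpOnly and Secure and Cache-Control contains
# no-store or private, 1 otherwise (findings go to stderr).
audit_headers() {
    hdrs=$(cat)
    rc=0
    cookies=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' || true)
    for flag in HttpOnly Secure; do
        # A flag counts only as a whole attribute ("; Secure"), so a cookie
        # merely named secure_token does not pass.
        missing=$(printf '%s\n' "$cookies" \
                  | grep -ivE ";[[:space:]]*$flag([[:space:]]*;|[[:space:]]*$)" \
                  | grep -i '^Set-Cookie:' || true)
        if [ -n "$missing" ]; then
            printf 'cookie without %s: %s\n' "$flag" "$missing" >&2
            rc=1
        fi
    done
    # Pages for logged-in users must never be stored by a shared cache.
    if ! printf '%s\n' "$hdrs" | grep -i '^Cache-Control:' | grep -qiE 'no-store|private'; then
        echo 'Cache-Control lacks no-store/private' >&2
        rc=1
    fi
    return $rc
}

# Demo on the constructed responses:
printf '%s\n' "$GOOD_RESPONSE" | audit_headers && echo "good response: OK"
printf '%s\n' "$BAD_RESPONSE"  | audit_headers || echo "bad response: findings above"

# Against a live site (assumed hostname):
#   curl -sI https://dms.example.org/ | audit_headers
```

The same function run from cron against the portal is a cheap regression check between the formal audits: the third party comes once, the headers can change on any deployment.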
Technical audit final result
● We implemented these recommendations before the next audit; the setup was tested again and approved.
Process security audit
● Done by our client's accountants
● Check processes:
  – Talk about our server management documents (esp. security-related)
  – Talk about certification of hosting partner
  – Talk to technical auditing party
  – Talk to us, again...
Recommendations for Plone
● Confidentiality and user agreement
Process audit final result
● We passed!
Image by Getty Images
Wrapping up
● Done:
  – Think about how to secure our existing setup even more
  – Have specialists check our setup + procedures
  – Implement their recommendations
● Result: Plone is officially 100% secure.
Remaining questions?