Website security options

[Alex]

Hi,

I have a project rebuilding a company website that does not have any CMS managing it at the moment.

There is also the need for a separate site they refer to as an 'intranet' but it is more like a company resources website which is accessed by multiple interstate offices and also by sales staff on the move. This site contains files and info they would consider sensitive information.

I am interested in using the multi-site feature of processwire to share some files across both sites.

The resources website will have user login access, does anyone have any advice on additional security to protect the more sensitive company files?

I have just started looking into VPN hosting for example, would this be necessary? Can I still use multi-site processwire if the company website does not require the VPN?

[Pete]

I think all you really need to do is make sure people have to log in yo view the content and use an SSL certificate for the intranet for good measure to encrypt the flow of data from the site to the users.

Then it can just go on normal hosting.

Of they're running im am Active Directory environment on their company network then this could be useful for authentication but it's not straightforward to set up:

[Wanze]

Hi Alex,

For the sensitive data, maybe the secured pagefiles introduced with PW 2.3 are an option for you.

Here's what ryan posted in the 2.3 announcement thread:

Add support for secured pagefiles. Now unpublished or non-public pages may have their files (in /site/assets/files/...) protected from direct URL access. For existing installations, you need to add $config->pagefileSecure = true; to your /site/config.php in order to enable this capability. See also $config->pagefileUrlPrefix and $config->fileContentTypes in /wire/config.php, if interested. Files become secured when the page is not accessible to the 'guest' role.

[Alex]

Thanks Pete & Wanze,

PW 2.3 secured pagefiles might be enough - really good to know. An SSL cert. could be another layer if necessary, i'll have to discuss it with them.

cheers,

Alex

[netcarver]

If you do use SSL certs for parts of the site, and if those parts are not 'public' you could try using self-signed certs as you probably don't need to go to the expense of getting anything fancy from a "trusted" third party.

[JeffS]

In a corporate environment I would strongly suggest not hosting the intranet on the same server as a public facing site. In addition you would want to secure the intranet behind a firewall in a DMZ and use a web application firewall like mod security as well.  Also you would typically separate your DB from your HTTP server and pass those communications through a FW and VLAN with monitoring.  Sounds like overkill? Check out the cost for a typical compromise.  Happens every day. 

I don't know your environment, but the fastest attack path against / into a company is compromising a site/server that employees use.  That is not to say the PW is a security issue, but that security should be layered. And as soon as you start serving up sensitive corporate data, the game changes. Just saying. 

This site contains files and info they would consider sensitive information.

[Alex]

thanks for adding to this thread Jeff, lots to think about!