DEPLOYING PHIXFLOW FOR WEB AND MOBILE ACCESS
PhixFlow 7.0
16 September 2016
Table of contents
1 Introduction
2 PhixFlow security design features
2.1 Secure coding
2.2 Secure authentication
2.3 Authorisation
2.4 Access to other data
2.5 Separation of test data
2.6 Logging & audits
3 Deploying PhixFlow for web access
3.1 Introduction
3.2 Risk Assessments
3.3 Deployment Options
3.4 Deploying via VPN
3.5 Deploying using a DMZ or Screened Subnet
3.5.1 Hardening
3.5.2 Install an X509 Certificate to provide encryption
3.5.3 Configure firewall to allow access to the internal network
3.5.4 Configure firewall to allow access to the internet
3.5.5 General recommendations for using PhixFlow securely
3.6 Intrusion Detection & Prevention (ID/IP)
3.6.1 Patching and Monitoring
4 Deploying PhixFlow for Mobile Access
4.1.1 Centrally managed mobile devices
4.1.2 Auto-lock / PIN unlock
4.1.3 Restrict use in public places
4.1.4 Review read only access
Change History
Version | Date | Author/Approver | Description |
---|---|---|---|
1 | 12-Sep-16 | Craig Strangwick | Initial public version. |
2 | 16-Sep-16 | Andy Humphries | Approved version |
References
Other PhixFlow sources which may be referenced are:
- PhixFlow online help
...
The following architectures are commonly used by operators of remote access business applications when a VPN is not appropriate:
- DMZ using two firewalls. This is the most secure option and often uses firewalls from 2 different vendors.
- Screened sub-net using a tri-homed firewall.
The following table lists the areas that require hardening, with recommendations for each.
Area to Harden | Recommendations |
---|---|
Operating Systems | Refer to the PhixFlow system planning guide and vendor recommendations |
Apache Tomcat application server | Refer to the PhixFlow system planning guide and vendor recommendations |
PhixFlow Database server | Refer to the PhixFlow system planning guide and database vendor recommendations |
PhixFlow Application | Refer to the PhixFlow Installation guide for installation with least-privilege access and removal of installation files and users. |
PhixFlow Solutions Configuration | Review the permissions implemented on any applications. |
...
If your company currently uses intrusion detection monitoring tools, the following information may be helpful.
Whitelist/Blacklist | Pattern | Description |
---|---|---|
Blacklist | .php, .exe, .asp, .aspx | PhixFlow does not use any of these file extensions |
Blacklist | ..\ – <! </script> | Requests with these character combinations are not required |
Whitelist | ? & : | PhixFlow uses these characters in the URL |
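As an added example (not part of the original guide or of PhixFlow itself), the following script applies the blacklist patterns from the table above to web server access log lines, while leaving requests that only contain the whitelisted characters unflagged. The Tomcat-style common log format and the sample log lines are assumed and constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Patterns taken from the PhixFlow intrusion-detection table.
BLACKLIST_EXTENSIONS = (".php", ".exe", ".asp", ".aspx")   # never served by PhixFlow
BLACKLIST_FRAGMENTS = ("..\\", "<!", "</script>")          # never required in a request
WHITELIST_CHARS = "?&:"   # used legitimately by PhixFlow URLs; must not raise an alert

# Assumed Tomcat common access-log layout: ip ident user [ts] "METHOD url proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(url):
    """Return the list of blacklist rules a request URL triggers ([] = allowed)."""
    decoded = unquote(url)          # check the decoded form so %5C, %3C etc. are caught
    path = urlsplit(decoded).path.lower()
    reasons = [f"blacklisted extension {ext}"
               for ext in BLACKLIST_EXTENSIONS if path.endswith(ext)]
    lowered = decoded.lower()
    reasons += [f"blacklisted fragment {frag}"
                for frag in BLACKLIST_FRAGMENTS if frag.lower() in lowered]
    # Whitelisted characters are deliberately not examined: a URL such as
    # /app?view=1&page=2 returns [] and is treated as normal PhixFlow traffic.
    return reasons

def scan_access_log(lines):
    """Yield (ip, url, reasons) for every parsable log line that hits a blacklist rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("url"))
        if reasons:
            yield m.group("ip"), m.group("url"), reasons

# Constructed sample log lines (not real traffic); only the first is legitimate.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2016:10:01:02 +0100] "GET /phixflow/rest/data?view=1&page=2 HTTP/1.1" 200',
    '203.0.113.7 - - [16/Sep/2016:10:01:09 +0100] "GET /phixflow/admin.php HTTP/1.1" 404',
    '203.0.113.7 - - [16/Sep/2016:10:01:11 +0100] "GET /phixflow/..%5C..%5Cwin.ini HTTP/1.1" 400',
    '198.51.100.3 - - [16/Sep/2016:10:02:00 +0100] "GET /phixflow/?q=%3C/script%3E HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, url, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(reasons)}")
```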
To protect PhixFlow from security vulnerabilities, we recommend a best practice approach is used to identify, assess and apply operating system and web application server security updates as soon as possible.
You should also ensure that client operating systems and browsers deploy security updates as soon as possible, if possible using automatic updates for high priority security vulnerabilities.
Audit PhixFlow user accounts regularly, checking for accounts that are no longer needed or not being used, and disable or remove them.
...
When data does need to be entered or viewed in public places, we recommend that customers review screens, processes and access controls to reduce the volume of data exposed.