Placing the Vault server in a DMZ

This forum is now locked, since Gold Support is no longer offered.


Post by aluetjen » Wed May 19, 2004 1:07 am

Hello,

We're going to make the Vault server available through the internet. We're not using VPN, as many firewalls deny outbound traffic on those protocols.

Questions:

* Are there any "Best Practice/How To" documents as this is probably a very common scenario?

* What do we need to take care of concerning security?

* Is there a mechanism in Vault that prevents passwords from being brute-force attacked? Does Vault lock out accounts with too many invalid password requests?

Regards,

Alexander
update4u Software AG


Some more detailed questions...

Post by aluetjen » Wed May 19, 2004 1:42 am

1.) How can I disable the Vault web? As I need to allow anonymous authentication, everyone can actually do a port scan and see "Hey cool, a responding web server, let's play with it" ;-))).

2.) The most preferred solution would be a client certificate that would be required to access the Vault web server. This would enable me to grant access to the server on a machine basis. Is that possible or queued?
update4u Software AG

Re: Placing the Vault server in a DMZ

Post by ericsink » Wed May 19, 2004 7:40 am

aluetjen wrote:
> * What do we need to take care of concerning security?

First of all, you should set up SSL. If you want an official certificate, you will have to pay money to Verisign or one of its ilk. However, Vault will function with a self-signed certificate as well.

Of course, we do recommend using your firewall to block access to all ports other than 443 (HTTP/SSL).

aluetjen wrote:
> * Is there a mechanism in Vault that prevents passwords from being brute-force attacked? Does Vault lock out accounts with too many invalid password requests?

Sorry, no. Vault currently does not lock out accounts with too many failed login attempts.

Eric Sink
Software Craftsman
SourceGear


Re: Some more detailed questions...

Post by ericsink » Wed May 19, 2004 7:42 am

aluetjen wrote:
> 1.) How can I disable the Vault web? As I need to allow anonymous authentication, everyone can actually do a port scan and see "Hey cool, a responding web server, let's play with it" ;-))).

You can use IIS configuration to simply disallow all access to the VaultService/VaultWeb directory.

aluetjen wrote:
> 2.) The most preferred solution would be a client certificate that would be required to access the Vault web server. This would enable me to grant access to the server on a machine basis. Is that possible or queued?

We currently do not support client certificates, but this is already on our list of requested features for a future release.

Eric Sink
Software Craftsman
SourceGear
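
Added example, not part of the thread and not SourceGear code: with no account lockout in Vault and the VaultService/VaultWeb directory meant to be blocked in IIS, both points can be checked from the IIS W3C logs. The log lines, the PLACEHOLDER file names, the set of "denied" status codes and the 20-POSTs-per-minute threshold are assumptions made for this sketch.

```python
from collections import Counter

# Constructed IIS W3C sample. IPs are documentation ranges; PLACEHOLDER file
# names are hypothetical, the thread only names the VaultService/VaultWeb path.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status",
     "2004-05-19 07:40:01 198.51.100.7 GET /VaultService/VaultWeb/PLACEHOLDER.aspx 403",
     "2004-05-19 07:40:05 203.0.113.9 GET /VaultService/VaultWeb/PLACEHOLDER.aspx 200",
     "2004-05-19 07:40:09 198.51.100.7 POST /VaultService/PLACEHOLDER.asmx 200"]
    + ["2004-05-19 07:41:%02d 192.0.2.44 POST /VaultService/PLACEHOLDER.asmx 200" % s
       for s in range(30)])

DENIED = {"401", "403", "404"}  # assumption: statuses that mean "not served"


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def audit(text, blocked="/vaultservice/vaultweb", service="/vaultservice/",
          posts_per_minute=20):
    """Return (requests served from the blocked directory, noisy clients)."""
    exposed, per_minute = [], Counter()
    for r in parse_w3c(text):
        uri = r["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if uri == blocked or uri.startswith(blocked + "/"):
            if r["sc-status"] not in DENIED:
                exposed.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
        elif uri.startswith(service) and r["cs-method"] == "POST":
            # No lockout in Vault, so request rate per client is the signal.
            per_minute[(r["c-ip"], r["date"] + " " + r["time"][:5])] += 1
    noisy = {k: n for k, n in per_minute.items() if n > posts_per_minute}
    return exposed, noisy


if __name__ == "__main__":
    exposed, noisy = audit(SAMPLE_LOG)
    print("served from blocked directory:", exposed)
    print("clients over the POST threshold:", noisy)
```

Any entry in the first list means the IIS deny rule is not in effect for that request; the threshold for the second needs tuning against normal client traffic.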
