I initially re-opened an old thread regarding using client certificates for authentication with the vault client to the server ( http://support.sourcegear.com/viewtopic.php?t=1818 ) and unfortunately there is still no support for this in Vault, and I'm expecting if it is ever implemented, it won't be any time soon. As a result, I'm now looking at other possible solutions to our particular security situation.
What we are needing is a way to restrict certain users to only being able to access the Vault server from the LAN, while allowing other users to connect to the Vault server from the WAN (which everyone currently can do). We currently allow access via SSL only through our firewall to the Vault server and all other authentication is done at the vault server itself. With this scenario, all users can connect with a freely downloadable vault client from outside the firewall as long as they have vault credentials.
I see no way in Vault to restrict access for a user based on where their connection originates. I know I could restrict to certain IP ranges at the firewall, but it really needs to be based on some kind of user credentials and NOT on an IP range, as we have developers spread out geographically who travel, and IP ranges are not guaranteed. One possible solution is using a VPN, but we would prefer a more ubiquitous solution where only the ability to connect via SSL on port 443, with authentication that controls access based on specific credentials, can be enforced.
My initial thought was client certificates since those can be tied directly to Active Directory user accounts in IIS, but that is not an option due to limitations in Vault.
My next thought was potentially using a reverse proxy that authenticates the user, since user credentials can be stored and cleared for a proxy server in the Vault client networking settings, but I am unsure as to whether I can implement this via a proxy that would employ SSL. I understand how SSL works over the proxy. What I don't understand is, if I create this "reverse proxy" and then set up the Vault client to connect to it to get to the Vault server, how will the credentials be sent? Will the credentials be in plain text or encrypted in some manner? Is this determined by the client or the proxy server?
If anyone has a different idea of how to implement our particular security requirements, please feel free to share your ideas.
Thanks,
JE
Vault User Connection Security Challenge
Solution Found!
We have found a solution for our security challenge. Before I fill you in on the solution, I still think that a client certificate implementation in the Vault Client would have been the best solution in this instance and for others as well. That being said, I will get on with the solution.
In addition to providing custom software solutions and mentoring to our clients, Visionpace supplies infrastructure services to clients as well. We are a Sonicwall security appliance partner via our infrastructure services. We implemented a Sonicwall SSL/VPN appliance that not only answers the security issue with source control, but also opened up a number of new capabilities in how we deliver solutions to our clients as well as productivity tools for our employees.
The SSL/VPN has a NetExtender client. This client installs via an ActiveX control through the browser. Configuration is virtually seamless for the client in terms of setting up credentials, configuring where to connect to, etc.
Once the NetExtender client is installed, you can simply log on to the SSL/VPN via a browser, click the NetExtender button, and the ActiveX control takes care of the rest. Authentication for the SSL/VPN can be handled either via a Windows domain, local users on the SSL/VPN device, or via a RADIUS server. Security for exposure to the network can all be managed via groups, individual accounts, and policies on the SSL/VPN device.
Additionally, this moves the burden of encryption to the hardware device and removes the overhead from the web server.
If anyone else has a similar security need for their source control via Vault, Visionpace-IT can assist with implementing a similar solution for your network.
JE