Hello,
we're going to make the Vault server available through the internet. We're not using VPN as many firewalls deny outbound traffic on those protocols.
Questions:
* Are there any "Best Practice/How To" documents as this is probably a very common scenario?
* What do we need to take care of concerning security?
* Is there a mechanism in Vault that prevents passwords from being brute-force attacked? Does Vault lock out accounts with too many invalid password requests?
Regards,
Alexander
Placing the Vault server in a DMZ
Moderator: SourceGear
update4u Software AG
Some more detailed questions...
1.) How can I disable the Vault web? As I need to allow anonymous authentication, everyone can actually do a port scan and see "Hey cool, a responding web server, let's play with it".
2.) The most preferred solution would be a client certificate that would be required to access the Vault web server. This would enable me to grant access to the server on a machine basis. Is that possible or queued?
update4u Software AG
Re: Placing the Vault server in a DMZ
aluetjen wrote:
* What do we need to take care of concerning security?
First of all, you should set up SSL. If you want an official certificate, you will have to pay money to Verisign or one of its ilk. However, Vault will function with a self-signed certificate as well.
Of course, we do recommend using your firewall to block access to all ports other than 443 (HTTP/SSL).
aluetjen wrote:
* Is there a mechanism in Vault that prevents passwords from being brute-force attacked? Does Vault lock out accounts with too many invalid password requests?
Sorry, no. Vault currently does not lock out accounts with too many failed login attempts.
Eric Sink
Software Craftsman
SourceGear
Re: Some more detailed questions...
aluetjen wrote:
1.) How can I disable the Vault web? As I need to allow anonymous authentication, everyone can actually do a port scan and see "Hey cool, a responding web server, let's play with it".
You can use IIS configuration to simply disallow all access to the VaultService/VaultWeb directory.
aluetjen wrote:
2.) The most preferred solution would be a client certificate that would be required to access the Vault web server. This would enable me to grant access to the server on a machine basis. Is that possible or queued?
We currently do not support client certificates, but this is already on our list of requested features for a future release.
Eric Sink
Software Craftsman
SourceGear