Differences

This shows you the differences between two versions of the page.

--- evergreen-admin:security:firewall [2007/10/03 20:48] – Update Jabber server security recommendations dbs
+++ evergreen-admin:security:firewall [2022/02/10 13:34] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+[[user-comments:evergreen-admin:security:firewall|User Comments]]
+====== Security Considerations: Firewall ======
+In general, we recommend reading more about networking from starting points like [[http://en.wikipedia.org/wiki/Network_port|Wikipedia]] and more authoritative sources on network security.
+===== Incoming ports =====
+Generally, there are about 4 zones you should have for your Evergreen system.  These are as follows:
+  - Localhost (stuff on the server, accessed only by the server)
+    - Jabber server: This is the base messaging system of the OpenSRF network. If you are using the recommended Jabber server (eJabberd), access requires an authenticated username / password combination and is considered secure. The built-in Jabber server, "chop chop", performs no authentication, is insecure by definition, and should not be used in a production system.
+      - **Single-server scenario**: For a single-server system which runs Jabber, PostgreSQL database, Apache web server, and the memcached server, there is no need for the Jabber server to listen to any services outside of ''localhost''.
+      - **Multi-server scenario**: For a multi-server system which runs Jabber and the OpenSRF Router on one of several servers, only the Apache web server and any OpenSRF application servers requires access to the Jabber server.
+  - Evergreen System Administrators (people who administer the bowels of the evergreen system)
+    -The big consideration here is the HTTP directory of the web server.  This contains the config bootstrap script.  Although damaging things can't really be done (IE: everything likely has attachments, so they can't be deleted), a user can create a dozen new libraries with a few clicks.  Nobody other than the IT/Evergreen Administration Staff should have access to this directory.
+  - General Public (people who use the PAC)
+    - The general public will need access to the web server (port 80) for the OPAC.
+    - 443: SSL in the OPAC
+  - Library Staff (People who use the staff client)
+    - The staff client uses the same ports as the public interface, so ports 80 and 443 will need to be opened.
+===== Outgoing ports =====
+Note that these are ports on external servers to which your Evergreen server(s) might need to connect. As a reminder of [[http://en.wikipedia.org/wiki/Network_port|basic networking principles]], outgoing connections on the Evergreen server(s) are assigned to random ports - so when connecting to port 210 on zed.example.com, your Evergreen server might use local port 37080 to make the connection.
+  - 25: SMTP-For E-mail notifications
+  - 80: Web traffic (Syndicated content, Book Jackets, etc)
+  - 210: Z3950 (OCLC, LC, etc).  Note that while 210 is commonly used by Z39.50 servers, it's not the only one in use; for example, the LC Z39.50 server uses port 7090.
+Again: this list is just a start, and by all means incomplete.