Hi all,
We are looking to deploy Geoserver, but in order to do that I need
to prepare a security plan that (among other things) demonstrates
the secure design of Geoserver. I have been looking through the
Geoserver website and not found any material that deals specifically
with this.
Any pointers to materials on the following aspects of Geoserver would
be appreciated and I promise to summarise and report back:
- existing threat risk modelling (OWASP, Microsoft, TRIKE, DREAD etc.)
- code reviews
- application deployment and hardening
- deployments that are likely to have conducted such assessments
Thanks,
Antti Roppola
----------------------------------------------------------------------
IMPORTANT - This message has been issued by The Department of Agriculture, Fisheries and Forestry (DAFF). The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material. It is your responsibility to check any attachments for viruses and defects before opening or sending them on.
Any reproduction, publication, communication, re-transmission, disclosure, dissemination or other use of the information contained in this e-mail by persons or entities other than the intended recipient is prohibited. The taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this e-mail in error please notify the sender and delete all copies of this transmission together with any attachments. If you have received this e-mail as part of a valid mailing list and no longer want to receive a message such as this one advise the sender by return e-mail accordingly. Only e-mail correspondence which includes this footer, has been authorised by DAFF
----------------------------------------------------------------------
Antti.Roppola@anonymised.com wrote:
GeoServer hasn't done much in the way of security, which is why you haven't found much on the website. We have plans to eventually add user permissions and the like, and really make a secure framework then.
But GeoServer is well coded, and can easily be stuck behind a more secure solution. I believe for the OWS-3 project uDig successfully stuck GeoServer behind DACS: http://dacs.dss.ca/. You can limit the access to specific operations in GeoServer as well, since it uses well-known URLs.
If you do go forth with this, please do share your results, even if for some reason GeoServer ends up as very bad, at the very least an assessment of where it is worst is quite helpful to us.
best regards,
Chris
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
Chris Holmes
The Open Planning Project
thoughts at: http://cholmes.wordpress.com
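Chris's point about gating GeoServer's well-known operation URLs from an outer layer, carried through as an added example that is not part of this thread and not GeoServer's own code: an allow-list decision that a reverse proxy or servlet filter would apply before forwarding a request. The /geoserver/wms and /geoserver/wfs mount paths, the read-only operation table and the namespace table are assumptions for illustration; the sample requests at the bottom are constructed.

```python
"""Allow-list gate for OGC requests reaching GeoServer.

Added example for this thread (not GeoServer code): a reverse-proxy or
servlet-filter style decision that permits only read-only WMS/WFS
operations and denies everything else. The mount path, endpoint table
and permitted-operation table below are assumptions for illustration.
"""
import io
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed deployment: GeoServer under /geoserver, public read-only access.
# Endpoints not listed here (admin UI, other services) are denied.
ENDPOINTS = {"/geoserver/wms": "wms", "/geoserver/wfs": "wfs"}

# Operations permitted per service; WFS Transaction/LockFeature are absent
# on purpose, so writes are refused before they reach GeoServer.
ALLOWED = {
    "wms": {"getcapabilities", "getmap", "getfeatureinfo", "getlegendgraphic"},
    "wfs": {"getcapabilities", "describefeaturetype", "getfeature"},
}

# XML namespace of a POST body -> service. Unknown or missing namespaces are denied.
NS_TO_SERVICE = {"http://www.opengis.net/wfs": "wfs"}

MAX_BODY = 1 << 20  # refuse oversized POST bodies before parsing them


def _kvp(query):
    """Parse OGC key-value-pair parameters (names are case-insensitive).

    A parameter given twice with different values is rejected: the proxy
    and GeoServer might otherwise act on different copies.
    """
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        key = key.lower()
        if key in params and params[key] != value:
            raise ValueError("duplicate parameter " + key)
        params[key] = value
    return params


def _xml_root(body):
    """Return (namespace, local name) of the root element, or (None, None)."""
    if len(body) > MAX_BODY or b"<!DOCTYPE" in body:
        return None, None  # no DTDs: OGC requests never need them
    try:
        for _event, elem in ET.iterparse(io.BytesIO(body), events=("start",)):
            namespace, _, local = elem.tag.rpartition("}")
            return namespace.lstrip("{"), local
    except ET.ParseError:
        pass
    return None, None


def decide(method, url, body=b""):
    """Return (allowed, reason) for one request."""
    parts = urlsplit(url)
    # Decode and collapse dot-segments so /geoserver/wms/../web cannot reach
    # a path that is not in the endpoint table.
    path = posixpath.normpath(unquote(parts.path))
    service = ENDPOINTS.get(path)
    if service is None:
        return False, "path not exposed: " + path
    method = method.upper()
    try:
        params = _kvp(parts.query)
    except ValueError as err:
        return False, str(err)
    if method == "GET":
        operation = params.get("request", "").lower()
        claimed = params.get("service", service).lower()
    elif method == "POST":
        namespace, local = _xml_root(body)
        if local is None:
            return False, "POST body rejected"
        operation = local.lower()
        claimed = NS_TO_SERVICE.get(namespace, "")
    else:
        return False, "method not permitted: " + method
    if claimed != service:
        return False, "service %r does not match endpoint %s" % (claimed, service)
    if operation not in ALLOWED[service]:
        return False, "operation %r not allowed on %s" % (operation, service)
    return True, service + ":" + operation


# Constructed sample requests, run when executed directly.
SAMPLES = [
    ("GET", "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states", b""),
    ("GET", "/geoserver/wfs?service=WFS&request=Transaction", b""),
    ("GET", "/geoserver/wms?request=GetMap&REQUEST=Transaction", b""),
    ("GET", "/geoserver/wms/../web/", b""),
    ("POST", "/geoserver/wfs",
     b'<wfs:Transaction xmlns:wfs="http://www.opengis.net/wfs" service="WFS" version="1.0.0"/>'),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, decide(method, url, body))
```

The gate fails closed: any path, HTTP method, service or operation not in the tables is refused, so whatever other endpoints a given GeoServer version exposes have to be enumerated into ENDPOINTS rather than being reachable by default. It also only decides at the service/operation level; restricting which layers or feature types a caller may read would require inspecting LAYERS and typeName as well, which is the granularity gap the rest of the thread goes on to discuss.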
I don't know if everybody on this list is familiar with the 52north open source project, but they also provide OGC security services (Web Authentication Service and Web Security Service):
http://www.52north.org/
A good presentation is at:
http://www.52north.org/download.php?id=1862907,176,7
Best regards,
Bart
--
Bart van den Eijnden
OSGIS, Open Source GIS
http://www.osgis.nl
Have you tried this out Bart? Any success sticking it in front of GeoServer or MapServer? Or does it not work that way? If it's at the service level then I guess it couldn't really do anything like column level permissions... I think we're interested in a pretty fine level of granularity eventually, like at the level of a datastore. Though perhaps we could reuse some of their code for the connection part.
Chris
--
Chris Holmes
The Open Planning Project
thoughts at: http://cholmes.wordpress.com
Hi Chris,
I haven't tried this out as yet, but do plan to do so in the near future.
Best regards,
Bart
--
Bart van den Eijnden
OSGIS, Open Source GIS
http://www.osgis.nl