Fresh install on Linux

We are in planning stages of changing from Luminis on Windows to Linux.

Our current plan is to completely reinstall our environments with no migration of data. Fresh from the ground up. Our current setup is two environments, prod and test. In each setup there is a resource server, web server, and an email/calendar server. The database is also on a separate machine as well.

I would like to make this a setup of one server (resource and web on one box). We would eliminate the email/calendar server due to it not being needed. This setup would require the Luminis Resource/Web server to be outside our firewall.

Our Director of Infrastructure and Security feels as though it is more secure to stay in our current Parallel Deployment environment due to there being EAS set up for authentication against Active Directory. He feels as though this is a security hole, seeing as, from what I understand, Luminis actually keeps the username and password encrypted in its LDAP. Is that right?

What are the security concerns with putting the Luminis system outside the firewall?

Thanks in advance.

-SKerstiens


Security

We are running our Luminis instance on a two box system. One box is the Resource/Web Server and the other is the database server. We just have a tunnel to the outside world that allows the HTTP traffic through. All other ports are blocked by the firewall. I don't know if you are considering the web port open as having the system outside the firewall. All of the AD authentication is done on the inside of the firewall so there isn't a security concern. Somebody else may say this isn't a good setup but it has worked great for us.

Security considerations

Luminis does keep the usernames and passwords of users in its LDAP. Look at the entries pdsExternalSystemID and pdsPssEntry. It doesn't seem to be encrypted using the user-supplied password to encrypt the value. This is how passwords are typically encrypted so that they remain one way. I say this because an administrator can supply a key and recover credentials on behalf of a user without knowing the user's password.

The LDAP server only runs on the resource tier however, so your portal tiers can be accessible to the public while minimizing your risk of exposure. That being said, the portal tiers do maintain a connection to the LDAP server at all times, so malicious code could compromise the data.

I would certainly restrict access to only needed ports no matter what configuration you go with.

DMZ setup

I would not put Luminis outside of your firewall. If you do so, you'll have to allow traffic from this machine to access the following internal servers in order for things to work properly (and I'm pretty sure that your network administrator/security officer is not going to be comfortable allowing public routes from a server outside of your firewall to these internal machines):

  • Luminis database server (jdbc SQL connection)
  • Banner database server (jdbc SQL connection)
  • Your OEM server (for the Middle Tier SSO pieces if you've done them)
  • Your EAS server (if you're not having your users authenticate against Luminis LDAP, but an external EAS)

The better route is to put the Luminis server(s) into a DMZ, then configure select port access on the internal firewall/router between the DMZ subnet and your internal network to the relevant internal servers.

As others have mentioned, you can open select public ports on your external firewall to allow Luminis to function properly. The list of public ports is in the Luminis installation guide & I think also the Luminis administration guide, so you should be able to provide this list to your network administrator so that they can configure traffic on these ports.

Alice Kim
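An added example (not code from this thread or from Luminis) of auditing a firewall log for the DMZ host against the short allow-list of internal servers described above. The addresses, ports and log format are assumed placeholders; the real port list comes from the Luminis installation guide.

```python
"""Audit outbound flows from a DMZ-hosted Luminis box against an allow-list.

The allow-list mirrors the four internal destinations named in the thread
(Luminis DB, Banner DB, OEM, EAS). Everything else from the DMZ host is a
violation worth investigating, which is the point of the DMZ placement.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed internal destinations and ports (placeholders, not real config).
ALLOWED_FLOWS = {
    ("10.0.1.10", 1521): "Luminis database (JDBC)",
    ("10.0.1.11", 1521): "Banner database (JDBC)",
    ("10.0.1.20", 7777): "OEM server (Middle Tier SSO)",
    ("10.0.1.30", 636): "EAS server (external authentication)",
}
DMZ_LUMINIS_HOST = "192.0.2.10"  # assumed DMZ address of the Luminis box


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_log_line(line: str) -> Optional[Flow]:
    """Parse a constructed 'SRC=... DST=... DPT=...' style firewall log line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Flow(fields["SRC"], fields["DST"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return None  # malformed or unrelated line


def audit(lines):
    """Return (allowed, violations) for flows that originate on the DMZ host."""
    allowed, violations = [], []
    for line in lines:
        flow = parse_log_line(line)
        if flow is None or flow.src != DMZ_LUMINIS_HOST:
            continue  # inbound public traffic and garbage are out of scope here
        (allowed if (flow.dst, flow.dport) in ALLOWED_FLOWS else violations).append(flow)
    return allowed, violations


# Constructed sample log: two permitted flows, one SMB attempt to an
# internal file server, one inbound public HTTPS hit, one junk line.
SAMPLE_LOG = [
    "FW: SRC=192.0.2.10 DST=10.0.1.10 DPT=1521 PROTO=TCP",
    "FW: SRC=192.0.2.10 DST=10.0.1.30 DPT=636 PROTO=TCP",
    "FW: SRC=192.0.2.10 DST=10.0.1.50 DPT=445 PROTO=TCP",
    "FW: SRC=203.0.113.5 DST=192.0.2.10 DPT=443 PROTO=TCP",
    "kernel: link is up",
]
```

Feed it real firewall logs from the internal firewall/router between the DMZ subnet and the internal network; any violation is a connection the DMZ host should never have been allowed to make.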

we just did the same thing last year

Luminis DOES encrypt the password in its LDAP server. I am not fully aware of any issues that would prevent you from putting it outside the firewall but it certainly seems more secure to keep Luminis behind the firewall.