Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

title
Info

For Datafari 5.1

The documentation below is valid from Datafari v5.1 CE and EE

There are many ways to secure an application.

...

Another way of securing the application is to use SSL Offloading. It is the security that we chose into Datafari. Basically we delegate the functions required for SSL/TLS, namely the handshake and the encryption/decryption to a dedicated component in front of the user. So all the servers behind the reverse proxy communicate as usual.

More precisely it is called SSL Termination in this case :

...

The proxy server/load balancer we use for the SSL offloading acts as the SSL terminator. When a client attempts to connect to Datafari, the client still has a secure connection with the SSL terminator, which is acting as a pass-through.
The Datafari architecture is like this for monoserver and multiservers :

Gliffy
imageAttachmentIdatt572489754
baseUrlhttps://datafari.atlassian.net/wiki
macroIdb553e23b-98ac-4b71-b892-ae1aead5d1c7
namearchitecture_apache_monoserver
diagramAttachmentIdatt572915738
containerId572981249
timestamp1551367212427

Architecture Apache reverse proxy monoserver

Gliffy
imageAttachmentIdatt572784669
baseUrlhttps://datafari.atlassian.net/wiki
macroId0350af8e-8c36-459d-9c7c-9e2f5e81ffe8
namearchitecture_apache_multiservers
diagramAttachmentIdatt572784664
containerId572981249
timestamp1551367340063

Architecture Apache reverse proxy multiserver

This solution is a good compromise between the secuirty and the maintenance. The network part between the load balancer and the Datafari servers can be more secured by isolating the servers by their own VLAN or IPSEC tunneling for example.

By using VLAN, we avoid all broadcast attacks like ARP cache poisoning, DHCP spoofing, smurf attack,, MAC table overflow, etc …)

According to section 4.1 of

...

the PCI Data Security Standard

...

 any merchant handling credit card data should:

"...use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

This means that Front End SSL is allowed, as once the data reaches the load balancer, it is considered to have entered a secure private network.

...

title
Info

For Datafari 4.3

The documentation below is valid from Datafari v4.3 only EE version

There are many ways to secure an application.

...

Another way of securing the application is to use SSL Offloading. Basically we delegate the functions required for SSL/TLS, namely the handshake and the encryption/decryption to a dedicated component in front of the user. So all the servers behind the reverse proxy communicate as usual.

More precisely it is called SSL Termination in this case :

...

The proxy server/load balancer we use for the SSL offloading acts as the SSL terminator. When a client attempts to connect to Datafari, the client still has a secure connection with the SSL terminator, which is acting as a pass-through.
The Datafari architecture is like this for monoserver and multiservers :

Gliffy
imageAttachmentIdatt572489754
baseUrlhttps://datafari.atlassian.net/wiki
macroIdb553e23b-98ac-4b71-b892-ae1aead5d1c7
namearchitecture_apache_monoserver
diagramAttachmentIdatt572915738
containerId572981249
timestamp1551367212427

Architecture Apache reverse proxy monoserver

Gliffy
imageAttachmentIdatt572784669
baseUrlhttps://datafari.atlassian.net/wiki
macroId0350af8e-8c36-459d-9c7c-9e2f5e81ffe8
namearchitecture_apache_multiservers
diagramAttachmentIdatt572784664
containerId572981249
timestamp1551367340063

Architecture Apache reverse proxy multiserver

This solution is a good compromise between the secuirty and the maintenance. The network part between the load balancer and the Datafari servers can be more secured by isolating the servers by their own VLAN or IPSEC tunneling for example.

By using VLAN, we avoid all broadcast attacks like ARP cache poisoning, DHCP spoofing, smurf attack,, MAC table overflow, etc …)

According to section 4.1 of

...

the PCI Data Security Standard

...

 any merchant handling credit card data should:

"...use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

This means that Front End SSL is allowed, as once the data reaches the load balancer, it is considered to have entered a secure private network.