Bitrix Software Security - PowerPoint PPT Presentation

Slides: 21
Provided by: Kolom

Transcript and Presenter's Notes

1
Bitrix Software Security
Bitrix Intranet Portal
Bitrix Site Manager

2
  • Site. Portal. Image. Reputation.

Your web site is a part of the corporate
infrastructure. More than 50% of attacks are done
through the Web. Corporate site hacks hurt the
reputation and image of a company. What is more,
the loss of data and client information leads to
direct material losses. The more solid and
famous the name and products of a company, the
more substantial the risks and losses caused by a
corporate site hack can be.

Which to choose?
3
Security at All Stages

During the development of the Bitrix Site Manager
software, particular attention is paid to
security issues at all stages of development and
testing.
  • Security policy: a set of rules restricting user
    authorization in order to ensure a certain level
    of security
  • Unified authorization system: all permissions in
    the system are distributed among user groups only
  • Unified user account for all modules
  • Two-level system of access permission
    distribution
  • Access control system independent of the page
    business logic
  • Strong password rules
  • Stored authorization
  • SiteUpdate system
  • System event log

My Site is My Castle
4

New Approach to Security
Proactive Protection is the latest security
technology, combining technical and organizational
measures that allow combating malicious programs
that have been modified, as well as those that
are still unknown.
  • Highlights:
    • Security Panel with security levels
    • Web Application FireWall
    • One-time Password Technology (OTP)
    • Authorized Sessions Protection
    • Activity Control
    • Intrusion Log
    • IP-based Control Panel pages
    • Stop Lists
    • Script Integrity Monitor
    • Phishing Protection

Proactive Protection: Armed Castle
5
Security Panel with Security Levels
With the Proactive Protection module, you can
significantly improve the security of your site.
You need only to select and configure one of the
module security levels.
  • Security levels:
    • Basic: assigned to all web projects running
      without the Proactive Protection module
    • Standard:
      • Web Application FireWall (for the entire site)
      • Weekly intrusion log
      • Activity Control
      • High security level for administrators
      • CAPTCHA-protected registration procedure
      • Error logging (errors only)
    • High: Standard plus
      • Kernel module event logging
      • Control Panel protection
      • Storing sessions in the database
      • Session ID change
    • Highest: High plus
      • One-time password technology
      • Control script integrity verification

6
Web Application FireWall (Proactive Filter)
The Proactive Filter is the most effective way to
protect sites against possible security defects
in the web project implementation (XSS, SQL
injection, PHP file inclusion, and others).
  • Protection against most known web attacks
  • Screening the application from the most
    persistent attacks
  • Filter exclusion list (with wildcards)
  • Recognition of the most dangerous threats
  • Blocking of site intrusions
  • Protection from possible security errors
  • Keeping an attack log
  • Informing the administrator of intrusions
  • Configurable firewall reaction to intrusion
    attempts:
    • Make the data safe
    • Wipe the unsafe data
    • Temporarily add the attacker's IP address to
      the stop list

7
One-time Password Technology (OTP)
The concept of one-time passwords strengthens the
standard authorization scheme and significantly
reinforces web project security. The one-time
password system requires a physical hardware
token (device), e.g. Aladdin eToken PASS, or
special OTP software.
What does OTP give you? Confidence that only the
user to whom a token was issued can log in to the
site. Password interception loses its meaning,
as each password can be used only once.
A token is a physical hardware device that
generates a unique password only when the token
button is pressed. This means that a token owner
cannot tell the password to a third party to let
them log in as well.
[Slide diagram labels: "the password", "your
password", "unique numerical combination"]
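
The server side of the scheme described above, as an added example that is not Bitrix code. The presentation does not name the token algorithm; this example assumes the OATH event-based HOTP algorithm (RFC 4226), models a button press as a counter increment, and uses a look-ahead window so that presses that never reached the server do not lock the user out.

```python
# Added example (not Bitrix code): verification of event-based one-time
# passwords. Assumes the OATH HOTP algorithm (RFC 4226), which the slides do
# not name; a token that yields a new code per button press is a counter.
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """Simulated button-press token: every press yields the next code."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Server side: remembers the next expected counter so a code works once."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.next_counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        # Look ahead a few counters so presses that never reached the server
        # (a pocket press) do not lock the user out; consumed counters are gone.
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


SECRET = b"12345678901234567890"  # constructed: the RFC 4226 test-vector secret


def demo() -> tuple:
    token, server = HardwareToken(SECRET), OtpVerifier(SECRET)
    first = token.press()
    accepted = server.verify(first)
    replayed = server.verify(first)        # an intercepted code is useless
    token.press()                          # a press that never reached the server
    resync = server.verify(token.press())  # still inside the look-ahead window
    return accepted, replayed, resync
```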
8
Authorized Session Protection
Most web attacks aim to steal the data of an
authorized user's session. Enabling Authorized
Session Protection makes session hijacking
pointless.
  • Session protection methods:
    • Limited session lifetime (minutes)
    • Recurring session ID change (regeneration)
    • Network mask to associate a session with a
      specific IP
    • Storing session data in the module database
  • Eliminates errors in:
    • Virtual hosting and OS configuration
    • Temporary folder permission settings
    • And more
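
The three session protection methods listed above, as an added example that is not Bitrix code: a bounded lifetime, recurring session ID regeneration, and binding the session to the client's network under a configurable mask. Records are kept in an in-memory dict here where the module would use its database; the lifetime, rotation interval and mask values are assumptions.

```python
# Added example (not Bitrix code): a session store that enforces a lifetime,
# rotates the session ID periodically, and binds each session to the client's
# network under a mask (IPv4 assumed), so a cookie stolen and replayed from
# another network, or after expiry, is rejected.
import ipaddress
import secrets


class SessionStore:
    def __init__(self, lifetime_s: int, rotate_every_s: int, mask_bits: int):
        self.lifetime_s = lifetime_s
        self.rotate_every_s = rotate_every_s
        self.mask_bits = mask_bits
        self.sessions: dict = {}

    def _network(self, ip: str):
        return ipaddress.ip_network(f"{ip}/{self.mask_bits}", strict=False)

    def create(self, user: str, ip: str, now: float) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "net": self._network(ip),
                              "created": now, "rotated": now}
        return sid

    def validate(self, sid: str, ip: str, now: float) -> tuple:
        """Returns (user, current_sid) or (None, None); the sid may change."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None, None
        if now - rec["created"] > self.lifetime_s:
            del self.sessions[sid]   # limited session lifetime
            return None, None
        if ipaddress.ip_address(ip) not in rec["net"]:
            del self.sessions[sid]   # cookie presented from another network
            return None, None
        if now - rec["rotated"] >= self.rotate_every_s:
            # recurring session ID change: the old ID stops working at once
            new_sid = secrets.token_hex(16)
            rec["rotated"] = now
            self.sessions[new_sid] = self.sessions.pop(sid)
            sid = new_sid
        return rec["user"], sid
```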

9
Activity Control
  • Protection from overly active users
  • Protection from bots
  • Protection from DDoS attacks
  • Preventing password brute-force attempts
  • Setting the maximum possible visitor (human)
    activity quota
  • Registering an excess of the activity rate in
    the intrusion log
  • Blocking visitors exceeding the activity quota
  • Showing a special information page to a blocked
    visitor

You can set the maximum user activity for your
site (for example, the number of queries per
second).
10
Intrusion Log
All events occurring in the system, including
unusual or malicious ones, are logged. You can
view log entries immediately after they are
generated: the log is updated in real time, so
you can view events as soon as they have been
registered. This lets you discover attacks and
intrusion attempts while they occur, so you can
respond immediately and even prevent attacks.
  • Immediate registration of all system events
  • Filter for malicious events
  • Real-time viewing and analysis of events
  • Immediate reaction to malicious events

11
IP-based Control Panel Pages
This type of protection strictly restricts the
networks from which users are allowed to access
the Control Panel. All you have to do is specify
the permitted IP addresses (or a range). No need
to worry about forgetting to add yourself to this
list: the system checks your IP automatically.
What effect does this protection produce? Any
XSS/CSS attacks become ineffective, and
interception of authorization data is absolutely
useless.

12
Stop Lists
The stop list contains parameters used to
restrict access to a site and, optionally, to
redirect to a specified page. Any visitor
matching the stop list criteria (e.g. an IP
address) will be blocked.
  • Redirects visitors matching the stop list
    entries
  • Blocks visitors by their IP addresses
  • Manages stop list entries
  • Collects statistics on visitors matching the
    stop list criteria
  • Allows you to specify the ban duration for
    users, IP addresses, network masks, User-Agents
    and referrer links
  • Shows a customizable message to a blocked
    visitor
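
How the stop list above fits together with the firewall reaction "temporarily add the attacker's IP address to the stop list" (slide 6), the activity quota (slide 9) and the intrusion log (slide 10), as an added example that is not Bitrix code: entries keyed by IP, network mask, User-Agent or referrer carry a ban expiry and an optional redirect, and a per-IP requests-per-second quota writes an intrusion-log entry and a temporary ban when exceeded. Request dicts, the quota values and the `/blocked.html` page are assumptions.

```python
# Added example (not Bitrix code): a stop list with per-entry ban duration and
# redirect, fed by an activity quota that logs and temporarily bans an IP that
# exceeds it. Everything is in memory; requests are dicts with ip/ua/referer.
import ipaddress
from collections import defaultdict, deque


class StopList:
    def __init__(self):
        self.entries, self.hits = [], defaultdict(int)

    def add(self, kind: str, value: str, until: float, redirect: str = None):
        if kind == "net":
            value = ipaddress.ip_network(value, strict=False)
        self.entries.append({"kind": kind, "value": value, "until": until,
                             "redirect": redirect})

    def match(self, req: dict, now: float):
        """Returns the first live entry matching the request, else None."""
        self.entries = [e for e in self.entries if e["until"] > now]  # expire bans
        for e in self.entries:
            k, v = e["kind"], e["value"]
            hit = ((k == "ip" and req["ip"] == v)
                   or (k == "net" and ipaddress.ip_address(req["ip"]) in v)
                   or (k == "ua" and v.lower() in req.get("ua", "").lower())
                   or (k == "referer" and req.get("referer", "").startswith(v)))
            if hit:
                self.hits[(k, str(v))] += 1  # statistics on matching visitors
                return e
        return None


class ActivityControl:
    def __init__(self, stoplist: StopList, max_per_sec: int, ban_s: int):
        self.stoplist, self.max_per_sec, self.ban_s = stoplist, max_per_sec, ban_s
        self.window = defaultdict(deque)  # ip -> request times in the last second
        self.intrusion_log = []           # (time, ip, reason)

    def handle(self, req: dict, now: float) -> str:
        entry = self.stoplist.match(req, now)
        if entry is not None:
            return ("redirect:" + entry["redirect"]) if entry["redirect"] else "blocked"
        q = self.window[req["ip"]]
        q.append(now)
        while q and now - q[0] >= 1.0:   # sliding one-second window
            q.popleft()
        if len(q) > self.max_per_sec:    # human activity quota exceeded
            self.intrusion_log.append((now, req["ip"], "activity quota exceeded"))
            self.stoplist.add("ip", req["ip"], now + self.ban_s, "/blocked.html")
            return "redirect:/blocked.html"
        return "ok"
```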

13
Script Integrity Monitor
File integrity control, and verification of the
file integrity control script itself
  • Verifies the file integrity control script for
    changes
  • Protects the script using a keyword and
    password pair
  • Tracks file system changes
  • Verifies kernel integrity
  • Verifies system area integrity
  • Verifies public files integrity

14
Phishing Protection
Phishing is the criminally fraudulent process of
attempting to acquire sensitive information such
as usernames, passwords, and credit card details
by masquerading as a trustworthy entity in an
electronic communication.
  • Two methods exist to prevent redirect phishing:
    • Detect malicious redirects by the absence of
      the referring page in the HTTP header
    • Sign links with a digital signature and verify
      them upon a redirect attempt
  • The following can be used as protection:
    • Show a redirection warning to the visitor
    • Unconditionally redirect the visitor to a
      known safe site
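
Both detection methods and both reactions listed above applied to a site's redirect endpoint, as an added example that is not Bitrix code. Links the site emits carry an HMAC-SHA256 signature over the target (the slides say "digital signature" without naming a scheme, so the HMAC is an assumption); an untrusted link either gets a warning page or is sent to an assumed safe landing page. The secret key and `/redirect` path are constructed.

```python
# Added example (not Bitrix code): a redirect endpoint that trusts a target
# only if the link carries a valid signature (or, with the weaker method, was
# opened from the site's own pages), and otherwise warns or sends the visitor
# to a known safe page. Key, endpoint path and landing page are constructed.
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

SITE_SECRET = b"constructed-secret-key-rotate-in-practice"  # constructed sample key
SAFE_LANDING = "https://example.com/"                        # assumed safe page


def sign_redirect(target: str, secret: bytes = SITE_SECRET) -> str:
    """Build /redirect?url=...&sig=... for a link the site itself emits."""
    sig = hmac.new(secret, target.encode(), hashlib.sha256).hexdigest()
    return "/redirect?" + urlencode({"url": target, "sig": sig})


def resolve_redirect(request_url: str, referer: str, own_host: str,
                     method: str = "signature", untrusted: str = "warn",
                     secret: bytes = SITE_SECRET) -> tuple:
    """Decide what the redirect endpoint does: ("redirect", target) follows
    the link; ("warn", target) shows the interstitial naming the target;
    ("safe", SAFE_LANDING) sends the visitor to the known safe page.
    `method` picks the detection (signature or referring page); `untrusted`
    picks the reaction ("warn" or "safe") for links that fail it."""
    qs = parse_qs(urlsplit(request_url).query)
    target = qs.get("url", [""])[0]
    sig = qs.get("sig", [""])[0]
    expected = hmac.new(secret, target.encode(), hashlib.sha256).hexdigest()
    if method == "signature":
        trusted = bool(sig) and hmac.compare_digest(sig, expected)
    else:
        # A link opened from a phishing mail arrives with no referring page;
        # a click on one of our own pages carries our host in Referer.
        trusted = bool(referer) and urlsplit(referer).hostname == own_host
    if trusted and target:
        return "redirect", target
    if untrusted == "safe" or not target:
        return "safe", SAFE_LANDING
    return "warn", target
```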

15
Under Development
  • Transmission channel encryption using SSL
  • Update monitor
In the nearest future:
  • Recommendations on configuration

16
Permanent Updates Audit
Bitrix has signed an agreement for permanent
update security audits with Positive
Technologies. Each time a new set of updates is
released through the SiteUpdate system, detailed
security work is done by the Positive
Technologies company. Thanks to this work, the
level of product security is always high.
17
  • The Proactive Protection module is included in
    all Bitrix software:
    • Bitrix Site Manager (except for the Start
      Edition)
    • Bitrix Intranet Portal

18
Have a question?
E-mail info@bitrixsoft.com or
support@bitrixsoft.com

19
Download the Free 30-Day Trial:
http://www.bitrixsoft.com/products/cms/
Test Online: http://www.bitrixsoft.com/products/cms/
20
Contact Information
USA Toll Free Number (US only): 1-888-5BITRIX
(1-888-524-8749)
Telephone Number: 1.703.740.8301
Postal address: 901 N. Pitt St., Suite 325,
Alexandria, VA 22314
Sales Department: sales@bitrixsoft.com,
info@bitrixsoft.com
Web Site: http://www.bitrixsoft.com