37.3 Securing the Vibe Site

37.3.1 Configuring a Proxy Server

Your Novell Vibe system should be located behind your firewall. If Vibe users want to access the Vibe site from outside your firewall, you should set up a proxy server outside your firewall to provide access. You can use Novell Access Manager to protect your Vibe site, as described in Configuring Single Sign-On with Novell Access Manager in Advanced Installation and Reconfiguration in the Novell Vibe 3.2 Installation Guide.

37.3.2 Setting the Vibe Administrator Password

The Vibe site is initially installed to allow administrator access by using the username admin and the password admin. The Vibe administrator password should be changed immediately after installation, as described in Accessing Your Basic Vibe Site as the Site Administrator in Basic Installation in the Novell Vibe 3.2 Installation Guide.

37.3.3 Setting Up SSL Connections

All communication with the Vibe site should be configured to use SSL connections, as described in:

37.3.4 Shortening the Vibe Session Timeout

By default, if a user’s Vibe session is idle for four hours (240 minutes), Vibe logs the idle user out. For increased security for your Vibe site, you can make the session timeout shorter, as described in Changing the Vibe Session Timeout in Advanced Installation and Reconfiguration in the Novell Vibe 3.2 Installation Guide.

37.3.5 Using Role-Based Access Control

Vibe controls all access to folders and entries by using role-based access controls. Vibe is intended to be used primarily for the sharing of information, so many default access rights tend toward allowing at least universal read access. For information on setting access controls for your Vibe site, see:

37.3.6 Monitoring Inbound E-Mail

You can configure Vibe to receive e-mail and post the messages as entries in a folder, as described in Enabling Inbound E-Mail in Basic Installation in the Novell Vibe 3.2 Installation Guide. Because e-mail provides no sender authentication (the From address can be forged), there is no way to be sure that the senders are who they claim to be. Entries posted by e-mail include the e-mail address of the sender to alert Vibe users about the origin of the postings.

37.3.7 Preventing Web Services Access

The default Vibe installation allows authenticated access via Web services, as described in Configuring Web Services in Advanced Installation and Reconfiguration in the Novell Vibe 3.2 Installation Guide. If you are not using Web services, you can disable them.

37.3.8 Controlling RSS Feeds

Because RSS readers operate outside the Vibe authentication system, the URL provided by Vibe for an RSS feed embeds some authentication information about the user. This means that the RSS URL must be protected and not shared between users: anyone who obtains the URL can read the feed as that user. For this reason, RSS is not recommended for use on highly sensitive data. If necessary, you can disable RSS feeds for your Vibe site, as described in Managing RSS Feeds in Advanced Installation and Reconfiguration in the Novell Vibe 3.2 Installation Guide.

37.3.9 Securing Mirrored Folders

Mirrored folders make files that are stored on a file system available to users on the Novell Vibe site. Two levels of security are provided for mirrored folder access:

37.3.10 Securing the Vibe Site against XSS

Cross-site scripting (XSS) is a client-side attack against Web applications in which attacker-supplied script is delivered to other users' browsers through content the application serves. Because XSS attacks can pose a major security threat, Novell Vibe contains a built-in security filter that protects against XSS vulnerabilities. This security filter is enabled by default.

The following sections describe the types of content that the security filter blocks from the Vibe site, where exactly it blocks it from entering, and how you can disable the security filter or enable specific users to bypass the security filter.

Understanding What Content Is Not Permitted

By default, the XSS security filter in Vibe is very strict, and does not allow users to add certain types of content. For example, the following content is not permitted:

  • HTML that contains JavaScript

  • Forms

  • Frames

  • Objects

  • Applets

Understanding Where the Content Is Not Permitted

The type of content discussed in Understanding What Content Is Not Permitted is filtered by Vibe in the following areas:

  • Text and HTML fields in entries and folders

  • Uploaded HTML files
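The following Python scanner is an added illustration of the policy described in the two preceding lists; it is not Novell Vibe's own filter code, which the guide does not show. It rejects fragments containing script, form, frame, object or applet elements and, because "HTML that contains JavaScript" also covers inline event handlers and javascript: URLs, it flags those as well (including the whitespace-obfuscated form). The set of file extensions treated as uploaded HTML and all sample inputs are constructed for this example; the guide does not state the default for xss.content.filter.file.extensions.

```python
"""Illustrative XSS content filter modelled on the policy described above.

Added example, not Novell Vibe's own filter code. Returns a list of
findings for an HTML fragment; an empty list means the fragment passes.
"""
from html.parser import HTMLParser

# Element types the filter does not permit (from the list in the guide,
# plus the frame/iframe/embed variants that serve the same purpose).
BLOCKED_TAGS = {"script", "form", "frame", "frameset", "iframe",
                "object", "applet", "embed"}
# Attributes whose value is a URL and may therefore carry javascript:
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
# Assumed value for xss.content.filter.file.extensions (not from the guide).
FILTERED_EXTENSIONS = {"html", "htm", "xhtml"}


class _XssScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in BLOCKED_TAGS:
            self.findings.append(f"blocked element <{tag}>")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                # onerror=, onload=, onclick=, ... are inline JavaScript.
                self.findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and value is not None:
                # Drop whitespace and control characters first so that
                # "java\tscript:" or "java\nscript:" is still recognised.
                compact = "".join(ch for ch in value
                                  if not ch.isspace() and ord(ch) > 31)
                if compact.lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_html(fragment: str) -> list:
    """Return all findings for the fragment; empty means it is permitted."""
    scanner = _XssScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings


def is_permitted(fragment: str) -> bool:
    """True if the fragment contains none of the blocked content types."""
    return not scan_html(fragment)


def upload_is_filtered(filename: str) -> bool:
    """True if an uploaded file would be run through the HTML filter,
    judged by its extension (case-insensitive)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in FILTERED_EXTENSIONS


# Constructed sample inputs, one per category the filter must catch.
SAMPLES = {
    "plain":   "<p>Meeting notes for <b>Tuesday</b></p>",
    "script":  "<p>hi<script>alert(document.cookie)</script></p>",
    "handler": '<img src="x.png" onerror="alert(1)">',
    "js_url":  '<a href="java\tscript:alert(1)">link</a>',
    "form":    '<form action="/steal"><input name="pw"></form>',
    "frame":   '<iframe src="https://example.invalid/"></iframe>',
    "object":  '<object data="evil.swf"></object>',
    "applet":  '<applet code="Evil.class"></applet>',
}

if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(f"{name:8} permitted={is_permitted(fragment)} {scan_html(fragment)}")
```

Only the "plain" sample passes. A deny-list scanner of this kind is what the guide calls "very strict": it rejects the element outright rather than trying to sanitize it, which is the safer default but is also why legitimate users who need forms or embedded objects must be given explicit bypass rights rather than having the filter relaxed site-wide.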

Listing All XSS Threats in Your System

Vibe enables you to run an XSS report that lists XSS threats that are contained in your Vibe system. For more information, see Section 26.2.10, XSS Report.

Disabling the XSS Security Filter

IMPORTANT: Because of the serious nature of XSS attacks, we strongly recommend that you do not disable the XSS security filter for the entire site. If there are certain users who need to upload information to the Vibe site, you can grant those users access to bypass the XSS security filter, as described in Section 18.9, Enabling Users to Bypass the XSS Security Filter.

It is possible to disable the XSS security filter for the entire site, for each of the areas listed in Understanding Where the Content Is Not Permitted, by copying the appropriate lines from the ssf.properties file, pasting them into the ssf-ext.properties file, then changing the values of the lines to false. (Settings in ssf-ext.properties override those in ssf.properties, so edit only the ssf-ext.properties copy.) The lines in the ssf.properties file that are responsible for enabling and disabling the XSS security filter are:

  • xss.check.enable

  • xss.content.filter.file.extensions