Your Novell Vibe system should be located behind your firewall. If Vibe users want to access the Vibe site from outside your firewall, you should set up a proxy server outside your firewall to provide access. You can use Novell Access Manager to protect your Vibe site, as described in Novell Vibe 3.3 Installation Guide.
The Vibe site is initially installed to allow administrator access by using the username admin and the password admin. The Vibe administrator password should be changed immediately after installation, as described in Novell Vibe 3.3 Installation Guide.
All communication with the Vibe site should be configured to use SSL connections, as described in:
By default, if a user’s Vibe session is idle for four hours (240 minutes), Vibe logs the idle user out. For increased security for your Vibe site, you can make the session timeout shorter, as described in Novell Vibe 3.3 Installation Guide.
Vibe controls all access to folders and entries by using role-based access controls. Vibe is intended to be used primarily for the sharing of information, so many default access rights tend toward allowing at least universal read access. For information on setting access controls for your Vibe site, see:
You can configure Vibe to receive e-mail and post the messages as entries in a folder, as described in Novell Vibe 3.3 Installation Guide. Because e-mail is inherently non-secure, there is no way to be sure that the senders are who they claim to be. Entries posted by e-mail include the e-mail address of the sender to alert Vibe users about the origin of the postings.
The default Vibe installation allows authenticated access via Web services, as described in Novell Vibe 3.3 Installation Guide. If you are not using Web services, you can disable them.
Because RSS readers are outside of the authentication Vibe system, the URL provided by Vibe for an RSS feed embeds some authentication information about the user. This means that the RSS URL must be protected and not shared between users. For this reason, RSS is not recommended for use on highly sensitive data. If necessary, you can disable RSS feeds for your Vibe site, as described in Novell Vibe 3.3 Installation Guide.
Mirrored folders make files that are stored on a file system available to users on the Novell Vibe site. Two levels of security are provided for mirrored folder access:
When you create mirrored folder resource drivers, as described in Novell Vibe 3.3 Installation Guide, you can choose read-only access or read/write access. In addition, you can identify specific Vibe users and groups that are allowed access to the mirrored folder resource drivers.
When you set up the mirrored folders on the Vibe site, as described in Section 16.0, Setting Up Mirrored Folders in this guide, you can set access controls on the Mirrored File folder.
Cross-site scripting (XSS) is a client-side computer attack that is aimed at Web applications. Because XSS attacks can pose a major security threat, Novell Vibe contains a built-in security filter that protects against XSS vulnerabilities. This security filter is enabled by default.
The following sections describe the types of content that the security filter blocks from the Vibe site, where exactly it blocks it from entering, and how you can disable the security filter or enable specific users to bypass the security filter.
By default, the XSS security filter in Vibe is very strict, and does not allow users to add certain types of content. For example, the following content is not permitted:
The type of content discussed in Understanding What Content Is Not Permitted is filtered by Vibe in the following areas:
Text and HTML fields in entries and folders
Uploaded HTML files
Vibe enables you to run an XSS report that lists XSS threats that are contained in your Vibe system. For more information, see Section 28.2.10, XSS Report.
IMPORTANT:Because of the serious nature of XSS attacks, we strongly recommend that you do not disable the XSS security filter for the entire site. If there are certain users who need to upload information to the Vibe site, you can grant those users access to bypass the XSS security filter, as described in Section 19.10, Enabling Users to Bypass the XSS Security Filter.
It is possible to disable the XSS security filter for the entire site for each of these areas by copying the appropriate lines from the ssf.properties file, pasting them into the ssf-ext.properties file, then changing the values of the lines to false. The lines in the ssf.properties file that are responsible for enabling and disabling the XSS security filter are: