CMIS/ePortal security question

[nutso]

Hi all,

Does anyone know how secure Facility CMIS and ePortal are against packet sniffing attacks? I'm not sure about CMIS Admin, but I assume ePortal is pretty vulnerable as it operates over HTTP rather than HTTPS.

Am I right in thinking that someone within the school network could potentially sniff out an ePortal username and password pretty easily and then gain access to the data within? If so has anyone been able to counter this?

Thanks

[kylewilliamson]

I imagine you could use IIS Securely...

[Geoff]

use IIS Securely

I believe that's an oxymoron. However, yes, the answer is to use HTTPS instead of HTTP.

[nutso]

Is it really that simple? Serco don't make any mention of using SSL with eportal and it seems like such a basic security thing that it should be covered. The IIS solution just seemed too basic somehow and the total lack of mention of it on Serco's part made me question whether there was some problem with using that.

Is there any word on how secure communications between CMIS Admin and the SQL server are? If Force Protocol Encryption is enabled on SQL Server 2000, is this sufficient?

[kylewilliamson]

use IIS Securely

I believe that's an oxymoron. However, yes, the answer is to use HTTPS instead of HTTP.

touche.

I believe also you can configure tomcat to operate securely. Please do not ask how to do this.

[k-strider]

i need to test this too, we do use the IIS pass through for external, and internal acces at present. i just need to try it over ssl... but i dont see why it shouldn't work.

[plock]

i need to test this too, we do use the IIS pass through for external, and internal acces at present. i just need to try it over ssl... but i dont see why it shouldn't work.

Any luck? I have installed the SSL Certificate - however I get that the secured page contains secure and non-secure items! Not ideal! :P