[FRS-246] Securing FusionReactor

Background

FusionReactor offers several access and authentication methods. This technote describes the best-practice configurations for securing a FusionReactor installation.

Access control

Using the external web-server (recommended when combined with HTTPS)

This is the most secure way to access FusionReactor, provided it is combined with HTTPS.
To set it up, disable the internal web-server (FusionReactor -> Settings page, in the FusionReactor Internal Web Server section), then harden access through the external web-server. Access via the external web-server should be limited by a firewall, secured by SSL and ideally authenticated (e.g. using the web-server's HTTP authentication).

Technote FRS-225 has further details on configuring this setup.
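
One way to express the external web-server hardening described above, as an added example that is not taken from this technote or from FRS-225. It assumes Apache httpd 2.4 with mod_ssl and mod_auth_basic loaded; the password file path and management subnet are placeholders, and the IP allowlist is an extra layer alongside the firewall, not a replacement for it.

```apache
# Added example: placed at server-config scope so it is merged into every
# virtual host, including any plain-HTTP (port 80) host.
#
# /fusionreactor is the default web root named in this technote; if the
# Web Root setting has been changed, change the pattern to match.
# The match is case-insensitive and covers the path with or without a
# trailing slash, a conservative choice so that a differently-cased URL
# does not fall outside the protected section.
<LocationMatch "(?i)^/fusionreactor(/|$)">
    # Refuse (403) any request that did not arrive over SSL/TLS.
    SSLRequireSSL

    # Web-server HTTP authentication in front of FusionReactor's own login.
    # Basic credentials are only acceptable here because SSLRequireSSL
    # guarantees they never travel in clear text.
    AuthType Basic
    AuthName "FusionReactor"
    # Placeholder path: keep the file outside any served directory.
    AuthUserFile "/etc/apache2/fusionreactor.htpasswd"

    # Both conditions must hold: valid credentials AND a source address
    # on the management network (placeholder range shown).
    <RequireAll>
        Require valid-user
        Require ip 192.0.2.0/24
    </RequireAll>
</LocationMatch>
```

After reloading the web-server, a request to the FusionReactor path over plain HTTP should be refused, and an HTTPS request without credentials should receive a 401 response.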

Using the internal web-server

By default, the internal web-server is enabled and configured on port 8088. Access to this port can be restricted by having FusionReactor bind (listen) to a set IP address. These settings are controlled from the FusionReactor -> Settings page in the FusionReactor Internal Web Server section. You can also change the listening port in this section.
When using the internal web-server, it is recommended that you combine this with a firewall device to restrict access.

Obfuscation

The default path for FusionReactor is /fusionreactor/. This can be altered to add further security and help prevent scripted attacks. The option is available from the FusionReactor -> Settings page in the FusionReactor Web Root section.

Authentication

All access to FusionReactor is authenticated against the stored user data. Passwords are stored hashed and salted to help prevent brute-force attacks. There are three users in the system with increasing levels of privilege – Observer, Manager and Administrator. You can disable any accounts you do not use to help reduce the attack footprint. This can be done on the FusionReactor -> Change Password page. On this page, you can (and should) also change any default passwords used.

Other considerations

It is still possible for other types of attack to be attempted against FusionReactor, for example retrieval of browser-saved passwords, brute-force, etc. As such, you should maintain the usual precautions for accessing secure websites, especially if using a shared computer.

At Intergral, makers of FusionReactor, we take security seriously and continuously review our products for improvements. If you have any feedback on how we can improve FusionReactor, please contact us.

Issue Details

Type: Technote
Issue Number: FRS-246
Components: FusionReactor Settings
Environment:
Resolution: Fixed
Last Updated: 08/Mar/11 1:04 PM
Affects Version:
Fixed Version: 3.5.5
Server:
Platform:
Related Issues:
