Security
 |
Bitrix Intranet Portal provides maximum protection from the thousands of threats on the Internet. Every day your website could be attacked many times and damage the integrity of your site. Why should I protect my website?
|
PRO+PRO™ Framework
PRO+PRO™ Framework
The PRO+PRO™ security framework provides a unique set of tools for proacive protection of your web projects. More importantly, now it comes integrated in Bitrix software products with no extra charges applied! The PRO+PRO™ framework includes a number of technically advanced security technologies. Multiple security levels allows to detect and combat almost all known hacking techniques making your internet projects invulnerable to most modern web threats.
 |  | |||
| ||||
 |  |
The module offers the following protection features:
 Control panel to set the protection level
Proactive filter (FireWall Web Application)
One Time Password technology
Protection of authorized sessions
Activity control
Phishing protection
Intrusion log
IP-based Control Panel protection
Stop lists
Script integrity control
|
|
Industry Vulnerability Chart
Percentage of websites susceptible to security threats, by industry.
Source: White Hat Security, "Website Security Statistics" by Trey Ford.
 | More than six hundred Russian hackers tried to invade the brand-new Bitrix PRO+PRO™ security framework as part of the "Bitrix Real-Time Hack Competition". The test was organized during the "Chaos Constructions CC9 Festival" in August 2009. During the competition, more than 25.000 attacks on the Proactive Protection security mechanism were repulsed, proving its superb reliability. Read more... |
| | ||
| |||
| |
.ppt
.zipFeatures
Proactive Filter (Web Application FireWall)
The Web Application Firewall protects the system from most known web attacks. The filter recognizes dangerous threats in the incoming requests and blocks intrusions. Proactive Filter is the most effective way to guard against possible security defects in a web project implementation (XSS, SQL Injection, PHP Including etc.). The filter analyzes entirely all data received from visitors in variables and cookies.
* Note that some harmless actions which a visitor may perform can be suspicious and cause the filter to react.
|
|
Control Panel to Set Protection Level
Any website based on Bitrix Intranet Portal is preconfigured with the basic protection level. However, you can improve the site security significantly by selecting one of the Proactive Protection module presets: standard, high or highest. The system will show you tips about any parameter you may need to configure.
|
|
Intrusion Log
The intrusion log registers all events occurring in the system including uncommon, suspicious and malicious events. The log is updated in real time so you can view the events as soon as they have been registered. This feature enables you to discover attacks and intrusion attempts while they occur, so you can riposte immediately and even prevent attacks.
|
|
One-Time Passwords (OTP)
The PRO+PRO system supports one-time passwords (OTP) for any site users. 
These passwords are especially recommended to be used by the site administrators since they significantly improve security of the “Administrators” user group.
The concept of one-time passwords empowers the standard authorization scheme and significantly reinforces the web project security. The one-time password system requires a physical hardware token (device) (e.g., Aladdin eToken PASS) or special OTP software.
This technology gives you confidence that only a user to whom a token has been issued can authorize on the site. Password theft or interception is absolutely excluded because a password can be used only once. A token is a physical hardware physical device that generates a unique password only when the token button is clicked. Effectively, this means that a token owner is unable to tell the password to third party to allow them authorize as well.
|
|
File Integrity Control
File integrity control helps an administrator reveal maliciously or mistakenly modified system files. You can check the integrity of the system kernel and other system or public files any time.
|
|
Verification of the File Integrity Control Script
Before checking the system integrity, the file integrity control script has to be verified for possible changes. When running the script for the first time, enter a desired password containing at least 10 characters (letters and digits), and any keyword (other than the password), and click “Set New Key”. The system then
|
|
|
Control Panel Protection
This type of protection strictly regulates secure networks from which the users are allowed to access Control Panel. All you need to do is specify the legal IP addresses (or a range). No need to worry about not adding yourself to this list: the system will check your IP automatically.
What effect will this protection produce? Any XSS/CSS attacks become ineffective and interception of authorization data becomes absolute useless.
|
|
Session Protection
Most web attacks are intended to steal an authorized user's session data. Enabling the session protection makes session hijacking impossible. Furthermore, concerning an administrator’s authorized session, use of session protection is one of the most effective and necessary security measures.
In addition to the conventional session protection options that are available in the user group parameters, the session protection mechanism includes some special, even unique features.
Storing session data in the module database prevents data from being stolen by running scripts of other projects on the same server. This approach excludes virtual hosting configuration errors, bad temporary folder permission settings, and other operating system-related errors. Additionally, it also reduces file system stress by loading the database server with these operations.
|
|
Activity Control
Activity Control lets you protect the system from profusely active visitors, obtrusive bots, some DDoS attacks, and prevent brute force attacks on passwords. You can also set the maximum allowed activity for your site (e.g. number of requests per second a user can perform).
User activity control is built around the Web Analytics module's mechanisms and requires this module to be installed.
|
|
Stop List
The stop list contains parameters used to restrict access to a site and possibly redirect to a specified page. Any visitor matching the stop list criteria (e.g. an IP address), will be blocked.
|
|
Phishing Protection
Phishing - is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Two methods exist to prevent redirect phishing:
- Detect malicious redirects by the lack of a referring page in the HTTP header
- Sign links with a digital signature and verify it upon a redirect attempt
- Show a redirection warning to a visitor
- Unconditionally redirect visitors to a site known to be safe
Certificates
Certificates
Bitrix carries out constant auditing and testing of the system protection mechanisms. In order to make these tests unbiased and objective, Bitrix recruits third-party expert companies for unbiased auditing in addition to tests performed internally by the Bitrix team. The certificates obtained from security audit companies confirm the quality of the protection mechanisms and ensure their conformity to information security requirements.
 | |
|
|
"Protected Web Application"
This certificate is issued by Positive Technologies which has performed an audit of the new security features in Bitrix Intranet Portal. The built-in security features fully meet the requirements of the Web Application Firewall Evaluation Criteria as established by the Web Application Security Consortium.
|
© 2001-2010 Bitrix, Inc. Bitrix® is a registered trademark of Bitrix, Inc.
Powered by Bitrix Site Manager
Powered by Bitrix Site Manager