[OPEN-ILS-DEV] Staff Client Port

Jason Etheridge phasefx at gmail.com
Thu Oct 4 11:27:31 EDT 2007


On 10/4/07, Karen Collier <kcollier at kent.lib.md.us> wrote:
> This raises another question though.  What kind of security is there to keep
> hackers out of the staff client if you can't just firewall it off, since it
> uses the same ports as the OPAC which the public is supposed to get to?

Hi Karen,

Anything "dangerous" such as retrieving or changing patron data
requires both authentication and authorization (you have to log in with
sufficient permissions).

You'll need to protect your client workstations the same way you would
need to for any application, from such things as keystroke loggers.
However, you should be relatively immune from network attacks like
packet sniffing and man-in-the-middle intercepts, since the client and
server encrypt anything sensitive with industry-standard SSL.  You'll
just need an SSL certificate from an authority that the client
recognizes (and you could self-sign and add yourself as an authority
to your deployed clients).

The OPAC and the staff client are both applications that speak the
same Evergreen language, and use the same permission and
authentication systems.  However, you could conceivably segregate the
traffic by a number of means, and filter certain types of requests
from going through the OPAC gateway and layering additional
authentication upon the client gateway (for example, you could require
access through a VPN).

Let me know if this answers your question!

-- 
Jason Etheridge
 | VP, Community Support and Advocacy
 | Equinox Software, Inc. / The Evergreen Experts
 | phone:  1-877-OPEN-ILS (673-6457)
 | email:  jason at esilibrary.com
 | web:  http://www.esilibrary.com
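The self-signed option mentioned above, worked through as an added example (this is not part of the original message and not Evergreen's own tooling): a private CA is created, a server certificate for a hypothetical host `evergreen.example.org` is issued by it, and the chain is checked with the CA trusted, without it, and against the wrong host name. The first check is what a staff client with the CA imported does; the other two show why a client that lacks the CA, or one pointed at a mismatched host, refuses the connection. Host name, file locations and validity periods are assumptions; only the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Added example: private CA, CA-signed server certificate, and the checks a
# client performs. Host name, directory and validity periods are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-evergreen.example.org}"   # hypothetical server host

make_ca() {
    # Self-signed root certificate. This is the file you would import into
    # every deployed staff client as a trusted authority; ca.key never leaves
    # the machine that issues certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/CN=Example Library Private CA" 2>/dev/null
}

make_server_cert() {
    # Server key and signing request, then a certificate signed by the CA.
    # The subjectAltName extension is what modern clients match the host
    # name against; the CN alone is no longer sufficient.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/CN=$SERVER_CN" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$SERVER_CN" > "$WORKDIR/san.cnf"
    openssl x509 -req -days 825 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/server.crt" 2>/dev/null
}

verify_with_ca() {
    # A client that trusts ca.crt and connects to the expected host name
    # accepts the server certificate (exit status 0).
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$SERVER_CN" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

verify_without_ca() {
    # A client with no knowledge of the private CA rejects the certificate.
    # Returns 0 when the rejection happens as expected.
    if openssl verify -no-CAfile -no-CApath "$WORKDIR/server.crt" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

verify_wrong_host() {
    # Even with the CA trusted, a certificate presented by a different host
    # name than the one the client dialled must be rejected. Returns 0 when
    # the rejection happens as expected.
    if openssl verify -CAfile "$WORKDIR/ca.crt" \
        -verify_hostname "other.example.org" "$WORKDIR/server.crt" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    make_ca
    make_server_cert
    verify_with_ca   && echo "trusted CA, right host:   accepted ($SERVER_CN)"
    verify_without_ca && echo "unknown CA:               rejected"
    verify_wrong_host && echo "trusted CA, wrong host:   rejected"
    echo "files in $WORKDIR"
}

main "$@"
```

Distributing `ca.crt` to the staff workstations is the "add yourself as an authority" step; `server.key` stays on the server, and `ca.key` stays offline or on the issuing machine only, since anyone holding it can mint certificates the clients will accept.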