Deploying Yellowfin on a public IP

Gadi Glogowski shared this question 3 years ago
Answered

Hello,

One of our customers would like for us to deploy our instance of Yellowfin on a public environment (i.e. public IP). We don't normally do this so wanted to know what are some things that we should take into consideration? Any concerns with security?

Comments (2)


Hello Gadi,

Thanks for reaching out with your question. Most of our clients consider Yellowfin to be a fairly turn-key deployment. There are a few things that can be done within Yellowfin geared towards further securing the application:
  • Configure Yellowfin to use SSL to encrypt the connection to Yellowfin using this guide.
  • Disable unauthenticated access to the information pages of Yellowfin using this guide.
  • Change the default administrator credentials.
  • Configure a Password policy within Yellowfin (unless using LDAP).
  • Keep Yellowfin up-to-date with the most recent patches.

The rest of the security considerations that should be made will be more generalized and related more towards network and server security (securing the kernel or OS). Some considerations you may want to factor are things such as other services hosted by the Yellowfin server. If there are other accessible services on the server such as websites, publicly accessible databases, etc. it can increase your attack surface. Ensuring any neighboring services are secured as per their best practices will help mitigate threats to the box.

You can set the Yellowfin port to any unrestricted number you want, preventing it from responding to requests on 80 or 443 like normal web servers. This can help obscure the fact that it's hosting a web application, as most web application requests default to 80, 443, and 8080. We do remove unused components from the Tomcat / Apache that ships with Yellowfin, and do a fair amount of configuration related to minimizing the attack surface and removing access to Tomcat itself externally.

Keeping the OS up to date with patches can help mitigate threats, as patches are often security related. Configuring some form of monitoring of web traffic can help you identify possible attack patterns; this will usually be at the firewall level. Monitoring user activity and logins with the Admin Audit Panel can help identify a pattern of failed user logins. By default Yellowfin locks user accounts after three failed attempts, which helps mitigate brute force attempts should they arise.

In closing, most of the security configurations you'll want to consider will not be related to Yellowfin itself, but rather the network and server on which it resides. Please note that these general guidelines are only suggestions and are not required for a public deployment; they simply increase security posture. The bullet points mentioned above are considerations to take in configurations of Yellowfin which will help bolster your security posture.

Does this address your concerns?

Thanks,

Ryan
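An added example, not part of this thread or of Yellowfin itself, that models the three-failed-attempts lockout described in the answer over a constructed set of login events and also flags a pattern the per-account lockout alone would not surface: one source address failing once each against many different accounts. The event tuple layout, the usernames and the IP addresses are assumptions for illustration, not Yellowfin's actual audit log format.

```python
"""Added example (not from the Yellowfin forum thread): model the
three-failed-attempts lockout the answer describes and run it over a
constructed login-event sample. The event layout is an assumption, not
Yellowfin's actual audit log format."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # Yellowfin default per the answer: lock after 3 failures

# Constructed sample events: (timestamp, username, source_ip, outcome)
SAMPLE_EVENTS = [
    ("2023-01-01T10:00:01", "alice", "203.0.113.5", "FAIL"),
    ("2023-01-01T10:00:02", "alice", "203.0.113.5", "FAIL"),
    ("2023-01-01T10:00:03", "alice", "203.0.113.5", "FAIL"),   # third failure: locked
    ("2023-01-01T10:00:04", "alice", "203.0.113.5", "FAIL"),   # refused, account locked
    ("2023-01-01T10:05:00", "bob",   "198.51.100.7", "FAIL"),
    ("2023-01-01T10:05:01", "bob",   "198.51.100.7", "OK"),    # success resets the counter
    ("2023-01-01T10:06:00", "carol", "203.0.113.9", "FAIL"),
    ("2023-01-01T10:06:01", "dave",  "203.0.113.9", "FAIL"),
    ("2023-01-01T10:06:02", "erin",  "203.0.113.9", "FAIL"),
    ("2023-01-01T10:06:03", "frank", "203.0.113.9", "FAIL"),
]

def analyse(events, threshold=LOCKOUT_THRESHOLD, spray_min_accounts=3):
    """Return (locked_accounts, spraying_ips).

    locked_accounts: users that reached `threshold` consecutive failures.
    spraying_ips: source IPs that failed against at least spray_min_accounts
    distinct users without tripping any single account's lockout, which a
    per-account lockout on its own does not surface.
    """
    consecutive = defaultdict(int)
    locked = set()
    failed_users_by_ip = defaultdict(set)
    for _ts, user, ip, outcome in events:
        if outcome == "OK":
            consecutive[user] = 0      # a successful login clears the streak
            continue
        failed_users_by_ip[ip].add(user)
        if user in locked:
            continue                   # further attempts on a locked account are refused
        consecutive[user] += 1
        if consecutive[user] >= threshold:
            locked.add(user)
    spraying = sorted(ip for ip, users in failed_users_by_ip.items()
                      if len(users) >= spray_min_accounts and not users & locked)
    return sorted(locked), spraying
```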


Hi Gadi,
I'm going to mark this as answered, since I haven't heard back. If you would like any clarifications or had any subjects related to this inquiry that you wanted to address specifically please don't hesitate to let us know.
Thanks,

Ryan