DropPoint Security
Overview of the new DropPoint security features
Flowgear DropPoints provide a secure mechanism for Flowgear to integrate with on-premise systems. DropPoints install as a Windows Service and create an encrypted, outbound, persistent connection into the Flowgear Cloud in order to facilitate execution of Nodes in the on-premise environment. For general high-level information about DropPoints, refer to DropPoints.
This article discusses the security features provided by DropPoints.
Client-Side Certificates
For Flowgear to trust that a DropPoint is who it claims to be, DropPoints support client-side certificates. Without the correct certificate, one DropPoint cannot impersonate another.
We strongly recommend adding a client-side certificate to all DropPoints, including test DropPoints.
Assigning a certificate
Follow these steps to assign a certificate:
- Launch the DropPoint Configuration from the Start Menu
- Click the Identity tab, navigate to 'Select Client Certificate for Mutual TLS'
- Select a certificate or click Create Certificate. Any existing certificate in the Local Computer/Personal certificate store can be used, or alternatively, have the DropPoint create a certificate and install it there
- Click 'Export Certificate' to save the public key to a file
- In the Console open the DropPoint previously registered. Upload the public key to the 'Upload trusted client side certificate' property shown there
- Click Apply & Restart
- In the DropPoints Pane, after refreshing there should be a green padlock next to the DropPoint name which signals that the connection is secured with a client-side certificate
Node Whitelisting
Node whitelisting ensures that only Nodes that have been explicitly whitelisted can be executed at a DropPoint. Use this technique as part of security best practice to enforce least-access permissions at the DropPoint.
By default, whitelisting is disabled. For existing production DropPoints, we recommend upgrading to v5 and leaving the DropPoint for a week before enabling whitelisting. This will allow the DropPoint to gather all Nodes that are being invoked.
To enable whitelisting, follow these steps:
- Launch the DropPoint Configuration from the Start Menu
- Click the Whitelisting tab
- Click Enable Whitelisting and follow the prompts
- For every Node/Version displayed, click the Whitelisted checkbox for any that you want to allow
- Click Save changes
If you would like to precisely control the input properties that are allowed for a Node, follow these steps:
- Select the Node from the Whitelisting list
- Ensure the Whitelisted checkbox is checked
- For each of the Properties that display, choose a TestMode for that Property:
  - None indicates that no Property-level testing will be performed.
  - AllTests indicates that all tests must pass.
  - AnyTest indicates that any of the tests defined for the current Property must pass.
- In the Tests list that displays, add the tests that you would like
- Click Save Changes to apply changes. The DropPoint will immediately discover new whitelisted Nodes or tests that pass without needing to restart the DropPoint service. If you have disabled a previously whitelisted Node, you'll need to restart the DropPoint service for this to take effect
Whitelisting test options
None
No test will be performed against the Property.
String
The Property must match the exact string defined in Expression. For example, if you are whitelisting the Query Property of a SQL Query Node, you could specify select top 10 * from contacts in Expression to match that exact query.
Regex
The Regex defined in Expression must match the Property. For example, to enable a File Node to read only text files in a particular folder, the following regex could be used:
c:\\watchfolder\\.*\.txt
JsonPath
The JsonPath defined in Expression must have a match on the property. For example, if the property contained the following JSON:
{
  "order": {
    "account": "CASH"
  }
}
The following JsonPath would match it:
order[?(account=='CASH')]
XPath
The XPath defined in Expression must have a match on the property. This test type can also be used to validate parameters in a connection. For example, a connection for a SQL Query arrives at the DropPoint in the following form:
<root>
  <Server>10.0.0.4</Server>
  <Database>somedb</Database>
  <Username>someuser</Username>
  ...
</root>
The following XPath will validate that a specific server is specified:
root/Server[.="10.0.0.4"]
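The TestMode and test-type rules above can be exercised offline before the Expressions are entered in the DropPoint Configuration. The following Python harness is an added example, not Flowgear code, and it covers the String, Regex and XPath test types only. The function names, the unanchored-search regex behaviour, the deny-when-no-tests rule and all sample values are assumptions or constructed, and Python's re and ElementTree stand in for whatever engines the DropPoint uses.

```python
import re
import xml.etree.ElementTree as ET

def string_test(expression, value):
    return value == expression

def regex_test(expression, value):
    # Assumption: unanchored search, so the Expression must carry its own ^ and $.
    return re.search(expression, value) is not None

def xpath_test(expression, value):
    try:
        doc = ET.fromstring(value)
    except ET.ParseError:
        return False  # unparseable input never satisfies the test
    holder = ET.Element("holder")  # lets a path that starts at 'root' resolve
    holder.append(doc)
    return holder.find(expression) is not None

TESTS = {"String": string_test, "Regex": regex_test, "XPath": xpath_test}

def property_allowed(test_mode, tests, value):
    """tests is a list of (test type, Expression) pairs for one Property."""
    if test_mode == "None":
        return True
    results = [TESTS[kind](expr, value) for kind, expr in tests]
    if not results:
        return False  # design choice in this example: a mode with no tests denies
    return all(results) if test_mode == "AllTests" else any(results)

# Constructed expressions and sample values.
LOOSE = r"c:\\watchfolder\\.*.txt"           # unescaped dot, no anchors
STRICT = r"^c:\\watchfolder\\[^\\/]+\.txt$"  # one file name, literal .txt, anchored
PATHS = [r"c:\watchfolder\report.txt",
         r"c:\watchfolder\report.txt.bak",
         r"c:\watchfolder\..\other\notes.txt"]
SERVER_XPATH = 'root/Server[.="10.0.0.4"]'
CONNECTION = "<root><Server>{}</Server><Database>somedb</Database></root>"

def accepted(expression):
    """Return the sample paths that a single Regex test lets through."""
    return [p for p in PATHS if property_allowed("AllTests", [("Regex", expression)], p)]

if __name__ == "__main__":
    print("loose :", accepted(LOOSE))
    print("strict:", accepted(STRICT))
    for server in ("10.0.0.4", "10.0.0.9"):
        ok = property_allowed("AnyTest", [("XPath", SERVER_XPATH)], CONNECTION.format(server))
        print(server, "allowed" if ok else "denied")
```

Run each candidate Expression against values that must be denied as well as values that must be allowed. Under these assumptions the loose pattern accepts all three sample paths, while the anchored one accepts only the first.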