DropPoint Security

Overview of the new DropPoint security features

Flowgear DropPoints provide a secure mechanism for Flowgear to integrate with on-premise systems. DropPoints install as a Windows Service and create an encrypted, outbound, persistent connection into the Flowgear Cloud in order to facilitate execution of Nodes in the on-premise environment. For general high-level information about DropPoints, refer to DropPoints.

This article discusses the security features provided by DropPoints.

Client-Side Certificates

So that Flowgear can trust that a DropPoint is who it claims to be, DropPoints support client-side certificates. Without the correct certificate, one DropPoint cannot impersonate another.

We strongly recommend adding a client-side certificate to all DropPoints, including test DropPoints.

Assigning a certificate

Follow these steps to assign a certificate:

  • Launch the DropPoint Configuration from the Start Menu
  • Click the Identity tab, navigate to 'Select Client Certificate for Mutual TLS'
  • Select a certificate or click Create Certificate. Any existing certificate in the Local Computer/Personal certificate store can be used, or alternatively, have the DropPoint create a certificate and install it there
  • Click 'Export Certificate' to save the public key to a file
  • In the Console open the DropPoint previously registered. Upload the public key to the 'Upload trusted client side certificate' property shown there
  • Click Apply & Restart
  • In the DropPoints Pane, after refreshing there should be a green padlock next to the DropPoint name which signals that the connection is secured with a client-side certificate

Node Whitelisting

Node whitelisting ensures that only Nodes that have been explicitly whitelisted can be executed at a DropPoint. Use this technique as part of security best practice to enforce least-access permission at the DropPoint.

By default, whitelisting is disabled. For existing production DropPoints, we recommend upgrading to v5 and leaving the DropPoint for a week before enabling whitelisting. This will allow the DropPoint to gather all Nodes that are being invoked.

To enable whitelisting, follow these steps:

  • Launch the DropPoint Configuration from the Start Menu
  • Click the Whitelisting tab
  • Click Enable Whitelisting and follow the prompts
  • For every Node/Version displayed, click the Whitelisted checkbox for any that you want to allow
  • Click Save changes

If you would like to precisely control the input properties that are allowed for a Node, follow these steps:

  • Select the Node from the Whitelisting list
  • Ensure the Whitelisted checkbox is checked
  • For each of the Properties that display, choose a TestMode for that Property.

None indicates that no Property-level testing will be performed.
AllTests indicates that all tests must pass.
AnyTest indicates that any of the tests defined for the current Property must pass.

  • In the Tests list that displays, add the tests that you would like
  • Click Save Changes to apply changes. The DropPoint will immediately discover new whitelisted Nodes or tests that pass without needing to restart the DropPoint service. If you have disabled a previously whitelisted Node, you'll need to restart the DropPoint service for this to take effect

Whitelisting test options

None

No test will be performed against the Property.

String

The Property must match the exact string defined in Expression. For example, if you are whitelisting the Query Property of a SQL Query Node, you could specify select top 10 * from contacts in Expression to match that exact query.

Regex

The Regex defined in Expression must match the Property. For example, to enable a File Node to read only text files in a particular folder, the following regex could be used: c:\\watchfolder\\.*.txt.
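The example pattern above has an unescaped dot before txt and no anchors, so it accepts more than text files in that one folder. The following added example (not Flowgear code) uses Python's re module to compare it with an anchored pattern on constructed paths. The page does not say whether the DropPoint applies a partial or a whole-string match, so both are modelled as assumptions, and STRICT_PATTERN is a hypothetical hardened form.

```python
import re

# Pattern exactly as given in the article.
PAGE_PATTERN = r"c:\\watchfolder\\.*.txt"

# Hardened variant (an assumption, not a Flowgear recommendation):
# anchored at both ends, literal ".txt", and no separators or colons after
# the folder, which rules out sub-folders and ".." traversal.
STRICT_PATTERN = r"\Ac:\\watchfolder\\[^\\/:]+\.txt\Z"

# Constructed sample values for a File Node path Property.
SAMPLES = [
    r"c:\watchfolder\report.txt",                 # intended
    r"c:\watchfolder\..\secrets\passwords.txt",   # traversal out of the folder
    r"c:\watchfolder\data.txt.exe",               # .txt is not the extension
    r"c:\watchfolder\notes_txt",                  # unescaped dot matches "_"
    r"\\fileserver\share\c:\watchfolder\a.txt",   # prefix before the folder
    r"C:\WatchFolder\report.txt",                 # same file, different case
]

def allowed(pattern, value, full=False, ignore_case=False):
    """Return True if value passes the whitelist regex.

    full=False models a partial (search) match, full=True a whole-string
    match. Which one the DropPoint uses is not stated on the page.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return bool(rx.fullmatch(value) if full else rx.search(value))

def compare():
    """Map each sample to (page partial, page full, strict partial)."""
    return {s: (allowed(PAGE_PATTERN, s),
                allowed(PAGE_PATTERN, s, full=True),
                allowed(STRICT_PATTERN, s)) for s in SAMPLES}

if __name__ == "__main__":
    for path, verdicts in compare().items():
        print(f"{path!r:50} page/search={verdicts[0]!s:5} "
              f"page/full={verdicts[1]!s:5} strict={verdicts[2]}")
```

The last sample shows the opposite failure: a case-sensitive pattern rejects a legitimate path on a case-insensitive file system, so test a tightened expression against the values the Node really sends before enabling it.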

JsonPath

The JsonPath defined in Expression must have a match on the property. For example, if the property contained the following JSON:

{
	"order": {
		"account": "CASH"
	}
}

The following JsonPath would match it:

order[?(account=='CASH')]

XPath

The XPath defined in Expression must have a match on the property. This test type can also be used to validate parameters in a connection. For example, a connection for a SQL Query arrives at the DropPoint in the following form:

<root>
	<Server>10.0.0.4</Server>
	<Database>somedb</Database>
	<Username>someuser</Username>
	...
</root>

The following XPath will validate that a specific server is specified:

root/Server[.="10.0.0.4"]