RE: [Zope] a notable objection
If you don't want to set up proxy servers with HTTPS support and restrictive ACLs, do VLAN segmentation to decrease the likelihood of sniffing, and set up secure tunneled clients (in the extreme case) to your Zope server, your security is as bad as YOU make it, not Zope. This is simply an issue of good integration; I've never heard of turnkey application security, except from sales people.

You can:

- Bind Zope to a particular interface or interfaces, and only the ones you need
- Place Zope on both public and private networks behind HTTPS/SSL enabled proxy server gateways with restrictive ACLs
- Keep the proxy server in a fashion that it bridges your network to a private, segmented VLAN that your Zope server runs on
- Set up SSH or other types of tunnels between hosts that must have FTP access and your server; this is only in the situation where you are paranoid about security.
- Keep an audit trail of access via proxy logs
- Bind users to particular domains in Zope and also in proxy ACLs
- Set up proxy auth using http basic auth that uses the same password verification source as Zope; this, over https, is secure and allows you to bind ACLs to user categories, IP addresses, etc. in combination (especially if your roles closely match ACL user categories).

In other words, there is lots you can do.

Sean

-----Original Message-----
From: Mark James Adams [mailto:mark@raysend.com]
Sent: Monday, October 15, 2001 9:56 PM
To: zope@zope.org
Subject: [Zope] a notable objection

The biggest security problem of Zope is unsecured access. What, you're still using telnet and ftp? What's the use of all the users, roles, and permissions if someone can sniff my Manager password?

--
Mark James Adams
mja27@cornell.edu | mark@raysend.com | http://www.raysend.com

"Who knows which moments make us who we are? Some of them? All of them?"
- Lynda Barry
participants (1): sean.upton@uniontrib.com
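An added example, not part of the thread: one way to combine two of the measures listed in the reply above, the proxy-log audit trail and binding users to particular networks. It assumes the proxy writes Common Log Format lines with the basic-auth user name, that Zope management URLs contain `/manage`, and a hypothetical per-user policy table; the log lines are constructed sample data.

```python
import ipaddress
import re

# Hypothetical policy: proxy-auth user -> networks that user may connect from.
USER_NETWORKS = {
    "manager": ["10.20.0.0/24"],
    "editor": ["10.20.0.0/16", "192.0.2.0/24"],
}

# Common Log Format: client ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def audit(lines, policy=USER_NETWORKS):
    """Return (reason, user, client, path) for each line that breaks policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparsed", "-", "-", line.strip()))
            continue
        user, client, path = m["user"], m["ip"], m["path"]
        if user == "-":
            # No authenticated user: flag only if a management URL was served.
            if "/manage" in path and m["status"] != "401":
                findings.append(("unauthenticated-manage", user, client, path))
            continue
        nets = policy.get(user)
        if nets is None:
            findings.append(("unknown-user", user, client, path))
            continue
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:  # proxy logged a hostname instead of an address
            findings.append(("bad-client-address", user, client, path))
            continue
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            findings.append(("outside-allowed-network", user, client, path))
    return findings

# Constructed sample log lines (documentation and private address ranges).
SAMPLE_LOG = [
    '10.20.0.15 - manager [15/Oct/2001:21:40:02 -0700] "GET /manage HTTP/1.0" 200 5120',
    '198.51.100.7 - manager [15/Oct/2001:21:44:10 -0700] "GET /manage_main HTTP/1.0" 200 4801',
    '192.0.2.33 - editor [15/Oct/2001:21:45:31 -0700] "POST /news/manage_edit HTTP/1.0" 302 0',
    '203.0.113.9 - - [15/Oct/2001:21:47:55 -0700] "GET /manage HTTP/1.0" 200 5120',
    '10.20.0.22 - guest [15/Oct/2001:21:48:12 -0700] "GET /index_html HTTP/1.0" 200 912',
    '10.20.0.22 - - [15/Oct/2001:21:49:00 -0700] "GET /manage HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="\t")
```
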