Communication Between The Web Admin Server And The Web Admin Browser; Enterprise Client/Server Communications; Web Access Server Communications; Disabling The Ssl 2.0 Protocol - Novell IFOLDER 3.8 - SECURITY ADMINISTRATION Manual

2.2 Communication between the Web Admin Server and the Web Admin Browser
By default, the Novell iFolder Web Admin uses SSL for its communication with the iFolder enterprise server being managed. For most deployments, this setting should not be changed. SSL is not required only when the Web Admin service and the iFolder enterprise service run on the same server, so that the traffic never leaves that host. Over a plain HTTP connection, the administrator password is passed in the clear.

2.3 Enterprise Client/Server Communications

By default, the iFolder enterprise server is configured for shared iFolder access, and client/server communication does not use SSL: all data is sent to the server in the clear. Most deployments keep this default for performance. The setting can be changed during the simias-server-setup configuration for iFolder.
If SSL is disabled for client/server communications, use a VPN (virtual private network) for communications over wireless networks and from outside the firewall. For information, see Section 4.3, "Securing Communications with a VPN If SSL Is Disabled," on page 19.

2.4 Web Access Server Communications

By default, the iFolder Web Access server is configured to require SSL, so all Web-browser-based communication with the Web Access server is encrypted with the SSL protocol. In most deployments this setting should not be changed, because iFolder uses Forms-based authentication for browser communications: the password is submitted in an HTML form and, without SSL, would reach the server in the clear. For information, see "Configuring the Web Access Server for SSL Communications with Web Browsers" in the Novell iFolder 3.8 Administration Guide.

2.5 Disabling the SSL 2.0 Protocol

The built-in protection of SSL 3.0 against version rollback attacks (where the session is rolled back to SSL 2.0 even though both client and server support SSL 3.0) is not effective against a version rollback attacker who can brute force the key and substitute a new ENCRYPTED-KEY-DATA message containing the same key (but with normal padding) before the application-specified wait threshold has expired. If you disable SSL 2.0 on the server, no session can be established using SSL 2.0, and version rollback attacks are no longer possible.
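The mechanism the paragraph above refers to, shown as an added example that is not part of the Novell iFolder guide: the SSL 3.0 rollback detection of RFC 6101 Appendix E.2. An SSL 3.0-capable client that has been talked down to SSL 2.0 sets the last 8 random padding bytes of the PKCS #1 v1.5 block carrying its master key (the ENCRYPTED-KEY-DATA field of CLIENT-MASTER-KEY) to 0x03; a server that decrypts the block and sees that marker knows it is looking at a rolled-back SSL 3.0 client and aborts. The RSA encryption itself is left out, so the functions operate on the plaintext padded block as the server sees it after decryption; the modulus length, the 5-byte key and the `rollback_attack` helper are assumptions constructed for the illustration.

```python
"""
Added example (not from the Novell iFolder guide): SSL 3.0 version-rollback
detection in the PKCS #1 block of an SSL 2.0 CLIENT-MASTER-KEY, after
RFC 6101 Appendix E.2, and why brute-forcing the key defeats it.
"""
import os

MODULUS_LEN = 128            # assumption: 1024-bit RSA modulus, in bytes
ROLLBACK_MARKER = b"\x03" * 8  # the 8 marker bytes an SSL 3.0 client puts in PS


def _random_nonzero(n):
    """PKCS #1 v1.5 type-2 padding (PS) must not contain zero bytes."""
    out = bytearray()
    while len(out) < n:
        b = os.urandom(1)
        if b != b"\x00":
            out += b
    return bytes(out)


def pkcs1_type2_pad(key, modulus_len=MODULUS_LEN, ssl3_client=False):
    """Build 00 || 02 || PS || 00 || key.

    PS is at least 8 non-zero random bytes.  An SSL 3.0 client that fell back
    to SSL 2.0 overwrites the last 8 bytes of PS with 0x03 so an SSL 3.0
    server can tell the session was rolled back."""
    ps_len = modulus_len - 3 - len(key)
    if ps_len < 8:
        raise ValueError("key too long for modulus")
    ps = _random_nonzero(ps_len)
    if ssl3_client:
        ps = ps[:-8] + ROLLBACK_MARKER
    return b"\x00\x02" + ps + b"\x00" + key


def pkcs1_type2_unpad(block):
    """Split a decrypted block into (padding_string, key); raise if malformed."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise ValueError("bad PKCS #1 header")
    sep = block.find(b"\x00", 2)
    if sep < 10:                       # fewer than 8 bytes of PS
        raise ValueError("bad PKCS #1 padding")
    return block[2:sep], block[sep + 1:]


def server_accepts_ssl2_key(block):
    """What an SSL 3.0-capable server does with the decrypted ENCRYPTED-KEY-DATA
    of an SSL 2.0 handshake: return the key for a genuine SSL 2.0 client, or
    None (abort) when the rollback marker shows the client speaks SSL 3.0.
    A real SSL 2.0 client's random PS ends in eight 0x03 bytes with
    probability 255**-8, so false aborts are negligible."""
    ps, key = pkcs1_type2_unpad(block)
    if ps.endswith(ROLLBACK_MARKER):
        return None
    return key


def rollback_attack(block_from_client):
    """Constructed attacker step.  In the real attack the attacker cannot
    decrypt the RSA block; it brute-forces the weak (e.g. 40-bit export) key
    from the traffic instead.  Knowing the key, it re-pads it normally and
    re-encrypts, so the marker the client planted never reaches the server."""
    _, key = pkcs1_type2_unpad(block_from_client)
    return pkcs1_type2_pad(key, ssl3_client=False)


if __name__ == "__main__":
    key = os.urandom(5)                              # 40-bit export-strength key
    honest = pkcs1_type2_pad(key, ssl3_client=True)
    print("rolled-back SSL 3.0 client detected:",
          server_accepts_ssl2_key(honest) is None)
    print("after attacker re-pads with known key:",
          server_accepts_ssl2_key(rollback_attack(honest)) == key)
```

The check only helps while the attacker cannot recover the key within the handshake's wait threshold; with export-grade SSL 2.0 ciphers that assumption does not hold, which is why the guide recommends turning SSL 2.0 off rather than relying on the marker.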
For information about disabling the SSL 2.0 protocol for the Apache server, see "Configuring the SSL Cipher Suites for the Apache Server" in the Novell iFolder 3.8 Administration Guide.
For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) on the Apache.org Web site.
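An offline check for the question this section raises, "can SSL 2.0 still be negotiated on this Apache server?", as an added example that is neither the iFolder guide's nor Apache's own code. It evaluates the mod_ssl `SSLProtocol` directive the way mod_ssl parses it (tokens applied left to right, `+` adds, `-` removes, a bare token replaces what was set so far, `all` means every protocol the build knows) and also reports whether the `SSLCipherSuite` string carries an explicit `!SSLv2`. Assumptions: an Apache 2.0-era build whose protocols are SSLv2, SSLv3 and TLSv1, the documented default `SSLProtocol all` when the directive is absent, and a single global setting (virtual-host scoping is ignored). The two configuration snippets are constructed for the example, one with the weak stock settings and one with SSL 2.0 switched off.

```python
"""
Added example (not part of the Novell iFolder guide or of Apache httpd):
audit an Apache 2.0/2.2 mod_ssl configuration for SSL 2.0 exposure.
"""
import re

# Assumption: protocols known to an Apache 2.0-era mod_ssl build.
KNOWN_PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}

# Constructed: a stock-looking ssl.conf that never mentions SSLProtocol, so the
# mod_ssl default "all" applies, and whose cipher string even adds +SSLv2.
WEAK_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
</VirtualHost>
"""

# Constructed: the same host with SSL 2.0 disabled and excluded from the ciphers.
HARDENED_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
</VirtualHost>
"""

_DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.*?)\s*$", re.I)


def directives(conf_text):
    """Yield (directive_name, argument_string) for the two directives of
    interest, skipping '#' comments.  Later lines override earlier ones."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = _DIRECTIVE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def enabled_protocols(protocol_arg):
    """Apply an SSLProtocol argument with mod_ssl's +/-/bare-token rules and
    return the set of protocols left enabled (lower-case names)."""
    enabled = set()
    for tok in protocol_arg.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else (None, tok)
        name = name.lower()
        wanted = set(KNOWN_PROTOCOLS) if name == "all" else {name}
        if not wanted <= KNOWN_PROTOCOLS:
            raise ValueError("unknown protocol in SSLProtocol: %s" % tok)
        if action == "-":
            enabled -= wanted
        elif action == "+":
            enabled |= wanted
        else:
            enabled = set(wanted)      # bare token replaces the earlier setting
    return enabled


def audit(conf_text):
    """Summarise SSL 2.0 exposure of a configuration as a dict."""
    protocol_arg = "all"               # mod_ssl default when SSLProtocol is absent
    cipher_arg = ""
    for name, arg in directives(conf_text):
        if name == "sslprotocol":
            protocol_arg = arg
        else:
            cipher_arg = arg
    protos = enabled_protocols(protocol_arg)
    cipher_tokens = [t.lower() for t in cipher_arg.split(":")]
    return {
        "protocols": protos,
        "sslv2_negotiable": "sslv2" in protos,
        "ciphers_exclude_sslv2": "!sslv2" in cipher_tokens,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Note that mod_ssl treats `SSLProtocol SSLv3 TLSv1` as two bare tokens, so only TLSv1 survives (the server logs a warning about the missing prefix); the `+`/`-` forms, as in the hardened snippet, say exactly what is meant. The cipher-string check is deliberately literal: it reports only an explicit `!SSLv2` token and does not try to evaluate the full OpenSSL cipher-list grammar.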
12
Novell iFolder 3.8 Security Administration Guide
