Penetration test against Quovadx


  • Creator
    Topic
  • #51565
    Anonymous

      Quovadx 5.3 on Windows 2003 SP2

      During a penetration test at the customer’s site, the host running Cloverleaf was also penetrated. The connections between the clinic server and Quovadx (inbound and outbound) stopped and had to be restarted manually.

      Is there anything that can be configured to keep the connections from stopping their work?

      Thanks for any remark/hint. I assume that penetration tests will be done sooner or later at any site taking care of security.

      I append a part of the customer’s email:

      [Start quote:]

      We were scanning Windows and Unix servers using XXXX, which is a vulnerability scanning tool. This scanner first checks for all open ports in the targeted system and identifies which service is running on each of the ports. It then checks the application that is running the service and checks if there is any known vulnerability

    • Author
      Replies
      • #70794
        Kevan Riley
        Participant

          While I am not sure what methods of penetration the testing software that was used performed, I will make a couple of general statements about this, as I understand things.

          Since the typical interface in Cloverleaf is a persistent TCP/IP socket, it will always be vulnerable to IP/MAC address spoofing type connection hijacking attacks.  As far as I know there is no way to mitigate this inside the firewall (i.e. inside the “protected LAN”).  Once a connection has been hijacked, I would not expect the Cloverleaf connection to be able to recover on its own.  Cloverleaf relies on a proper closing of the TCP/IP connection to reset the state to “opening”.  If for any reason this closing handshake does not happen, Cloverleaf will usually remain in an “up” state even though the actual connection may not still be viable.  Without a transition to “opening” Cloverleaf will not try to reestablish the connection, since it would still “think” it is up.

          The only remedy I know of for this is to monitor “Last Rd” and “Last Wt” times on the threads/connections and, if a gap becomes apparent, restart the thread/connection.  I do this from cron on our AIX system.  There may be other/better ways, but this works well for us for a few connections we have that “die” in abnormal ways on a regular basis.

          I hope this helps.
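
The watchdog idea described in the reply above, sketched as an added example that is not part of the original post and not Cloverleaf's own tooling. The pipe-delimited status layout, the per-thread idle limits and the `RESTART_CMD` hook are assumptions; a site would feed it the real “Last Rd”/“Last Wt” values and plug in its own restart command.

```shell
#!/bin/sh
# Constructed sample records (layout is an assumption for this example):
#   thread|state|last_read_epoch|last_write_epoch|max_idle_seconds
sample_status() {
cat <<'EOF'
adt_in|up|1700000000|1700000000|900
lab_out|up|1700003500|1700003590|900
rad_in|opening|1699990000|1699990000|900
night_batch|up|1699980000|1699980000|86400
EOF
}

# stale_threads NOW
# Reads status records on stdin and prints the threads that still claim
# "up" but have neither read nor written within their own idle limit.
# Threads already in "opening" are skipped: they are reconnecting anyway.
stale_threads() {
    awk -F'|' -v now="$1" '
        $2 == "up" {
            last = ($3 > $4) ? $3 : $4   # most recent activity, read or write
            if (now - last > $5) print $1
        }'
}

# watchdog NOW
# Runs the site-specific restart hook once per stale thread.
# RESTART_CMD is a hypothetical hook; by default nothing is restarted
# and the thread name is only reported.
watchdog() {
    stale_threads "$1" | while read -r thread; do
        ${RESTART_CMD:-echo restart-needed} "$thread"
    done
}

# Stand-alone run against the constructed sample, with a fixed "now".
sample_status | watchdog 1700003600
```

The per-thread limit matters for interfaces that are legitimately quiet for long periods, such as the constructed `night_batch` record, which would otherwise be restarted on every cron run.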

        • #70795
          Vaughn Skinner
          Participant

            You might consider firewalling the Cloverleaf ports so that only the expected IPs can access them.  This obviously will not work if the remotes use dynamic addressing, but in many cases firewalling would work and be sufficient.

          • #70796
            Rob Abbott
            Keymaster

              Later releases of Cloverleaf (5.6 and above) are much less vulnerable to penetration tests/attacks.  I suggest you upgrade to a more recent release of the product.

              Rob Abbott
              Cloverleaf Emeritus
