March 4, 2010

Security Reminders from Perforce

You may have seen Perforce mentioned in the news in connection with the cyber attacks against several well-known companies in recent months. We want to reassure you that there has been no determination that any security vulnerability in the product played a role in these attacks. You can read our company response at:

We would like to take this opportunity to remind users and administrators about basic security precautions that can be taken.


Productivity and security are absolute requirements in most enterprises, yet they are sometimes seen as enemies of each other. Productivity always matters. Security (like backups) is one of those things that means nothing until the day it means everything. Recent events have raised awareness of the importance of security for Perforce customers. Now is a good time to remind users and administrators of basic steps that should be taken to secure your Perforce installation.


The most effective means of protecting your valuable data in Perforce is to operate it only on a well-secured network. Perforce is not a security product, but many excellent security products and technologies can be employed to help secure it. Enterprise-grade VPN solutions encrypt traffic and help prevent unauthorized access; because the Perforce client-server protocol does not itself encrypt traffic, a VPN or similar tunnel is what keeps file content and credentials off the wire in the clear. VPNs help guard the Perforce server and its communication channels to all potential clients. Disk encryption technologies help secure endpoints, such as easily lost or stolen laptops where Perforce workspaces may hold synced files.


Please review this article in the Perforce Knowledge Base:

This is a good starting point, but there are many other factors to consider.


Your intellectual property is likely sitting on a number of machines: build servers, QA environments, developer workstations, laptops, and so on. Do you have Perforce proxies in place? If so, each proxy is another endpoint to secure, since it keeps its own cache of depot file content. Do you have High Availability and/or Disaster Recovery solutions in place? Replica servers and backup copies are more endpoints to secure.


Perforce can work with your network infrastructure to further deflect attacks. The protections table (p4 protect) carries a host field on every line, so access can be limited for users or groups by client IP address. For example, users connecting over a VPN (whose addresses fall in a predictable range) can be given a more limited set of rights than users connecting directly from within the secured, trusted network, or denied access to the most sensitive depot paths altogether.

Out of the box, Perforce runs in a friendly, trusting, open mode suitable for demonstration purposes. In secure commercial production environments, you will want to consider tightening certain defaults: automatic account creation, which happens when the protections table grants access to user * rather than to named users and groups, and security level 0, the default value of the security counter, at which users are not required to have passwords. Raising the counter (for example with p4 counter -f security 2, or 3 to require ticket-based login) forces passwords to be set and to be strong.
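As an added illustration of the two points above (it is not code from the Perforce bulletin or the product), the following script parses a protections table in the layout printed by p4 protect -o, flags the demo-mode patterns (a wildcard user line reachable from any host, and admin/super rights not pinned to an address range), and lists which lines apply to a client connecting from a given address. The sample table is constructed; the vpn-users group and the 10.8.* address range are assumptions made for the example.

```python
"""Lint a Perforce protections table for open-by-default settings and show
which lines apply to a given client address.  Added example; not part of the
Perforce bulletin or the product."""
import re

# Constructed sample in the layout printed by `p4 protect -o`.  The two
# wildcard lines are what a freshly installed server looks like; the vpn-users
# lines are a hypothetical hardening (group name and 10.8.* range assumed).
SAMPLE_PROTECT_SPEC = """\
# A Perforce Protections Specification.
#
#  Protections:  a list of protections, one per line.

Protections:
\twrite user * * //...
\tsuper user admin * //...
\tread group vpn-users 10.8.* //depot/...
\twrite group vpn-users 10.8.* -//depot/crypto/...
"""


def parse_protections(spec):
    """Return the Protections: entries as dicts (access, kind, name, host, path).
    Each table line is: access-level  user|group  name  host  depot-path."""
    entries, in_table = [], False
    for raw in spec.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith("Protections:"):
            in_table = True
            continue
        if not in_table or not raw[0].isspace():
            in_table = False
            continue
        fields = raw.split(None, 4)
        if len(fields) != 5 or fields[1] not in ("user", "group"):
            raise ValueError("malformed protections line: %r" % raw)
        access, kind, name, host, path = fields
        entries.append({"access": access, "kind": kind, "name": name,
                        "host": host, "path": path})
    return entries


def host_matches(pattern, address):
    """Host fields are a literal address or a '*' wildcard pattern (e.g. 10.8.*)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address) is not None


def applicable_lines(entries, address):
    """Lines whose host field covers a client connecting from `address`."""
    return [e for e in entries if host_matches(e["host"], address)]


def lint_protections(entries):
    """Flag wildcard users reachable from anywhere, and admin/super rights
    that are not restricted to an address range."""
    findings = []
    for n, e in enumerate(entries, 1):
        anyone = e["kind"] == "user" and e["name"] == "*"
        anywhere = e["host"] == "*"
        if anyone and anywhere:
            findings.append((n, "WILDCARD-USER",
                             "grants %s to any user name from any host; an "
                             "unknown name that connects is accepted, which is "
                             "what lets accounts be created automatically"
                             % e["access"]))
        if e["access"] in ("admin", "super") and anywhere:
            findings.append((n, "PRIVILEGED-ANY-HOST",
                             "%s access is not restricted to a trusted "
                             "address range" % e["access"]))
    return findings


if __name__ == "__main__":
    table = parse_protections(SAMPLE_PROTECT_SPEC)
    for n, code, msg in lint_protections(table):
        print("line %d %s: %s" % (n, code, msg))
    for ip in ("192.168.1.7", "10.8.0.5"):
        print(ip, "->", [e["access"] + " " + e["path"]
                         for e in applicable_lines(table, ip)])
```

In practice you would feed it the live table (p4 protect -o) rather than the sample; the linter deliberately says nothing about which matching line wins for a given path, only which lines are reachable from a given address and which ones leave the server open.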

Many SCM systems have no way to keep an audit trail of who read which files; Perforce does. If you are not already using the audit log (enabled by setting the P4AUDIT environment variable or starting the server with the p4d -A flag), consider turning it on now: it records every depot file read by every user, which is what lets you reconstruct what was accessed after an incident. It grows by one line per file read, so plan for its storage and rotation. If you operate Perforce on Windows, ensure that the p4d service runs as a non-privileged account rather than a highly privileged one such as Local System. Each of these changes can have convenience, productivity, performance, and other implications, which should be balanced against the net benefit of security.
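To show what the audit trail buys you, here is an added example (not code from the bulletin or the product) that scans audit log lines for two things an incident responder would look for first: a user reading an unusually large number of distinct files in a short window, and reads arriving from outside the trusted address ranges. The field layout used, date, time, user@client, client address, command and file#rev, follows the audit log; the log lines, users, addresses and trusted networks are constructed for the example.

```python
"""Scan a Perforce audit log for bulk reads and for access from outside the
trusted network.  Added example; not part of the bulletin or the product."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Audit log layout: date time user@client client-address command file#rev,
# one line per depot file read.  The lines below are constructed for the
# example (users, addresses and paths are made up).
SAMPLE_AUDIT_LOG = "\n".join(
    ["2010/03/04 09:00:01 alice@alice-ws 192.168.1.20 sync //depot/main/src/app.c#7",
     "2010/03/04 09:00:01 alice@alice-ws 192.168.1.20 sync //depot/main/src/util.c#3",
     "2010/03/04 11:42:10 carol@carol-home 203.0.113.9 sync //depot/main/docs/README#2"]
    # one client on the VPN range printing 120 distinct files in two minutes
    + ["2010/03/04 09:%02d:%02d bob@bob-laptop 10.8.0.5 print //depot/main/src/mod%03d.c#1"
       % (15 + i // 60, i % 60, i) for i in range(120)])

AUDIT_LINE = re.compile(r"^(\S+ \S+) (\S+)@(\S+) (\S+) (\S+) (\S+)#(\d+)$")


def parse_audit(text):
    """Parse audit lines into dicts; raises on a line that does not fit."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = AUDIT_LINE.match(line)
        if not m:
            raise ValueError("unrecognised audit line: %r" % line)
        stamp, user, client, ip, cmd, path, rev = m.groups()
        events.append({"time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
                       "user": user, "client": client, "ip": ip,
                       "cmd": cmd, "file": path, "rev": int(rev)})
    return events


def bulk_readers(events, window=timedelta(minutes=10), threshold=50):
    """Users who touched more than `threshold` distinct depot files inside any
    sliding `window`; returns {user: largest distinct-file count seen}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = len({e["file"] for e in evs[start:end + 1]})
            if distinct > threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def off_network_access(events, trusted_networks):
    """Events whose client address lies in none of the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [e for e in events
            if not any(ipaddress.ip_address(e["ip"]) in n for n in nets)]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    print("bulk readers:", bulk_readers(evs))
    for e in off_network_access(evs, ["192.168.0.0/16", "10.8.0.0/24"]):
        print("off-network:", e["user"], e["ip"], e["cmd"], e["file"])
```

The window and threshold are tuning knobs: a build server legitimately syncs thousands of files at once, so in production you would whitelist known build accounts or key on the command (print and sync from an interactive client look different from a scheduled build).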

Once again, please review the security article in the Perforce Knowledge Base:

If you have any questions, please contact Perforce Technical Support (support at