OpenEMPI security plan

Hi,

Something urgent has come up and I won't be able to attend the call this morning/afternoon. Here is the
write-up on the security configuration I had promised to send out.

The problem we need to solve is that we would like some people on the outside (such as Shaun and myself)
to have access to the web application for OpenEMPI but we would like to restrict access to it using additional
security beyond the one provided by the application itself.

What I am proposing is that we install a web server on the outside server that receives external requests and
forwards ones intended for the OpenEMPI web application to the internal server. The external server will be
configured either through its firewall configuration or through the web server's configuration (or both)
to only accept requests from certain network domains (for example SYSNET and Regenstrief). The firewall
of the internal server will also be configured to only allow specific requests to pass through the firewall. The
requests that will be permitted to flow through are those coming from the external server trying to connect
to the OpenEMPI port.

In addition to the proposal above, we should do the following:
 -  enhance the security of the database for OpenEMPI and configure it to only allow login requests from
the local machine. This will ensure that no outside users are able to connect to the database directly. The
default configuration of the database server is a bit lenient.
 -  enable SSL on the external web server that is installed for redirecting requests to the internal server. This
will make sure that all data is encrypted.


We will be glad to perform that configuration on those servers and also set up a Certificate Authority
infrastructure that can be used not just to issue the SSL certificate for this external server but also to
provide SSL certificates for our other servers.

My apologies that I won't be on the call this morning to describe this proposal in person but maybe we can discuss
it at some point next week in Indianapolis.

Best regards,
Odysseas
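
The external server described in the proposal, sketched as an added example (not part of the original message and not OpenEMPI's own configuration). It assumes nginx as the external web server, which the message does not name, and expresses the permitted network domains as address ranges; the hostname, address ranges, certificate paths, context path and the internal server's address and port are all placeholders.

```nginx
# Added example. Assumption: nginx runs on the external server.
# Every name, address, port and path below is a placeholder.

server {
    listen 443 ssl;                       # HTTPS only; no plain-HTTP listener
    server_name empi.example.org;         # placeholder public hostname

    # Certificate issued by the planned Certificate Authority (placeholder paths).
    ssl_certificate     /etc/nginx/tls/empi.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/empi.example.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Accept requests only from the approved networks. The check uses the
    # TCP peer address, so it cannot be bypassed with a forged header.
    allow 192.0.2.0/24;                   # placeholder: first approved network
    allow 198.51.100.0/24;                # placeholder: second approved network
    deny  all;                            # everyone else receives 403

    # Forward only requests intended for the OpenEMPI web application.
    location /openempi/ {                 # placeholder context path
        proxy_pass http://10.0.0.20:8080; # placeholder internal server and port
        proxy_set_header Host $host;
        # Overwrite, rather than append to, any client-supplied value so the
        # application logs the real source address.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Nothing else on the external server is exposed through this listener.
    location / {
        return 404;
    }
}
```

The internal server's firewall would then permit inbound connections to the OpenEMPI port only from this external server's address, so the proxy is the single path in.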