This question has been flagged
3 Replies
11266 Views
securitynetworks
Avatar
Mark

Hello all, new user here.

I am new to Odoo but do have some experience in ERP's, namely a short stint with sap.

As much as I am impressed with so much functionality, I am curious to know how people are integrating Odoo/OpenERP within their corporate landscape - mostly from a security perspective.

The glaring dilemma I am faced with is can I use Odoo's public website functionality and still use it to keep corporate data? In my experience, public websites should always be in DMZ's...and corporate data is always buried deep within the 'safer' recesses of an organization's network. After a cursory introduction to Odoo, I am left with the belief that either:

1) Odoo should be installed in the DMZ...corporate data and all.

2) Odoo is buried in the network, but some restrictive port forwarding rules are put in place to let the public through on port 80/443 for website access.

3) The website functionality is not meant for the public at all, but only for internal/extranet access...maybe through vpns etc.

For instance, consider an ecommerce app with some products for sale - where do I keep track of the inventory and shipping details? Since this information is tied in with companies, contacts, order history, leads, opportunites...it leaves me to believe this data needs to be packaged with the public website...which should be in a DMZ.

Thanks in advance for your responses!

Avatar
Discard
Avatar
Fabien Pinckaers (fp)
Best Answer

Hello,

Both approaches have advantages and disadvantages:

  1. Have a separate server for the backend and the website

  2. Have both the backend and the website on the same server


Going for two different servers allows to host your backend in a DMZ. Thus, if the website is compromised, an attacker will not have access to your private data. You may have two servers of Odoo, having different data, one for the eCommerce, one for the backend. This approach is similar to having an eCommerce synchronized with an ERP (like magento and Odoo) but the interface is much easier since you sync Odoo data with Odoo data. (you can even use the base_synchro module to help you sync data)

But this approach also has a huge disadvantage: you don't get a full integration and you only interface a few data. As with any eCommerce - ERP integration, it's complex and not super efficient. (you don't get a clean inventory in real time, you may have data conflicts, it's super complex to setup, features are limited to a few synchronized documents, etc.)


As a security point of view, the solution 2 is less efficient. But having everything fully integrated is a huge advantage for the setup, maintenance and efficiency of the users. If you go for the second solution, instead of securing two servers, you can concentrate your effort into securing one Odoo server.


Note that even if your ERP is in a private network, it still need to be open to external access for lots of different reasons: emails gateway, EDI with other software, Web-Services, customer and supplier portal, etc. Most of the current ERPs tend to be online and collaborative, and not anymore hosted in a private network and accessed by employees only. DMZ are not DMZ anymore and what matters is to secure your server, not to hide it.


So, it's a trade off and every one should choose the best solution according to their need and priority. You can also opt for a solution in-between, like putting the backend in a DMZ and setting a HTTP proxy to access to website pages only.


If you need strong integration between the backend and the frontend (e.g. an advanced customer portal), the second solution is probably better. If the security is your primary concern, I would suggest the solution 1, even if it's less efficient and much more complex to setup and maintain.

Not related, but you should have a look at our Security Policy (mostly for SaaS).

Avatar
Discard
Avatar
Tony Felice
Best Answer

Mark, unfortunately, it appears that Odoo is slow to recognize see the importance of security.  It is only very recently that the nightly apt repository has had a PGP key.  Lack of a PGP key would make it trivial in some cases for bad guys to get malicious code into some organizations' ERP systems.  Specifically on your point, I agree, this is a show stopper.  Conceptually, perhaps a separate instance of Apache or Nginx in the DMZ, which proxies traffic to the "public" pages of an Odoo instance, would be an approach.  I would think that the public-facing web proxy would refuse to proxy for any URL whose document name begins with /web.  Still, this is a kludge.  If Odoo wants to be as successful as its overall quality genuinely warrants, they need to get serious about security.

Another glaring security issue seems to be related to session management.  I have many times been startled to open up Chrome, go to one of my Odoo installations, and get right into the ERP without so much as a password challenge.  This seems to happen any time you close the browser without explicitly logging out first.  This is seriously dangerous.

Avatar
Discard
Avatar
Garth Lezama
Best Answer

Fabien, I appreciate you taking the time to comment personally. As an aside, having implemented SAP and Microsoft Dynamics let me say I like the direction Odoo is moving both as a platform and a company. I think the updated partner program is a step in the right direction and staying true to the open source ethos will bring great prosperity and success to the Odoo ecosystem.

To the specific issue of securing backend data, Mark and Tony have a valid point and I wonder if there is not a third option from an Odoo architectural standpoint. Would it not be possible to create a "slave" Odoo installation that loads modules from the "master" and connects either with a Odoo or Postgres user with reduced privileges? I know this adds some complexity to the configuration but given the proliferation of zero day exploits we have to create a multilayered defense of the core erp database as we are asking organizations to use the platform to keep all the crown jewels.

Avatar
Discard