This question has been flagged
3 Replies
6617 Views

Hello,

I am in the process of implementing Odoo for a new customer. The scope is mainly a management system for the internal manufacturing processes. But the customer would like to give to his salesforce the possibility to register quotes in the field. Therefore, the system will be open to the external world.

In my studies, I remember our security teacher saying that in such cases, the system open to the external world should be placed in a demilitarized zone (DMZ) to avoid direct access to the main ERP system.

I am quite worried about this requirement, since to my knowledge, Odoo V10 cannot be splitted into two instances that communicate in secure manner, at least witout an important investment. On the other hand, I have already got two snippets of information, being that :

  • if Odoo.com is offering an eCommerce module integrated with the solution, they have probably taken the security risks into account.

  • another cloud specialist told me that DMZ was a story of the past and not needed anymore in a cloud environment like Amazon AWS.

Have you already faced such security concerns, and how did you solve/minimized them ?

Many thanks for sharing your experience or providing your expertise.

Didier 

Avatar
Discard

Thanks Niyas, but of course I know this page... Still, the question remains : why is Odoo not designed to run on two different instances, one facing the public, and the other one nested under additional security layers and talking only in controlled formats, like in a DMZ ? Is this type of security obsolete or would be worth considering ?

An ERP system is crucial for a business, and having only backups as last resort does not seem to me satisfactory. Some people mentionned talks that happened already on this subject in mailing lists. Could someone lead me to these exchanges. Or did some of you solved the problem by creating your own interface ? 

Again, thanks for all your inputs.

Best Answer

Hello this is Gulshan Negi

Well, if we talk about it, in my opinion using Odoo as both an ERP and a frontend for your business is generally safe as long as you follow standard security best practices. These practices include keeping your Odoo system up to date, implementing strong access controls, using secure hosting, using SSL/TLS encryption, and regularly auditing your system. By following these steps, you can help ensure the security of your Odoo system and protect your business data.

I hope you are clear now.

Thanks

Avatar
Discard
Best Answer

Bonjour M. Stadelmann, in relation to your question, I am interested to know more about the solutions you implemented.  Could you please get in touch with me ?  Thank you.  Cordially,   JF Burguet (burguetjf@hotmail.com)

Avatar
Discard
Best Answer

Your question is easily answered, Odoo is not designed this way because the big advantages of integration do outweigh the potential security risks, when deployed properly. This is the opinion of Odoo and of course of most of the Odoo users (at least of all who are using the website and the web shop). There are different deployment options (such as a remote Postgres server for example) and there of course are different opinions, which have been already discussed in extenso in the community. You must have indepth knowledge of security risks/architectures and not only hearsay snippets in order to have a good understanding of these discussions and to make a proper decision. If you do not agree, you can still deploy Odoo with the connector framework to other online shops, such as Magento, Shopify, wooCommerce etc.

This may be an interesting read which more or less summarizes the situation: http://blogs.opusvl.com/opusvl/security-or-convenience-choose-one               

However, according to the forum rule, this is not a specific question and therefore this forum is not the place for this topic, for discussions of broader topics please use the mailing lists (www.odoo.com/groups).   

Avatar
Discard