I would like to draw everyone’s attention to the Native Client Launcher.
If you haven’t ever used it, I suggest you check it out. Here is a link to the help page for reference.
I believe that this could pose a potential security risk. Not in the form that someone could get in and access the internals of your system, but in the sense that outsiders might be able to find out information about your organization by seeing the names and descriptions of your projects.
A large company is confidentially testing out a new piece of software, and they name one of their Ignition projects accordingly. If someone used the Native Client Launcher, they might see the name of the new software which would breach the confidentiality of the software test.
An integrator has several projects which are named for their different clients. A competitor could potentially find a “client list” by accessing their project names through the NCL. Additionally, if there were any project names that indicate work on a potential improvement or strategy they were working on, those would be exposed.
There are many reasons why one might need to allow external internet traffic to their Ignition server. (Mobile client access without a VPN, for one)
There already exists the ability to remove project names from the gateway webpage. Why not from the NCL?
Since IA is migrating away from JNLP files and wholly to the NCL, many more people will become familiar with it and begin to use it.
I am curious if anyone has any ways to prevent random people from viewing a list of projects with the NCL on a server which MUST be accessible from the general internet.
I realize that port obfuscation is an option, but that port must necessarily be shared with users, which makes it relatively easy for it to get out in the open.
IA’s response from support regarding this issue was:
“…I checked with one of our developers and they were not aware of any plans to provide that functionality.”
I’m curious about people’s/organizations’ level of concern regarding this issue, and suggestions for fixes / workarounds.
(Obviously, my level of concern is HIGH)
As an aside, I am almost certainly going to have to anonymize all of my project names and descriptions.
Thanks for the feedback,