2 Replies Latest reply: Apr 29, 2009 10:05 PM by Jay Jakosky RSS

    QlikView Security

    Colin Albert

      We are looking at hosting QV so it is directly accessible from the internet. We are currently viewing over the VPN but this is one too many steps for some of the sales force, and one more thing (well several actually) to go wrong.

       

      We have done this in the past with other web apps but recently discovered that one of the apps had a secuiry flaw which meant that an unauthorised user could bypass the built-in security (did not use NTFS based permissions) and access the information it usually presented to authenticated users only. When contacting the supplier to query this, they stated that the 'Application' was not designed for direct internet use and should only be used across a VPN as it is not secure enough in this version and that a later release would be more secure.

       

      With this in mind, I have been hesitent to open QV to the wider web. I have read through "CHAPTER 6 QLIKVIEW SERVER 8 SECURITY" and can't see any thing saying "Don't connect QV directly to the internent". I have also read through several discussions e.g. "QVA for IE through https tunnel is seen as nonsecure" and assume it's ok.

       

      I think it's better to be safe than sorry, so I'm posing the question here…

       

      Thanks.

        • QlikView Security
          YVES BLAKE

          Different hints for you :

          - You can push Application by mail using Publisher

          - You can publish Ajax applications, and rely on IIS authentication like other webapps.

          - If you have identified sales people, you may restrict QVServer port (default 4747) to some mac address by firewall settings

          - You can work with the DMS service to identify users by different ways (changing password SecureId cards,...)

          But the truth is that Internet is public, and all softwares may have "holes" (as you can see with browsers security patches). So showing data thru the net is always a risk, and i'm quite sure no editor will guaranty total safety...

          In our country, the QlikTech license contract says that they guarentee that software is conform to the documentation and no other warranty, and you accept to use it "as it is".

          If security is an important matter, I recommend you to ask for professional services at Qliktech to best implement your concerns.

           

          • QlikView Security
            Jay Jakosky

            There are lots of Internet-attached installations of QlikView. How secure is it? Well, it's a proprietary product and I doubt there's any real data on when installations have been compromised.