function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
BryanTSCBryanTSC 

Securely Linking to Files via URL

Hi Folks!

 

We are looking to link to files stored locally on our file server via a URL field on a custom object.

 

Thinking about how to do this securely, I initially thought about configuring the directory to only allow external connections from the salesforce domain.  Our network admin brought up the possibility of IP spoofing which would then give access to our files (containing sensitive data).

 

What other security measures / features can you think of that would help us make this secure?

 

BrendanOCBrendanOC

Bryan - If you are using Salesforce to provide links to your Internal file server, you have nothing to worry about.  Let's say the link is \\FileServer\Share\MyDocument.doc

 

\\FileServer is an Internal path name.  That is, no one outside of your internal network will be able to resolve the name, and its IP address will be an internal IP .

These are internal IP ranges: 10.0.0.0/8,  172.16.0.0/12, 192.168.0.0/16

Those IPs are not accessible via the Internet, only within your LAN.

 

Additionally, when you click a link such as \\FileServer\Share\MyDocument.doc its not the Salesforce server that is connecting to the file, its your computer.  Your computer can only resolve that address and access that file if its inside your Firewall. 

As a test, you can put a link somewhere in salesforce that points to an internal file server.  If you log in to Salesforce from outside your network, like from your home computer, clicking that link will give you a browser error that it cannot find the server.

 

If I didn't understand your problem correctly or was unclear, let me know.

 

Regards,

 

Brendan

 

BryanTSCBryanTSC

Yes - that is precisely the issue.  Users are accessing this information from many locations, so we would not want to restrict it to computers inside the domain.  We want to avoid requiring users to VPN and or provide additional login credentials if possible.

 

Does that help or lead you to any possible solutions?

 

Thank you for your help!

BrendanOCBrendanOC

Ok, so it sounds like you want to use content and document storage inside Salesforce. (is that correct?)

 

Salesforce has a few features that can perform this function.  The most simple way is adding a file as an Attachment to an existing record, like an Account or Opportunity.

There is also Document folders. Users have a My Personal Documents folder, and Administrators can create shared document folders and set permissions on them.

Lastly, there is Salesforce Content, which is a much more robust feature for sharing and collaborating on documents, spreadsheets, presentations, etc.

 

Each of these features stores the actual document inside of your Salesforce organization. That means that your users need to be logged in to Salesforce before they can see the documents.  You can also restrict who can see what using the security features I described above.

 

If this is what you want to do, you don't need to worry about someone outside of your organization getting access to these documents.  The documents will be just as secure as any other piece of data in Salesforce.  Of course you should make sure that your users are using strong passwords, and that passwords are changed regularly, but that is true of any system.

 

If you network admin is worried about IP Spoofing, you can tell him/her that all traffic between Salesforce and the browser is HTTPS.  HTTP and HTTPS use the TCP protocol.  Spoofing a single TCP packet is possible, but TCP is specifically designed to use random sequence numbers when the session is first initialized.  After that, TCP sequence numbers are continuously changed as packets move back and forth across the connection.  This security mechanism is the foundation of network security on the Internet.

In addition to this, all data flows within an SSL encryption tunnel to maintain data privacy.

 

For more information on TCP sequence numbers, you can check out these links:

http://www.faqs.org/rfcs/rfc1948.html

http://en.wikipedia.org/wiki/Transmission_Control_Protocol

 

 

If your network administrator has any other questions about Salesforce security, he/she can email security [at] salesforce [dot] com or talk to your account rep.

 

 

I hope that answers your question!