FileMaker - Data Encryption

ITAG Standard #5: Applications that transmit sensitive information including passwords over the network must encrypt the data to protect it from being intercepted by network eavesdroppers.

Encrypting the data stream and user accounts

Since the arrival of FileMaker v7, it has been possible to encrypt FileMaker data over the network via SSL. In earlier versions, encryption required plug-ins, tunneling, or a VPN. Now it is simply enabled via a checkbox on the FileMaker Server Admin console security tab. With encryption so easily accomplished, there is no reason not to encrypt your data stream.

Exceptions and additional considerations:

  • ODBC connections are not encrypted when you enable SSL on FM Server; your ODBC client or driver must provide for encryption.
  • Web site connections to client browsers are only encrypted if you have configured your web server accordingly.
  • The connection between the web server application and the web publishing engine is not encrypted. You must either put both applications on the same machine or put a firewall around that connection.
  • Versions 7 and 8 only: The connection between FileMaker Server and the Server Admin Tool (SAT) is not encrypted. So, if you password-protect the SAT, you should use Apple Remote Desktop or Windows Remote Desktop to take control of the server machine and launch the SAT "locally" so that the password does not go over the network.

To enable SSL between FM clients and FM Server, select the "Secure Connections to FileMaker Server" checkbox in the security section of the Server Admin console. You must restart FileMaker Server for this setting change to take effect.

FileMaker Server v9 Admin Console:


[Screenshot: console_ssl]

 

Encryption Technology

In the current version of FileMaker, authentication occurs at the server level. Hashes of the passwords, not the passwords themselves, are stored. FileMaker now uses TripleDES encryption with the addition of HMAC-SHA-1 for integrity checking. Note, however, that while hashed passwords are less likely to be cracked, tools still exist that allow hackers to replace a password entirely with one of their own choosing, which has the same effect as decrypting a password to gain unauthorized access. Access to the database must therefore be secured by other means, in addition to the hashes. Without also ensuring the physical security of the database file and server, encryption is a very limited tool.
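The hash-replacement point above, as an added example (not FileMaker's code or file format): a stored hash can simply be overwritten by anyone who can write to the file, while a keyed integrity tag whose key is kept outside the file exposes the change. The record layout, function names, iteration count and sample passwords are all constructed for illustration; HMAC-SHA-1 is used only because it is the integrity primitive the page names.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # constructed value, kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; only this value is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)


def record_tag(user: str, salt: bytes, pw_hash: bytes, mac_key: bytes) -> bytes:
    """HMAC-SHA-1 over the whole account record, keyed by a secret the file lacks."""
    return hmac.new(mac_key, user.encode() + salt + pw_hash, hashlib.sha1).digest()


def make_record(user: str, password: str, mac_key: bytes) -> dict:
    salt = os.urandom(16)
    pw_hash = hash_password(password, salt)
    return {"salt": salt, "hash": pw_hash,
            "tag": record_tag(user, salt, pw_hash, mac_key)}


def login_hash_only(store: dict, user: str, password: str) -> bool:
    """Trusts whatever hash is currently in the file."""
    rec = store.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def login_with_integrity(store: dict, user: str, password: str, mac_key: bytes) -> bool:
    """Rejects the record outright if it no longer matches its integrity tag."""
    rec = store.get(user)
    if rec is None:
        return False
    expected = record_tag(user, rec["salt"], rec["hash"], mac_key)
    if not hmac.compare_digest(rec["tag"], expected):
        return False  # record was altered after it was written
    return login_hash_only(store, user, password)


def demo() -> tuple:
    server_key = os.urandom(32)  # assumption: held by the server, not in the file
    store = {"admin": make_record("admin", "original-password", server_key)}
    # Someone with write access to the file swaps in a hash of their own password.
    salt = os.urandom(16)
    store["admin"].update(salt=salt, hash=hash_password("replacement", salt))
    return (login_hash_only(store, "admin", "replacement"),
            login_with_integrity(store, "admin", "replacement", server_key))
```

The tag only helps while the key stays off the file and the server itself is trusted, which is the same dependency on file and server protection the paragraph describes.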

It is worth noting that as of version 7, FileMaker switched to a Unicode text format. This compressed format makes the data stream more difficult to read in a text editor, further reducing the risk of compromise by network sniffing.

For more information about encryption technologies, as well as other security-related issues in FileMaker, see http://www.filemaker.com/downloads/pdf/techbrief_security.pdf.
