
Posts Tagged ‘firewall’

5 Easy Firewall Steps to Identify and Prevent Attacks

September 30th, 2009 by Jason B.

Data today is more valuable than it has ever been. Combine that with the fact that online data storage is growing exponentially and you have a potential nightmare. Security in today’s world is essential, but one doesn’t have to break the bank to get some basic protection and visibility. Here is a list of 5 easy steps to help you get some basic protection and visibility into your environment before it is too late:

  1. Use VPN for all non-public traffic – Today’s firewalls almost always come with VPN capabilities. Take advantage of this technology. Your firewall should only be opened up for services that are for public consumption. Utilizing the VPN for management traffic like FTP, SSH, RDP, etc., can be a huge jump in security hardening. Most people have dynamic IPs, so having to keep opening firewall ports for those IPs can lead to those old rules not being cleaned up or even opening those services up to everyone! Don’t take a chance and leave a hole open for potential hackers; use this method to help lock down the firewall.
  2. Limit external footprint of your servers – If you don’t need something, turn it off. If your servers are not running a service for public consumption, don’t allow it through the firewall. For example, Active Directory servers typically have IIS installed and working. But as there is no public need for that, don’t allow external connections. Defaulting to deny and allowing only the essentials are good rules of thumb.
  3. Log… Log… Log… – Turn on firewall logging whenever possible. Logging is essential to helping detect any problems that are currently going on, or have been going on. Seeing a particular server getting strange requests, or a single IP address scanning your network, could be an early indication of issues.
Read the full post »
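An added example for step 3, not code from the original post: a small Python check that reads firewall log lines and reports any source IP that was denied on many distinct destination/port pairs, which is how a single address scanning the network shows up in the logs. The log format, the sample lines, the threshold and the function name are all assumptions made for illustration; adapt the regular expression to your firewall's real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "time action src dst proto/port" format.
SAMPLE_LOG = """\
2009-09-30T10:00:01 DENY 203.0.113.7 192.0.2.10 tcp/21
2009-09-30T10:00:01 DENY 203.0.113.7 192.0.2.10 tcp/22
2009-09-30T10:00:02 DENY 203.0.113.7 192.0.2.10 tcp/23
2009-09-30T10:00:02 DENY 203.0.113.7 192.0.2.10 tcp/445
2009-09-30T10:00:03 DENY 203.0.113.7 192.0.2.10 tcp/3389
2009-09-30T10:00:03 DENY 203.0.113.7 192.0.2.11 tcp/22
2009-09-30T10:00:04 ALLOW 198.51.100.20 192.0.2.10 tcp/80
2009-09-30T10:00:05 ALLOW 198.51.100.20 192.0.2.10 tcp/443
2009-09-30T10:00:06 DENY 198.51.100.20 192.0.2.10 tcp/22
2009-09-30T10:00:07 DENY 198.51.100.33 192.0.2.10 tcp/3389
2009-09-30T10:00:08 DENY 198.51.100.33 192.0.2.10 tcp/3389
this line is truncated or malfor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+) "
    r"(?P<dst>\S+) (?P<proto>tcp|udp)/(?P<dport>\d+)$"
)

def find_scanners(log_text, min_targets=5):
    """Map each source IP denied on >= min_targets distinct
    (destination, port) pairs to the sorted list of those pairs."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue  # skip unparsable lines and permitted traffic
        # A set ignores repeats, so retries against one port count once.
        targets[m["src"]].add((m["dst"], int(m["dport"])))
    return {src: sorted(t) for src, t in targets.items()
            if len(t) >= min_targets}

if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_LOG).items():
        print(f"{src} was denied on {len(hits)} distinct targets:")
        for dst, port in hits:
            print(f"  {dst}:{port}")
```

Counting distinct targets rather than raw denies keeps a client that retries one blocked port (198.51.100.33 in the sample) from being reported as a scanner.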

How to Get True Firewall High Availability

September 17th, 2009 by Jason B.

High availability is a necessity for any high-performing web application today. Consumers want access to their information anytime, and not having high availability means your potential clients will go somewhere else for their needs or experience frustration.

One of the first areas to consider for a high availability network is the firewall. After all, it is usually your first line of defense and when it doesn’t work, it leaves your business down. Many people think the way to fix this is to add a second firewall and call it a day, but there are many options within the configuration that can improve your client’s experience and site availability. Here are two important considerations:

Current Sessions

The first things to think about are your current sessions. Most firewalls can perform what is known as stateful failover. In a regular failover, all connections are dropped. Clients then need to re-establish their connections when the other firewall takes over. In a stateful failover, however, the active unit shares connection information with its peer, so in the event of a failover the other firewall already has the connection information. This may seem like a trivial issue, but it decides whether the client sees the failure or not.

Typically, entry-level models do not have stateful failover, so this is a business decision that needs to be made before purchasing or upgrading firewalls. Also, you will need to make sure your application qualifies for stateful failover. HTTP is sometimes not enabled for stateful failover by default, since HTTP connections are typically not long-lasting.

Redundant Links

Another item to think about is redundant links. Failover should only happen if the primary firewall is unresponsive, because the failover process takes some time to happen. Depending on firewall models, failover times can vary. I typically see Cisco ASA firewalls reliably fail over in under 10 seconds with default settings, but that still leaves a window of downtime. Redundant links is a technology I set up for clients who want added HA by reducing the chance of failover. With redundant links, there are 2 cables used per interface rather than one.

So, picture a circumstance like this:

Read the full post »

Demystifying PCI’s 12 Requirements

May 20th, 2009 by Jason B.

As you begin the journey to PCI compliance, you might feel a little overwhelmed with all of the steps and requirements involved. That’s why I’ve written this guide to break the PCI DSS into small, digestible chunks. If you understand the 12 basic requirements as an overview, and understand how they protect your customers, the rest of the pieces fall easily into place.

Obligatory disclaimer: You should always consult a QSA for how PCI requirements apply to your environment and what is required for you to become PCI compliant.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

This requires you to not only properly segment your network to control who and what has access to cardholder data, but also to maintain this segment via regular audits and testing. Remember that your data is only as secure as the people who have access to it.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Read the full post »



©1996-2009 INETU INC, ALL RIGHTS RESERVED.
