WEB HOSTING BAND WIDTH AND SECURITY
We utilize an integrated Tier-1 Network Access Points (NAPs) and best-in-class network services, and the fifth Tier-1 Network Access Point (NAP) in the world, the NAP of the Americas. The NAP of the Americas is housed in the Technology Center of the Americas (TECOTA), a telecommunications fortress with the most advanced security features available.
NAP OF THE AMERICAS
The NAP of the Americas provides carrier-neutral connectivity, bilateral and unilateral peering, colocation, and a full menu of managed services, routing Internet traffic between the Americas, the Caribbean and Europe.
OC-12 Sonet Ring connectivity to multiple backbone providers POPs. Controlled (temperature, humidity, static and airborne (particles) environment designed for maximum server reliability, Advanced fire suppression systems. Diesel powered generators capable of independently sustaining server operations for more than three weeks, surge suppression and UPS systems for individual servers. Multiple-SCSI backup cluster system for data storage and recovery. Complete state-of-the-art Cisco systems; and a 24x7 Network Operations Center. AT&T, UUnet, Bellsouth, Level3, and Global Crossing Backbones Sonet Ring technology with dual OC-12 and multiple DS-3 fiber optic lines for backbone fail over.
POWER
1450 Amps premise power
Power backed-up by Un-interruptible Power Supply (UPS)
High-capacity Caterpillar generator
Servers-dedicated circuit breaker protection
PROTECTION
State-of-the-art, gas-based fire protection system
Separate fire zones below the floor and above the ceiling
Specialized heat/smoke sensors
Automatic local fire department notification
Hurricane-grade fortificationsMotion sensors
Secured access
24x7 guard patrols
SecurityLink alarm systems
24 x 7 automatic police department notification
Web application firewalls are an important building block in every HTTP network. First of all, they protect the most exposed part of your IT assets : the website. Web applications need their [intelligent and self-learning] bodyguard. When we say bodyguard, we mean a solution which ‘understands’ the application, taking into account its behavior, and can REACT. At the same time, it has to be discrete and stick to business logic. It is the “last rampart”, the ultimate protection! Network security is not web application security!
The perimeter network firewall cannot block all flows and attacks. Indeed, it usually lets http flows (ports 80 and 443) come into company's networks as it is usually needed for communication with outside world.
A CUSTOMER...
I have been delighted with Webdesignoffice as my Web host. Unlike the two I used previously, I can count on no hassles when I update my site or access it. Being able to use Microsoft Frontpage as an editor is fantastic for beginners. Few Web hosts are equipped or skillful enough to offer Frontpage extensions. One owner told me "it creates problems for me." Funny, Webdesignoffice has no problems with it. You're customer service and knowledge exceeds all expectations with genuine commitment to high standards of performance.
IS YOUR WEBSITE VULNERABLE? ARTICLE
Webmaster dilemma: having to choose between “easy and quick developments” and security?
« 75% of malicious attacks on the web take place on the application layer (Gartner) »
«... The evolution of web applications has been characterized by a relatively immature level of security awareness ... (Deloitte and Touche) »
Websites create value. Whether you are an e-merchant, a manager, or a car manufacturer, your core values (accounting, supply chain, customer data, business info, …) are processed, stored and communicated via your internet applications and more generally thanks to your IT system. Web applications include of course web sites as well as business and logic internal applications, intranets, extranets, portals … It is a fact: more and more companies and administrations tend to ‘webize’ their IT infrastructure.
But there are disadvantages : being open brings dangers and threats that are often underestimated.
Web protocols are not secure.
«More than 80% of all malware that emerged in the past year focused on application-level vulnerabilities (various sources, 2006). »
« In June 2006, 92 SQL injection and 34 cross-site scripting (XSS) new vulnerabilities were recorded on our database (Secunia) »
These real threats result in: private data theft, illegal use of your website (for instance: to host forbidden content or spam relays), website defacement, e-commerce website abuse, and unavailability.
Major threats include :
· Cross-site scripting (XSS) - arbitrary code injection in scripts
· SQL injection - reading or modifying databases
· Command injection - unauthorized command execution
· Parameter/form tampering - sending false arguments to the application
· Cookie/header tampering - HTTP fields use to send false values to the web server
· Buffer overflow - overflowing buffer memory
· Directory traversal/forceful browsing - access outside the application
· 'Attack obfuscation' - attack masquerading, for instance via URL encoding
Very well known security principles are confidentiality, availability, integrity and auditability. HTTP and HTTPS protocols give poor results on these aspects. Web protocols hardly authenticate, only partly guarantee confidentiality and integrity, and malicious SSL traffic will remain illegitimate when processed by your website!
Keep in mind that an URL sent by a browser is a command line to your web server: for instance, a URL generating an SQL command or activating a CGI script.
Coding secure web applications is a hard work.
« For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities (Spi Dynamics) »
|
WEB PROTOCOLS
Web protocols are not secure by default. But web application developers could strongly improve security standards with good coding principles.
As M. Andrews and J. Whittaker test mention in their Guide to Web Application Security : “If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection -- gone, XSS -- gone, parameter tampering -- gone.”
Unfortunately, from a software vendor’s perspective: launching a new product on time is more important than launching a secure(d) software !
The limits of traditional tools
«According to CSI/FBI 2006 study :
97% of interviewed companies and administrations were using an antivirus, 98% have a network firewall, 69% have intrusion detection systems.
However ... 65% of these organisations have undergone a viral or spyware attack, 32% have experienced unauthorized access to their internal data and even 15% have suffered from network intrusions ... »
As this specific port is open, more and more applications are using this open door, for instance, VoIP as well as peer to peer. This http port becomes a real toll-free motorway to penetrate internal network. More and more applications (including suspicious ones) are encapsulated into http traffic. This is the “everything over HTTP” phenomenon !
Comprehensive IT security requires a layered approach!
«Two very old adages in security are "least privileges" and "defense in depth." The idea is to only give software enough privileges to get the job done, and not to rely on only one security mechanism. M. Andrews and J. Whittaker, Guide to Web Application Security »
Although security tools have their limits, they are usually necessary to make IT security infrastructure stronger.
Security experts refer to IT security infrastructure as “rings of protections”. Two very well known and common tools are antivirus and network firewalls. As regards with web security, we have seen that web traffic penetrates IT systems with no real opposition. That is why web application firewalls become indispensable.
A web application and a web site need its ‘bodyguard’, as web technologies become increasingly critical and exposed in modern IT infrastructures ! In late 2004, a Red Herring journalist mentioned : "Web-app security will be just like anti-virus was 10 years ago. In five years, it will be a must-have.”.
|