We are pleased to announce that all rates will drop 10% in 2015.
Here are some statistics for those who are interested:
• Number of Cloud/Data Center users: 2.962
• Storage in use: 381 TB
• Number of virtual machines: 207
• Number of external attacks: 19.458.000
• Number of DC tickets handled: 1.722
• End point security failures: 0
• Edge security failures: 0
• Downtime: 22 hours (0,004 percent)
• Support hours: 541
• Average solution time: 48 minutes
Tags: Rates 2015
We haven't run the stats for you yet, but in the
meantime we wish you all a good Christmas from the
Here's our new mascot....
Tags: xmas 2014
This week and next we will be busy moving DC-OTA-A and DC-OTA-B from Antwerp to Rotterdam; you
may have intermittent connectivity while the hardware is in transit. Because of how OTA works, you
can't rely on the netscalers until both A and B are reinserted into the cluster.
Tags: ota move
It took a while: we started planning our new multi-lane 10Gb backbone in February, and after many internal
discussions on how to get this done without downtime, and one bright idea :), we've just done it. As of today you
can enjoy our new 10Gb backbone. Cloud performance has never been this fast!
Tags: speed, backbone
In June we started a major program to step up security measures around all our systems. This is part
2, our sslvpn gateways; here's the fingerprint to look for:
ssh-rsa 3072 cd:71:5d:4d:c2:10:7a:2d:3a:46:88:3e:81:16:b6:9b
Tags: security, sftp, sslvpn
Updated 16 October 2014: SSLv3 disabled.
So how do you harden your ciphers? ssl_labs can test your current ciphers but doesn’t really tell you what to
do or how to do it…
We’d like to keep things simple, so here’s the answer:
SSLProtocol ALL -SSLv2 -SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
options = NO_SSLv3
ciphers = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+
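The directive styles above belong to Apache mod_ssl (SSLProtocol), nginx (ssl_protocols) and stunnel (options). As an added example, not part of the original post, this Python sketch checks whether a single directive line still leaves SSLv3 enabled; the baseline protocol set and the weak sample lines are assumptions constructed for the illustration.

```python
import re

# Assumption for this example: what "ALL" (Apache) or an untouched stunnel
# baseline can negotiate. Real defaults depend on the OpenSSL build.
BASELINE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def enabled_protocols(line):
    """Return the protocol set a single directive line leaves enabled."""
    tokens = [t for t in re.split(r"[\s=;,]+", line.strip()) if t]
    if not tokens:
        raise ValueError("empty directive")
    directive, args = tokens[0], tokens[1:]
    if directive == "SSLProtocol":       # Apache: +/- edit the set, a bare name resets it
        enabled = set()
        for arg in args:
            sign, name = (arg[0], arg[1:]) if arg[0] in "+-" else ("", arg)
            chosen = set(BASELINE) if name.lower() == "all" else {name}
            if sign == "-":
                enabled -= chosen
            elif sign == "+":
                enabled |= chosen
            else:
                enabled = chosen
        return enabled
    if directive == "ssl_protocols":     # nginx: plain allow-list
        return set(args)
    if directive == "options":           # stunnel: NO_<proto> subtracts from the baseline
        return BASELINE - {a[3:] for a in args if a.startswith("NO_")}
    raise ValueError(f"unrecognised directive: {directive}")


def allows_sslv3(line):
    """True when the directive line still permits SSLv3."""
    return "SSLv3" in enabled_protocols(line)


# Constructed samples: the hardened lines from the post beside weak variants.
SAMPLES = [
    "SSLProtocol ALL -SSLv2 -SSLv3",
    "SSLProtocol ALL -SSLv2",
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
    "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
    "options = NO_SSLv3",
    "options = NO_SSLv2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("FAIL" if allows_sslv3(sample) else "ok  ", sample)
```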
Tags: security, hardening, ciphers
In June we started a major program to step up security measures around all our systems. Our root CA
has been changed and hardened (no doubt you have seen the warnings about that :), encryption services
have been further hardened, and yesterday we phased out the FTPS services in favour of the
sslvpn/sftp gateway already in place. The only change for you is the name, from dc2 to sslvpn; all the rest
remains the same.
Inside the management interface for your webdrive you will see a new folder called _Abs_Root, which is an
alias to the absolute root of your subscription. Due to the merge between sftp and sslvpn, the service
management interfaces have been consolidated.
Webdrive, Backup Online, your personal Webspace and also any Website/ERP/CRM we host for you now
all share the same management interface.
Tags: security, ftps, sftp, sslvpn, webdrive
Having legacy applications should not have to be a security risk, but migrating them can be costly and may even
be technically impossible to some extent.
A fairly simple way to mitigate is to deploy a reverse proxy, even one with a WAF.
The reverse proxy will become the secure endpoint, solving any DoS / HTTP / HTTPS vulnerability, when
required with additional authentication, GEO restrictions, load control and balancing, etc.
Adding or enabling a WAF at the secure endpoint keeps the remaining vulnerabilities shielded.
Reverse proxies can also be used with pop3, imap, ActiveSync, syncml, etc., and these can also be firewalled by
way of a WAF.
Tags: legacy, mitigating
What is a WAF and why should it be integrated by default with any internet-facing application?
WAF stands for Web Application Firewall; it inspects traffic as it comes in from users and allows or denies
the traffic to flow to your web application.
The way a WAF works is usually based on rule-sets, ‘if x=badrequest then…’ would be the most simplistic
way to explain what a rule is in the context of a WAF.
A somewhat unknown but very powerful WAF is naxsi, a lightweight but heavy-duty detector of unwanted
traffic to any application.
Do’s and don’ts: DO keep your WAF up to date with newly added detection patterns, DON’T allow your WAF
to be bypassed by white-listing an IP address or headers.
Whatever a user sends you, and no matter where it comes from, consider it to be harmful or spoofed.
Integrate a WAF with your web application before deployment. It doesn’t have to be active straight away if there
is no need for it, but when you do need it, it will have been tested, installed and ready to be deployed in
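An added example (not from the original post, and not naxsi's own rule syntax) of a score-based rule-set in Python, showing why the white-listing DON'T matters: the same request is blocked when inspected but passes once a client-supplied header is trusted. The rules, threshold, header names and requests are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical rule-set: (name, pattern, score). Illustrative, not a real WAF's rules.
RULES = [
    ("script_tag", re.compile(r"<\s*script", re.I), 8),
    ("sql_keyword", re.compile(r"\b(union|select)\b", re.I), 4),
    ("quote", re.compile(r"['\"]"), 4),
]
BLOCK_AT = 8  # a request is blocked once its summed score reaches this


def score(request):
    """Sum the scores of all rules matching the decoded URI and body."""
    data = unquote_plus(request["uri"]) + "\n" + unquote_plus(request.get("body", ""))
    return sum(points for _, pattern, points in RULES if pattern.search(data))


def waf_strict(request):
    """Inspect every request; nothing the client sends earns trust."""
    return "BLOCK" if score(request) >= BLOCK_AT else "ALLOW"


def waf_with_bypass(request, trusted_ips=("10.0.0.5",)):
    """The DON'T: skip inspection for a white-listed address or header."""
    headers = request.get("headers", {})
    if headers.get("X-Forwarded-For") in trusted_ips or headers.get("X-Internal") == "1":
        return "ALLOW"
    return waf_strict(request)


# Constructed requests.
NAME_WITH_QUOTE = {"uri": "/search?q=O%27Brien"}
FLAGGED = {"uri": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"}
FLAGGED_SPOOFED = dict(FLAGGED, headers={"X-Forwarded-For": "10.0.0.5"})

if __name__ == "__main__":
    for req in (NAME_WITH_QUOTE, FLAGGED, FLAGGED_SPOOFED):
        print(score(req), waf_strict(req), waf_with_bypass(req), req["uri"])
```

The single quote in a surname scores below the threshold and passes, which is why the rules carry scores instead of blocking on the first match.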
Tags: mitigating, WAF
1 March 2014 - 8:31 [Our new mobile fleet]
Today we are starting our engines on our new fleet of
cars which will be ‘flying’ around Europe.
Tags: our new carfleet
Starting 16 March we will be switching off the last 11 generic Linux VMs in our DCs, as those last ones have
been migrated to Debian. As of March first, Debian is the only other supported platform we allow next to
Tags: linux, debian
We are all well aware of the need to firewall our systems, but how many are aware of and actually use
outbound firewalls? Why would you need or use outbound firewalling?
For a simple reason: you need to look at applications
which tend to send more stuff than needed for their
A more complex reason can be local systems that advertise services which might become visible outside
your firewalled perimeter unless such communication is outbound blocked: (https://www.grc.com/nat/nat.htm)
‘When any incoming packets arrive at the router from the Internet, the router scans its "current connections" table to see
whether this data is expected by looking for the remote IP and port number in the current connections table. If a match is
found, the table entry also tells the router which computer in the private LAN is expecting to receive the incoming traffic
from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into
That is true as long as the router is not expecting the traffic; the issue here is that a router might be expecting it if this
expectation is based on an unexpected advertisement.
Remember that a LAN broadcast for LAN devices and LAN users also reaches the LAN router. (Reverse
multicast hijacking comes to mind…)
Of course it won’t protect you from outbound traffic above port 1024 or from other traffic piggybacking over
legitimate traffic unless you also deploy IP filters specific to machines on your LAN. For example not every
machine needs access to port 25 or 21, while a single compromised machine can easily become a spam-
Most routers are capable of handling outbound firewalling, yet hardly anyone uses it. Maybe it’s time for you to
have a look?
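An added example, not part of the original post: a Python model of per-machine outbound filtering, run over constructed flow records, that shows which hosts trip the egress policy. The addresses, the policy and the default-deny stance are assumptions for the illustration.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN range
DEFAULT_PORTS = {53, 80, 443}                   # egress every machine gets
PER_HOST = {                                    # extra ports, per machine
    "192.168.1.10": {25},                       # the mail server may send SMTP
    "192.168.1.20": {21},                       # the transfer host may use FTP
}

# Constructed flow records: "source destination destination-port".
FLOWS = """\
192.168.1.10 198.51.100.25 25
192.168.1.31 198.51.100.80 443
192.168.1.31 203.0.113.7 25
192.168.1.31 203.0.113.8 25
192.168.1.31 203.0.113.9 25
192.168.1.44 192.168.1.1 53
192.168.1.44 203.0.113.50 21
"""


def verdict(src, dst, dport):
    """Classify one connection attempt as 'local', 'allow' or 'drop'."""
    if ipaddress.ip_address(dst) in LAN:
        return "local"                          # stays inside the perimeter
    allowed = DEFAULT_PORTS | PER_HOST.get(src, set())
    return "allow" if dport in allowed else "drop"


def dropped_by_host(flow_text):
    """Count dropped outbound attempts per (source, port)."""
    drops = Counter()
    for line in flow_text.splitlines():
        src, dst, dport = line.split()
        if verdict(src, dst, int(dport)) == "drop":
            drops[(src, int(dport))] += 1
    return drops


if __name__ == "__main__":
    for (src, port), count in dropped_by_host(FLOWS).most_common():
        print(f"{src} -> port {port}: {count} blocked attempts")
```

Repeated drops on port 25 from a workstation are the signal worth alerting on: the block contains the traffic and the counter tells you which machine to inspect.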
Tags: mitigation, outbound firewalling
This year, 2014, we are highlighting technical vulnerability management and methods of mitigation.
We often talk about 'jailing that user', but what do we mean by this statement?
Let's first explain the basic difference between Linux and Windows when it comes to security. In Linux a user
has little to no rights; in order to do things like adding software you need to elevate your rights. This is done
using su or sudo, where additional rights are added when the proper password is given. This prevents users,
or other processes running for this user, from doing things we don’t want.
In Windows this is not the case: a user is usually created as a member of the administrators group or is made
a member after creation; you then always have rights to do whatever you want, including the processes you
Of course you can create a user with limited rights in Windows and use the 'runas' feature to elevate your
rights when you want to do things like adding software, a method which by the way is much safer than the
elevation prompt Microsoft came up with since Windows Vista (being forced to type a password versus a
mouse click on a dialog box).
Either way you can make your Windows as safe as you want versus how easy you want things to work.
There is nothing magical about how Linux does this that can’t be done for Windows.
In order to understand how jailing works for Windows
you need to understand a very simple strategy, a
service runs as (local) system service or network
service with maximum rights on your system ! These
are not your typical users which can be access
restricted... by now you might have guessed the next
step, run that service as a user which can be
restricted or in other words you can jail a service-
Not every service is suitable to be access restricted,
but given enough time you can figure out what an
application needs access to (e.g. log files, registry
values). Sometimes poweruser (group) rights are
really needed, which at least is better than full access.
When an application consists of several components which run as different services, you can jail these
the same way, even with different service-user accounts, each with their own restrictions.
Typical applications where jailing is highly recommended are webservers, sshd servers, proxies, ftp servers,
A properly jailed webserver under Windows is just as secure as the default webserver installation under
N.B. Do not make the mistake of thinking that applying a 'policy' is the same as jailing. Jailing is a second layer
of hardening (sometimes associated with a CIS hardening benchmark), whereas a policy is a first layer of
hardening; applying a policy should not be considered to be true hardening.
Tags: vulnerability, jailing, mitigation
All partners and Data Centers Support Teams would like to wish all our customers another very good ICT
year, like we have shown in 2012, 2013 and we will show again in 2014, commitment and solutions that work
Via this medium we will keep you updated about our services, mainly our current 12 datacenters across
Europe with integrated Cloud/IaaS/DaaS, and we will be posting solutions for ICT and Management issues.
Additions/submissions are welcome but only accepted via Email: email@example.com
All rights reserved © ECSystems.nl 2014