23 December 2014 - 21:10 [Statistics] We are pleased to announce that all rates will drop 10% in 2015. Here are some statistics for those who are interested:     •  Number of Cloud/Data Center users: 2.962     •  Storage in use: 381 TB     •  Number of virtual machines: 207     •  Number of external attacks: 19.458.000     •  Number of DC tickets handled: 1.722     •  End point security failures: 0     •  Edge security failures: 0     •  Downtime: 22 hours (0,004 percent)     •  Support hours: 541     •  Average solution time: 48 minutes Tags: Rates 2015
19 December 2014 - 22:36 [Happy Holydays !] We haven't run the stats for you yet, but in the meantime we wish you all a good Christmas from the Cloud.                                       Here's our new mascot.... Tags: xmas 2014
9 October 2014 - 22:51 [DC-OTA is moving] This week and the next we will be busy moving DC-OTA-A and DC-OTA-B from Antwerp to Rotterdam, you may have intermittent connectivity while the hardware is in transit. Due to the nature how OTA works you can't rely on the netscalers until both A and B are reinserted into the cluster. Tags: ota move
27 September 2014 - 22:56 [More speed ?] It took awhile since we started planning our new multi lane 10Gb backbone in February, after many internal discussions how to get this done without downtime and one bright idea :) we've just done it, as of today you can enjoy our new 10Gb backbone. Cloud performance has never been this fast ! Tags: speed, backbone
7 July 2014 - 11:58 [Step up security measures part 2] In June we have started a mayor program to step up security measures around all our systems, this is part 2, our sslvpn gateways, here's the fingerprint to look for: ssh-rsa 3072 cd:71:5d:4d:c2:10:7a:2d:3a:46:88:3e:81:16:b6:9b Tags: security, sftp, sslvpn
27 June 2014 - 9:58 [How to harden your ciphers] Updated 16 October 2014: SSLv3 disabled. So how do you harden your ciphers ? ssl_labs can test your current ciphers but doesn’t really tell you what to do or how to do this… We’d like to keep things simple so here’s the answer: Apache: SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+ 3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS Nginx: ssl_prefer_server_ciphers On; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+ 3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS; STunnel: options = NO_SSLv3 ciphers = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+ 3DES:RSA+AESGCM:RSA+AES:RSA+3DES:-aNULL:-eNULL:-MD5:-DSS:-ADH:-LOW:-EXP:-SSLv2 IIS: Have a look here for a simple but effective tool. Tags: security, hardening, ciphers
25 June 2014 - 9:21 [Step up security measures] In June we have started a mayor program to step up security measures around all our systems, our root CA has been changed and hardened (no doubt you have seen the warnings about that :) encryption services have been further hardened and yesterday we have phased out the FTPS services in favour of the sslvpn/sftp gateway already in place, the only change for you is the name from dc2 to sslvpn, all the rest remains the same. Inside the management interface for your webdrive you will see a new folder called _Abs_Root which is an alias to the absolute root of your subscription, due to the merge between sftp and sslvpn the service management interfaces have been consolidated. Webdrive, Backup Online, your personal Webspace and also any Website/ERP/CRM we host for you now all share the same management interface. Tags: security, ftps, sftp, sslvpn, webdrive
3 April 2014 - 20:16 [Mitigating legacy applications] Having legacy applications should not have to be a security risk, migrating them can be costly and may even be technically impossible to some extent. A fairly simple mitigating way is to deploy a reverse proxy, even one with a WAF. The reverse proxy will become the secure endpoint solving any DoS / HTTP / HTTPS vulnerability, when required with additional authentication, GEO restrictions, load control and balancing, etc. Adding or enabling a WAF at the secure endpoint to keep the remaining vulnerabilities shielded. Reverse proxies can also be used with pop3, imap, ActiveSync, syncml, etc. and can also be firewalled by way of a WAF. Tags: legacy, mitigating
21 March 2014 - 20:23 [Mitigating vulnerabilities before they strike] What is a WAF and why should this be integrated as default with any internet facing application ? WAF stands for Web Application Firewall, it inspects traffic as it comes in from users and allows or denies the traffic to flow to your web application. The way a WAF works is usually based on rule-sets, ‘if x=badrequest then…’ would be the most simplistic way to explain what a rule is in the context of a WAF. A somewhat unknown but very powerful WAF is naxsi, a lightweight but heavy-duty detector of unwanted traffic to any application. Do’s and don’ts: DO keep your WAF up to date with newly added detection patterns, DON’T allow your WAF to be bypassed by white-listing an IP address or headers. Whatever a user sends you and no matter where it comes from, consider it to be harmful or spoofed. Integrate a WAF with your web application before deployment, it doesn’t have to be active strait away if there is no need for it, but when you do need it, it will have been tested, installed and ready to be deployed in seconds. Tags: mitigating, WAF
1 March 2014 - 8:31 [Our new mobile fleet] Today we are starting our engines on our new fleet of cars which will be ‘flying’ around Europe. Tags: our new carfleet
26 February 2014 - 11:23 [Fase out Linux for Debian] Starting 16 march we will be switching off the last 11 generic Linux VM’s in our DC’s as those last ones have been migrated to debian. March first, Debian is now the only supported other platform we allow next to Windows. Tags: linux, debian
19 February 2014 - 21:54 [Outbound firewalling] We are all well aware of the need to firewall our systems, but how many are aware and actually use outbound firewalls ? Why would you need or use outbound firewalling ?
For a simple reason, you need to look at applications which tend to send more stuff then needed for their functionality.
A more complex reason can be local systems that advertise services which might become visible outside your firewalled perimeter unless such communication is outbound blocked: (https://www.grc.com/nat/nat.htm) ‘When any incoming packets arrive at the router from the Internet, the router scans its "current connections" table to see whether this data is expected by looking for the remote IP and port number in the current connections table. If a match is found, the table entry also tells the router which computer in the private LAN is expecting to receive the incoming traffic from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into the LAN.’ Which is true while the router is not expecting, the issue here is a router might be expecting if this expectation is based on a unexpected advertisement. Remember that a LAN broadcast for LAN devices and LAN users also reaches the LAN router. (Reverse multicast hijacking comes to mind…) Of course it won’t protect you from outbound traffic above port 1024 or from other traffic piggybacking over legitimate traffic unless you also deploy IP filters specific to machines on your LAN. For example not every machine needs access to port 25 or 21, while a single compromised machine can easily become a spam- master. Most routers are capable to handle outbound firewalling yet hardly anyone uses it, maybe it’s time for you to have a look ? Tags: mitigation, outbound firewalling
13 January 2014 - 19:36 [Jail that user !] This year, 2014, we are highlighting technical vulnerability management and methods of mitigation. We often talk about 'jailing that user', but what do we mean with this statement? Let's first explain the basic difference between Linux and Windows when it comes to security, in Linux a user has little to no rights, in order to do things like adding software you need to elevate your rights, this is done using su or sudo where additional rights are added when the proper password is given, this prevents users or other processes running for this user from doing things we don’t want. In Windows this is not the case, a user is usually created as member of the administrators group or is made a member after creation, you then always have rights to do whatever you want including the processes you are running. Of course you can create a user with limited rights in Windows and use the 'runas' feature to elevate your rights when you want to do things like adding software. A method which by the way is much saver then the elevation prompt Microsoft came up with since Windows Vista (being forced to type a password versus a mouse click on a dialog box). Either way you can make your Windows as safe as you want versus how easy you want things to work. There is nothing magical how Linux does this that can’t be done for Windows.
	In order to understand how jailing works for Windows you need to understand a very simple strategy, a service runs as (local) system service or network service with maximum rights on your system ! These are not your typical users which can be access restricted... by now you might have guessed the next step, run that service as a user which can be restricted or in other words you can jail a service- user. Not every service is suitable to be access restricted but given enough time you can figure out where an application needs access to (ea. log files, registry values), sometimes poweruser(group) rights are really needed which at least is better than full access.
When an application consists out of several components which run as different services you can jail these the same way even with different service-user accounts each with their own restrictions. Typical applications where jailing is highly recommended are webservers, sshd servers, proxies, ftp servers, etc. A properly jailed webserver under Windows is just as secure as the default webserver installation under Linux. Nb. Do not make the mistake of thinking that applying a 'policy' is the same as jailing, jailing is a second layer of hardening (sometimes associated with a CIS hardening benchmark) where a policy is a first layer of hardening, applying a policy should not be considered to be true hardening. Tags: vulnerability, jailing, mitigation
1 January 2014 - 00:11 [Have another extremely good ICT year !] All partners and Data Centers Support Teams would like to wish all our customers another very good ICT year, like we have shown in 2012, 2013 and we will show again in 2014, commitment and solutions that work for you. Tags: 2014 Via this media we will keep you updated about our services, mainly our current 12 datacenters across Europe with integrated Cloud/IaaS/DaaS and we will be posting solutions for ICT and Management issues. Additions/submissions are welcome but only accepted via Email: support@ecsystems.nl All rights reserved © ECSystems.nl 2014