How do you protect yourself and your business online? This is an integral question that you need to ask before, during and after your deployment goes online.
In looking at options for Linux, CSF (ConfigServer Firewall) is our preferred option as it provides proven security and a more friendly interface through cPanel, which for a lot of web hosting users is an ideal mix. CSF at its core is an SPI (stateful packet inspection) iptables firewall, otherwise known as a stateful firewall, and is a highly scalable solution that is comprehensive, straightforward and very flexible to configure. Here is a link to the feature set of the firewall, and most good web hosting companies will offer this at no cost.
When looking at software firewalls like CSF, there are some potential pitfalls to using a software-based firewall. For starters, the firewall runs on the server itself, and if you are carrying a lot of traffic, your server may not be able to handle the amount of traffic that your business is experiencing. Its direct effect, in the case of web hosting, is that your server’s capacity to serve incoming requests is reduced because it has to spend CPU time passing every packet through the firewall rules before it can handle the actual connections.
A second potential drawback is that if your operating system firewall is not configured correctly, it is possible for your server to become completely inaccessible and in some cases even more vulnerable to attacks than it was before. In the worst-case scenario, a malicious user could gain access to a web site hosted on your server, ultimately gain access to an administrator’s account, and modify your firewall to give themselves access.
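The lockout described above usually comes from one ordering mistake: the INPUT chain is set to drop by default before a rule accepting established sessions and a rule accepting the administration port have been added. The following script is an added example, not part of the original post or of CSF, that parses `iptables-save` output and flags exactly those two omissions. The two rulesets are constructed samples; the chain and rule syntax is standard iptables, but `lockout_risks`, `parse_filter_table` and the message wording are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: INPUT drops by default but never accepts established
# traffic or new SSH connections. Loading it remotely cuts off the admin.
BROKEN_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the same policy with the two rules that keep it reachable.
SAFE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)


def parse_filter_table(text):
    """Parse the *filter table of iptables-save output into {chain name: Chain}."""
    chains = {}
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":INPUT DROP [0:0]" -> chain name and default policy
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
        elif line.startswith("-A "):  # "-A INPUT ..." -> append rule to that chain
            chains.setdefault(line.split()[1], Chain()).rules.append(line)
    return chains


_STATE_RE = re.compile(r"--(?:ctstate|state)\s+(\S+)")
_DPORT_RE = re.compile(r"--dports?\s+(\S+)")


def _port_in_spec(spec, port):
    """True if port is covered by a spec such as '22', '20:25' or '22,80,443'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if not lo.isdigit():
            continue
        if hi == "" and int(lo) == port:
            return True
        if hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def _keeps_established(rule):
    m = _STATE_RE.search(rule)
    return bool(m) and "ESTABLISHED" in m.group(1).split(",")


def _opens_port(rule, port):
    m = _DPORT_RE.search(rule)
    return bool(m) and _port_in_spec(m.group(1), port)


def lockout_risks(ruleset, admin_port=22):
    """Return findings for an INPUT chain that would lock an administrator out.

    Presence check only: it does not reason about rule order or source filters.
    """
    inp = parse_filter_table(ruleset).get("INPUT")
    if inp is None:
        return ["no INPUT chain found in the filter table"]
    accepts = [r for r in inp.rules if r.endswith("-j ACCEPT")]
    drops_by_default = inp.policy in ("DROP", "REJECT") or any(
        re.match(r"-A INPUT -j (DROP|REJECT)\b", r) for r in inp.rules)
    if not drops_by_default:
        return []  # an accept-by-default chain cannot lock anyone out
    findings = []
    if not any(_keeps_established(r) for r in accepts):
        findings.append("INPUT drops by default but never accepts ESTABLISHED traffic: "
                        "existing sessions, including your own SSH session, will be cut off")
    if not any(_opens_port(r, admin_port) for r in accepts):
        findings.append(f"INPUT drops by default but never accepts new connections to "
                        f"TCP port {admin_port}: you cannot reconnect after a lockout")
    return findings


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULESET), ("safe", SAFE_RULESET)):
        print(name, lockout_risks(rules) or "no lockout risk found")
```

On a real host, feed it `iptables-save` output (`lockout_risks(open("rules.v4").read())`) before activating a new policy; CSF's own `TESTING` mode, which reverts the rules on a timer, is the complementary safety net when you cannot review the rules by hand.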
One of the most significant benefits of a hardware firewall is that it takes the load off of the server. This includes activities like processing firewall rules, controlling traffic (including the ability to cap the number of concurrent connections), application layer protection and deep logging features. Though similar in functionality to software firewalls, the dedicated hardware option tends to be much more robust in its ability to block certain types of traffic. In addition, for web hosting customers who have multiple servers, hardware firewalls are better able to handle the traffic for multiple servers and can differentiate between what traffic is allowed to one server but not to another.
Cisco ASA Firewalls
Let’s look deeper into a very popular line of hardware firewalls – Cisco ASA firewalls. In the case of the Cisco ASA firewalls, they can provide a 1-to-1 NAT-based firewall solution, where machines behind the firewall maintain internal IP addresses, and can be accessed through a public IP address. Here is a sample diagram of a NAT setup as demonstrated on Wikipedia:
This provides further security to your network by concealing your internal network, thereby making it harder for a malicious user to look at your network.
Another great feature is that Cisco ASA firewalls can provide transparent firewall functionality. Cisco defines a transparent firewall as a “Stealth Firewall” that allows the firewall to connect to the same network on its inside and outside ports. Though hidden, a transparent firewall still inspects the traffic and will restrict it unless explicitly permitted in the access list. This type of configuration is a great option for users who already have an existing network, because the end users do not need to re-address their IP space. This simplifies the configuration, as there is no translation involved: the access list is written against the server’s public IP address directly.
Many firewall appliances, including the Cisco ASA series and Juniper SSG series, provide advanced features, including acting as a VPN endpoint. In turn, the appliance can provide access to an end user’s internal network in a secure and reliable fashion, again taking more load off of the servers.
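To make the difference between the two ASA deployment modes concrete, here is an added example (not Cisco's code or configuration syntax) that models the 1-to-1 NAT mode from the earlier section and the transparent mode from this one in a few dozen lines of Python. The addresses are constructed placeholders from the documentation ranges (10.0.0.0/24 inside, 203.0.113.0/24 public, 198.51.100.0/24 for the outside client); the `Firewall` class, its `inbound`/`outbound` methods and the access-list tuples are this example's own simplification, and an ASA's implicit deny is modelled by returning `None`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed 1-to-1 (static) NAT table: each inside host owns one public address.
STATIC_NAT = {"10.0.0.10": "203.0.113.10", "10.0.0.20": "203.0.113.20"}

# Constructed access list for traffic arriving on the outside interface:
# (destination as seen on the outside, protocol, destination port).
ACL_OUTSIDE_IN = [
    ("203.0.113.10", "tcp", 80),
    ("203.0.113.10", "tcp", 443),
    ("203.0.113.20", "tcp", 25),
]


class Firewall:
    """Toy model of a routed firewall with static NAT, or a transparent one."""

    def __init__(self, mode, static_nat=None, acl=()):
        if mode not in ("routed-nat", "transparent"):
            raise ValueError("mode must be 'routed-nat' or 'transparent'")
        self.mode = mode
        self.inside_to_public = dict(static_nat or {})
        self.public_to_inside = {pub: ins for ins, pub in self.inside_to_public.items()}
        self.acl = list(acl)

    def _permitted(self, pkt):
        # Access list is matched on the address the outside world actually sees;
        # no entry matching means implicit deny.
        return any(pkt.dst == dst and pkt.proto == proto and pkt.dport == port
                   for dst, proto, port in self.acl)

    def inbound(self, pkt):
        """Outside -> inside. Returns the packet the inside host receives, or None."""
        if not self._permitted(pkt):
            return None
        if self.mode == "transparent":
            return pkt  # both ports on one subnet: nothing to translate
        # Routed NAT mode: only mapped public addresses exist from the outside, so a
        # packet aimed straight at 10.0.0.x never matches and is dropped.
        inside = self.public_to_inside.get(pkt.dst)
        if inside is None:
            return None
        return Packet(pkt.src, inside, pkt.dport, pkt.proto)

    def outbound(self, pkt):
        """Inside -> outside. The inside source address is rewritten in NAT mode."""
        if self.mode == "transparent":
            return pkt
        public = self.inside_to_public.get(pkt.src)
        if public is None:
            return None  # unmapped inside hosts have no outside identity
        return Packet(public, pkt.dst, pkt.dport, pkt.proto)


if __name__ == "__main__":
    nat_fw = Firewall("routed-nat", STATIC_NAT, ACL_OUTSIDE_IN)
    print(nat_fw.inbound(Packet("198.51.100.7", "203.0.113.10", 443)))  # delivered to 10.0.0.10
    print(nat_fw.inbound(Packet("198.51.100.7", "203.0.113.10", 22)))   # None, not in ACL
    print(nat_fw.inbound(Packet("198.51.100.7", "10.0.0.10", 443)))     # None, inside hidden
    tp_fw = Firewall("transparent", acl=ACL_OUTSIDE_IN)
    print(tp_fw.inbound(Packet("198.51.100.7", "203.0.113.10", 80)))    # unchanged packet
```

The two modes share the access list and differ only in whether an address rewrite happens: that is the whole reason the transparent deployment needs no re-addressing, and why in NAT mode the inside addresses never appear on the outside wire.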
What is the best firewall option?
The best option depends entirely on the individual requirements for your web hosting solution. If you don’t have much experience in securing a server for use on the Internet or you are the administrator of a low-traffic website, we would typically recommend a software-based firewall. But if you have multiple machines or you are an experienced system administrator with higher security requirements for your servers/network, we would recommend a hardware firewall solution. Of course, there is always a third option.
In the end, all of these options possess user friendly interfaces and provide security. You have to assess your own comfort level when making your choice, but overall, our aforementioned options are great solutions to help you keep your data secure. For more comprehensive security, you can implement both solutions and have something to fall back on, in the event that a personal computer gets compromised and a malicious user tries to infect your servers behind your firewall!
Ultimately, no matter which type you go with, some security is better than no security.
Since we (www.canadianwebhosting.com) completed our recent SAS70 Type II and CICA 5970 audits, we’ve been getting a lot of questions about what it means and why these types of audits are important to a business and their operations. To understand the full benefits, it’s important to understand why the audit process was created. SAS70 stands for “Statement on Auditing Standards No. 70”. This audit standard was created to identify organizations that are willing to hold themselves to a higher standard of commitment and to provide transparency of the “controls” and processes that a company or organization claims to have in place to protect customers and their data.
One very significant difference between leading hosting companies is what is defined as a “control” and how it is used. We spent a lot of time reviewing this internally and with other leading subject matter experts, all to gain a better understanding of what is required to have a verifiable control. Based on those discussions, we defined a “control” as a process, policy or tool (hardware or software) that a company has in place to enforce a specific claim. For Canadian customers this is especially important, as PIPEDA requires your hosting company to meet specific privacy and security requirements, and by measuring these controls you can have a level of assurance that your requirements are being met. It is important to consider that not all types of audits can give you this level of surety. When an independent auditor is engaged, the hosting company has two options: Type I and Type II.
Listed below are the descriptions of the different types of audits as defined by our independent auditor, SAS70cpa.com, including the described benefits of each:
Type I Audit
A SAS 70 Type I, officially known as a “Report on Controls Placed in Operation” or a Type I Service Auditor’s Report, is intended to provide user organizations and user auditors with information about the controls in place at a service organization that may be relevant to the user organization’s internal control over financial reporting. Materiality of the services provided by the service organization to the user organization is taken into account by the user auditor in planning an audit of the user organization.
What is significant about this type is that unlike a Type II SAS 70 audit, no testing is performed to determine the operating effectiveness of the controls described in the report. Therefore, a Type I report does not provide user organizations or their auditors with a basis for reducing their assessment of control risk below the maximum level. A Type I report is not an acceptable replacement for first-hand testing in conjunction with financial statement audits or Sarbanes-Oxley (SOX) compliance. For this reason, Type II reports are highly preferred by user organizations and their auditors. The Type I reports are generally used only for informational purposes and carry weight because a licensed third party CPA firm verified information contained in the report.
Type II Audit
A SAS 70 Type II, officially known as a “Report on Controls Placed in Operation and Tests of Operating Effectiveness” or a Type II Service Auditor’s Report, is an independent third party verification by a licensed CPA firm as to whether control activities described by a service organization were suitably designed to meet specified control objectives and were in place and operating effectively over a period of time that is typically at least a six month period. The Type II auditor's report deals with the fairness of presentation of the internal controls, the design of the controls with regard to their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period.
Obviously, we are not all CPAs or experts in identifying and measuring controls. So, what should you look for in these audit reports? Read the description of controls carefully; it should cover items such as:
- Facilities and asset management
- Physical and logical security
- Logical access and access control
- Network and information security
- Backup and recovery
- Organizational and administrative controls
- Security policies, reporting, and monitoring
- Computer operations
This is the essence of how seriously the hosting provider takes its processes and systems, and of the repeatability and verification of its controls.
Last Tuesday, Microsoft launched Office 365, their newest cloud service now available in 40 markets. By using this new tool, you'll have access to any of your documents, emails, calendars, contacts and more as it brings together Microsoft Office, Microsoft SharePoint Online, Microsoft Exchange Online and Microsoft Lync Online.
As a small or midsize enterprise, you can benefit from being connected to any of your documents in real time thanks to their cloud service. This tool will help increase and enhance your own productivity along with your employees’. Collaborating on projects will be easier and more seamless than ever, since Office 365 allows you to share calendars and ideas at the same time.
Why should you think about using Office 365? It's simple. It's already enterprise ready and it works on all the browser platforms. Compared to Google Apps, for example, it stands to be a lot more robust, offering the full features of Word, Excel and PowerPoint rather than very basic apps that can't work offline (Google plans on changing that soon). With Office 365, you can run the apps on your desktop or in your browser and everything looks the same; there's no headache. Besides, since most of the marketplace is dominated by Microsoft, here they're providing us with a solid solution for accessing our data more efficiently on the go, anywhere and at any time.