Skip to main content

Posts

Google Cloud Armor - Restrictions

Google Cloud Armor is Google's Network Security service that provides protection against DDoS and web application based attacks. If you have been thinking about enabling Google Cloud Armor for leveraging its DDoS protection and WAF capabilities, you must know the following restrictions: 1. Cloud Armor cannot be enabled on non-HTTP Load balancers. 2. If your HTTP load balancers have Cloud CDN enabled on them, then you cannot enable Cloud Armor on them.       3. If your HTTP Load Balancer has backend buckets instead of backend services, you cannot enable Cloud Armor. This is evident in the below snapshot, where the only option you get is to enable Armor for "Load Balancer backend service". The above restriction is also mentioned in the official GCP document. Click here :  Cloud Armor Limitations . Summary: You can enable Cloud Armor only on HTTP load balancers which have backend services (not buckets) as the backend resources. 

Collection of Traffic Logs in case of Azure Application Gateway

Centralized collection and storage of traffic logs is one of the most important pieces of any enterprise security environment and it is crucial to have the information about the source (resource requester). In most cases this is as simple as installing an agent on the server and / or forwarding the log files to the log collector / SIEM etc. However, in some cases, it is not so straight forward. Azure Application Gateway Consider an Internet facing application that you have hosted in you Azure infrastructure. Just a quick refresher, an Azure Application Gateway: is an OSI Layer-7 load-balancer is capable of performing an SSL termination is a reverse proxy (like any standard load balancer) is capable of performing health checks of the backend servers (which host the actual application content) and thereby ensure that if one of the backend servers goes down, it automatically stops sending the traffic to this bad server and thereby save you from an outage The following setup shows users en...

PCI DSS - Checklist

Requirement 1: Build and Maintain a Secure Network This can be divided into two parts: Create a secure network Document your network Following steps should help you to achieve this: Identify your Card Holder Environment (CDE): If you are hosting your CDE on-premise then your local network is usually the CDE. It is preferable to have some demarcation for your CDE. This is usually achieved by means of a firewall. Secure your CDE: Most firewalls work on a whitelist model i.e. only the services that are explicitly allowed to pass are allowed, the rest are blocked. Firewall process document : You should document the list of services that are allowed across the firewall. This should consist of the IP addresses, ports and applications (in case of Next-generation firewalls) that have been allowed on the firewall. Not only the IP addresses, you should be able to map these IP addresses with the servers hosting your card related applications. Requirement 2 : Do Not Use Vendor Supplied Defaults Th...

Warp - 1.1.1.1 (Cloudflare)

Tested : Private, Fast and Free I have used several Mobile apps that either promise total anonymity or faster speeds. Unfortunately, I never found an app that does both, simultaneously. Come Warp - 1.1.1.1 ! This app created by Cloudflare not only keeps your internet communication private, it also speeds up the communication. Why, of course - the CDN provider which hosts the fastest DNS server (1.1.1.1 - which it says is twice faster than Google's famous DNS server 8.8.8.8) would be expected to come up with something like this. You should find app here - Warp - 1.1.1.1 This is how the app will look like. Warp 1.1.1.1 The first thing I did post installation of the app was, check the Internet speed and the nearest Cloudflare CDN server which the app connected me with. Notice below the nearest server connected was located in Mumbai and the download speed being near 2.79 Mbps (Ideally I was expecting about 10 Mbps but have been getting reduced speed since the COVID-19 quarantine) Inter...

Palo Alto Firewall Management Hardening

So you got a fresh new firewall, out of the box. You are done with the basic configuration, placed it into your network, connected the management interface to the management network (Either you have a dedicated management switch / infrastructure which promises a true out of band connectivity or you create a "pseudo" separate network using management VLANs). Of course, it is already recommended to have a firewall protecting the management network, the since compromise on this network can directly lead to access to each of the devices, with catastrophic outcome. In spite of this, there are several management hardening steps that should be carried out to ensure that the firewall's management access is as secure as it can be. Disable telnet (TCP 21) and HTTP (TCP 80) Telnet and HTTP send data in clear text and all it takes is a carefully crafted SPAN / RSPAN session to forward a copy of the communication to a remote machine where the captured traffic (including clear text pas...

PCI DSS

With over 257 billion card transactions for goods and services worldwide, the payment cards (credit or debit cards) serve as one of the most preferable modes of payment. In fact, many surveys show that over 70% people prefer card payments over cash. Payment Card - PCI DSS While alternate modes of payment are catching up (such as IBAN in Europe, UPI in India etc.), the card industry will continue to thrive for several years, on account of its worldwide acceptance, transaction success rate and ease of use. Of course, like all other electronic media, security is of paramount importance when it comes to payment cards. While there is a legal structure for protecting the interests of the card users, the underlying security (both infrastructure and application) is governed by PCI DSS compliance. So what is PCI DSS? It stands for Payment Cards Industry - Data Security Standards. Five different companies Visa, MasterCard, American Express, Discover and JCB International - each of them who alrea...

Database Recovery Strategies

Be it a natural disaster striking your primary data center and obliterating all your databases or some technical error that brings it down, forcing you to consider moving your database to your backup DR (disaster recovery) location, the right disaster recovery strategy would definitely save the day. How do we accomplish this? Well, there are primarily three strategies, you can considering, depending upon your downtime tolerance level: Electronic Vaulting Remote Journaling Remote Mirroring Let us see what each one of them has in store for us: Electronic Vaulting These are essentially bulk transfers wherein the database backups are moved from the primary site to the remote (backup / DR) site via network There is a significant delay between the time you declare a disaster and the time to recover your database backups Entire Backup files are transferred Not suited for hot sites where the recovery should be instantaneous Remote Journaling These are much more frequent and faster than Electro...