Security
No laughing matter
Events
Lessons from InfoSec 2023: how to prevent a cyber crisis with a defense-in-depth strategy
The talk of the town at InfoSec 2023 was the evolving cyber security battleground, and the practical steps organizations might take in order to mitigate some of these threats...
WAF
Why you shouldn't lose sleep over the commercial end-of-life of ModSecurity
The ModSecurity web application firewall (WAF) engine is set to go end-of-life (EOL) on 1 July 2024...
ADC centralized management for enhanced security
You need a clear, comprehensive view of your entire load balancing estate to maintain control and security...
How-tos
Three scenarios for implementing time-based security and content switching on your load balancer
It can sometimes be useful to make load balancing decisions based on the time and date. This allows you to conditionally refuse or redirect connections based on the time they're received...
Security
Should an ADC be your first line of defense against Denial of Service (DoS) attacks?
There are two schools of thought on this: ‘yes, it should’ and ‘no, it shouldn't’. Let's look at the arguments both for and against...
Security
OWASP doesn't want you to have crAPI security
Here's what we learned from crAPI about API security, and how a Web Application Firewall (WAF) can help you take things one step further...
Security
The role of load balancers in zero trust architectures
Getting on board with zero trust is the easy part. Actually applying these principles to your architecture is less black and white...
WAF
Report back from the OWASP Core Rule Set Community Summit and OWASP Global AppSec 2023: The WAF conundrum
I had the privilege of speaking in Dublin at this year's OWASP Core Rule Set Community Summit before then attending OWASP Global AppSec immediately afterwards...
How-tos
How to create an SSL certificate in Linux
I thought I would try and cover the basics here by explaining how to create an SSL certificate and the various files that you'll end up with...
High Availability
The role of network management in business continuity
We'd all rather prevent a disaster than have to live with the consequences of one...
WAF
Handling large requests with a Web Application Firewall (WAF) while avoiding Denial of Service (DoS) attacks
Sometimes, we need to pass unusually large HTTP requests through our WAF stack...
HAProxy
How to rate limit with HAProxy Stick Tables and the WAF
A while ago I was asked if it would be possible to apply some general rate limiting in HAProxy and the WAF, in order to help prevent DOS-style attacks on a customer's servers...
Security
What can we learn from the recent F5 security vulnerability?
F5 recently announced a critical security vulnerability, allowing an attacker to bypass its iControl REST authentication, and execute commands such as creating or deleting files and disabling services...
How-tos
When is it right to SSL offload?
It's a fair question, right? Let's take away the strain of SSL terminations from our application servers and let the load balancers deal with it. After all, why would we want to bog down our nifty application with network-level considerations?..
Security
Spring Framework vulnerabilities
It is understandable that SysAdmins, DevOps, and most in the IT and Security Departments involved want to ensure all load balancers are fully patched and protected, given that our product plays an important role in their topology...
Security
DoS vulnerability in OpenSSL related to certificate parsing (CVE-2022-0778)
Customers with manually configured, custom client authentication deployments (rare) or using “re-encrypt to backend” to communicate with untrusted third-party servers (very rare) may be impacted...
Security
PwnKit Vulnerability (CVE-2021-4034)
A local privilege escalation vulnerability was found on polkit's pkexec utility. It is a critical vulnerability because it gives full root privileges to any local user or attacker...
Open source
ModSecurity DoS vulnerability (CVE-2021-42717)
All WAF vendors and services using ModSecurity are affected by this vulnerability (unless they have the vulnerable piece of code disabled, by chance)...
Security
Does Niagara Networks have the answer to scaling Secure Web Gateways all the way up to 100G?
Network Security devices such as firewalls, WAF, SWG, IPS etc. are often deployed inline with bridge mode., which has two major problems...
How-tos
Simplifying web application security with the Core Rule Set v3
A WAF isn't a magic bullet, but, as part of a defense in depth strategy, a properly configured WAF should catch and stop common, everyday attacks...
Security
Apache Log4j vulnerability CVE-2021-44228
The Apache Log4j utility is commonly used for logging requests by millions of Java applications to log error messages. However, recently the critical vulnerability CVE-2021-44228 was discovered in the Apache Log4j library...
High Availability
What can we learn from the recent Facebook outage?
On the 4th October 2021, the social media giant Facebook experienced a global outage, affecting not only Facebook, but also Instagram and WhatsApp...
WAF
Extending ModSecurity: How to add completely custom WAF functionality
In this example, I’m going to add a new transformation function to ModSecurity to calculate the Scrabble score of a variable. This will allow us to block HTTP requests containing query string parameters with a Scrabble score above a chosen threshold...
Integration
How to create a load balancer SSL/TLS certificates report
I should really say that not every request of this type can be turned around on the same day - but we do try!..