Neil Stone
on
•
4 mins
A customer asked me the other day how to set up Squid Proxy Protocol on their Loadbalancer appliance.
The long and short of it is, there are updates to the Linux kernel and glibc packages which will 'fix' the issue
Different vendors have widely different opinions on which method should be used to deploy web filters or SWGs. Historically, vendors struggled to implement authentication in Transparent mode, and maybe they remember some awkward conversations with customers that chose the wrong method.
I am going to focus on how simple it is to mitigate it when using the SSL termination/offloading options available on a Loadbalancer.org appliance.
The Web Application Firewall is based on ModSecurity which is an open source WAF for Apache, IIS, and Nginx for protecting against a many variety of attacks and allows for HTTP traffic monitoring and logging.
SNI is an extension to the TLS protocol which enables the client to broadcast its hostname when it tries to connect to your server. This allows you to use multiple SSL certificates on a single IP.
Due to the way that PuTTY uses a signed integer variable to store the number of characters to be erased and there was inadequate checking for overflow, there was the potential for an attacker to corrupt important data in certain circumstances.
Anomaly score based blocking is more flexible and effective than simple first error blocking.
Denial of Service (DOS) attacks can be used to degrade or cripple the functionality of a site.
Is getting an A+ rating with the Qualys scanner starting to feel a bit like chasing a mythical unicorn? Every time you get close to catching and keeping the beast — it run's away and they change the rules again!
There seems to have been so much hype over the recent bash bug, shell shock! And there were all the people in the Microsoft world thinking YES we are so cool we are NOT affected by it!
Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs are not.
To ensure complete protection all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key.
Let me first say that I'm not really a fan of PCI scanners. It's not so much that I'm anti security scanners but rather that scanning for vulnerabilities based on only the version number a package returns seems rather simplistic to me.
The BEAST attack is a practical attack based on a protocol vulnerability and mainly affects the client side.
Any engineer dealing with PCI DSS compliance issues probably looses a little bit of the joy in life.
I've previously blogged about how to get TPROXY and HAProxy working nicely together, but what if you want to terminate SSL traffic on the load balancer to use HAProxy to insert cookies in the standard HTTP stream to the backend servers?