How to add SAML to your ADC Portal account
Note, SAML can only be added by the ADC Portal Admin for your Organization.
The Web Application Firewall is based on ModSecurity, an open source WAF for Apache, IIS, and Nginx that protects against a wide variety of attacks and allows for HTTP traffic monitoring and logging.
SNI is an extension to the TLS protocol which enables the client to broadcast its hostname when it tries to connect to your server. This allows you to use multiple SSL certificates on a single IP.
Because PuTTY uses a signed integer variable to store the number of characters to be erased, and checking for overflow was inadequate, there was the potential for an attacker to corrupt important data in certain circumstances.
The integrated WAF in version 8 of the Loadbalancer.org appliance has been designed for fast, low latency PCI compliance for our customers.
Updates include an enhanced process for high availability appliance pairing, improved LBCLI, and advancement of the web user interface.
Anomaly score based blocking is more flexible and effective than simple first error blocking.
Denial of Service (DoS) attacks can be used to degrade or cripple the functionality of a site.
Is getting an A+ rating with the Qualys scanner starting to feel a bit like chasing a mythical unicorn? Every time you get close to catching and keeping the beast — it runs away and they change the rules again!
So here we go again... Another vulnerability has been found in OpenSSL. However, this is very hard to exploit and requires the hacker to have control of your wireless hotspot or network.
There seems to have been so much hype over the recent bash bug, shell shock! And there were all the people in the Microsoft world thinking YES we are so cool we are NOT affected by it!
Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs are not.
To ensure complete protection, all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key.
Let me first say that I'm not really a fan of PCI scanners. It's not so much that I'm anti security scanners but rather that scanning for vulnerabilities based on only the version number a package returns seems rather simplistic to me.
There are a lot of SSL offload throughput statistics available for appliances across the internet, but rarely do they detail the way they were tested.
The BEAST attack is a practical attack based on a protocol vulnerability and mainly affects the client side.
Any engineer dealing with PCI DSS compliance issues probably loses a little bit of the joy in life.
I've previously blogged about how to get TPROXY and HAProxy working nicely together, but what if you want to terminate SSL traffic on the load balancer to use HAProxy to insert cookies in the standard HTTP stream to the backend servers?
I was reading a post by Tony Bourke 'license to SSL' about the licensing restrictions of Verisign et al. when it comes to web sites running on clusters.