Security Basics
Re: DDoS protection Jun 25 2014 02:23PM
Comp Pycho (computer pycho gmail com)
The concept of cloud computing did not get popular until NIST made it a standard and ordered the gov't to move 30% of their IT infrastructure to the cloud. Cloud was a concept of IBM since 1984; it was not coined "cloud computing" by them, but the concept is theirs. FedRAMP is always based off the latest NIST controls, so I don't understand your claim with that. FedRAMP is a govt-wide program that standardizes the approach to security assessment, authorization and continuous monitoring for cloud products and services. This is from the GSA website, who provide the service; by definition it sounds like a compliance standard. It applies the NIST 800-53 controls.

Do what you know
-Dame Dash

> On Jun 25, 2014, at 9:36 AM, "Mikhail A. Utin" <mutin (at) commonwealthcare (dot) org [email concealed]> wrote:
>
> Some remarks.
> 1. Cloud Computing, yes, is just about datacenters serving hosting, i.e. application hosting service.
> 2. First appeared as Amazon AWS
> 3. CC is not actually IBM own concept as there is no concept in CC at all, see #1
> 4. NIST actually was far later than other parties in "cloudization" (I claim this term :) )
> 5. FedRAMP is not certification program at all. Plus, its security controls list is outdated - it is based on NIST SP800-53 R3, pretty outdated version. Current is R4. So, absolutely cannot be used for anything like certification.
>
> Mikhail
>
> -----Original Message-----
> From: Comp Pycho [mailto:computer.pycho (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, June 25, 2014 8:52 AM
> To: Marios Stylianou
> Cc: Mikhail A. Utin; <Dominick.Sardina (at) pseg (dot) com [email concealed]>; <security-basics (at) securityfocus (dot) com [email concealed]>
> Subject: Re: DDoS protection
>
> Cloud computing is an IBM concept that was blown up by NIST. NIST pushed this "Cloud" BS for external parties to make money. The cloud is nothing but a data center. The secure clouds are data centers which have gone through the FedRamp certification program for security compliance.
>
> Do what you know
> -Dame Dash
>
>
>> On Jun 25, 2014, at 6:56 AM, "Marios Stylianou" <styllosmarios (at) gmail (dot) com [email concealed]> wrote:
>>
>> You can try Incapsula services.
>>
>>
>> Mindbets
>>
>>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Mikhail A. Utin
>> Sent: Monday, June 23, 2014 7:02 PM
>> To: Sardina, Dominick; security-basics (at) securityfocus (dot) com [email concealed]
>> Subject: RE: DDoS protection
>>
>> Hello,
>> Yes, all has been known for a while. I got two presentations discussing partially "cloud" matter at OWASP AppSec DC 2012 and DeepSec 2012 and 2013.
>> You can check both for presentations or ask me personally.
>> Basically, all "clouds" are simply application hosting web sites. And technically a "cloud" is a datacenter. Whether such app is a virtual network or Mom&Dad Pizza shop HTML site does not matter.
>> So-named "cloud computing concept" has nothing in common with computing, and is not a concept at all. Models are useless, and in such cases as "Community Cloud" and "Hybrid Cloud" it is legal nonsense, simply because a service provider cannot have a legally binding relationship (aka a contract) with a community, which is not a legal entity.
>> I tried to dig out where "cloud" came from. It is an invention of IBM circle companies hosting sites reselling IBM services. And in essence it is the replacement of the Google and next IBM funded academic cluster project "Academia Cluster Computing Initiative" or ACCI, see: "Let a Thousand Servers Bloom" - Google official post, posted by Christophe Bisciglia, October 8, 2007, http://googleblog.blogspot.com/2007/10/let-thousand-servers-bloom.html
>> IBM circle guys replaced "cluster" with "cloud" and renamed ACCI as "Academia Cloud Computing Initiative". Bingo! Next they needed something looking like science in a form of "models".
>> However, guys violated Google intellectual property rights on the original ACCI project name.
>>
>> Regards
>>
>> Mikhail
>>
>>
>>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Sardina, Dominick
>> Sent: Friday, June 20, 2014 2:49 PM
>> To: security-basics (at) securityfocus (dot) com [email concealed]
>> Subject: RE: DDoS protection
>>
>> Brett, I have to agree 100%.
>>
>>
>> Regards,
>> Dominick
>>
>>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Wagner, Brett
>> Sent: Friday, June 20, 2014 12:57 PM
>> To: Hartley, Christopher J.; Kellstr
>> Cc: security-basics (at) securityfocus (dot) com [email concealed]
>> Subject: RE: DDoS protection
>>
>> IMHO - I am not a fan of all the mumbo jumbo that goes along with the "Cloud" like it is a new invention. I worked at GTE/BBN in 1999 and we were selling all the same crap back then. With that said and having worked at EMC for a while you can have a "Cloud" on premises just means you have the hardware in one of your company locations. You can have private, shared, public or a combo.
>>
>> It is the same evolution as IT security circa 1970-80s (Rainbow Book Series days), then Information Security circa 1990s, then Information Assurance circa late 90s early 2000s and now Cyber Security. With each name change consultants and companies can charge more for the same ultimate goal with each name change.
>>
>> OK I will now get off my soapbox.
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Hartley, Christopher J.
>> Sent: Friday, June 20, 2014 10:48 AM
>> To: Kellstr
>> Cc: security-basics (at) securityfocus (dot) com [email concealed]
>> Subject: Re: DDoS protection
>>
>> This is a little confusing; "cloud", "on-premise" etc... weird.
>>
>> By "Cloud," it seems like we mean "by provider" (makes sense).
>>
>> On-premise is the best way to detect an attack imo, since the victim network knows what's good and what's not (or should...).
>>
>> So I think the best solution involves some kind of remote blackhole or ideally, perhaps flowspec.
>>
>> I don't think it's a problem that requires spending significant money.
>>
>> Chris
>>
>>> On Jun 19, 2014, at 12:50 PM, Kellstr <kellstr (at) gmail (dot) com [email concealed]> wrote:
>>>
>>> Disclaimer: I work for a company which offers a DDoS Protection Service.
>>>
>>> The advantage of a service "in the cloud" is that if an attack exceeds your circuit bandwidth the provider will be able to drop the malicious traffic. That cannot be done at your premise. Both Arbor and Radware offer strong appliances that can clean up smaller attacks at your premise and can send a signal to the provider if they support that service. You can block traffic using IPSs, but keep in mind they are not designed for a volumetric attack and may be overwhelmed.
>>>
>>> On Wed, Jun 18, 2014 at 11:10 AM, Lance Lassetter
>>> <lancelassetter (at) gmail (dot) com [email concealed]> wrote:
>>>> What about Suricata or Snort IDS in IPS mode?
>>>>
>>>>> On Jun 18, 2014 8:43 AM, "Mikhail A. Utin" <mutin (at) commonwealthcare (dot) org [email concealed]> wrote:
>>>>>
>>>>> As you indicated "Although we're small, we're an organization playing with ($,¥,€,£) exchanges", you are on the client side rather than on the server. If that is right, you do not need to bother with DDoS protection, which is against the server side.
>>>>> Mikhail
>>>>>
>>>>> -----Original Message-----
>>>>> From: listbounce (at) securityfocus (dot) com [email concealed]
>>>>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
>>>>> kartik.netec (at) gmail (dot) com [email concealed]
>>>>> Sent: Wednesday, June 18, 2014 12:49 AM
>>>>> To: security-basics (at) securityfocus (dot) com [email concealed]
>>>>> Subject: Re: Re: DDoS protection
>>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for your replies.
>>>>>
>>>>> Noted the points raised by Jacint and Kelly Keeton. I appreciate that.
>>>>>
>>>>> May I kindly seek an opinion/arguments on whether in-house appliances are more "intelligent" in thwarting application-level DoS/DDoS attacks compared to ISP-provided DoS protection, which may even fail to detect them? Or are there other benefits to owning an in-house product?
>>>>>
>>>>> As far as cons are concerned, I feel that the appliance may add some latency, which may create issues where a latency of milliseconds counts.
>>>>>
>>>>> Although we're small, we're an organization playing with ($,¥,€,£) exchanges and heavily regulated by the Government.
>>>>>
>>>>> Thanks,
>>>>> KT
>>>>>
>>>
>>>
>>>
>>> --
>>> Laws alone cannot secure freedom of expression; in order that every
>>> man present his views without penalty there must be spirit of
>>> tolerance in the entire population. - Albert Einstein
>>>
>>
>>
>>
>
>

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
