Friday, August 29, 2008

Walking the Network Tight Rope made easier... With Load Balancers


Load balancing is a process and technology that distributes site traffic among several servers using a network-based device. This device intercepts traffic destined for a site and redirects it to one of several servers.
More generally, it is a technique for spreading work between two or more computers, network links, CPUs, hard drives or other resources in order to get optimal resource utilization, throughput or response time. Using multiple components with load balancing, instead of a single component, can also increase reliability through redundancy. The balancing service is usually provided by a dedicated program or hardware device (such as a multilayer switch) and is commonly used to mediate internal communications in computer clusters, especially high-availability clusters. The process is transparent to the end user.

Benefits of Load Balancing:

- Optimal resource utilization
- Better throughput and response time
- Increased reliability through redundancy
- Streamlined data communication
- Every request receives a response; requests and data are far less likely to be dropped
- Content-aware distribution: routing decisions can be made by reading URLs, inspecting cookies or parsing XML in the request.
- Health checks: the device watches the servers and makes sure they respond to traffic. A server that stops responding is taken out of rotation, and put back once it answers again.
- Priority activation: when the number of available servers drops below a threshold, or load gets too high, standby servers can be brought online.
- SSL offload and acceleration: SSL/TLS is terminated on the load balancer, which removes the burden from the web servers so that performance does not degrade for end users. Note that the hop from the load balancer to the servers is then in the clear unless it is re-encrypted.
- Distributed Denial of Service (DDoS) protection: features such as SYN cookies and delayed binding mitigate SYN flood attacks and generally move that work off the servers onto a more efficient platform.
- HTTP compression: reduces the amount of data transferred for HTTP objects by using the gzip compression available in all modern web browsers.
- TCP buffering: the load balancer can buffer responses from the server and spoon-feed the data out to slow clients, allowing the server to move on to other tasks.
- HTTP caching: the load balancer can store static content so that some requests are handled without contacting the web servers.
- Content filtering: some load balancers can arbitrarily modify traffic on the way through.
- HTTP security: some load balancers can hide HTTP error pages, strip server identification headers from responses, and encrypt cookies so that end users cannot manipulate them.
- Priority queuing (also known as rate shaping): the ability to give different priority to different traffic.
- Client authentication: users can be authenticated against a variety of sources before being allowed to reach a website.
- Firewall: direct connections to the backend servers are prevented, so the only path to them is through the load balancer.
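The health-check and priority-activation behaviour from the list above, in code. This is an added example and not from the original post or from any load balancer product: the health probe is a plain callable so the logic runs offline (a real device would open a TCP connection or fetch a status URL from each server), and the server names, thresholds and probe results are constructed for illustration.

```python
"""Health-checked round-robin load balancing with standby ("priority") activation.

Added example, not code from the original post. The health probe is a plain
callable so the logic runs offline; a real device would open a TCP connection
or fetch a status URL from each server instead. Server names, thresholds and
the probe results below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Backend:
    name: str
    standby: bool = False   # standby servers serve only under priority activation
    healthy: bool = True
    failures: int = 0       # consecutive failed probes


@dataclass
class LoadBalancer:
    backends: List[Backend]
    probe: Callable[[str], bool]   # True if the named server passes its health check
    min_active: int = 2            # activate standbys when fewer primaries than this are healthy
    max_failures: int = 3          # failed probes before a server leaves rotation
    _rr: int = 0                   # round-robin cursor

    def run_health_checks(self) -> None:
        """Probe every server; a server is removed after max_failures consecutive
        failures and reinstated as soon as one probe succeeds."""
        for b in self.backends:
            if self.probe(b.name):
                b.failures = 0
                b.healthy = True
            else:
                b.failures += 1
                if b.failures >= self.max_failures:
                    b.healthy = False

    def active_pool(self) -> List[Backend]:
        """Healthy primaries, plus healthy standbys once primaries fall below min_active."""
        primaries = [b for b in self.backends if b.healthy and not b.standby]
        if len(primaries) >= self.min_active:
            return primaries
        standbys = [b for b in self.backends if b.healthy and b.standby]
        return primaries + standbys

    def pick(self) -> Optional[str]:
        """Choose the server for the next request, or None if nothing is up
        (fail closed instead of letting the client hang on a dead server)."""
        pool = self.active_pool()
        if not pool:
            return None
        chosen = pool[self._rr % len(pool)]
        self._rr += 1
        return chosen.name


def demo() -> Dict[str, object]:
    """Walk through successive outages: constructed probe results, not a real deployment."""
    state = {"web1": True, "web2": True, "web3": True, "web4": True}
    lb = LoadBalancer(
        backends=[Backend("web1"), Backend("web2"), Backend("web3"),
                  Backend("web4", standby=True)],
        probe=lambda name: state[name],
    )
    lb.run_health_checks()
    all_up = [lb.pick() for _ in range(4)]          # standby web4 is never used

    state["web2"] = False                           # one primary fails
    for _ in range(lb.max_failures):
        lb.run_health_checks()
    one_down = [lb.pick() for _ in range(2)]        # web2 is out of rotation

    state["web3"] = False                           # a second primary fails
    for _ in range(lb.max_failures):
        lb.run_health_checks()
    two_down = [lb.pick() for _ in range(2)]        # priority activation brings web4 in

    state.update(web1=False, web4=False)            # everything is down
    for _ in range(lb.max_failures):
        lb.run_health_checks()
    nothing = lb.pick()
    return {"all_up": all_up, "one_down": one_down, "two_down": two_down, "nothing": nothing}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: a server is only removed after several consecutive failed probes, so one dropped packet does not cause flapping, and when no server is healthy the balancer returns nothing rather than forwarding to a dead host.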

References: Server Load Balancing by Tony Bourke
Wikipedia

Image Reference: http://images.newsfactor.com/images/id/4443/story-data-012.jpg

Monday, August 25, 2008

Keep unwanted mail away with Email filtering


Email filtering is the processing of e-mail to organize it according to specified criteria. Most often this refers to the automatic processing of incoming messages, but the term also covers human review in addition to anti-spam techniques, and outgoing e-mail as well as incoming.

Email filtering software takes e-mail as input. For its output, it might pass the message unchanged for delivery to the user's mailbox, redirect it for delivery elsewhere, or throw it away. Some mail filters are also able to edit messages during processing.

Common uses for mail filters include the removal of spam and of computer viruses. A less common use is inspecting outgoing e-mail at some companies to ensure that employees comply with applicable laws. Users might also employ a mail filter to prioritize messages, and to sort them into folders based on subject matter or other criteria.
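The three outcomes just described (deliver, possibly edited; redirect elsewhere; discard) and the inbound and outbound uses, as an added example that is not code from the original post or from any filtering product. The rules, the compliance mailbox address and the sample messages are constructed for illustration: an executable attachment is discarded, outgoing mail containing a payment-card number that passes the Luhn check is redirected to a compliance mailbox, and mail that trips spam heuristics is delivered with its subject tagged.

```python
"""A small mail filter with the three outcomes described above: deliver
(possibly edited), redirect elsewhere, or discard.

Added example, not code from the original post. The rules, addresses and
messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")      # 13-16 digits with optional separators
EXEC_EXT = (".exe", ".scr", ".bat", ".js", ".vbs")
SPAM_PHRASES = ("free money", "act now", "you have been selected")
COMPLIANCE_MAILBOX = "compliance@example.com"         # assumed redirect target


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so random digit strings are not flagged as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(raw: str, outbound: bool = False) -> Tuple[str, EmailMessage]:
    """Return (action, message); action is discard, redirect, deliver-tagged or deliver.
    The parsed (and possibly edited) message is returned so the caller can hand it on."""
    msg = email.message_from_string(raw, policy=policy.default)

    # 1. Virus control: drop anything carrying an executable attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT) or part.get_content_type() == "application/x-msdownload":
            return "discard", msg

    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""

    # 2. Outbound data-leak check: card numbers that pass Luhn go to compliance instead.
    if outbound and any(luhn_ok(m) for m in CARD_RE.findall(text)):
        original_to = str(msg["To"])
        del msg["To"]
        msg["To"] = COMPLIANCE_MAILBOX
        msg["X-Original-To"] = original_to
        return "redirect", msg

    # 3. Spam heuristics: two or more phrases and the message is delivered, but tagged.
    hits = sum(1 for phrase in SPAM_PHRASES if phrase in text.lower())
    if hits >= 2:
        subject = str(msg["Subject"] or "")
        del msg["Subject"]
        msg["Subject"] = "[SPAM] " + subject
        return "deliver-tagged", msg

    return "deliver", msg


def make_message(subject: str, body: str, attachment: Optional[Tuple[str, bytes]] = None,
                 sender: str = "alice@example.com", to: str = "bob@example.com") -> str:
    """Build a constructed test message in RFC 5322 form."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        ("inbound", make_message("Invoice", "See attached.", ("invoice.exe", b"MZ..."))),
        ("outbound", make_message("Order", "Charge card 4111 1111 1111 1111 please.")),
        ("inbound", make_message("Winner!", "You have been selected. Act now for free money!")),
        ("inbound", make_message("Lunch?", "Noon at the usual place?")),
    ]
    for direction, raw in samples:
        action, parsed = classify(raw, outbound=(direction == "outbound"))
        print(f"{direction:8} {str(parsed['Subject'])!r:30} -> {action}")
```

The rules run in order of severity: a message is discarded before any content inspection, and the data-leak check is applied only to outbound mail, so an inbound message quoting a card number is still delivered to the user.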

Advantages:

1. Defend against inbound threats

2. Prevent data leakage through emails

3. Encrypt sensitive information

4. Help in analyzing messaging infrastructure.


References: Wikipedia
Inputs from Gerry Tucker, Director of Sales, APAC, Proofpoint Systems

Monday, August 18, 2008

Increase Productivity.... Implement an SSL VPN



What is an SSL-VPN?

SSL-VPN stands for Secure Sockets Layer Virtual Private Network. The term refers to any device that uses SSL/TLS, the protocol that already protects HTTPS web sessions, to create an encrypted tunnel across a public network between a remote user and a private network. Depending on the product and the mode in use, the gateway either proxies specific web applications to the user's browser (clientless access) or delivers a small agent that carries arbitrary, non-protocol-specific traffic, in which case the encryption is applied to the whole link rather than per application.

Either way, it is a mechanism for communicating securely between two points with an insecure network in between them.

Benefits of using SSL VPN:

· Improves workforce productivity, since employees and contractors can perform tasks even when not physically present in their usual work facilities.

· Easy deployment: for clientless access nothing beyond a standard web browser is needed on the endpoint, and full network tunnelling is delivered through a browser plug-in or lightweight agent pushed by the gateway, so no separate client roll-out is required.

· Finer-grained security options: access can be granted per application or per URL rather than to the whole network, which limits what a compromised remote machine can reach.

· Improved manageability due to highly configurable access control, endpoint health checks and similar features.

· Lowers costs because of the increased self-service capabilities for conducting business with outside parties such as suppliers and customers. Employees can work remotely on a regular basis (e.g., IT consulting), allowing the organization to maintain less office space and save money.

· Increased self-service capabilities for suppliers improve their efficiency, yielding better-negotiated service/product rates.

· If remote access is used as part of a business-continuity strategy, fewer seats may be necessary at disaster-recovery/business-continuity facilities than if all workers must work at the secondary site.

References: http://www.sans.org/reading_room/whitepapers/vpns/1459.php
http://sslvpnbook.packtpub.com/chapter6.htm

Thursday, August 14, 2008

Identify ME!! Securing Your Future with Two-/Three-Factor Authentication



What is Authentication?

Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. This might involve confirming the identity of a person or assuring that a computer program is a trusted one.

What is an Authentication Factor?
An authentication factor is a piece of information and process used to authenticate or verify a person's identity for security purposes.

What is Transactional Authentication?
Transaction authentication generally refers to the Internet-based security method of securely identifying a user through two or three factor authentication at a transaction level, rather than at the traditional Session or Logon level.

Types of multi-factor authentication:

1. Two-factor authentication: a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other something memorized, such as a PIN or password. The two factors are often described as something you have and something you know. A common example is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it. Note that two passwords, or a password plus a security question, still count as a single factor, since both are something you know.

2. Three-factor authentication: a security process in which the user has to provide all three of the following means of identification:
• Something the user has (e.g., ID card, security token, software token)
• Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN))
• Something the user is or does (e.g., fingerprint or retinal pattern, DNA sequence, signature or voice recognition, unique bio-electric signals, or any other biometric identifier)

A few examples of the factors that could be used as SOMETHING THE USER HAS:

Tokens: The most common forms of 'something you have' are smart cards and USB tokens. The differences between the two are diminishing; both include a microcontroller, an OS, a security application and a secured storage area.
Biometrics: Vendors are beginning to add biometric readers to these devices, providing multi-factor authentication on the device itself. The user authenticates to the smart card or token with a fingerprint and then enters a PIN or password to open the credential vault.
Phones: A newer category of two-factor authentication (T-FA) tools turns the user's mobile phone into a token, using SMS messages or an interactive telephone call. Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism.
Smart cards: Smart cards are about the same size as a credit card and serve both as a proximity card and for network authentication. Users can authenticate into the building via proximity detection and then insert the card into their PC to produce network logon credentials. They can also serve as ID badges.
USB tokens: A USB token has a different form factor; it will not fit in a wallet, but attaches easily to a key ring. A USB port is standard equipment on today's computers, and USB tokens generally have a much larger storage capacity for logon credentials than smart cards.
OTP tokens: Some manufacturers also offer a One-Time Password (OTP) token. These have an LCD screen that displays a pseudo-random code of 6 or more characters (sometimes digits only, sometimes letters and digits, depending on vendor and model). The code is not truly random: it is computed from a secret seed shared with the authentication server together with either the current time or a counter, which is what allows the server to recompute it and check it. Time-based tokens (TOTP) change the code at a pre-determined interval, usually every 60 seconds, though other intervals are used; event-based tokens (also called sequence-based, or HOTP) change it after a user event such as pushing a button, with the running count of such events (1, 2, 3, 4, ...) serving as the input. When this code is combined with a PIN or password, the resulting passcode represents two factors of authentication (something you know with the PIN/password, and something you have with the OTP token). There are also hybrid tokens that combine the capabilities of smart cards, USB tokens and OTP tokens.

Advantages of using 2/3-factor authentication:
1. Drastically reduces the incidence of online identity theft, phishing and other online fraud, since a captured password alone is no longer enough to log in.
2. Puts a very strong authentication method in place.
3. Increases the confidence and trust of the users interacting with your network.
4. Helps meet the compliance requirements of various standards, especially in the financial sector.
5. Raises the bar considerably against password-guessing and credential-theft attacks on your network.
6. Allows you to provide secure remote access to your network.

Reference: Wikipedia.
Image Source: www.koshatech.com/images/solutions_img.jpg
www.info.gov.hk/.../images/2_factors.jpg

Tuesday, August 5, 2008

Keeping Away the Peeping Toms...With Mail Encryption



If you are mailing a cheque/DD to somebody, or a very important document to a family member or a customer, do you send it by ordinary post? No; in all probability you would send it by courier or registered post to ensure that the packet reaches the intended person only. Moreover, you would make sure the envelope is neither transparent nor easily tampered with, so that the contents stay hidden. And to confirm that it reached the right person, you ask for an acknowledgement with the date of delivery.

Why then would you send personal or confidential information in an unprotected email?

Why do I need to encrypt my emails?

Sending information in an unencrypted e-mail is the equivalent of sending a cheque/DD in an unsealed envelope, or writing confidential information on a postcard for all to see. Anybody along the way can read such information and use it to defraud us, a situation none of us would like to encounter.

While in transit, an e-mail message passes through one or more mail transfer agent (MTA) servers until it reaches the destination e-mail server. Anyone with access to one of those servers can intercept and read the message. In addition, messages that pass through MTAs are very likely stored and backed up, even after delivery to the recipient and even if both recipient and sender have deleted their copies. Such a stored copy may be subject to snooping in the future and can persist indefinitely.
Additionally, the Internet makes it easy to "spoof" the sender field of an e-mail message, allowing nefarious individuals to misrepresent their identities. This has led to the phenomenon known as "phishing" and to other forms of attack over e-mail, underscoring the importance of the recipient being able to reasonably authenticate the sender's identity. Encryption addresses the first problem (confidentiality); digital signatures, which the same tools provide, address the second (authenticity). That is why we need to ENCRYPT AND SIGN OUR MAILS.

Techniques used to encrypt e-mails:
1. Symmetric encryption: both recipient and sender share a common key or password that is used both to encrypt and to decrypt the message. It is fast, but the shared key has to be exchanged securely beforehand.

2. Asymmetric (public-key) encryption: two keys are used. One is a public key that can be shared with everyone and is used to encrypt the message; the other is the private or secret key, known only to the recipient and used to decrypt it. Both keys take part in every exchange, and only the holder of the private key can read the result. In practice the two techniques are combined: each message is encrypted with a fresh symmetric session key, and only that small key is encrypted with the recipient's public key.

E-mail encryption design approaches

1. The client-based method suggests that the sender of the e-mail should be responsible for encryption.

2. The Gateway-based Method suggests that the organization is responsible for e-mail security, and encryption should be performed on a server operating on the corporate network, based on the security and regulatory compliance needs of the company and its industry vertical.

Methods of message retrieval
1. The "inbox" delivery model: the encrypted e-mail is delivered to the user's inbox, where they open the encrypted message after providing the appropriate password or credentials.

2. The "mailbox" model: the user receives an e-mail with a hyperlink to the encrypted message. The user follows the hyperlink to a website, submits their credentials, and is then able to view the decrypted message.

Standard approaches to e-mail encryption
The need for e-mail encryption has led to a variety of solutions, some from standards bodies and some from the marketplace. Below are a few of these approaches:

1. S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public-key encryption and signing of e-mail, originally developed by RSA Data Security, Inc. It provides authentication, message integrity and non-repudiation by combining a digital signature with encryption. Before S/MIME can be used in an application, the user must obtain and install a unique key and certificate from an internal or public Certificate Authority (CA). Encrypting to someone requires having their certificate, which is typically collected automatically when a message with a valid signing certificate arrives from them.
2. PGP and OpenPGP: Pretty Good Privacy (PGP) is a standard that delivers cryptographic privacy and authentication. The first version of PGP, by designer and developer Phil Zimmermann, was released as an open standard, and Zimmermann and others have developed subsequent versions. Eventually the PGP secure e-mail format was adopted as an Internet standards-track specification known as OpenPGP, which is now an open standard implemented by PGP and by other software. PGP and OpenPGP require a client or plug-in. PGP uses both public-key and symmetric-key cryptography: the message body is encrypted with a symmetric session key, and that session key is encrypted with the recipient's public key.
3. PostX Registered Envelope Encryption and Security: The PostX Registered Envelope is a secure delivery model for the PostX Envelope. The Registered Envelope uses online authentication for decryption-key retrieval to provide secure, auditable message delivery. It delivers both the encrypted payload and the code needed for decryption to the recipient as an e-mail attachment. The e-mail payload is encrypted with a unique (per-message) secure random session key, and the session key is stored in the PostX KeyServer rather than sent with the message itself.
4. Identity-Based Encryption: In the 1980s, identity-based encryption (IBE) methods were developed for e-mail by RSA and others to communicate securely in ad hoc environments. In this model the recipient's e-mail address itself is used as the public key to encrypt the e-mail, so no certificate has to be fetched first; the matching private key is issued by a trusted key server once the recipient authenticates to it. In order to provide the strength of a password or other authentication, identity-based encryption requires client software.
5. Pull solution: In this model the recipient is pulled into a secure message inbox, where they can perform all of the usual e-mail functions in a branded environment.
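The hybrid scheme that the "Techniques used to encrypt e-mails" section and the PGP/S/MIME entries above describe (a per-message symmetric session key, wrapped with the recipient's public key, plus a signature from the sender), as an added example. This is not code from the original post or from any of the products it names; it uses the third-party `cryptography` package (assumed installed) and throw-away RSA keys generated in memory instead of certificates issued by a CA, and the message, the parties and the envelope layout are constructed for illustration.

```python
"""Hybrid e-mail protection: AES-GCM body encryption under a per-message session
key, the session key wrapped with RSA-OAEP for the recipient, and an RSA-PSS
signature from the sender over headers, nonce and ciphertext.

Added example, not code from the original post. Requires the third-party
`cryptography` package; keys are generated in memory (no CA), and the parties,
headers and message body are constructed for illustration.
"""
import json
import os
from typing import Any, Dict

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def generate_keypair() -> rsa.RSAPrivateKey:
    """Each party needs one pair; with S/MIME this would come from a CA-issued certificate."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _aad(headers: Dict[str, str]) -> bytes:
    # Canonical form of the headers, authenticated alongside the body.
    return json.dumps(headers, sort_keys=True).encode()


def encrypt_and_sign(sender_priv, recipient_pub, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    session_key = AESGCM.generate_key(bit_length=256)      # symmetric: fast, one key per message
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, body, _aad(headers))
    wrapped_key = recipient_pub.encrypt(session_key, OAEP)  # asymmetric: only the recipient unwraps it
    # The signature covers headers, nonce and ciphertext, so From/To cannot be swapped afterwards.
    signature = sender_priv.sign(_aad(headers) + nonce + ciphertext, PSS, hashes.SHA256())
    return {"headers": headers, "nonce": nonce, "ciphertext": ciphertext,
            "wrapped_key": wrapped_key, "signature": signature}


def verify_and_decrypt(recipient_priv, sender_pub, envelope: Dict[str, Any]) -> bytes:
    """Verify before decrypting: anything not provably from the claimed sender is rejected
    before any key material or plaintext is touched. Raises on tampering or a wrong key."""
    aad = _aad(envelope["headers"])
    sender_pub.verify(envelope["signature"], aad + envelope["nonce"] + envelope["ciphertext"],
                      PSS, hashes.SHA256())
    session_key = recipient_priv.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], aad)


def demo() -> Dict[str, bool]:
    """Constructed scenario: Alice writes to Bob; Mallory is a third party on the path."""
    alice, bob, mallory = generate_keypair(), generate_keypair(), generate_keypair()
    headers = {"From": "alice@example.com", "To": "bob@example.com", "Subject": "Wire details"}
    body = b"Account 12-3456, reference 9876. Please confirm by phone."
    env = encrypt_and_sign(alice, bob.public_key(), headers, body)

    results = {"bob_reads": verify_and_decrypt(bob, alice.public_key(), env) == body}

    # Mallory's private key cannot unwrap a session key wrapped for Bob.
    try:
        verify_and_decrypt(mallory, alice.public_key(), env)
        results["mallory_blocked"] = False
    except ValueError:
        results["mallory_blocked"] = True

    # Rewriting the To header to redirect the envelope breaks the signature.
    forwarded = dict(env, headers=dict(headers, To="mallory@example.com"))
    try:
        verify_and_decrypt(bob, alice.public_key(), forwarded)
        results["tamper_detected"] = False
    except InvalidSignature:
        results["tamper_detected"] = True

    # A message Mallory signs while claiming Alice's address fails Bob's check with Alice's key.
    forged = encrypt_and_sign(mallory, bob.public_key(), headers, b"send the money to me")
    try:
        verify_and_decrypt(bob, alice.public_key(), forged)
        results["forgery_detected"] = False
    except InvalidSignature:
        results["forgery_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The split mirrors what the page says about PGP: the bulk of the work is symmetric, the public-key operation touches only the 32-byte session key, and the signature is what lets the recipient tell a spoofed sender from the real one. Whether Bob trusts Alice's public key at all is the part this example leaves out, and it is exactly what a CA (S/MIME) or a web of trust (PGP) exists to settle.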

Advantages:

1. Encrypting your e-mail will keep all but the most dedicated attackers from intercepting and reading your private communications.

2. With a personal e-mail certificate you can digitally sign your e-mail so that recipients can verify that it really is from you, as well as encrypt your messages so that only the intended recipients can view them. This helps stem the tide of spam and malware distributed in your name.

3. When your contacts receive an unsigned message with your e-mail address spoofed, they can recognize that it is not from you and delete it.

4. Protects the integrity and confidentiality of your correspondence.

5. It also helps you adhere to the compliance rules of most standards.



Reference: Wikipedia, About.com.

Image Source: http://images.teamsugar.com/