Intrusion Detection News
Who will trust open source security from the government The Open Information Security Foundation, headed by Mark Jonkman of
Emerging Threats and Victor Julien of the Vuurmuur firewall project, are
offering an intrusion detection and prevention engine with
multi-threading automatic protocol detection for a wide variety of protocols.
www.zdnet.com |
7/21/10 1:47 PM
Juniper Networks Protects Customers From New Microsoft Vulnerabilities Disclosed Today JNPR ) today confirmed its Intrusion Detection and Prevention (IDP)
security systems and Integrated Security Gateway (ISG) firewall/virtual
private network (VPN) systems with IDP offer protection for ...
story.venezuelastar.com |
7/13/10 9:40 PM
RandomStorm Adds Log Management to Integrated Network Security Management and Compliance Platform StormAgent is based on industry standard, open source intrusion detection technology and has been designed to monitor access and changes to system and application log files across the entire corporate infrastructure, alerting network managers whenever unauthorised activity is detected.
www.topix.net |
6/29/10 11:31 AM
Marketwatch: Threats Create Opportunities A decade ago, a company looking to secure its computer systems would have purchased antivirus software, a firewall, and perhaps an intrusion detection system. Today, the growing variety of attacks has given rise to nearly 70 different security niches, including markets for firewalls that specifically protect Web-based applications and for systems that prevent data loss across an enterprise. Meanwhile, each submarket is getting increasingly complex. In 2009 one of the biggest security companies, Symantec, generated 2.9 million separate signatures, or digital patterns associated with malicious software--an increase of 71 percent over the previous year.
www.technologyreview.com |
6/22/10 5:00 AM
Altor Testing Cloud Security Altor Networks, the three-year-old start-up with the patent-pending
hypervisor-based security for virtual data centers and clouds, is beta
testing the next iteration of its purpose-built virtual server security
product. It expects to release Altor 4.0, code named Duvel, in early Q3.
Altor started out with a stateful high-performance firewall and on-board
intrusion detection and has added complete 360 degree virtual network
visibility and monitoring, automated security and compliance assessment
and reporting. It argues that security and compliance concerns are
holding back virtualization and has moved to address the safety of the
traffic between VMs.
java.sys-con.com |
6/12/10 5:15 PM
Intrusion detection system at Delhi airport stuck The installation of the perimeter intrusion detection system (PIDS),
which is armed with thermal-imaging cameras, video-recorders and radars
to detect movement of individuals and vehicles at the airport, has been
delayed because of last-minute changes in the original project.
www.dnaindia.com |
6/1/10 8:06 PM
Juniper Networks Protects Customers From New Microsoft Vulnerabilities Disclosed Today JNPR ) today confirmed its Intrusion Detection and Prevention (IDP)
security systems and Integrated Security Gateway (ISG) firewall/virtual
private network (VPN) systems with IDP offer protection for ...
story.venezuelastar.com |
5/11/10 7:49 PM
Thirty-Five Antivirus Programs Share Common Hole
(PC Magazine) PC Magazine - A security firm has discovered a new attack technique that
could allow a program to bypass the host intrusion detection and certain
other protections provided by common Windows security software. The
report lists 35 security products on which they tested it; it worked on
all of them.
us.rd.yahoo.com |
5/10/10 11:06 AM
Amazon Opens Virtual Private Cloud in Europe Amazon has taken its Virtual Private Cloud (VPC) to Europe. Customers
can now seamlessly connect their IT infrastructure via an encrypted
IPsec Virtual Private Network (VPN) connection to Amazon resources in
the European Union, keeping their data in the EU and lowering latency.
Until Tuesday VPC, a bridge between a company's existing IT
infrastructure and a set of isolated Amazon compute resources in the
Amazon cloud, was only available in the US. With VPC customers can use
their existing management capabilities such as security services,
firewalls and intrusion detection systems on their Amazon resources.
ajax.sys-con.com |
5/5/10 1:30 PM
Securing the Public Cloud Security is paramount when it comes to
enterprise data in public clouds. Encryption, intrusion detection and
ID management all need to be part of the evaluation and deployment processes.
www.linux.com |
4/27/10 6:41 PM
HP Declares War on Cisco with a Faster Data Center Just months after its 3Com acquisition, Hewlett-Packard made an
announcement Monday aimed at Cisco Systems. HP said its new Cisco-free
internal data center is seeing faster information throughput and lower
energy consumption running entirely on HP networking equipment.
Located in Houston, the new data center is one of six internal facilities running HP's worldwide business operations. The new center includes 34 3Com core routing devices, more than 300 HP ProCurve switches, and four TippingPoint intrusion-detection and protection devices.
"This networking technology provides a true competitive choice in a space that has needed more choices for almost two decades," said Randy Mott, executive vice president and chief information officer at HP. "These new products, along with HP's Converged Infrastructure portfolio, are something every CIO should be taking advantage of."
Assaulting Cisco
Mott's comments are a direct assault on Cisco. The new HP Networking portfolio, which integrates 3Com's portfolio, paves the way for twice the port and capacity density and a 50 percent reduction in power consumption from previous solutions. Using an architecture built on open standards, HP said its global IT organization worked with HP Networking teams to redesign the architecture with new products.
"We're not locked into proprietary protocols that many in the IT industry are familiar with, and this gives us more flexibility to change as our business grows," said Ken Gray, vice president of infrastructure at HP. "We're Cisco-free in this data center and have a plan to extend this freedom across all of our internal IT data centers next year."
Gray's war-like comment -- and its validity -- may concern Cisco. Zeus Kerravala, a vice president at the Yankee Group, said 3Com's data portfolio is strong and the majority of the lineup has been built out over the past couple of years with a differentiating philosophy of openness. "While a lot of the...
www.cio-today.com |
4/19/10 7:50 PM
Product How-to: Use multicore flow processing to boost network router/security appliance throughput In many network and security appliances, the need for regular expression matching is an essential requirement, specifically for deep packet inspection applications such as intrusion detection and prevention systems, content firewalls, virus scanning, data loss prevention, and lawful intercept applications.
www.topix.net |
4/2/10 11:22 AM
Anti-intrusion system for Delhi international airport next month The mechanism known as the Perimeter Intrusion Detection System (PIDS)
will be deployed by mid-April this year along the 37 km of the airport periphery.
www.dnaindia.com |
3/8/10 1:01 PM
Homeland Chief Outlines U.S. Cybersecurity Strategy U.S. Department of Homeland Security Secretary Janet Napolitano outlined
the steps DHS is taking to secure cyberspace at the RSA Conference 2010
in San Francisco on Wednesday. The former governor of Arizona also
called upon experts and the public to contribute ideas to improve the
nation's cybersecurity.
"All Americans have an important role to play in securing our computer systems and cyber networks," Napolitano said. "We are challenging our nation's best and brightest to utilize their expertise and creativity to devise new ways to engage the public in the shared responsibility of safeguarding our cyber resources and information."
Boosting Infrastructure Security
In her keynote address, Napolitano stressed DHS's dedication to recruiting and retaining the cybersecurity employees needed to confront terrorist and criminal threats. Moreover, she emphasized the department's commitment to supporting innovations such as EINSTEIN -- an intrusion detection program originally developed by US-CERT, the department's computer emergency readiness team.
"In the past year we've deployed the second phase of EINSTEIN to 11 federal agencies, and we will be growing to 21 this year," Napolitano noted. "And now we are testing the technology for the third phase of EINSTEIN," which will give DHS "the ability to detect malicious activity and disable attempted intrusions before harm is done to our critical systems."
Ensuring U.S. government continuity as well as private-sector services and information -- even as it protects privacy -- are among the important tasks DHS now faces, Napolitano said. To meet these challenges, DHS has developed "a national cybersecurity incident response plan in full collaboration with the private sector" that will be tested during an exercise in September.
What's more, DHS efforts continue to focus on "providing the ability to bounce back even more quickly should a large-scale attack -- or really an attack of any size -- occur," Napolitano said. To this end,...
www.cio-today.com |
3/4/10 7:15 PM
Comprehensive National Cybersecurity Initiative On Tuesday, the White House published an unclassified summary of its
Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt
made the announcement at the RSA Conference. These are the 12
initiatives in the plan: Initiative #1. Manage the Federal Enterprise
Network as a single network enterprise with Trusted Internet. Initiative
#2. Deploy an intrusion detection system of sensors across the
Federal...
www.schneier.com |
3/4/10 6:55 PM
U.S. Declassifies Part of Secret Cybersecurity Plan The Obama administration declassified part of the government's
cybersecurity plan Tuesday, publishing parts of it that discuss
intrusion detection systems for federal computer networks and the g...
story.venezuelastar.com |
3/3/10 6:28 AM
Alert Logic to Present at Cloud Expo April 19-21 in New York City The emergence of the Infrastructure-as-a-Service (IaaS) and
Platform-as-a-Service (PaaS) models are just two of the many inflection
points as IT migrates away from the traditional data centers and into
the cloud, shifting more control over security from the enterprise to
the service provider. How will your security and compliance strategy
change when this transformation is complete? Misha Govshteyn is
co-founder and responsible for product development and strategy at Alert
Logic, a Software-as-a-Service based security solutions provider. In
this capacity, Govshteyn regularly consults with service providers and
enterprises on securing cloud-based applications. Prior to co-founding
Alert Logic, Govshteyn served as a Director of Managed Services for
Reliant Energy Communications. In this role, he developed and
successfully launched five major product lines including Managed
Intrusion Detection services and managed enterprise firewall/VPN products.
linux.sys-con.com |
2/19/10 12:45 AM
Botnets Found in Government and Business Systems A new Zeus botnet has been discovered affecting 75,000 systems in 2,500
organizations around the world. Both corporate and government networks
have become victims of the severe cyberattack dubbed the Kneber attack,
named after the username linked with the attack.
The attack was first discovered in January while a security analyst at Herndon, Va.-based NetWitness was installing a monitoring system for a client. In investigating the discovery, the company found Kneber had compromised 68,000 corporate log-ins; access to various e-mail systems, including Yahoo and Hotmail; access to online banking sites; and access to social-networking sites, including Facebook. All of this was done in a four-week period.
Kneber has been identified as a botnet, where compromised computers run software remotely. "Systems compromised by this botnet provide the attackers not only user credentials and confidential information, but remote access inside the compromised networks," said Amit Yoran, CEO of NetWitness and former director of the National Cyber Security Division.
Damage Done
The Kneber botnet is not stopped by traditional malware protection or other intrusion-detection systems, and NetWitness analysts fear organizations will not see the damage from this attack until it has already occurred.
More than half the infected machines were also infected with a peer-to-peer botnet dubbed Waledac, a worm that is capable of collecting and forwarding password information. It's also capable of receiving commands from a remote server, including to upgrade malware components or send information from the infected computer.
Used together, the botnets have the potential to enable hackers to collaborate in what NetWitness said may be a "criminal underground."
"On a microlevel, there are new versions of Trojans and viruses that come out all the time and some gain traction while others do not," said Matthew Prince, cocreator of Project Honey Pot, a spam tracking network. "On the macrolevel it is really scary."
Cybercriminal Revolution
The...
www.cio-today.com |
2/18/10 6:51 PM
Einstein 2: U.S. government's 'enlightening' new cybersecurity weapon The Department of Homeland Security is detecting new patterns of
cyberattacks from foreign adversaries -- some targeted at particular
agencies and others aimed at the entire U.S. government -- due to
special-purpose intrusion-detection systems that will be widely deployed
in federal networks during 2010.
www.networkworld.com |
2/11/10 12:00 PM
Juniper Networks Protects Customers From New Microsoft Vulnerabilities Disclosed Today JNPR ) today confirmed its Intrusion Detection and Prevention (IDP)
security systems and Integrated Security Gateway (ISG) firewall/virtual
private network (VPN) systems with IDP offer protection f...
story.venezuelastar.com |
2/9/10 8:06 PM
Amazon's Virtual Private Cloud Computing Floats into Beta Amazon Web Services (AWS) sent its enterprise-directed Virtual Private
Cloud (VPC) widgetry into full public beta Monday. The thing's
been in limited public beta since the summer and before that it was in
private beta. VPC is Amazon's way of creating hybrid clouds by
letting an enterprise connect its existing infrastructure to a set of
isolated AWS compute resources via a virtual private network (VPN)
– a bog standard encrypted IPsec tunnel – and use its own
existing security services, firewalls and intrusion detection systems
for the EC2 instances and traffic. Ditto whatever third-party management
software it's using.
wireless.sys-con.com |
12/16/09 11:45 PM
The Application Delivery Spell Book
The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don't have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure.
Detect Invisible (Application) Stalkers
School of Magic: Abjuration (Protective Spells)
Components: Somatic (requires gestures), Material (requires physical component)
Casting Time: special
Range: Layers 3-7
Area: global
Duration: Until discharged
Saving Throw: Special
Spell Resistance: No
THE FIRST STEP IN ANY SOLUTION IS ALWAYS RECOGNIZING THERE IS A PROBLEM
There are a few attacks today that just can't be detected by applications. Layer 7 DoS can't be detected from within an application because the code that executes does so in the context of a single request and a DoS implies many requests from many sources. The only way for a developer to detect this attack is to be able to view the single request that is typical of an application in the context of all requests across all instances of the application – even across machines – and that's simply not possible from within the application.
Similarly, web scraping attacks are nearly impossible for a developer to detect because there is nothing in the request that would indicate anything is out of the ordinary. Nothing. No special code, no special characters, no odd manifestations within the headers or network data. In order for the developer to detect such an attack s/he would need to be able to determine whether the client is manned by a human being or is a script/bot. And no, using User-Agent headers isn't going to work on this one because miscreants have figured out that too many security devices are able to block their attacks based on that value and thus have learned to circumvent it by scripting real browsers or manipulating the HTTP headers such that their bots/scripts appear to be valid user-driven browsers.
But that's what a web application firewall (WAF) was designed to do: to watch, to evaluate requests in context, across all instances and all requests. It has the visibility, it has the capability, and it can detect attacks that are not easily if at all detected from within the application. Even if the WAF isn't blocking the attacks, it can at least tell you they are happening, which is something the developers need to know if they're going to put in place solutions to prevent them.
"Security manager, 'J.F. Rice,' whose name and employer have been disguised for obvious reasons" explains his need to "see" inside connections and understand what is happening in his environment. Web application security requires visibility as well as the expected defensive capabilities. A web application firewall can provide both capabilities even though you may not leverage both at the same time or at all. Using a WAF as a mechanism to determine what kind of attacks are being directed at your web applications is just as valuable a proposition as enabling its preventative capabilities. Either way, knowing is the first step to moving forward on a strategy to address it.
Related blogs & articles:
Technorati
Tags: MacVittie,F5,web
application security,security,web 2.0,web scraping,ASM,web
application firewall,WAF,D&D,ADSB
Review: HP blade takes a stab at Cisco HP has an alternative to the many security appliances that combine
firewall, intrusion detection and VPN functions: Just put a single blade
in the vendor's ProCurve switch and be done with it.
www.networkworld.com |
10/5/09 12:38 PM
Cloud Security on Ulitzer: Cloud Computing and Self-Service Security So here's the rub, if
MSSP's/ISP's/ASP's-cum-Cloud operators want to woo
mature enterprise customers to use their services, they are leaving
money on the table and not fulfilling customer needs by failing to roll
out complementary security capabilities which lessen the compliance and
security burdens of their prospective customers. While many provide
commoditized solutions such as anti-spam and anti-virus capabilities,
more complex (but profoundly important) security services such as DLP
(data loss/leakage prevention,) WAF, Intrusion Detection and Prevention
(IDP,) XML Security, Application Delivery Controllers, VPN's, etc.
should also be considered for roadmaps by these suppliers.
ajax.sys-con.com |
10/3/09 7:30 PM
Lifecycle of a network security vulnerability The chapter below walks you through the process of providing network intrusion detection system coverage for a security vulnerability from start to finish, using practical examples and highlighting popular and useful open source tools.
www.topix.net |
9/16/09 5:47 AM
Cloud Computing Best Practices Some of the key things to think about when putting your application on the cloud are discussed below. Cloud computing is relatively new, and best practice is still being established. However we can learn from earlier technologies and concepts such as utility compute, SaaS, outsourcing and even internal enterprise centre management, as well as from experience with vendors such as Amazon and FlexiScale.
Licensing: If you are using the cloud for spikes or overspill make sure that the products you want to use in the cloud can be used in this way. Certain products restrict their licenses to be used from a cloud perspective. This is especially true of commercial Grid, HPC or DataGrid vendors.
Data transfer costs: When using a provider like Amazon with a detailed cost model, make sure that any data transfers are internal to the provider network rather than external. In the case of Amazon, internal traffic is free but you will be charged for any traffic over the external IP addresses.
Latency: If you have low latency requirements then the Cloud may not be the best environment to achieve this. If you are trying to run an ERP or some such system in the cloud then the latency may be good enough but if you are trying to run a binary or FX Exchange then of course the latency requirements are very different and more stringent. It is essential to make sure you understand the performance requirements of your application and have a clear understanding of what is deemed business critical. One vendor who has focused on attacking low latency in the cloud is GigaSpaces and so if you require cloud low latency then these are one of the companies you should evaluate. Also for processing distributed data loads there is the map reduce pattern and Hadoop. These types of architectures eliminate the boundaries created by scale-out database-based approaches.
State: Check whether your cloud infrastructure providers have persistence. When an application is brought down and then back up all local changes will be wiped and you start with a blank slate. This obviously has ramifications with instances that need to store user or application state. To combat this on their platform Amazon delivered EC2 persistent storage in which data can remain linked to a specific computing instance. You should ensure you understand the state limitations of any Cloud Computing platform that you work with.
Data Regulations: If you are storing data in the cloud you may be breaching data laws depending where your data is stored i.e. which country or continent. To combat this Amazon S3 now supports location constraints, which allow you to specify where in the world to store data for a bucket and provides a new API to retrieve the location constraint for an existing bucket. However if you are using another cloud provider you should check where your data is stored.
Dependencies: Be aware of dependencies of service providers. If service 'y' is dependent on 'x' then if you subscribe to service 'y' and service 'x' goes down you lose your service. Always check any dependencies when you are using a cloud service.
Standardisation: A major issue with current cloud computing platforms is that there is no standardisation of the APIs and platform technologies that underpin the services provided. Although this represents a lack of maturity you need to consider how locked in you are when considering a Cloud platform, or migrating between cloud computing platforms will be very difficult if not impossible. This may not be an issue if your supplier is IBM and always likely to be IBM, but it will be an issue if you are just dipping your toe in the water and discover that other platforms are better suited to your needs.
Security: Lack of security or apparent lack of security is one of the perceived major drawbacks of working with Cloud platform and Cloud technology. When moving sensitive data about or storing it in public cloud it should be encrypted. And it is important to consider a secure ID mechanism for authentication and authorisation for services. As with normal enterprise infrastructures only open the ports needed and consider installing a host-based intrusion detection system such as OSSEC. The advantage of working with an enterprise Cloud provider, such as IBM or Sun is that many of these security optimisations are already taken care of. See our prior blog entry for securing n-tier and distributed applications on the cloud. Be sure to check out Amazon's new VPC initiative as well as looking at VPN-Cubed by CohesiveFT if you have to tie together public Clouds with private applications, services or infrastructure. If you need to keep costs down and evaluate free then look at OpenVPN.
Compliance: Regulatory controls mean that certain applications may not be able to be deployed in the Cloud. For example the US Patriot Act could have very serious consequences for non-US firms considering U.S. hosted cloud providers. Be aware that often cloud computing platforms are made up of components from a variety of vendors who may themselves provide computing in a variety of legal jurisdictions. Be very aware of the dependencies and ensure you factor this into any operational risk management assessment. See also my prior blog entry on this topic.
Quality of service: You will need to ensure that the behaviour and effectiveness of the cloud application that you implement can be measured and tracked both to meet existing or new Service Level agreements. We have discussed previously some of the tools that come with this option built in (GigaSpaces) and other tools that provide functionality that enable you to use this with your Cloud Architecture (RightScale, Scalr etc). Achieving Quality of Service will encompass scaling, reliability, service fluidity, monitoring, management and system performance.
System hardening: Like all enterprise application infrastructures you need to harden the system so that it is secure, robust, and achieves the necessary functional requirements that you need. See my prior blog entry on system hardening for Amazon EC2.
Content adapted from my book "The Savvy Guide To HPC, Grid, DataGrid, Virtualisation and Cloud Computing" available
on Amazon.

Cloud Computing Best Practices

Some of the key things to think about when putting your application on the cloud are discussed below. Cloud computing is relatively new, and best practice is still being established. However, we can learn from earlier technologies and concepts such as utility compute, SaaS, outsourcing and even internal enterprise centre management, as well as from experience with vendors such as Amazon and FlexiScale.

Licensing: If you are using the cloud for spikes or overspill, make sure that the products you want to use in the cloud can be used in this way. Certain products' licenses restrict use in the cloud. This is especially true of commercial Grid, HPC or DataGrid vendors.

Data transfer costs: When using a provider like Amazon with a detailed cost model, make sure that any data transfers are internal to the provider network rather than external. In the case of Amazon, internal traffic is free but you will be charged for any traffic over the external IP addresses.

Latency: If you have low latency requirements then the Cloud may not be the best environment to achieve this. If you are trying to run an ERP or some such system in the cloud then the latency may be good enough, but if you are trying to run a binary or FX Exchange then of course the latency requirements are very different and more stringent. It is essential to make sure you understand the performance requirements of your application and have a clear understanding of what is deemed business critical. One vendor that has focused on attacking low latency in the cloud is GigaSpaces, so if you require low latency in the cloud this is one of the companies you should evaluate. Also, for processing distributed data loads there is the map reduce pattern and Hadoop. These types of architecture eliminate the boundaries created by scale-out database based approaches.

State: Check whether your cloud infrastructure providers have persistence. When an application is brought down and then back up, all local changes will be wiped and you start with a blank slate. This obviously has ramifications for instances that need to store user or application state. To combat this on their platform, Amazon delivered EC2 persistent storage in which data can remain linked to a specific computing instance. You should ensure you understand the state limitations of any Cloud Computing platform that you work with.

Data Regulations: If you are storing data in the cloud you may be breaching data laws depending on where your data is stored, i.e. which country or continent. To combat this, Amazon S3 now supports location constraints, which allow you to specify where in the world to store data for a bucket, and provides a new API to retrieve the location constraint for an existing bucket. However, if you are using another cloud provider you should check where your data is stored.

Dependencies: Be aware of dependencies of service providers. If service ‘y’ is dependent on ‘x’, then if you subscribe to service ‘y’ and service ‘x’ goes down you lose your service. Always check any dependencies when you are using a cloud service.

Standardisation: A major issue with current cloud computing platforms is that there is no standardisation of the APIs and platform technologies that underpin the services provided. Although this represents a lack of maturity, you need to consider how locked in you will be when choosing a Cloud platform, or migrating between cloud computing platforms will be very difficult if not impossible. This may not be an issue if your supplier is IBM and always likely to be IBM, but it will be an issue if you are just dipping your toe in the water and discover that other platforms are better suited to your needs.

Security: Lack of security, or apparent lack of security, is one of the perceived major drawbacks of working with Cloud platforms and Cloud technology. When moving sensitive data about or storing it in a public cloud it should be encrypted. It is also important to consider a secure ID mechanism for authentication and authorisation for services. As with normal enterprise infrastructures, only open the ports needed and consider installing a host based intrusion detection system such as OSSEC. The advantage of working with an enterprise Cloud provider, such as IBM or Sun, is that many of these security optimisations are already taken care of. See our prior blog entry for securing n-tier and distributed applications on the cloud. Be sure to check out Amazon’s new VPC initiative as well as looking at VPN-Cubed by CohesiveFT if you have to tie together public Clouds with private applications, services or infrastructure. If you need to keep costs down and evaluate a free option, look at OpenVPN.

Compliance: Regulatory controls mean that certain applications may not be able to be deployed in the Cloud. For example, the US Patriot Act could have very serious consequences for non-US firms considering U.S. hosted cloud providers. Be aware that cloud computing platforms are often made up of components from a variety of vendors who may themselves provide computing in a variety of legal jurisdictions. Be very aware of the dependencies and ensure you factor this into any operational risk management assessment. See also my prior blog entry on this topic.

Quality of service: You will need to ensure that the behaviour and effectiveness of the cloud application that you implement can be measured and tracked to meet existing or new Service Level Agreements. We have discussed previously some of the tools that come with this option built in (GigaSpaces) and other tools that provide functionality that enables you to use this with your Cloud Architecture (RightScale, Scalr etc). Achieving Quality of Service will encompass scaling, reliability, service fluidity, monitoring, management and system performance.

System hardening: Like all enterprise application infrastructures you need to harden the system so that it is secure, robust, and achieves the necessary functional requirements that you need. See my prior blog entry on system hardening for Amazon EC2.

Content adapted from my book “TheSavvyGuideTo HPC, Grid,
DataGrid, Virtualisation and Cloud Computing” available
on Amazon.

Amazon Offers a VPN Bridge To Secure Cloud Resources
There's a new bridge to Amazon's clouds. Amazon Web Services (AWS)
announced Wednesday the availability of its virtual private cloud (VPC), which it said provides "a secure and seamless bridge between a company's existing IT infrastructure and the AWS cloud." Using the VPC, an enterprise can connect its computing infrastructure to isolated computing resources at Amazon via a virtual private network (VPN) that includes security services, firewalls and intrusion-detection systems.

Pay for Resources Used

Currently, the Amazon VPC integrates with the company's EC2 computing services, and it will migrate to support other AWS services at some point. EC2, the abbreviation for the Amazon Elastic Compute Cloud, provides expandable computing capabilities in the cloud. As with AWS, users pay only for resources used, with no minimum or start-up charges.

Andy Jassy, AWS senior vice president, said as enterprises increasingly use cloud computing, they want to integrate seamlessly with their existing IT structure and "use the security and management controls that their IT teams already know."

AWS customers can utilize isolated cloud-based computing resources as if they were part of their own data center, using an encrypted IPsec VPN connection. With a few API calls, the IP address range can be chosen, the isolated network created, and EC2 instances launched. Users can then create a VPN to connect those services to their own computing resources. Any traffic in the cloud heading for the Internet is sent over the VPN, and must traverse the user's own security protections before continuing to the open Net.

Private Cloud 'Still Evolving'

For users inside the enterprise, the AWS cloud resources are transparently available as if they were within their own IT infrastructure. Amazon pointed to major customers who are currently using AWS securely between internal resources and Amazon resources. They include Intuit, Citrix Systems, and CA. Pharmaceuticals giant Eli Lilly said in a statement...

www.cio-today.com | 8/26/09 4:08 PM

A decade of open source IPOs
Red Hat is celebrating the 10 year anniversary of its initial public
offering. An anniversary to be proud of for Red Hat, but one that has
given The VAR Guy pause for thought about the relative success of open
source in the past 10 years. “Would anyone have predicted that no
additional open source companies would launch IPOs over the next decade?
Ten years without an open source IPO … amazing and somewhat
depressing for open source business advocates,” writes the VAR
Guy. It is somewhat depressing that there are not more public open
source vendors. However, the statement that there have been no open
source IPOs is simply not true. In fact there have been six open source
IPOs since Red Hat. These are covered in detail in our recent CAOS
report, Open to Investment, but the edited version is as follows:

VA Linux/VA Software/SourceForge (Nasdaq:LNUX)
The next open source vendor to go public after Red Hat was VA Linux,
which was then offering Intel-based servers designed to run Linux. VA
Linux became VA Software in December 2001, having moved away from system
hardware, and focused its attention on the SourceForge.net development
repository and the SourceForge Enterprise development product, as well
as media services such as Slashdot, Linux.com and Freshmeat. In 2007, VA
Software sold its SourceForge Enterprise Edition software product to
CollabNet and changed its name to SourceForge Inc.

Caldera/SCO Group (in Chapter 7)
The last open source vendor to go public before the dot-com bust was
Linux distributor Caldera. The company acquired the Unix assets of Santa
Cruz Operation in 2000 and changed its name to The SCO Group in 2002.
The less said about it after that the better, probably.

Turbolinux (OSE:3777)
Having canceled its IPO in late 2001, Turbolinux eventually found its
way to the stock market in September 2005 via an IPO on the Japanese
Osaka Securities Exchange. Between those events, the Japanese Linux
distributor was owned by Software Research Associates and then Livedoor.
Turbolinux’s shares continue to be traded on the Osaka Securities
Exchange.

Mandrakesoft/Mandriva (Euronext: FR0004159382)
French Linux distributor Mandrakesoft listed its shares on the Euronext
Marche Libre in July 2001. Mandrakesoft acquired Brazilian Linux
distributor Conectiva in February 2005 and changed its name to Mandriva
before purchasing desktop Linux specialist Lycoris in July of the same
year.

Trolltech (acquired)
Linux application tools vendor Trolltech made its name with its Qt
application development platform and Qtopia mobile device platform. The
company made its debut on the Norwegian Oslo Bors in July 2006. In
January 2008, it was acquired by Nokia for $153m and renamed Qt
Software.

Sourcefire (Nasdaq:FIRE)
Sourcefire, which makes internal security products and sponsors the open
source Snort intrusion detection engine, made its debut on the Nasdaq in
March 2007, pricing its offering at $15 a share, giving it an opening
market capitalization of $350m.

There have admittedly been just a handful of IPOs involving open source
vendors. The lack of IPOs is due in part to the relative immaturity of
commercial open source business strategies, the attractiveness of open
source vendors as acquisition targets (MySQL was on the brink of an IPO
when it was acquired) and the fact that the trajectory of these vendors
has been impacted by two global economic crises (the dot com bust put
paid to the IPOs of Linuxcare and Turbolinux, while there are a couple
of vendors that might have been in a position to go public this year or
next were it not for the current malaise). Our CAOS report includes a
list of the vendors we think are best positioned for a run at an IPO in
the 12-24 months after the downturn ends.
blogs.the451group.com |
8/13/09 8:30 AM
InfoQ: Presentation: Securing A Cloud Infrastructure
George Reese discusses the number one challenge faced by cloud computing
- security. He discusses transparency, credential management, identity
management, intrusion detection, perimeter security, compliance, and the
"biggest security hole in the cloud - the custom Web application." The
nature of each concern, along with appropriate responses, is discussed.
By George Reese
www.infoq.com |
8/7/09 12:05 AM
|

