
List:       security-basics
Subject:    Re: DDoS protection
From:       Comp Pycho <computer.pycho () gmail ! com>
Date:       2014-06-25 14:23:58
Message-ID: 3B0724CB-AFFC-4682-95D8-5F80B70A7C7A () gmail ! com

The concept of cloud computing did not get popular until NIST made it a standard and
ordered the gov't to move 30% of their IT infrastructure to the cloud. Cloud was a
concept of IBM since 1984; it was not coined "cloud computing" by them, but the concept is
theirs. FedRAMP is always based off the latest NIST controls, so I don't understand
your claim with that. FedRAMP is a gov't-wide program that standardizes the approach to
security assessment, authorization and continuous monitoring for cloud products and
services. This is from the GSA website, who provide the service; by definition it
should be like a compliance standard. It applies the NIST 800-53 controls.

Do what you know
-Dame Dash


> On Jun 25, 2014, at 9:36 AM, "Mikhail A. Utin" <mutin@commonwealthcare.org> wrote:
> 
> Some remarks.
> 1. Cloud Computing, yes, is just about datacenters serving hosting, i.e.
> application hosting service.
> 2. First appeared as Amazon AWS.
> 3. CC is not actually IBM's own concept as there is no concept in CC at all, see #1.
> 4. NIST actually was far later than other parties in "cloudization" (I claim this
> term :) ).
> 5. FedRAMP is not a certification program at all. Plus, its security
> controls list is outdated - it is based on NIST SP800-53 R3, a pretty outdated
> version. Current is R4. So, it absolutely cannot be used for anything like
> certification.
> Mikhail
> 
> -----Original Message-----
> From: Comp Pycho [mailto:computer.pycho@gmail.com]
> Sent: Wednesday, June 25, 2014 8:52 AM
> To: Marios Stylianou
> Cc: Mikhail A. Utin; <Dominick.Sardina@pseg.com>; <security-basics@securityfocus.com>
> Subject: Re: DDoS protection
> 
> Cloud computing is an IBM concept that was blown up by NIST. NIST pushed this
> "Cloud" BS for external parties to make money. The cloud is nothing but a data
> center. The secure clouds are data centers which have gone through the FedRAMP
> certification program for security compliance.
> Do what you know
> -Dame Dash
> 
> 
> > On Jun 25, 2014, at 6:56 AM, "Marios Stylianou" <styllosmarios@gmail.com> wrote:
> > 
> > You can try Incapsula services.
> > 
> > 
> > Mindbets
> > 
> > 
> > -----Original Message-----
> > From: listbounce@securityfocus.com 
> > [mailto:listbounce@securityfocus.com] On Behalf Of Mikhail A. Utin
> > Sent: Monday, June 23, 2014 7:02 PM
> > To: Sardina, Dominick; security-basics@securityfocus.com
> > Subject: RE: DDoS protection
> > 
> > Hello,
> > Yes, all has been known for a while. I got two presentations discussing partially
> > the "cloud" matter at OWASP AppSec DC 2012 and DeepSec 2012 and 2013. You can check
> > both for presentations or ask me personally. Basically, all "clouds" are simply
> > application hosting web sites. And technically a "cloud" is a datacenter. Whether
> > such an app is a virtual network or a Mom&Dad Pizza shop HTML site does not matter. The
> > so-named "cloud computing concept" has nothing in common with computing, and is not a
> > concept at all. Models are useless, and in such cases as "Community Cloud" and
> > "Hybrid Cloud" it is legal nonsense, simply because a service provider cannot have a
> > legally binding relationship (aka a contract) with a community, which is not a
> > legal entity. I tried to dig out where "cloud" came from. It is an invention of
> > IBM circle companies hosting sites reselling IBM services. And in essence it
> > is the replacement of the Google and next IBM funded academic cluster
> > project "Academia Cluster Computing Initiative" or ACCI, see: "Let a
> > Thousand Servers Bloom" – Google official post, posted by Christophe
> > Bisciglia, October 8, 2007
> > http://googleblog.blogspot.com/2007/10/let-thousand-servers-bloom.html
> > IBM circle guys replaced "cluster" with "cloud" and renamed ACCI as "Academia
> > Cloud Computing Initiative". Bingo! Next they needed something looking like
> > science in the form of "models". However, the guys violated Google's intellectual
> > property rights on the original ACCI project name.
> > Regards
> > 
> > Mikhail
> > 
> > 
> > 
> > -----Original Message-----
> > From: listbounce@securityfocus.com 
> > [mailto:listbounce@securityfocus.com] On Behalf Of Sardina, Dominick
> > Sent: Friday, June 20, 2014 2:49 PM
> > To: security-basics@securityfocus.com
> > Subject: RE: DDoS protection
> > 
> > Brett, I have to agree 100%.
> > 
> > 
> > Regards,
> > Dominick
> > 
> > 
> > -----Original Message-----
> > From: listbounce@securityfocus.com 
> > [mailto:listbounce@securityfocus.com] On Behalf Of Wagner, Brett
> > Sent: Friday, June 20, 2014 12:57 PM
> > To: Hartley, Christopher J.; Kellstr
> > Cc: security-basics@securityfocus.com
> > Subject: RE: DDoS protection
> > 
> > IMHO - I am not a fan of all the mumbo jumbo that goes along with the "Cloud"
> > like it is a new invention. I worked at GTE/BBN in 1999 and we were selling all
> > the same crap back then. With that said, and having worked at EMC for a while, you
> > can have a "Cloud" on premises; it just means you have the hardware in one of your
> > company locations. You can have private, shared, public or a combo.
> > It is the same evolution as IT security circa 1970-80s (Rainbow Book Series
> > days), then Information Security circa 1990s, then Information Assurance circa
> > late 90s/early 2000s and now Cyber Security. With each name change, consultants
> > and companies can charge more for the same ultimate goal.
> > OK, I will now get off my soapbox.
> > -----Original Message-----
> > From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Hartley, Christopher J.
> > Sent: Friday, June 20, 2014 10:48 AM
> > To: Kellstr
> > Cc: security-basics@securityfocus.com
> > Subject: Re: DDoS protection
> > 
> > This is a little confusing; "cloud", "on-premise" etc… weird.
> > 
> > By "Cloud," it seems like we mean "by provider" (makes sense).
> > 
> > On-premise is the best way to detect an attack imo, since the victim network
> > knows what's good and what's not (or should....).
> > So I think the best solution involves some kind of remote blackhole or ideally,
> > perhaps flowspec.
> > I don't think it's a problem that requires spending significant money.
> > 
> > Chris
> > 
> > > On Jun 19, 2014, at 12:50 PM, Kellstr <kellstr@gmail.com> wrote:
> > > 
> > > Disclaimer: I work for a company which offers a DDoS Protection Service.
> > > 
> > > The advantage of a service "in the cloud" is that if an attack 
> > > exceeds your circuit bandwidth the provider will be able to drop the 
> > > malicious traffic. That cannot be done at your premise. Both Arbor 
> > > and Radware offer strong appliances that can clean up smaller attacks 
> > > at your premise and can send a signal to the provider if they support 
> > > that service. You can block traffic using IPS's but keep in mind they 
> > > are not designed for a volumetric attack and may be overwhelmed.
> > > 
> > > On Wed, Jun 18, 2014 at 11:10 AM, Lance Lassetter 
> > > <lancelassetter@gmail.com> wrote:
> > > > What about Suricata or Snort IDS in IPS mode?
> > > > 
> > > > > On Jun 18, 2014 8:43 AM, "Mikhail A. Utin" <mutin@commonwealthcare.org> wrote:
> > > > > As you indicated "Although we're small, we're an organization playing with
> > > > > ($, ¥, €, £) exchanges", you are on the client side rather than on the server. If
> > > > > that is right, you do not need to bother with DDoS protection, which is
> > > > > against the server side. Mikhail
> > > > > 
> > > > > -----Original Message-----
> > > > > From: listbounce@securityfocus.com
> > > > > [mailto:listbounce@securityfocus.com] On Behalf Of 
> > > > > kartik.netec@gmail.com
> > > > > Sent: Wednesday, June 18, 2014 12:49 AM
> > > > > To: security-basics@securityfocus.com
> > > > > Subject: Re: Re: DDoS protection
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > Thanks for your replies.
> > > > > 
> > > > > Noted the points raised by Jacint and Kelly Keeton. I appreciate that.
> > > > > 
> > > > > May I be so kind as to seek an opinion/arguments suggesting if the in-house
> > > > > appliances are more "intelligent" in thwarting application-level DoS/DDoS
> > > > > attacks as compared to ISP-provided DoS protection, which may even fail
> > > > > to detect them, or if there are other benefits to owning an in-house product?
> > > > > As far as cons are concerned, I feel that the appliance may add some
> > > > > latency, which may create issues where a latency of milliseconds counts.
> > > > > Although we're small, we're an organization playing with ($, ¥, €, £)
> > > > > exchanges and heavily regulated by the Government.
> > > > > Thanks,
> > > > > KT
> > > > > 
> > > > > 
> > > > > 
> > > > > CONFIDENTIALITY NOTICE: This email communication and any 
> > > > > attachments may contain confidential and privileged information for 
> > > > > the use of the designated recipients named above. If you are not 
> > > > > the intended recipient, you are hereby notified that you have 
> > > > > received this communication in error and that any review, 
> > > > > disclosure, dissemination, distribution or copying of it or its 
> > > > > contents is prohibited. If you have received this communication in 
> > > > > error, please reply to the sender immediately or by telephone at (617)
> > > > > 426-0600 and destroy all copies of this communication and any attachments.
> > > > > For further information regarding Commonwealth Care Alliance's privacy
> > > > > policy, please visit our Internet web site at
> > > > > http://www.commonwealthcare.org.
> > > 
> > > 
> > > 
> > > --
> > > Laws alone cannot secure freedom of expression; in order that every 
> > > man present his views without penalty there must be spirit of 
> > > tolerance in the entire population. - Albert Einstein
> > > 
> > 
> > 
> > 
> > 
> > 
> > 
> > -----------------------------------------
> > The information contained in this e-mail, including any attachment(s), is
> > intended solely for use by the named addressee(s). If you are not the intended
> > recipient, or a person designated as responsible for delivering such messages to
> > the intended recipient, you are not authorized to disclose, copy, distribute or
> > retain this message, in whole or in part, without written authorization from
> > PSEG. This e-mail may contain proprietary, confidential or privileged
> > information. If you have received this message in error, please notify the sender
> > immediately. This notice is included in all e-mail messages leaving PSEG. Thank
> > you for your cooperation.
> > 
> > 
> 
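The tiering Kellstr and Chris describe above (clean on-premise while the appliance can absorb it, hand off to the provider once the attack exceeds the circuit, prefer a selective flowspec drop over a remote blackhole) as an added example from the editor, not from any poster on the thread: a Python triage over constructed sampled flow records. The 1:1000 sampling rate, the alert and appliance thresholds and the 80% dominant-signature rule are assumptions.

```python
from collections import Counter, defaultdict

# Constructed 1:1000 sampled flow records for one 10 s window (not real data):
# (src_ip, dst_ip, proto, dst_port, bytes); five udp/123 floods plus HTTPS.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.5", "udp", 123, 1_500_000),
    ("203.0.113.11", "198.51.100.5", "udp", 123, 1_500_000),
    ("203.0.113.12", "198.51.100.5", "udp", 123, 1_500_000),
    ("203.0.113.13", "198.51.100.5", "udp", 123, 1_500_000),
    ("203.0.113.14", "198.51.100.5", "udp", 123, 1_500_000),
    ("192.0.2.7", "198.51.100.5", "tcp", 443, 100_000),
    ("192.0.2.8", "198.51.100.9", "tcp", 443, 10_000),
]

def aggregate(flows, window_s, sampling):
    """Per destination: estimated inbound bps and the byte share of the
    dominant (proto, dst_port) signature, scaled up by the sampling rate."""
    total = defaultdict(int)
    by_sig = defaultdict(Counter)
    for _, dst, proto, port, nbytes in flows:
        total[dst] += nbytes
        by_sig[dst][(proto, port)] += nbytes
    stats = {}
    for dst, nbytes in total.items():
        sig, top = by_sig[dst].most_common(1)[0]
        stats[dst] = {"bps": nbytes * sampling * 8 / window_s,
                      "top_sig": sig, "top_share": top / nbytes}
    return stats

def mitigation(bps, top_share, baseline_bps, appliance_bps, circuit_bps,
               alert_factor=5.0, sig_share=0.8):
    """Tier choice: clean on-premise while the appliance (and the circuit) can
    carry it; otherwise hand off to the provider, preferring a selective
    flowspec drop when one signature dominates and RTBH only as last resort."""
    if bps < baseline_bps * alert_factor:
        return "none"
    if bps < min(appliance_bps, circuit_bps):
        return "on_premise"
    if top_share >= sig_share:
        return "upstream_flowspec"
    return "upstream_rtbh"

def triage(flows, window_s, sampling, baseline_bps, appliance_bps, circuit_bps):
    """Map each destination to (tier, dominant signature, estimated Mbps)."""
    out = {}
    for dst, s in aggregate(flows, window_s, sampling).items():
        tier = mitigation(s["bps"], s["top_share"],
                          baseline_bps, appliance_bps, circuit_bps)
        out[dst] = (tier, s["top_sig"], round(s["bps"] / 1e6, 1))
    return out
```

With a 50 Mbps baseline, a 500 Mbps appliance and a 1 Gbps circuit, the sample yields about 6 Gbps of udp/123 toward 198.51.100.5, which no on-premise box or IPS could absorb, so the decision is a provider-side flowspec drop of that one signature while the quiet host stays untouched.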

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and how your
customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout,
best practices for set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

