Network security begins with analyzing the potential threats that your network is designed to withstand. In the case of BluBØX’s hosted applications at our data center, we have built safeguards against all of the following types of threats:
• Denial of service (DoS) attacks
• Database attacks
• Cross-site scripting attacks
• Cross-site request forgery attacks
• Web server exploits
• Malicious employees
• Application server exploits
• Social engineering attacks
• Operating system exploits
The first line of defense that protects your data at BluBØX’s data center is a firewall. A firewall is a device that examines incoming and outgoing data traffic and decides whether it should be allowed or blocked, based on a set of rules programmed by the network administrator. At our data center, BluBØX’s firewalls are configured to screen out all types of traffic except for HTTP (for our public site) and HTTPS (once you have accessed your account). There are no other “services” available on the Internet-facing side of our transaction processing system.
This means that many of the common forms of gaining access to computer systems are blocked right at the firewall itself. For example, it is not possible to access BluBØX using FTP, Telnet, POP or IMAP mail protocols, instant messaging protocols, or any of the many other types of IP traffic common on the Internet today.
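The policy described above (everything blocked except HTTP and HTTPS) can be checked mechanically against a ruleset. The following is an added example, not BluBØX's configuration or code: the rule format, the first-match evaluation order, the use of TCP ports 80 and 443 for HTTP and HTTPS, and the sample rulesets are assumptions made for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):      # hypothetical rule format, not a real firewall's syntax
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    lo: int                  # first port of the range
    hi: int                  # last port of the range (inclusive)

# Stated policy: only HTTP and HTTPS are reachable (assumed TCP 80 and 443).
POLICY = {("tcp", 80), ("tcp", 443)}

def decide(rules, proto, port, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default

def exposed(rules, default="deny"):
    """Every (proto, port) pair the ruleset actually lets through."""
    return {(p, n) for p in ("tcp", "udp") for n in range(1, 65536)
            if decide(rules, p, n, default) == "allow"}

def audit(rules, default="deny"):
    """Return (open but not in policy, in policy but closed)."""
    open_set = exposed(rules, default)
    return sorted(open_set - POLICY), sorted(POLICY - open_set)

# Constructed sample rulesets.
GOOD = [Rule("allow", "tcp", 80, 80), Rule("allow", "tcp", 443, 443)]
DRIFTED = [
    Rule("deny", "tcp", 23, 23),     # Telnet explicitly denied first...
    Rule("allow", "tcp", 20, 25),    # ...but a leftover range still opens FTP and more
    Rule("allow", "tcp", 80, 80),
    Rule("allow", "tcp", 443, 443),
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        extra, missing = audit(rules)
        print(name, "unexpectedly open:", extra, "unexpectedly closed:", missing)
```

The audit covers TCP and UDP ports only; other IP protocols such as ICMP would need their own check.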
Denial of Service Attacks
Denial of Service (DoS) attacks are floods of traffic that slow down computers and networks to the point where they can no longer perform their primary functions. They come in two different forms: those that cripple an entire network, such as the Internet itself, and those that debilitate a specifically targeted computer system by forcing it to respond to too many requests.
While BluBØX can do nothing about DoS attacks that slow down the Internet itself, our data center resources are protected against DoS attacks at multiple layers. First, the firewalls block out the vast majority of types of traffic responsible for most widespread DoS attacks. The servers inside the firewall never even see this traffic, and are thus unaffected by it. This includes all forms of attack that use protocols other than HTTP/S to achieve their effect.
A second line of defense is provided by the load balancers (see Figure 5: BluBØX Data Center Detail) used to spread traffic across multiple servers for scalability. The load balancers examine incoming traffic and make decisions about how (or whether) it should be routed. As part of this operation, they are also able to guard against a common form of attack known as a “SYN flood”, a technique that disables computers by making them try to respond to a flood of connection requests.
Intrusion Prevention Systems
BluBØX uses an intrusion prevention system (IPS) to examine all incoming traffic for signs of hacking or other unauthorized access. An IPS is, in effect, a security guard that sits at the front door of the network and watches for “burglars.” If it sees one, it can respond directly to the threat as well as send out a notification that triggers human intervention.