Ads 468x60px

11 de diciembre de 2017

AWS Elastic Load Balancing



AWS Cloud has firewalls, load balancers, WAF and many other interesting services which can be used easily and freely for the first year or paying as we use. I work with Load Balancers from time ago and AWS Elastic Load Balancing is an Amazon Service I’m working on right now. I have already talked about the Benefits of Layer 7 Load Balancing such as making decisions based in requests and responses of applications, modifying data in transit, redirecting, showing messages, caching, compression, encrypting as well as better availability and performance.

AWS Elastic Load Balancing (ELB) is not like a traditional load balancing appliance because I don’t know whether it supports MultiPath TCP, SACK, Nagle’s Algorithm, Long Fat Networks, prevents Web Scraping, etc but AWS ELB is enough for most companies. For instance, we can use AWS Application Load Balancer (ALB) for HTTP and/or HTTPS load balancing which also supports WebSockets and HTTP/2, path-based routing, health checks customization, SSL Offloading as well as integration with other AWS Services like AWS Certificate Manager (ACM), Amazon CloudWatch, AWS WAF, AWS CloudFormation, Amazon CloudFront, etc, etc, etc.


Comparison of Elastic Load Balancing Products

When we configure AWS ALB, we always have to choose at least two Availability Zones (AZ) to increase the fault tolerance of our applications. Therefore, Amazon recommends to have the same amount of EC2 instances in each AZ to distribute incoming application traffic across multiple zones. As a result, if one Availability Zone becomes unavailable, the load balancer can continue to route traffic to another Availability Zone.

AWS ELB + Web App + Multi-AZ

What we know as real servers at Radware or nodes at F5 BIG-IP, Amazon call them as Targets, which are EC2 instances with listening ports. In addition, we should configure our own custom health checks to route incoming traffic to healthy instances thus unhealthy instances, which application is not behaved properly, are not used by AWS ELB till they are alive again. What’s more, Stickness can be also configured into Targets to bind a client’s session to a specific instance within the target group.

Path-and Host-Based Routing
 
On the other hand, what we know as virtual servers at F5 BIG-IP, Amazon call them as Listeners, which are a set of protocol and port as well as the default target group to route requests to the targets in that default target group. Furthermore, if we choose HTTPS protocol into the listener, we can upload our own SSL Certificate or we can also use AWS Certificate Manager (ACM) to provision, manage, deploy and renew SSL Certificates.

AWS ELB Architecture
 
Eight years ago, I read, for the first time, about AppDirector and vDirect from Radware which allow us to create virtual machines automatically as services have more and more connections. As a result, virtual machines are powered on and powered off automatically when we need more resources and this is integrated into the load balancing to distribute traffic properly. This is what Auto Scaling can also do for us along with AWS Elastic Load Balancing.

AWS Auto Scaling
 
To sum up, we have today a reliable platform into AWS Cloud with lots of services where we can deploy our applications easily and inexpensively.

Regards my friends and keep studying!!

4 de diciembre de 2017

OWASP Top 10 - 2017



I wrote about OWASP at University nearly five years ago and, today, I don’t know yet if there is some subject about it to learn main web issues and how to keep them away thus we’ll have many Web Application Vulnerabilities if web engineers don’t study, and they don’t know, how to develop secure Web Services and WebSockets. Once web applications are developed, with vulnerabilities or not, there should be mandatory to install a Web Application Firewall to protect our organization of new vulnerabilities, DoS attacks, Web Scraping, etc.

When I was at University, I learnt to develop with Pascal, C/C++ and Assembly languages, although I learnt a little bit about PHP, HTML, JavaScript and Java as well. I developed applications without thinking about publishing to Internet, just basic web pages, but, today, web applications are behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. In addition, microservices written in node.js and Spring Boot are replacing traditional monolithic applications which have security challenges like establishing trust between microservices, containers, secret management, etc. On the other hand, modern web frameworks have been released such as Bootstrap, Electron, Angular and React which run functionalities on the client-side while traditional frameworks run functionalities on the server-side.

The difference between the monolithic and microservices architecture

Many changes have had over the last years and, therefore, OWASP Top 10 has been updated. For instance, we have a new category called A4 – XML External Entities (XXE) because new issues have been identify in older or poorly configured XML processors when they evaluate external entity references within XML documents.

A4 – XML External Entities (XXE)

Insecure Direct Object References and Missing Function Level Access Control have been merged into A5 – Broken Access Control where restrictions on what authenticated users are allowed to do are often not properly enforced.

A5 – Broken Access Control

A8 – Insecure Deserialization is another new category into OWASP Top 10, which, initially, is difficult to exploit. However, a successful exploitation could lead to remote code execution and it can also be used for replay attacks, injection attacks, and privilege escalation attacks.

A8 – Insecure Deserialization

Last change to the OWASP Top 10 has been to add the category A10 – Insufficient Logging and Monitoring because many organizations don’t have security tools and processes to detect malicious activities and data breaches and, as a result, they become aware of a security breach by external parties with more than an average of 200 days of delay.

A10 – Insufficient Logging and Monitoring

This has been an overview of changes in OWASP Top 10 – 2017 where there is also to highlight other security risks like Injection or Cross-Site Scripting (XSS) which keep the importance into the OWASP Top 10.

What changed from 2013 to 2017?

Regards my friends, protect your web servers and keep studying!!
Related Posts Plugin for WordPress, Blogger...

Entradas populares