Monthly Archives: September 2008

Application Firewalls (technical recipe)

I have harped enough about managing teams, innovation, open source and what have you. Here then is a recipe for a somewhat meatier dish: a completely FLOSS application-level firewall. Schematics on the right.

The problem: protect N internal web servers and applications from Internet attacks, not only at the connection level but also at the application level.

The ingredients:
A firewall (redundant for a richer result).
Apache in accelerator (reverse proxy) mode with SSL capability.
The N servers and their applications.
mod_security, the inline Apache protection module.
A relatively secure internal network.

The recipe: First of all, obtain a wildcard chain certificate from an accredited certificate authority such as DigiCert or Thawte. The certificate will be issued for *.yourdomain.com, which lets you map any hostname under your domain to an SSL virtual host and on to an internal server. You can do that because Apache permits several SSL virtual hosts on the same address as long as they all present the same certificate, which the wildcard one does.

Now to cook things up: first install mod_security on your server; this lets you block SQL injection attacks and other nasties in real time. Then season with SSL virtual hosts using the following incantation; some people claim it works better if done in the wee hours of the morning.

<VirtualHost IP1:443 IP2:443 IP3:443 IP4:443>
    # one SSL virtual host per public hostname; all share the wildcard certificate
    DocumentRoot "/var/www/proxy_dir1"
    ServerName portal.yourdomain.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/star_domain.crt
    SSLCertificateKeyFile /etc/httpd/certs/wilddomain.key
    SSLCertificateChainFile /etc/httpd/certs/TrustedRoot.crt
    # reverse proxy only: never act as a forward (open) proxy
    ProxyRequests off
    # pass the original Host header through to the backend
    ProxyPreserveHost On
    ProxyPass / http://server1.yourdomain.com/
    ProxyPassReverse / http://server1.yourdomain.com/
    # classic workaround for old MSIE SSL quirks
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
.
.
.

<VirtualHost IP1:443 IP2:443 IP3:443 IP4:443>
    # same pattern, different public hostname and backend
    DocumentRoot "/var/www/proxy_dir1"
    ServerName billing.yourdomain.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/star_domain.crt
    SSLCertificateKeyFile /etc/httpd/certs/wilddomain.key
    SSLCertificateChainFile /etc/httpd/certs/TrustedRoot.crt
    ProxyRequests off
    ProxyPreserveHost On
    ProxyPass / http://server2.yourdomain.com/
    ProxyPassReverse / http://server2.yourdomain.com/
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

Make sure that the server running Apache in accelerator mode can resolve server1.yourdomain.com and server2.yourdomain.com. You see four IP addresses in the VirtualHost statement because you MUST use at least a two-node cluster, and since I like my dishes spicy I have employed an active/active scheme using the old and proven Heartbeat, which brings the total to four IP addresses in use in the cluster.

To top it off, add the following configuration in the regular (port 80) virtual hosts section of the Apache server so that end users are carried over transparently to the SSL-encrypted site.

<VirtualHost *:80>
    DocumentRoot "/var/www/proxy_dir"
    ServerName portal.yourdomain.com
    # send everything to the SSL site, keeping the requested path
    RedirectMatch ^/(.*)$ https://portal.yourdomain.com/$1
</VirtualHost>
.
.
.

<VirtualHost *:80>
    DocumentRoot "/var/www/proxy_dir"
    ServerName billing.yourdomain.com
    RedirectMatch ^/(.*)$ https://billing.yourdomain.com/$1
</VirtualHost>
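The recipe repeats the same two blocks for every public hostname, so the natural tool is a small generator. The Python below is an added example, not code from the original post: it produces the paired :443 reverse-proxy VirtualHost and its :80 redirect twin from one hostname-to-backend mapping, and refuses any hostname that the wildcard certificate would not cover, because a browser would then show a certificate error rather than reach the backend. The certificate paths, DocumentRoot values and the cluster addresses IP1..IP4 are the page's placeholders; the hostname check assumes the usual rule that `*` stands for exactly one DNS label, and the emitted redirect keeps the request path.

```python
"""Added example, not from the original post: build the per-hostname
:443 reverse-proxy VirtualHost and its :80 redirect twin from one
hostname -> backend mapping, refusing any hostname the wildcard
certificate would not cover. Paths and IP1..IP4 are placeholders."""

import re

WILDCARD_CN = "*.yourdomain.com"             # subject of the wildcard certificate
CLUSTER_IPS = ["IP1", "IP2", "IP3", "IP4"]   # two-node active/active heartbeat cluster (placeholders)
CERT_DIR = "/etc/httpd/certs"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Hostname check in the style browsers apply to certificates: a '*' is only
    allowed as the whole leftmost label and stands for exactly one label, so
    '*.yourdomain.com' covers portal.yourdomain.com but not yourdomain.com
    itself, not a.b.yourdomain.com, and not portal.yourdomain.com.evil.test."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    suffix = pattern[1:]                       # ".yourdomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]        # what the '*' would have to stand for
    return re.fullmatch(r"[a-z0-9-]+", leftmost) is not None


def ssl_proxy_vhost(hostname: str, backend: str) -> str:
    """The SSL-terminating, mod_security-protected front for one public hostname."""
    listen = " ".join(f"{ip}:443" for ip in CLUSTER_IPS)
    return "\n".join([
        f"<VirtualHost {listen}>",
        '    DocumentRoot "/var/www/proxy_dir1"',
        f"    ServerName {hostname}:443",
        "    SSLEngine on",
        f"    SSLCertificateFile {CERT_DIR}/star_domain.crt",
        f"    SSLCertificateKeyFile {CERT_DIR}/wilddomain.key",
        f"    SSLCertificateChainFile {CERT_DIR}/TrustedRoot.crt",
        "    ProxyRequests off",               # reverse proxy only, never an open forward proxy
        "    ProxyPreserveHost On",            # backend sees the public hostname
        f"    ProxyPass / http://{backend}/",
        f"    ProxyPassReverse / http://{backend}/",
        '    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0',
        "</VirtualHost>",
    ])


def redirect_vhost(hostname: str) -> str:
    """Plain-HTTP twin that sends users to the SSL site, keeping the path they asked for."""
    return "\n".join([
        "<VirtualHost *:80>",
        '    DocumentRoot "/var/www/proxy_dir"',
        f"    ServerName {hostname}",
        f"    RedirectMatch ^/(.*)$ https://{hostname}/$1",
        "</VirtualHost>",
    ])


def build_config(mapping: dict) -> str:
    """Emit both blocks for every hostname; fail loudly on one the certificate cannot serve."""
    blocks = []
    for hostname, backend in mapping.items():
        if not wildcard_matches(WILDCARD_CN, hostname):
            raise ValueError(f"{hostname} is not covered by {WILDCARD_CN}: browsers would raise a certificate error")
        blocks.append(ssl_proxy_vhost(hostname, backend))
        blocks.append(redirect_vhost(hostname))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(build_config({
        "portal.yourdomain.com": "server1.yourdomain.com",
        "billing.yourdomain.com": "server2.yourdomain.com",
    }))
```

Run it and paste the output into the SSL and plain virtual host sections; the check in `build_config` is the part worth keeping even if you write the blocks by hand, since a hostname outside the wildcard (the bare domain, or anything two labels deep) is the most common reason a freshly added vhost greets users with a certificate warning.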

Now what we have achieved is:

  1. Inline blocking of malicious requests by mod_security regardless of encryption, since the proxy inspects traffic after SSL termination.
  2. Protection of production servers from DDoS and similar attacks.
  3. SSL encryption on the users' end to ensure that their data is safe in transit.
  4. Transparent fall-through from the clear-text site to the SSL site.
  5. SSL offloading to the front-end servers; it helps OWA tremendously!
  6. Freedom to move production servers and services around with just a change in the internal DNS.
  7. Back-end servers do not need certificates.
  8. Application programmers no longer need to go through the systems people for changes on the production servers.
  9. Acceleration of applications with minimal fuss.
  10. Concentration of access logging and monitoring in one place.
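Item 10 deserves a worked illustration. Because every request for every backend passes through the proxy, one access log at the proxy covers them all. The Python below is an added example, not code from the original post: it reads a log written with a vhost-prefixed LogFormat, `"%v %h %l %u %t \"%r\" %>s %b"`, and reports, per public hostname, how many requests were answered with 403 (the status mod_security's deny action returns by default, assumed unchanged here) and which client addresses were denied on more than one backend, something no single backend's own log could show. The log lines are constructed for the example.

```python
"""Added example, not from the original post: summarise the proxy's
concentrated access log per public hostname. Log lines are constructed."""

import re
from collections import Counter, defaultdict

# LogFormat "%v %h %l %u %t \"%r\" %>s %b" -- vhost first, then the common-log fields
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

DENIED_STATUS = "403"   # what mod_security's deny action returns by default (assumed unchanged)

# constructed sample log; the last line is deliberately malformed
SAMPLE_LOG = """\
portal.yourdomain.com 203.0.113.7 - - [12/Sep/2008:09:14:02 +0300] "GET /login HTTP/1.1" 200 5120
billing.yourdomain.com 198.51.100.23 - - [12/Sep/2008:09:14:05 +0300] "GET /invoice?id=17 HTTP/1.1" 200 8801
billing.yourdomain.com 198.51.100.23 - - [12/Sep/2008:09:14:09 +0300] "GET /invoice?id=17%27 HTTP/1.1" 403 214
portal.yourdomain.com 198.51.100.23 - - [12/Sep/2008:09:14:11 +0300] "POST /search HTTP/1.1" 403 214
portal.yourdomain.com 203.0.113.7 - - [12/Sep/2008:09:14:20 +0300] "GET /inbox HTTP/1.1" 200 30211
this line is deliberately malformed and must be skipped, not crash the report
"""


def parse_line(line: str):
    """One log record as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text: str):
    """Per-vhost request and denial counts plus a Counter of denied clients; also
    returns how many unparseable lines were skipped so gaps stay visible."""
    per_host = defaultdict(lambda: {"requests": 0, "denied": 0, "denied_by_client": Counter()})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = per_host[rec["vhost"]]
        entry["requests"] += 1
        if rec["status"] == DENIED_STATUS:
            entry["denied"] += 1
            entry["denied_by_client"][rec["client"]] += 1
    return dict(per_host), skipped


def clients_denied_on_several_hosts(summary: dict, min_hosts: int = 2):
    """Clients blocked on at least min_hosts different backends: a pattern that
    is only visible because all backends log through the same proxy."""
    hosts_per_client = defaultdict(set)
    for host, entry in summary.items():
        for client in entry["denied_by_client"]:
            hosts_per_client[client].add(host)
    return sorted(c for c, hosts in hosts_per_client.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    summary, skipped = summarise(SAMPLE_LOG)
    for host, entry in sorted(summary.items()):
        print(f"{host}: {entry['requests']} requests, {entry['denied']} denied")
    print("denied on several hosts:", clients_denied_on_several_hosts(summary))
    print("skipped lines:", skipped)
```

The skipped-line count is deliberate: a monitoring script that silently drops lines it cannot parse hides exactly the traffic you most want to see, so the report always says how much of the log it did not understand.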

What we have then is an application multiplexer/accelerator/encryptor/protector for free! Beware: your mileage may vary.


Fear vs anger as drivers in Open Source adoption

If one could measure these two conflicting emotions in CxOs, namely fear and anger, one could predict the adoption rate of open source.

Fear is a very basic emotion; fear of not having support for your crucial business applications is a considerable driving force. Fear of not having a job tomorrow because the master billing system might blow up. Fear that what you spent a fortune on today might be obsolete before it had a chance to make up for its cost. This fear keeps CIOs pegged to certain vendors, often with good and valid reasons but equally often irrationally.

As strange as it might seem, anger is the opposite of fear in this arena. Anger at support costs that reach highway-robbery levels, like being charged per CDR for billing software. Anger at not owning the software one paid for outright, but only the right to use it. Anger that the multimillion software just blew up – hello London Stock Exchange. It goes on and on like this.

When anger becomes stronger than fear, CxOs look for alternative routes, open source being one. To give you an example, consider database systems. Commercial databases are great products, yet they can be overkill under certain conditions. Imagine now a company that has a number of small applications, each with its own instance of a commercial-grade DB. Now suppose that company suddenly decides to cut costs and looks at the licensing fees of said DB engine, calculated by CPU clock and number of cores. It is easy to see that they would be angry about the money they pay for licenses, and that they would overcome their fear of open source and start looking into alternatives such as MySQL, PostgreSQL, etc.

One could replay this see-saw of emotions in many anecdotal situations and even pepper it with side emotions such as desperation on one end or giddiness on the other. Feel free to send me your favorite feelings.

Please sit comfortably on the couch

Oh I love it, all these mentors and effectiveness teachers and emotional quotient lessons, I mean it maaaaam – to quote the Sex Pistols.

Oh come on, what has happened to us for some “professional” to be able to sell us psychobabble about listening to our colleagues? Have we grown up without friends, and now we have to be told, taught more like it, how to be respectful of others? Are we in such danger of our private space being violated by any and all that we shut the blinds, and some grifter has to be paid to find the person hiding inside our armor?

What I see is a whole class of people who feel terrified of losing their status, be it jobs, positions or privileges, so that they shut everybody out. They draw a veil over themselves, they cast a shadow over their soul to maintain distance and clout. That is probably the surest way for one to lose what is most valuable in life, what the French call “joie de vivre”, and what I sometimes dub “the vibrancy of sharing achievements, and also failures if need be”. Unfortunately this life under the shadow eclipses the soul totally; it stops one from partaking in life.

Was it not Shakespeare who claimed that life is a stage and we are actors in it? Let us then be like actors. Let us expose ourselves, free ourselves from the shadow, not feel guilty or sorry for our shortcomings. Oh, I forget: of course we do not have shortcomings, we the leaders of people; we are superhuman, we share nothing in common, right? Wrong: we are probably much more vulnerable than everybody else, because we have to bear the burden of supporting our ranks, like generals and fathers/mothers at the same time.

I admit it: I do not only love the technology, I love interfacing with people with their full personality turned on. Not all attempts to communicate are successful; there are ornery and closed people out there. Yet the ones who manage to integrate into more than a working environment, into a business camaraderie, invariably become forces to be reckoned with.