Security Journal on Ulitzer
So you’ve bought into the idea of service-orientation. Congratulations.
You’ve begun to create services throughout your internal corporate network.
Some of these run on .NET servers; others are Java services; still others are
Ruby-on-Rails—in fact, one day you woke up and discovered you even have a
mainframe service to manage. But the question you face now is this: how can
all of these services be made available to consumers on the Internet? And
more important, how can you do it securely?
Most organizations buffer their contact with the outside world using a DMZ.
Externally facing systems, such as web servers, live in the DMZ. They mediate
access to internal resources, implementing—well, hopefully implementing—a
restrictive security model. The DMZ exists to create a security air gap
between protocols. The idea is that any system deployed ... (more)

Many things are intended to work together, but require specific knowledge to
get the outcome you desire. Automobiles and trailers, for example, require a
trailer hitch, and not just any trailer hitch, but one with a ball the
correct size to work with the trailer, and wire connectors that will plug in.
It’s all in the interface, but once you have the knowledge and get it all
hooked up, you can haul a lot more with the combination than with the vehicle
There are, of course, many similar examples in the world, and ours is
somewhat rudimentary, but does get the point across. ... (more)

What is this application delivery thing that everyone keeps telling me I
need? Isn’t that just the latest marketing term for load balancing?
A recently released Forrester report concludes that “firms must develop an
integrated strategy for application delivery.” We don’t disagree with
that, or with the Gartner report claiming that “Load Balancing is Dead,
Time to Focus on Application Delivery.” Application delivery is the next
step in the logical evolutionary path from the tactical solution of load
balancing to a comprehensive application infrastructure strategy.
Forrester’s re... (more)

Like most application servers, WebSphere 8.5 has a rich management
infrastructure based on JMX, or Java Management Extensions. In fact, the
WebSphere administration console uses JMX to connect to the server to issue
queries and perform administrative operations. In a previous post I showed
you how to secure JBoss’ JMX connector. While there is a lot of information
out there on how to connect to WebSphere via JMX, most of the examples
involve either disabling SSL, or worse – disabling security globally. So
let’s see how we can access WebSphere’s JMX connector remotely in a

This will probably be a short post since there are not that many security
terms that begin with the 17th letter of our alphabet. However, keeping
Quiet is a common theme in security.
As mentioned numerous times, locking passwords, logins, and other sensitive
information in your mouth vault keeps them from leaking to others. Social
Engineering has always been about compromising that vault. Recently there
was a post by Roger Thompson, AVG’s Chief Research Officer, which actually
suggested you Write Down your passwords, especially complex, hard to remember
While this ... (more)

Yesterday GoGrid and EdgeCast Networks jointly announced the availability of
the GoGrid CDN (Content Delivery Network). With the GoGrid CDN (currently in
beta), GoGrid customers can scale their web presence as well as accelerate
the delivery of web content using the GoGrid CDN global infrastructure.
What is unique about the GoGrid CDN (powered by EdgeCast Networks) is that it
is a pay-as-you-go service with no contracts or usage requirements. Also, the
CDN boasts 16 Points-of-Presence (PoPs) on 4 continents. There is no need to
set up specific zones as your coverage is truly globa... (more)