Protecting truckloads of data on the information superhighway

SSL Journal



Top Stories

Like most application servers, WebSphere 8.5 has a rich management infrastructure based on JMX, or Java Management Extensions. In fact, the WebSphere administration console uses JMX to connect to the server to issue queries and perform administrative operations. In a previous post I showed you how to secure JBoss’ JMX connector. While there is a lot of information out there on how to connect to WebSphere via JMX, most of the examples involve either disabling SSL, or worse – disabling security globally. So let’s see how we can access WebSphere’s JMX connector remotely in a secure way. Like most things WebSphere, this could look very daunting at first, but once done, you will have a reliable and secure setup. First, a Little Background Historically most JMX implementations used the simple JMXMP protocol as the underlying transport. The newer versions of the JMX Spe... (more)

Five Lessons The League Can Teach Us about Cyber Security

Lessons from the hit show, The League The 2013 NFL season kicks off tonight with the defending Super Bowl champion Baltimore Ravens visiting the Denver Broncos. For many of us, the start of football season means lazy chicken wing and pizza-filled Sundays in front of the TV. But, it also means it’s time to scramble together and pick your fantasy football team. If you participate in fantasy football, you may be a fan of the hit FX television show, The League which premiered last night. Don’t worry – there are no spoilers here. The League follows a group of old friends in a fantasy football league that seems to bleed into every aspect of their lives. Even if you don’t like fantasy football, or football for that matter, this show is likely to have you either laughing or turning away from the television in disgust at their attempts to make each other’s lives miserable. A... (more)

Dear Slashdot: You Get What You Pay For

Open Source SSL Accelerator solution not as cost effective or well-performing as you think o3 Magazine has a write up on building an SSL accelerator out of Open Source components. It's a compelling piece, to be sure, that was picked up by Slashdot and discussed extensively. If o3 had stuck to its original goal - building an SSL accelerator on the cheap - it might have had better luck making its arguments. But it wanted to compare an Open Source solution to a commercial solution. That makes sense, the author was trying to show value in Open Source and that you don't need to shell out big bucks to achieve similar functionality. The problem is that there are very few - if any - commercial SSL accelerators on the market today. SSL acceleration has long been subsumed by load balancers/application delivery controllers and therefore a direct comparison between o3's Open ... (more)

WebLogic Server - Identity vs Trust Keystores

In computing most technologies have lots of terms and acronyms to learn, it's par for the course, you get used to it. However in computer security the frustration is multiplied as there are often many different terms that mean the same thing. It makes implementing security hard, because understanding it is hard, and I'm not surprised why security is considered badly implemented because the average Joe will struggle (and for the record I'm the average Chris so I struggle too ;-). I've been trying recently to get straight in my head what is stored in the WLS identity and trust keystores, and what the difference between identity and trust is anyhow. Thanks to kind assistance from Gerard Davison, I think I can now post my understandings, and as usual, hopefully the post is helpful to other readers. As noted however security to me is a difficult area, and so be sure to c... (more)

Jill Tummler Singer of the CIA Speaks on "Cloud Safety" : +1

I saw this tweet this morning and I thought "+1" (I guess I am a geek if I am thinking in Digg/Slashdot shorthand). The problem is that in Information Security, "security" is all-too-often used to mean only encryption. A line is considered "secure" if it's encrypted. But often, the real "security" requirements are much broader and include management (as in access management, identity management), business continuity defense against denial-of-service, and privacy. I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "certainty" (sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can s... (more)

This Time, It’s Personal

Nearly 80% of companies reported an increase in the number of employees wanting to bring their own devices into the workplace in the last 6-12 months according to ‘The Device Dilemma,’ a report by Vanson Bourne and Good Technology. In addition, two thirds of IT Managers have been under more pressure to increase compatibility with people’s personal handsets in the workplace with 82% saying the most requested device is the iPhone. Personal devices pose a difficult challenge to IT departments and it’s not just iPhones/personal cell phones; mp3/music players, portable video/game consoles, personal laptops and just about anything with an internet connection or USB hookup can pose a risk.  The age of social networks, streaming video, tele-work lifestyle and the basic computing power of mobile devices have made them constant companions in our daily lives since they do mor... (more)

Does Cloud Computing Exacerbate Security and File Transfer Issues?

SOA Security at Cloud Expo Here is an interesting article by Rob Barry titled: "In SOA, cloud resources may exacerbate security and file transfers issues." It highlights significant requirements for Federated SOA especially around large file transfer using SOAP Attachments. The article makes the following interesting points: With increasing cloud adoption, there is an increase of large file transfers to external cloud providers such as Amazon S3 or Rackspace CloudFiles or to a company's internally hosted cloud.  The file size increase is driven by a low-hanging use case for S3 and CloudFiles:  securely archiving rarely used corporate data in the cloud.  The result of such archiving of batch data is an ever-growing file transfer over HTTP as a MIME of MTOM attachments.  Consider the opposite scenario:  if the data is real-time the transaction rate is higher but t... (more)

DevCentral Top5 01/22/2010

Wow! What a whirlwind it's been the past few weeks. Between holidays and vacation and people traveling out of town, it's been an absolute zoo around here. Though I've been out the past week or so there has been an avalanche of content. I've hemmed and hawed and finally managed to slim my picks down to just five, though there are at least a dozen awesome things worth checking out on DevCentral in the past week or so. So don't be shy, get out there and poke around for yourself. For now, though, here are my top 5 picks for the week: v10.1 - The table Command - The Basics http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2375 The new table command introduced in 10.1 is so hawesome and powerful it's hard for me to decide where to even begin describing the grandeur that is the table command. I've decided to begin at the beginning, and point y... (more)

Use SOAPbox to Send Attack Vectors to a Web Service

SOA & WOA Magazine on Ulitzer SOAPbox is a handy tool for testing a Web Service. It does stress testing, functional testing, authentication testing (e.g. handling mutual SSL), and vulnerability assessment. The vulnerability assessment piece is provided by the "attack vector" feature. You can access the attack vector functionality in the SOAPbox product by following these steps: First if you don’t have it already, download a free copy of SOAPbox from here. Next, in the “Classic” mode of SOAPbox (selected using the tabs in the top-right), load in the WSDL of the service you want to test (using the icon shown in the “WSDL_Import” screenshot attached). This will allow you to load in a particular operation of the WSDL. Press the green triangular “play” button on the SOAPbox toolbar to send the request through once, to make sure it is hitting the Web Service. You should... (more)

Nimbus Technology Launches New Cloud Storage Solution Powered by the Mezeo Cloud Storage Platform

Nimbus Technology (www.nimbustech.co.uk), a leading infrastructure hosting and cloud computing provider, today announced the launch of the Nimbus Cloud Storage Service powered by the Mezeo Cloud Storage Platform. Developed by Mezeo Software (www.mezeo.com), the Mezeo Cloud Storage Platform is a Web Services API-based cloud storage platform purpose-built for service providers. The Mezeo Service Provider Alliance Program offers service providers an accelerated time to market, providing complete support to deploy and monetize their cloud storage service, including branding support, training resources and marketing assistance. The announcement was released in conjunction with Parallels Summit 2010 at the Fontainebleau Miami Beach in Florida. Mezeo is a Bronze Sponsor of the event, and is exhibiting in booth 9. The Nimbus Cloud Storage solution is hosted by the UK-base... (more)

Lori MacVittie Interview at Cloud Connect

I got a chance to sit down with another member of the Technical Marketing Team at F5, Lori MacVittie at the Cloud Connect conference in Santa Clara this week.  We chat about Web 2.0, Infrastructure 2.0, dynamic networks, cloud interoperability standards, what 3.0 looks like and a few other things.  Thanks Lori! ... (more)