Security
NIS2 - An Introduction to the EU Directive
NIS2 - An Introduction to the EU Directive on Network and Information Security
The Network and Information Security Directive 2 (NIS2) is an EU directive that will be transposed into German legislation by the end of 2024. The full directive can be found at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32022L2555#ntr5-L_2022333DE.01008001-E0005. As the successor to NIS1, which came into effect on June 29, 2017 (see https://www.bsi.bund.de/DE/Das-BSI/Auftrag/Gesetze-und-Verordnungen/NIS-Richtlinie/nis-richtlinie_node.html), NIS2 aims to strengthen cybersecurity in businesses, minimize risks, and avoid damage from cyberattacks.
Although NIS1 has been in existence for many years, NIS2 is now gaining increased attention because the draft will significantly obligate a larger number of companies to implement the prescribed measures. Companies should assess early on whether they are affected, as the implementation of the directive may take several months to years.
centron provides support for the security of IT infrastructures by offering computing power and data storage from an ISO 27001 certified data center according to the BSI IT basic protection standard (https://www.centron.de/warum-iso-27001-zertifiziert/). As a strong partner, centron can help overcome one of the most significant hurdles in the implementation of a successful Information Security Management System (ISMS).
The Federal Office for Information Security (BSI) provides an introduction to the topic of ISMS at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_1.html?nn=440524. An ISMS includes basic components such as management principles, resources for information security, employee involvement in the security process, security process, security concept, and security organization.
An Introduction to Proxies
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
An Introduction to Proxies: Forward and Reverse Proxies
A proxy, also known as a proxy server, is software that acts as an intermediary between a client and a server on the internet. Without a proxy, a client would send a request for a resource directly to a server, and the server would send the resource directly back to the client. Although this approach is simple to understand and implement, proxies offer benefits in terms of increased performance, privacy, security, and more. As an additional pass-through layer, a proxy acts as a gatekeeper of the Internet between clients and servers.
The Role of Proxy Servers
In general, the combined package of server hardware with proxy software installed is also often referred to as a proxy server. In this article, however, we will focus on proxies, which are traditionally defined as software and in the context of web servers. We will get a breakdown of the two main types, the forward proxy and the reverse proxy. Each type has a different use case that is often confused due to the similar naming conventions.
Understanding Forward Proxies
A forward proxy, also known as an open proxy, acts as a proxy for a client attempting to send a request over the Internet to an origin server. In this scenario, all attempts by the client to send requests are sent to the forward proxy instead. The forward proxy will check the request instead of the client. First, it will determine if this client is authorized to send requests through this particular forward proxy. It will then reject the request or forward it to the origin server. The client has no direct access to the Internet; it can only reach what the forward proxy allows it to.
A common use case for forward proxies is to gain increased privacy or anonymity on the Internet. A forward proxy accesses the Internet instead of a client and can use a different IP address than the client’s original IP address.
Depending on the configuration, a forward proxy can grant a number of functions, including:
- Avoidance of ad tracking.
- Bypassing monitoring.
- Identifying restrictions based on your geolocation.
Forward proxies are also used in systems for centralised security and access control, such as a workstation. If all Internet traffic passes through a common forward proxy layer, an administrator can allow only certain clients to access the Internet through a common firewall. Instead of maintaining firewalls for the client layer, which may include many machines with different environments and users, a firewall can be placed on the forward proxy layer.
Note that forward proxies must be set up manually to be used, while reverse proxies can go unnoticed by the client. Depending on whether a client’s IP address is passed from the forward proxy to the origin server, privacy and anonymity can be granted or remain transparent.
There are several options for forward proxies:
- Apache or Nginx: Two popular open source web servers with forward proxy functionality.
- Squid: An open source forward proxy that uses the HTTP protocol. This option does not include a full web server solution.
- Dante: A forward proxy that uses the SOCKS protocol instead of HTTP, making it more suitable for use cases such as peer-to-peer traffic.
Understanding Reverse Proxies
A reverse proxy acts as a proxy for a web server and processes incoming requests from clients on its behalf. This web server can be a single server or multiple servers and can also be an application server such as Gunicorn. In either case, a request would come in from a client over the Internet. Normally, this request would go directly to the web server that provides the resources that the client is requesting. Instead, a reverse proxy acts as an intermediary and isolates the web server from direct interactions with the open Internet.
From the client’s perspective, interacting with a reverse proxy is no different from interacting with the web server directly. It is functionally the same, and the client cannot tell the difference. The client requests and receives a resource without requiring any additional configuration.
Reverse proxies provide features such as:
- Centralised security for the web server layer.
- Direction of incoming traffic based on configurable rules.
- Additional functionality for caching.
While centralised security is an advantage of both forward and reverse proxies, a reverse proxy provides this at the web server level rather than the client level. Instead of focusing on maintaining firewalls at the web server level, which may contain multiple servers with different configurations, the majority of firewall security can be focused on the reverse proxy level. It also allows the responsibility for interacting with a firewall and interacting with client requests to be removed from the web servers, allowing them to focus solely on provisioning resources.
With multiple servers existing behind a reverse proxy, the reverse proxy also handles the routing of requests to specific servers. Multiple web servers can provide the same resource, provide different types of resources, or be a combination of both. These servers may use the HTTP protocol as the conventional web server, but may also include application server protocols such as FastCGI. You can configure a reverse proxy to route clients to specific servers depending on the resource requested or to follow specific traffic volume rules.
Reverse proxies can also benefit from their position in front of the web servers by providing caching capabilities. Large static resources can be configured with caching rules to avoid accessing the web servers for every request. Some solutions even provide the ability to serve static resources directly without even touching the web server. In addition, the reverse proxy can handle the compression of these resources.
The popular Nginx web server is also a popular solution for reverse proxies. While the Apache web server also has a reverse proxy feature, it is an additional feature for Apache, while Nginx is originally designed for and focused on reverse proxy functionality.
Differentiating the Use Cases
Because “forward” and “reverse” have connotations of direction and misleading comparisons with “inbound” and “outbound” traffic, these terms can be confusing because both types of proxies handle requests and responses. Instead, it is better to distinguish between forward and reverse proxies based on the requirements of the application you are developing.
A reverse proxy is useful if you are creating a solution for deploying web applications on the Internet. They represent your web servers in any interaction with the Internet.
A forward proxy is useful when placed in front of client traffic for your personal use or in a work environment. They represent your client traffic in any interaction with the Internet.
Differentiating by use case instead of similar naming conventions helps you avoid confusion – An Introduction to Proxies
Unlock the Power of Proxies with Our Cloud Services!
Ready to experience the benefits of proxies in action? Sign up for our trial today and explore how our cloud services can enhance your online experience, improve security, and boost performance. Get started now and discover the difference.
You might be interested in:
Comprehensive Guide to Cloud Server Architecture
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
Comprehensive Guide to Cloud Server Architecture
A cloud server provides computing resources remotely. But when is a cloud server the right choice? We explain the basics of cloud server architecture and also show you possible alternatives.
The world of cloud servers can seem intimidating at first, but don’t worry – we’re here to help you understand the basics. In this article, we’ll give an overview of cloud servers, what they are, how they work and whether they’re the right choice for your website or web application.
What is a Cloud Server?
It is an internet infrastructure that provides remote computing resources to users. You can think of a cloud server as a private computer that you can set up and control just like an on-site computer, such as a laptop or desktop. Typically, cloud servers are virtual machines running in large server clusters called virtualization. This article explains the main components of cloud server architecture, the difference between cloud servers and other cloud offerings, and how to find out which cloud offering best suits your website or web application.
Cloud Software
To understand them, it’s helpful to know what kind of software runs in the cloud. Here are some important components:
- Operating systems: To one set up, you first need to install an operating system. Today, most cloud customers use a Linux-based operating system such as Ubuntu or Rocky Linux due to its broad support, free or flexible licensing and general prevalence in the server computing world.
- Server-side software: This is a type of software designed to run in a cloud environment that does not have a desktop environment or display. Typically, this means that the software is installed and configured through a command line interface and then accessed by normal users through a web browser or other application.
- Web server: This software allows it to communicate with users or applications on the Internet using the HTTP protocol. If you are setting up a cloud server from scratch to host a website or web application, you will probably need to install and configure server software. The two most popular options are Nginx and the Apache HTTP Web Server.
- API server: APIs (Application Programming Interfaces) are a type of software mediator that allows applications to communicate with each other. A web server is a type of API server that implements the HTTP APIs. There are many different types of APIs that allow your cloud server to exchange data with external applications and data sources.
- Database servers: Database servers are another type of API server. Unlike web servers, which can be called via a web browser and usually provide an HTML user interface, database servers are usually called via a database query API.
Their Alternatives
It is essentially a virtual computer, other cloud product offerings can be understood in relation to them. For example, some cloud providers offer dedicated web hosting or dedicated database hosting. Any product offering that provides a database or web server on its own effectively abstracts the actual cloud server out of the equation.
Should I Use one?
They typically have a variety of security features, and it is not necessary to provision a large-scale production deployment to safely and securely run open source software on a cloud server.
Overall, cloud servers offer a wide range of options and flexibility. Whether you should use a cloud server depends on the specific requirements of your project and your capabilities. Comprehensive Guide
Start Your Free Cloud Server Trial Today!
Dive into the world of advanced cloud computing with our free trial. Experience the power and flexibility of our cloud server solutions, perfectly tailored for your web applications. Don't miss out on the opportunity to enhance your IT infrastructure with state-of-the-art virtualization and robust server architecture. Sign up now and take the first step towards a more dynamic and scalable cloud experience.
You might be interested in:
MongoDB Encryption Guide: Secure Your Data
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
MongoDB Encryption Guide: Secure Your Data
Protect your MongoDB data by encrypting it. We show you how to do this with examples.
Securing Data in Transit
To protect the communication between your MongoDB instance and the clients or applications that need to access it from potential hacker attacks, you can encrypt them. Configure them to require connections that use Transport Layer Security (TLS). Like its predecessor, Secure Sockets Layer (SSL), TLS is a cryptographic protocol that encrypts data as it is transmitted over a network.
Note that TLS only encrypts data as it is transmitted over a network – also known as data in transit. Even if you have configured MongoDB to require connections to be made using TLS, the static database data on the server, also known as data at rest, remains unencrypted. It is not possible to encrypt data at rest with the free Community Edition of MongoDB, but this is possible with the paid subscription-based Enterprise Edition of Mongo.
Encryption at Rest and In Transit
Even if both encryption at rest and encryption in transit are enabled, an unauthorised user could potentially still access your sensitive data. For example, imagine that you have deployed a sharded NoSQL document database to store data for an ice cream delivery application you have developed. The database management system allows you to encrypt data at rest, which you enable, and you also configure it to require encrypted TLS connections between shards as well as clients.
Example of a Security Vulnerability
In this example, when a customer places an order, they are asked to enter some sensitive information such as their home address or credit card number. The application then writes this information into the database into a document, such as:
<
"name" : "Andreas Müller",
"address" : {
"street" : "Heganger 29",
"city" : "Hallstadt",
"state" : "Bayern",
"zip" : 96103
},
"phone" : "0123 456789-0",
"creditcard" : "1231231231231231"
}
This is a potential security vulnerability: Anyone with permissions could access the database, see your clients’ sensitive information and misuse it.
Client-Side Field Encryption
To minimise this risk, since version 4.2 the official MongoDB drivers allow client-side field encryption to be performed. This means that an application, if properly configured, can encrypt certain fields within a document before the data is sent to the database. Once the data is written to the database, only applications or clients that can present the correct encryption keys can decrypt and read the data in those fields. Otherwise, the data document would look similar to this example (assuming the street, city, postcode, phone and credit card fields were encrypted on the client side):
"name" : "Andreas Müller",
"address" : {
"street" : BinData(6,"eirefi3eid5feiZae9t+oot0noh9oovoch3=iethoh9t"),
"city" : BinData(6,"xiesoh+aiveez=ngee1yei+u0aijah2eeKu7jeeB=oGh"),
"state" : "Bayern",
"zip" : BinData(6,"CoYeve+ziemaehai=io1Iliehoh6rei2+oo5eic0aeCh")
},
"phone" : BinData(6,"quas+eG4chuolau6ahq=i8ahqui0otaek7phe+Miexoo"),
"creditcard" : BinData(6,"rau0Teez=iju4As9Eeyiu+h4coht=ukae8ahFah4aRo=")
}
MongoDB stores encoded values as binary data, as indicated by the BinData class labels in the example above. The 6 in each value represents the binary subtype in which the data is stored and indicates what type of binary data has been encoded. Values that have been encoded using Mongo’s client-side field encoding always use subtype 6. Guide: Secure Your Data
Start Your Free Trial and Secure Your MongoDB Databases Today
Embark on the path to ultimate data security with our cloud-based MongoDB solutions. Sign up for a free trial and gain access to top-tier encryption for data at rest and in transit. Don't let your valuable data be vulnerable to threats. Secure your databases with our cutting-edge encryption technology now and experience peace of mind with our cloud services.
You might be interested in:
Infrastructure as Code (IaC) - an introduction
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
Unlocking the Power of Infrastructure as Code (IaC) for Automated Cloud Environments
Cloud computing offers flexible computing resources in the cloud. Infrastructure as Code (IaC) automates the provisioning and modification of these resources using code.
With IaC, you can quickly create as many instances of your entire infrastructure as you need, in different provider regions, from a single source of truth: Your declarative code. This has many benefits, ensuring that you create resources consistently and without errors, while reducing management and manual setup time.
The Key Benefits of IaC
- Fast deployment: Automation speeds up the deployment process.
- Hassle-free recovery: Configuration errors can be fixed quickly.
- Consistency: Resources are consistent and less vulnerable.
- Rapid changes: Modifications can be implemented quickly.
- Reusability: Parts of the infrastructure can be reused in other projects.
- Version control: Code is stored in versioning systems.
- Visibility: The code acts as documentation.
Key IaC Tools
IaC provides an efficient way to manage cloud infrastructures. With the right tools, you can take full advantage of it.
First up is Terraform – an open source tool that manages IaC deployments. It supports multiple cloud providers and ensures that the cloud state matches the code.
Other tools that use IaC include Docker, Kubernetes, Hashicorp Packer, Ansible, Chef, and Puppet. Each of these tools uses the IaC methodology to define and manage the infrastructure desired in their respective domains. Unlocking the Power of Infrastructure as Code (IaC) for Automated Cloud Environments
Experience the Future of Cloud Computing
Ready to unlock the full potential of cloud computing? Join our trial today and explore the seamless, scalable, and secure world of our cloud services. Discover what's possible with our advanced cloud solutions. Don't miss out on the future – start your trial now.
You might be interested in:
MongoDB Security Best Practices
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
MongoDB Security Best Practices
Security considerations should be a top priority, especially when dealing with the MongoDB database management system. We assist you in managing ongoing security concerns within MongoDB.
Importance of Data Security in MongoDB
The security of our data is of paramount importance, and this holds true for MongoDB, a widely used NoSQL database. In this article, we will discuss how to continuously manage the security of your MongoDB installation, as it’s inevitable that new security vulnerabilities will emerge over time.
Regular Update Checks
Securing your MongoDB database begins with selecting the right settings, but that alone is not sufficient. Equally important is conducting regular inspections and diagnostics to determine the status of your system’s security. An initial step is checking for new updates. MongoDB regularly releases new versions, and it’s crucial to ensure that the version you’re using does not have any unpatched vulnerabilities. MongoDB versions are formatted as X.Y.Z, where X is the major version number, Y is the version or development series number, and Z is the revision or patch number. It is recommended to always update to the latest stable revision within your version series, as it typically includes backward-compatible patches to address issues.
Reconsider Server-Side Script Execution
MongoDB provides the ability to execute server-side JavaScript functions, enhancing query flexibility. For instance, you can use the `$where` operator to employ JavaScript expressions for querying documents. While this offers advantages, it also poses risks as it can potentially enable malicious code. For this reason, MongoDB recommends disabling server-side script execution when not actively in use.
Maintain Input Validation
MongoDB validates user inputs by default to ensure that faulty BSON documents cannot be inserted into the database. While this may not be necessary for every use case, it is advisable to keep input validation enabled to protect the integrity of your database.
Conclusion
In conclusion, it is vital to continuously monitor the security of your MongoDB installation. By regularly updating, reconsidering server-side script execution, and maintaining input validation, you can safeguard your database against potential security threats and preserve the integrity of your data. Security Best Practices The Module Design Pattern in JavaScript: Explained with Examples
Ready to Enhance Your MongoDB Security?
Experience top-notch security with our cloud solutions. Start your MongoDB security trial today and ensure your data stays protected. Get in touch with us to get started.
You might be interested in:
MongoDB Security Best Practices for Network Access Control
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
MongoDB Security Best Practices for Network Access Control
To ensure the security of data stored in MongoDB, it’s important to restrict network access to the server running the database. This post is intended to assist you in this regard.
Starting with Network Access Restriction
Securing the data stored in MongoDB begins with limiting network access to the server hosting the database. One way to achieve this is by setting up a Virtual Private Network (VPN). A VPN presents a connection as if it were a local private network, facilitating secure communication between servers within it. By using a VPN for MongoDB, you can block access from machines not connected to the same VPN.
Enhancing Security with a Firewall
However, a VPN alone may not be sufficient to prevent unauthorized access to your MongoDB installation. There might be many individuals who require access to your VPN, but only a few of them need access to your MongoDB database. You can further refine control over who can access your data by configuring a firewall on your database server.
A firewall enhances network security by filtering incoming and outgoing traffic based on custom rules. Firewall tools typically allow precise rule-setting, giving you the flexibility to permit connections from specific IP addresses to specific ports on your server. For instance, you can establish rules that only permit an application server to access the port used by your MongoDB installation on your database server.
Limiting Exposure with IP Binding
Another way to limit your database’s network exposure is to configure IP binding. By default, MongoDB is bound to “localhost” after installation. This means that a fresh MongoDB installation will only accept connections from “localhost” or the same server where the MongoDB instance is installed.
This default setting is secure since the database is only accessible to those who already have access to the server it’s installed on. However, it can cause issues when you need to access the database remotely from another computer. In such cases, you can additionally bind your instance to an IP address or hostname from which the remote computer can reach the database server. MongoDB Security Best Practices
Secure Your Cloud: Start Your MongoDB Security Today!
Ready to elevate the security of your MongoDB databases? As a leading cloud provider, we understand the importance of protecting your data. Join our Test Phase program and gain access to cutting-edge security features designed for MongoDB. Take the first step towards bulletproof database protection – sign up now and secure your data with confidence!
You might be interested in:
Distinction between Free Software and Open Source Software
Building Cloud Expertise with centron - Our Tutorials
Whether you are a beginner or an experienced professional, our practical tutorials provide you with the knowledge you need to make the most of our cloud services.
Distinction between Free Software and Open Source Software
The terms “Free Software” and “Open Source Software” both refer to software with few restrictions on its use and distribution. However, there are subtle differences.
Understanding the Nuances
Most people use the terms “Free Software” and “Open Source Software” interchangeably, but there are nuanced distinctions. The first emphasizes the ethical aspects associated with the freedom to use, modify, and share software. On the other hand, “Open Source Software” focuses on the technical advantages and collaboration in development.
Historical Background
The history of these terms is convoluted. The Free Software Foundation (FSF) under Richard Stallman pioneered “Free Software.” Later, the term “Open Source” gained popularity to underscore business suitability and technical efficiency. The Open Source Initiative (OSI) formulated the Open Source Definition, which outlines ten principles for Open Source licenses.
Practical Implications
In practice, it often means the same thing whether software is labeled as “Free” or “Open Source,” as many licenses are recognized by both groups. Ultimately, the choice between these terms depends on whether you emphasize ethical values or practical benefits.
Terminology and Public Perception
Additionally, alternative designations like “Free and Open Source Software” (FOSS) have been suggested to settle the debate. It is important to note that Free and Open Source Software should be distinguished from public domain software, as the latter does not have the same licensing requirements.
Conclusion
Overall, while the terms have different connotations, they are often interchangeable in practice, depending on individual priorities and requirements in software development.
Join Our Cloud Trial: Experience the Freedom of Open Source Today
Dive into the world of innovative software with our cloud-based solutions. Try our platform for free and see how the power of Free and Open Source Software can transform your development journey. Start your trial now and unleash the potential of a truly open cloud environment!