Author Archive: Seth Janowiak

June 22, 2015

3 Reasons Citrix NetScaler Should Be in Your PCI DSS Compliant Application Stack at SoftLayer

Whether you already process credit card information or are just starting to consider it, you’ve likely made yourself familiar with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS’s 12 requirements (plus one appendix for service providers) outline what you need to do to have a compliant workload and to pass your audits.

While SoftLayer handles the physical access and security aspects on our platform, we also offer tools, such as the Citrix NetScaler VPX and MPX Platinum Edition product line, that supplement your internal tools and processes and help you maintain PCI-DSS compliance.

Unique Features NetScaler Offers That Support PCI-DSS

  1. Mask Payment Account Numbers (PANs)

     With NetScaler Platinum Edition it’s possible to configure the device to block or mask PANs to prevent leakage of cardholder data—even if your application is attempting to present the data to a user. This is extremely useful when adhering to PCI-DSS Section 3.3—the first six and last four digits are the maximum number of digits to be displayed.

     NetScaler provides reporting as well so that your developers can tighten up that aspect of your application for more identification protection.

  2. Detect and Prevent Web-based Attacks

     By deploying a Web application firewall into your application stack, you can fully comply with PCI-DSS Section 6.6, which requires addressing new threats and vulnerabilities on an ongoing basis and ensuring these applications are protected against known attacks. The NetScaler Application Firewall module included in Platinum Edition provides continuous protection and can dynamically adjust to changes in your application code.

  3. Prevent Buffer Overflow, XML Security, Cross Site Scripting, & SQL Injection

     The NetScaler Web Application Firewall helps close the door on many common coding vulnerabilities outlined in PCI-DSS Section 6.5. By utilizing XML security protections, form tagging, dynamic context sensitive protections, and deep stream inspection, you can block, log, and report on these common security vectors and ensure your development team can shore up your applications.

How to Order
SoftLayer offers Citrix NetScaler VPX Standard and Platinum Editions in multiple bandwidth packages—10Mbps, 200Mbps, and 1Gbps. Order these quickly and easily from your customer portal devices page (click order devices, scroll to networking devices, and select Citrix NetScaler).

SoftLayer also provides the NetScaler MPX for customers that require a dedicated hardware appliance running the NetScaler OS that can handle thousands of concurrent SSL transactions. To order the MPX product, chat with one of our sales advisors.

Be sure to take a look at some of the other features included with Citrix NetScaler.

Learn More About PCI-DSS
SoftLayer supports PCI workloads by providing the physical security required in the DSS. Within the customer portal you’re able to pull our most recent SOC 2 Type II audit report. You can use this as part of your compliance strategy. The rest is up to you to take advantage of the tools and services to make sure you meet the remaining PCI standards. Additionally, when you’re working with your PCI-DSS qualified security assessor, we can also provide an Attestation of Compliance.

For more information on compliance standards, check out http://www.softlayer.com/compliance.

-Seth

January 6, 2015

Three Ways to Enhance Your SoftLayer Portal Account Security

We’ve recently discussed how to craft strong passwords and offered advice on choosing a password manager, but we haven’t yet touched on multi-factor authentication (MFA), which has been available to our customers for many years now.

What is MFA?
MFA is another line of defense for securing your user accounts within the customer portal. The concept behind MFA is simple: Users present two (or more) ways to authenticate themselves by providing something known, such as a user name and password, and something possessed, such as a one-time password generated by a device or software application.

Why is MFA important?
Keeping passwords secure has always been a moving target. While you can train staff and enforce complex password policies, it’s difficult to prevent users from writing passwords down, saving them to files, or sharing them with others. By adding MFA, simply having a user password doesn't grant access to the resource. A user will need the user password in addition to an MFA token device, smartphone, or application.

What MFA options are available at SoftLayer?
SoftLayer offers three MFA methods to enhance portal account security:

Symantec Validation and ID Protection (VIP) – After this app is downloaded to a smartphone, it generates a one-time password when accessed. This product can be used to securely access the SoftLayer portal. The app is $3 a month per user.

PhoneFactor – A unique system where a one-time password is texted to a mobile phone. Users also have the option of receiving a phone call to input a PIN before receiving a one-time password. This can be used to access the portal as well as the SoftLayer SSL VPN. PhoneFactor costs $10 a month per user.

Google Authenticator – Another smartphone application that generates one-time passwords and can also be used to securely access the SoftLayer portal. This can be added for any user on an account free of charge.

Quickly Add MFA to SoftLayer Portal Users Today
It’s easy to add any of these MFA services to portal user accounts.

To add Symantec VIP or PhoneFactor:
  1. Log in to SoftLayer portal as the master user.
  2. Under the Account Tab click on Users.
  3. In the right hand column for each user, click the Actions icon and select Add External Authentication. You’ll then be able to subscribe to Symantec or PhoneFactor for that user.

To add Google Authenticator:
  1. Log in to SoftLayer portal as the master user.
  2. From the Accounts dropdown menu, select Users and then select your user account name.
  3. Scroll down and click the link to Add Google Authenticator to your account.
  4. From there, just snap the QR code with your GA application and you’re all set. The next time you log in you’ll be prompted to enter your authentication code after entering your username and password.

Any of these three MFA solutions will help ensure that your portal user accounts are secure, and all of them are easy to set up and quick to install. Feel free to reach out if you have any suggestions or questions about MFA with SoftLayer.

- Seth

October 14, 2014

Enterprise Customers See Benefits of Direct Link with GRE Tunnels

We’ve had an overwhelming response to our Direct Link product launch over the past few months and with good reason. Customers can cross connect into the SoftLayer global private network with a direct link in any of our 22 points of presence (POPs) providing fast, secure, and unmetered access to their SoftLayer infrastructure from their remote data center locations.

Many of our enterprise customers who’ve set up a Direct Link want to balance the simplicity of a layer three cross connection with their sophisticated routing and access control list (ACL) requirements. To achieve this balance, many are using GRE tunnels from their on-premises routers to their SoftLayer Vyatta Gateway Appliance.

In previous blogs about Vyatta Gateway Appliance, we’ve described some typical use cases as well as highlighted the differences between the Vyatta OS and the Vyatta Appliance. So we’ll focus specifically on using GRE tunnels here.

What is GRE?
Generic Routing Encapsulation (GRE) is a protocol for packet encapsulation to facilitate routing other protocols over IP networks (RFC 2784). Customers typically create two endpoints for the tunnel: one on their remote router and the other on their Vyatta Gateway Appliance at SoftLayer.

How does GRE work?
GRE encapsulates a payload, an inner packet that needs to be delivered to a destination network, within an outer IP packet. Between the two GRE endpoints, all routers look at the outer IP packet and forward it toward the endpoint, where the inner packet is parsed and routed to its ultimate destination.

Why use GRE tunnels?
If a customer has multiple subnets at SoftLayer that need to be reached, they would need multiple tunnels to them if they were not encapsulating with GRE. Since GRE encapsulates traffic within an outer packet, customers are able to route other protocols within the tunnel and route multiple subnets without multiple tunnels. A GRE endpoint on Vyatta will parse the packets and route them, eliminating that challenge.

Many of our enterprise customers have complex rules governing what servers and networks can communicate with each other. They typically build ACLs on their routers to enforce those rules. Having a GRE endpoint on a Vyatta Gateway Appliance allows customers to route and manage internal packets based on specific rules so that security models stay intact.
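
The encapsulation described under "How does GRE work?" and the endpoint-side view that makes inner-packet ACLs possible, as an added Python example that is not Vyatta code or part of the original post. It handles the basic RFC 2784 header with an IPv4 payload only; the addresses are constructed and the function names are assumptions.

```python
import socket
import struct

GRE_PROTO = 47           # IPv4 protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE Protocol Type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Outer IP header + 4-byte RFC 2784 GRE header + untouched inner packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no checksum, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:])

def gre_decapsulate(packet):
    """Tunnel-endpoint view: strip the outer IP and GRE headers."""
    _, _, proto, payload = parse_ipv4(packet)
    if proto != GRE_PROTO or len(payload) < 4:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0x7C07:  # RFC 2784: bits 1-5 and the version must be zero
        raise ValueError("unsupported GRE flags or version")
    offset = 8 if flags & 0x8000 else 4  # C bit adds checksum + reserved1
    if ptype != ETHERTYPE_IPV4 or len(payload) < offset:
        raise ValueError("unsupported GRE payload")
    return payload[offset:]

# Constructed sample: on-premises host to a SoftLayer-side private address,
# carried between two tunnel endpoints (documentation address ranges).
INNER = ipv4_header("192.168.10.5", "10.20.30.40", 6, 4) + b"data"
TUNNELED = gre_encapsulate(INNER, "203.0.113.1", "198.51.100.2")

if __name__ == "__main__":
    print("transit routers see:", parse_ipv4(TUNNELED)[:3])
    print("endpoint routes on: ", parse_ipv4(gre_decapsulate(TUNNELED))[:3])
```

Routers between the endpoints can filter only on the outer tunnel addresses; rules that refer to the inner source and destination have to be applied at the endpoint after decapsulation.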

GRE tunnels can allow customers to keep their networking scheme, meaning customers can add IP addresses to their SoftLayer servers and directly access them, eliminating any routing problems that could occur.

And, because GRE tunnels can run inside a VPN tunnel, customers can put the GRE inside of an IPsec tunnel to make it more secure.

Learn More on KnowledgeLayer

If you are considering Direct Link to achieve fast and unmetered access with the help of GRE tunnels and Vyatta Gateway Appliance but need more information, the SoftLayer KnowledgeLayer is continually updated with new information and best practices. Be sure to check out the entire section devoted to the Vyatta Gateway Appliance.

- Seth
