SSL Certificates, Firewalls & DDoS Protection
At Autoize, we take security very seriously. Taking control of your data with a self-hosted app is a responsibility. With threats such as man-in-the-middle (MITM), downgrade and denial of service (DDoS) attacks, a bad actor could be listening in to your communications or bring your business to its knees.
A properly configured SSL certificate, firewall and DDoS protection are important components for securing any Internet-facing web application. Keeping open source software patched and up-to-date is also essential.
Fortunately for small businesses without a dedicated security team, there are a few cloud based services that can keep you safe with minimal ongoing cost. Our consultants strongly suggest considering these security products when you hire us for an open source software implementation.
Cost: Free to $1,000 per year
Recommendation: All websites and web applications should be served over HTTPS with a secure cipher suite.
In layman’s terms, SSL certificates are the “padlock” when you visit a secure site in your browser. They are issued by a trusted Certificate Authority (CA) to ascertain the identity of a remote server to the user, i.e. you are securely communicating with who the website claims to be.
Not all certs are created equal, but there’s also less of a difference than most people realize between the ordinary and most pricey offerings. So long as you use any CA trusted by the major browsers (Chrome, Firefox, IE or Edge), most of the difference in security depends on the configuration. If your HTTPS website is scoring any less than an A or A+ on Qualys SSL Labs’ test, you should be concerned.
We have implemented anything from auto-renewing, free certificates issued by Let’s Encrypt, to commercial wildcard and Extended Validation (EV) certificates for our customers. A security consultant can help you identify how many subdomains you need to protect, and whether you need a domain and extended validation certificate.
Standard SSL certificates are domain validation (DV) certificates, where the CA merely verifies you have control over the Common Name (CN) domains or subdomains in the certificate. This is usually done by uploading a file to your server, a DNS entry or clicking a confirmation link sent to a WHOIS email. Domain validation certificates tend to be inexpensive at $15 – 20 per year and can be issued in minutes.
The process of obtaining an Extended Validation (EV) certificate is more involved, because it certifies that you represent your organization, in addition to the domain. It can take several business days to issue one because a human needs to verify your corporate documents and contact information with public records. Most browsers display the organization name, in addition to the padlock for an EV secured website. The price is typically $300 – $900 per year.
Software, Network and Web Application Firewalls
Cost: Free to $8,000 or more per year
Recommendation: Implement a software and network firewall, and optionally a Web Application Firewall (WAF).
Firewalls come in many types, but what the typical small business needs is a properly configured software and network firewall. Host your app in the cloud? A firewall such as iptables or ufw combined with VPC firewall rules, go a long way towards keeping you secure with no additional cost. When we deploy an application, we design the architecture to minimize the number of ports left open to maximize your security.
If your app is already up & running, it’s worth another look to see if any unnecessary ports were left open when your app was being installed or maintained. Carefully considering which corporate IPs need access to administration protocols, such as SSH or RDP, can also greatly improve security. Rearchitecting your network with new security groups, private subnets and “jump boxes” can minimize the risk in case a single server is compromised.
Web Application Firewalls with stateful packet inspection features are available for enterprises with special security needs. WAFs use advanced heuristics and AI technology to block zero-day attacks, such as SQL injection and XSS (cross site scripting) exploits. Depending on your needs, prices range from $20/month with CloudFlare’s Pro plan to $8,000+/yr for Barracuda’s Virtual Appliance. For AWS CloudFront or Application Load Balancer users, their WAF is available for $5 per ACL, $1 per rule monthly and $0.60 per million web requests.
Cost: Free to $200 per month
Recommendation: Have DDoS protection in place before an attack occurs.
The goal of a distributed denial of service (DDoS) attack is to immobilize your infrastructure by flooding it with traffic, for instance, until your web servers crash. The traffic usually originates from botnets, comprised of innocent computers commandeered by malware. A DDoS protection service may use a combination of blacklists, pattern based inspection and challenge pages to block automated requests to your website, while preserving access for legitimate visitors and search engine robots.
The best time to put your website behind a DDoS protection service is before you’re targeted for an attack. If your website is vital to your economic interests and/or addresses controversial content, you are undoubtedly a target.
CloudFlare is a popular DDoS protection provider that can protect a variety of applications hosted on any cloud from Layer 3, Layer 7 and DNS attacks. With 10 Tbps in network capacity, CloudFlare is believed to be able to mitigate DDoS attacks up to 10X larger than the most severe one ever recorded.
As a content delivery network (CDN), your application sits behind their points of presence (edge nodes) around the world. Using Page Rules, you can enable caching of static content for a performance boost, in addition to security. If you enable CloudFlare from day one, the IP of your server will remain unknown to your attackers, preventing them from going around the CDN to assault you directly. CloudFlare’s plans start from free, to $200/month and up for the Business and Enterprise plans for features such as custom SSL certificates, additional page rules and PCI compliance.
If you aren’t already using a CDN such as AWS Cloudfront with built-in DDoS protection, you need to seriously consider adding CloudFlare to your arsenal to prevent costly downtime. You need to switch over your DNS to CloudFlare, a process that our team can help you carefully manage to ensure the transition is seamless.