DoS attack mitigation/rate limiting on SAP BTP CF app APIs - sap-cloud-platform

I am developing a side-by-side extension application on the SAP BTP Cloud Foundry environment. The application's business APIs are provided by Java microservices and exposed to the frontend via the SAP CF Approuter. My requirement is to capture certain malicious activity by a logged-in user, in terms of flooding the service calls via some bot, through some rate limiting or DoS attack prevention mechanism. Is there any way the SAP BTP CF environment can handle this requirement by design, or through some settings for the underlying applications built on top of it?

Yes, SAP BTP has built-in support to protect applications from Denial of Service (DoS) attacks.
SAP BTP uses the following security features to safeguard applications against DoS attacks:
Rate limiting
Auto-scaling
Network protection
Apart from that, SAP BTP provides cloud infrastructure security measures and network protection against malicious traffic, helping to prevent DoS attacks. However, the exact features and the level of protection may vary depending on the specific SAP BTP service used.

SAP BTP Cloud Foundry unfortunately does not provide any built-in mechanism to protect your application from misuse in the form of Denial of Service (DoS) attacks at this point in time.
That said, you would need to either implement a rate limiter yourself or take advantage of an existing solution (such as Spring Cloud Zuul RateLimit).
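One way to implement the "rate limiter yourself" option, as an added example that is not part of the original answer and not SAP's code: a token-bucket limiter keyed on the authenticated user (the question is about a logged-in user or a bot holding that user's session, so keying on the source IP alone would miss it and would also punish users behind a shared NAT). It is written as Node-style middleware because the SAP Approuter is a Node.js application. The `req.user` field, the logging sink, and the approuter hook shown in the trailing comment (`beforeRequestHandler.use`, from SAP's approuter extension documentation) are assumptions and are not verified here; the limiter class itself runs stand-alone.

```javascript
// Added example: per-user token-bucket rate limiter as Node-style middleware.
// Not SAP's code. An injectable clock (`now`) keeps it deterministic for tests.

class TokenBucketLimiter {
  // capacity: maximum burst; refillPerSec: sustained rate; now: clock in ms
  constructor({ capacity = 20, refillPerSec = 5, now = () => Date.now() } = {}) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, last }
  }

  // True if the request identified by `key` may proceed, false if it should get 429.
  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = Math.max(0, (t - b.last) / 1000);
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Whole seconds until one token is available again (for the Retry-After header).
  retryAfterSec(key) {
    const b = this.buckets.get(key);
    if (!b || b.tokens >= 1) return 0;
    return Math.ceil((1 - b.tokens) / this.refillPerSec);
  }

  // Drop buckets idle longer than idleMs so memory stays bounded with many users.
  sweep(idleMs) {
    const t = this.now();
    for (const [k, b] of this.buckets) if (t - b.last > idleMs) this.buckets.delete(k);
  }
}

// Key on the authenticated subject; fall back to the client IP when unauthenticated.
// Assumption: the router's authentication layer populates req.user.
function requestKey(req) {
  const user = req.user && (req.user.id || req.user.name);
  const ip = req.ip || (req.socket && req.socket.remoteAddress) || 'unknown';
  return user ? `user:${user}` : `ip:${ip}`;
}

// Middleware factory: rejects with 429 + Retry-After and emits a structured log
// line (constructed format) that can be forwarded to an audit trail or SIEM.
function rateLimitMiddleware(limiter, log = console.warn) {
  return function (req, res, next) {
    const key = requestKey(req);
    if (limiter.allow(key)) return next();
    log(JSON.stringify({ event: 'rate_limit_exceeded', key, path: req.url, ts: limiter.now() }));
    res.statusCode = 429;
    res.setHeader('Retry-After', String(limiter.retryAfterSec(key)));
    res.end('Too Many Requests');
  };
}

// Wiring into the approuter (assumption: @sap/approuter extension API, not verified here):
//   const approuter = require('@sap/approuter');
//   const ar = approuter();
//   ar.beforeRequestHandler.use(rateLimitMiddleware(
//     new TokenBucketLimiter({ capacity: 30, refillPerSec: 10 })));
//   ar.start();
```

Because the approuter usually runs with more than one instance, an in-memory bucket only limits per instance; for a cluster-wide limit the bucket state would have to live in a shared store (for example Redis on BTP) and the same allow/refill logic applied there.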

Related

Is an API gateway used to facilitate REST API communication with microservices?

I am developing a website which is based on a microservices architecture and is containerized with Docker. Now I want to communicate with the microservices using a REST API. I read some articles which show diagrams where the API gateway makes connections to the microservices. I am confused about the main purpose of the API gateway.
Gateways are used for cross-cutting concerns like authentication, logging and redirecting to the respective backend services. They are usually the single point of entry for applications and are exposed publicly. The rest of the services can sit behind a firewall that your gateway has access to, making the backend services secure. You also write your resiliency logic in the gateway by implementing retry or circuit breaker patterns, etc.
The gateway has advantages, but it can be a single point of failure, so make sure it's highly available by deploying redundant copies.
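The resiliency logic the answer mentions (circuit breaker and bounded retry in front of each upstream), as an added example that is not part of the original answer: a routing table that maps public path prefixes to upstreams, each with its own breaker so one failing microservice cannot consume the gateway's capacity, and a retry helper with exponential backoff that stops immediately when the circuit is open. Upstream names and route prefixes are constructed for the example.

```javascript
// Added example: circuit breaker + bounded retry as used inside an API gateway.
// Not from the original post; upstream addresses and routes are constructed.

class CircuitBreaker {
  constructor({ failureThreshold = 3, resetTimeoutMs = 30000, now = () => Date.now() } = {}) {
    this.failureThreshold = failureThreshold;
    this.resetTimeoutMs = resetTimeoutMs;
    this.now = now;
    this.state = 'CLOSED'; // CLOSED -> OPEN -> HALF_OPEN -> CLOSED
    this.failures = 0;
    this.openedAt = 0;
  }

  // May a call proceed? After the reset timeout, OPEN lets one probe through as HALF_OPEN.
  canRequest() {
    if (this.state === 'OPEN') {
      if (this.now() - this.openedAt >= this.resetTimeoutMs) {
        this.state = 'HALF_OPEN';
        return true;
      }
      return false;
    }
    return true;
  }

  onSuccess() {
    this.failures = 0;
    this.state = 'CLOSED';
  }

  // A failed probe in HALF_OPEN re-opens immediately; otherwise trip at the threshold.
  onFailure() {
    this.failures += 1;
    if (this.state === 'HALF_OPEN' || this.failures >= this.failureThreshold) {
      this.state = 'OPEN';
      this.openedAt = this.now();
    }
  }

  // Run an async upstream call through the breaker; fails fast while OPEN.
  async exec(fn) {
    if (!this.canRequest()) {
      const err = new Error('circuit open');
      err.code = 'ECIRCUITOPEN';
      throw err;
    }
    try {
      const result = await fn();
      this.onSuccess();
      return result;
    } catch (e) {
      this.onFailure();
      throw e;
    }
  }
}

// Retry with exponential backoff, bounded so a retry storm cannot itself
// overload the backend; an open circuit is never retried.
async function withRetry(fn, { attempts = 3, baseDelayMs = 50,
  sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = {}) {
  let lastErr;
  for (let i = 0; i < attempts; i++) {
    try {
      return await fn();
    } catch (e) {
      lastErr = e;
      if (e.code === 'ECIRCUITOPEN') break;
      if (i < attempts - 1) await sleep(baseDelayMs * 2 ** i);
    }
  }
  throw lastErr;
}

// Routing table: public prefix -> private upstream, one breaker per upstream.
const routes = [
  { prefix: '/api/orders', upstream: 'http://orders:8080', breaker: new CircuitBreaker() },
  { prefix: '/api/users', upstream: 'http://users:8080', breaker: new CircuitBreaker() },
];

// Longest matching prefix wins; null means the gateway answers 404 itself and
// nothing unknown is ever forwarded to the private network.
function resolveRoute(path, table = routes) {
  let best = null;
  for (const r of table) {
    const hit = path === r.prefix || path.startsWith(r.prefix + '/');
    if (hit && (!best || r.prefix.length > best.prefix.length)) best = r;
  }
  return best;
}
```

A request handler would then do `const r = resolveRoute(req.url)` and, if found, `await withRetry(() => r.breaker.exec(() => forward(r.upstream, req)))`, mapping `ECIRCUITOPEN` to a 503 so clients back off instead of piling up on a dead upstream.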

Is IBM Cloud Dedicated the right solution for deploying our application inside the corporate network?

We want to deploy our application on a cloud inside our corporate network so that it can be used to test APIs that exist within that network. We do not want to allow public access to this application nor to the internal APIs.
I've looked at deploying ICP internally onto resources (VMs) we've made available, but am wondering if IBM Cloud Dedicated is the better solution since I believe it's closer to IBM Cloud, which is where we've deployed our public-facing application.
IBM Cloud Dedicated is a single-tenant cloud environment, but it's hosted in an IBM data centre, so it might not meet your requirements. It can use VPN to securely connect to the local data centre - but that's also possible with public cloud, using the Secure Gateway. Depending on the sensitivity of the application, public cloud and secure gateway could be a good solution.
If you do want something inside the corporate network, IBM Cloud Private (ICP) is a good choice. It's a significant part of IBM's hybrid cloud guidance so I personally wouldn't worry too much about technical differences between it and the public cloud.

Best way to configure an NSG rule for a mobile app client and a Service Fabric hosted API

We have the following structure for our application. Currently we have used Any for both source and destination (on port 3389) while defining the NSG rule for our Service Fabric to allow calls from the mobile app. But our security team has raised concerns about the Any-Any rule. Is there any way to optimize this?
Note: our mobile app is public and anyone can download from app store.
An Any-to-Any rule really opens SF up to attack, so you should limit the source IP to your Traffic Manager given your current model.
Azure API Management already has built-in support for Service Fabric, so my suggestion is to remove the Traffic Manager between API Management and SF. Then what you can do is limit the traffic to SF so that it only comes from API Management, which is much easier.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-api-management-overview
The authentication requirement you can delegate to API Management, i.e. validate the JWT token.

Security for on-prem/cloud REST Application

I've been reading security articles for several days, but have no formal training in the field. I am developing a configuration and management application for an IoT device. It is meant to be run either on an internal network, or accessed over the web.
My application will be used by IT admins, managers, and factory-floor workers. Depending on the installation, there will be varying levels of infrastructure in place. It could run on a laptop on the floor itself, on a server, or hosted in the cloud. For this reason, we can not assume that our clients will have the kind of infrastructure you might find at a datacenter or in the cloud, for example CAS or NTP.
Our application provides a REST API for client applications to gather data. We'd like to use roles to restrict what data users can access. I've gathered that a common solution for authentication is to encode the username/pass in the REST Header. However, this is completely insecure unless sent over a secure channel.
As I understand it, SSL Certification Authorities grant certs for a specific domain. Our application will have no set domain, and a different IP depending on the installation. Many web applications do not trust self-signed certs. It's not clear to me whether a self-signed application is good enough for a typical application-developer who will be consuming our interface.
With this being the case:
1) What are my options to set up a secure channel, internally or via the web?
2) Am I making assumptions about how our product will be used that damage our users' security unnecessarily?
Well, you can use custom encryption to encrypt the data being sent to the applications.
You can also use JSON Web Tokens to secure your REST API. https://en.wikipedia.org/wiki/JSON_Web_Token. The JSON tokens could be generated by a centralized authentication server and included in all requests sent by the client applications to the server.

Is Citrix NetScaler restricted solely to servers running Citrix?

I understand that Citrix NetScaler usually sits in front of Citrix servers. Does it also sit in front of non-Citrix servers?
>Does it also sit in front of non-citrix servers?
Yes. It is a full-blown load balancer. Or using the newer, fancier, term an "Application Delivery Controller".
It will do all the typical work:
distributing to backend
monitoring backend (using several included service monitors)
arrange persistence to backend
offload authentication to frontend and authenticate to backend
offload SSL/TLS from backend
And also:
SSL-VPN gateway
Web cache
Web front-end optimization (compression, JavaScript minification, sharding, etc.)
Web application firewall
There are several editions and only the most expensive one will give you all the features. Also SSL-VPN is licensed by concurrent users.
It can be used for all other servers for various purposes.
It depends on how it's configured; you can use it for Layer 4 load balancing (at Layer 4, a load balancer has visibility of network information such as application ports and protocol (TCP/UDP)), as a reverse proxy, for storage, etc.