All communication with the outside world passes through access-list-enabled firewalls. This configuration blocks the majority of unwanted traffic as well as network-based attacks, and it also protects the next few layers of security mechanisms from overload. Traffic that has been allowed to pass through the routers is screened by network firewalls to ensure that only legitimate protocols are used and that session integrity is maintained. Only HTTP (80) and HTTPS (443) are allowed into the network. The firewalls direct acceptable protocols to the servers and block all others.
Dapresy has two ways of accessing the servers. One is by using computers in the offices over the IPSec tunnel that connects us with the datacenter. The second option is using SSL VPN to connect to the servers. The SSL VPN access list is always kept up to date. VPN is required to administrate servers, either via SSL VPN or IPSec. Advanced OS logging is performed during remote access sessions. All unnecessary services/ports are removed, with only authorized access allowed.
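The policy described above (only TCP 80/443 inbound from the internet, administrative access only over SSL VPN or the IPSec tunnel, and an explicit default deny) can be checked mechanically against an exported rule list. The following is an added example and not Dapresy's own tooling or configuration: the rule format, the VPN and IPSec address ranges, the set of administrative ports and the sample rules are all constructed assumptions.

```python
"""Audit a simplified firewall rule list against the stated ingress policy.

Example code added for illustration; the rule format, the management
address ranges and the sample rules are constructed, not real configuration.
"""
import ipaddress
from typing import Dict, List

# Inbound services that may be reached from the internet ("any" source).
PUBLIC_ALLOWED = {("tcp", 80), ("tcp", 443)}

# Assumed management networks: the SSL VPN address pool and the office side
# of the IPSec tunnel. Placeholder values, not Dapresy's real ranges.
ADMIN_SOURCES = [
    ipaddress.ip_network("10.200.0.0/24"),  # SSL VPN pool (assumed)
    ipaddress.ip_network("10.10.0.0/16"),   # office side of IPSec tunnel (assumed)
]

# Ports that count as server administration (SSH, RDP, WinRM); assumed set.
ADMIN_PORTS = {22, 3389, 5985, 5986}


def _is_admin_source(src: str) -> bool:
    """True if src is a network fully contained in one of the VPN/IPSec ranges."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(a.version == net.version and net.subnet_of(a) for a in ADMIN_SOURCES)


def audit(rules: List[Dict]) -> List[str]:
    """Return a list of policy violations found in an ordered rule list.

    Each rule is a dict with keys action ("allow"/"deny"), direction ("in"/"out"),
    proto ("tcp"/"udp"/"any"), src (CIDR or "any") and dst_port (int or "any").
    """
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow" or r["direction"] != "in":
            continue
        # Anything reachable from the whole internet must be HTTP or HTTPS.
        if r["src"] == "any" and (r["proto"], r["dst_port"]) not in PUBLIC_ALLOWED:
            findings.append(f"rule {i}: {r['proto']}/{r['dst_port']} open to the internet")
        # Administrative ports are only acceptable from the VPN / IPSec ranges.
        if r["dst_port"] in ADMIN_PORTS and not _is_admin_source(r["src"]):
            findings.append(
                f"rule {i}: admin port {r['dst_port']} reachable from {r['src']} (not VPN/IPSec)"
            )
    # The list must close with an explicit deny-all so nothing falls through.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any"
            and last["dst_port"] == "any"):
        findings.append("ruleset does not end with an explicit deny-all")
    return findings


# Constructed sample ruleset: rule 3 violates the policy on both counts.
SAMPLE_RULES = [
    {"action": "allow", "direction": "in", "proto": "tcp", "src": "any", "dst_port": 80},
    {"action": "allow", "direction": "in", "proto": "tcp", "src": "any", "dst_port": 443},
    {"action": "allow", "direction": "in", "proto": "tcp", "src": "10.200.0.0/24", "dst_port": 22},
    {"action": "allow", "direction": "in", "proto": "tcp", "src": "any", "dst_port": 3389},
    {"action": "deny", "direction": "in", "proto": "any", "src": "any", "dst_port": "any"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running the script on the sample list reports the RDP rule twice (open to the internet, and an admin port not restricted to the VPN/IPSec ranges); removing that rule yields no findings, and dropping the closing deny rule is reported as a missing default deny.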
Firewalls, DMZs and IDS/IPS
Dapresy uses the firewall and IDS/IPS services provided by data center partners. Firewalls are configured to use stateful packet inspection and cannot be dedicated on a per-client basis. Firewall notifications are only available to data center staff. A standard WAN-DMZ-LAN architecture is used at all Dapresy data centers. The IDS/IPS system at the data center logs everything and provides notification to data center staff.