CyberStore Ecommerce 2023 Documentation
Description of Security Practices for Dovetail Private Cloud Hosting Environment

Summary

CyberStore Oasis sites have routine procedures to keep the hosting environment secure and free of known issues. Key procedures include daily backups, firewall protections such as DoS and DDoS mitigation and intrusion detection, network segmentation of the production environment, segregation of duties with limited system administration access, and routinely scheduled patch maintenance.

Environment Architecture

CyberStore Oasis sites are managed in a private cloud of web and database servers running on a VMware based server cluster. The primary cluster is located in a Tier 1 datacenter, in space specifically assigned to CyberStore Oasis. This allows us to maintain oversight of changes in the environment and tight control over who has access to it.

Backup

Backup and restore procedures are in place for all production servers. CyberStore Oasis sites leverage Barracuda Backup technology, which provides daily encrypted backups with inline deduplication, offsite vaulting with data recovery, and LiveBoot and Instant Replacement options.

In addition to the built-in verification technology, full server restore tests are performed periodically. No issues have been found to date; any test failure would be addressed right away.

DOS and DDOS Protection

To protect against large-scale Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, CyberStore Oasis sites use Barracuda Next Generation/CloudGen Firewalls that profile standard traffic patterns, identify attack traffic, and filter it out while allowing legitimate traffic through.

In today's world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel denial of service attacks. With TCP SYN Flood Protection, the firewall functions as a generic TCP proxy: it answers the client's SYN itself and forwards a connection to the inside of the network only once the client completes the handshake, so spoofed SYNs that never complete are never seen by the servers.

Additionally, the firewalls allow the definition of a rate limit on the maximum number of sessions per source address that the firewall will handle. Packets arriving at a rate faster than allowed are simply dropped.

In a massive DDoS attack, the attackers may instead aim to saturate the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of the firewalls diagnoses such conditions by link and target address monitoring. Once a remote target address stops responding to regular ICMP probing, the system can be configured to activate different routes and uplinks (for example a backup line, ISDN, or xDSL). Using this feature, traffic continues unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.
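The two TCP-level controls described above, the per-source session rate limit and the SYN-proxy behaviour, are easiest to reason about on a small connection log. The following is an added example written for this page, not CyberStore's or Barracuda's own code; the event log, the source addresses (documentation ranges), the cap of 10 new sessions per source per second, and the function names are all constructed assumptions. It shows that a sliding-window cap admits a flooder's first burst but then throttles it, and that a proxy which only forwards completed handshakes never passes the flooder's half-open SYNs to the servers.

```python
"""Per-source session rate limiting and SYN-proxy admission over a
constructed TCP connection log.

Added example, not part of the CyberStore documentation or Barracuda's
firmware. Timestamps are integer milliseconds so the window arithmetic is
exact. Events are assumed to be in time order.
"""
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Admit at most `max_sessions` new sessions per source in any window."""

    def __init__(self, max_sessions: int, window_ms: int):
        self.max_sessions = max_sessions
        self.window_ms = window_ms
        self._starts = defaultdict(deque)  # src -> timestamps of admitted SYNs

    def allow(self, ts: int, src: str) -> bool:
        q = self._starts[src]
        # Expire admitted sessions that have fallen out of the sliding window.
        while q and ts - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.max_sessions:
            return False  # over the cap: the packet is simply dropped
        q.append(ts)
        return True


def rate_limit(events, limiter):
    """Return {src: {"accepted": n, "dropped": n}} counting SYNs only.

    Only a SYN opens a session and counts against the cap; packets of an
    already admitted session pass through unchanged.
    """
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, src, flag in events:
        if flag != "SYN":
            continue
        key = "accepted" if limiter.allow(ts, src) else "dropped"
        stats[src][key] += 1
    return dict(stats)


def syn_proxy(events):
    """Model the firewall as a generic TCP proxy.

    A SYN is answered by the proxy and held as half-open; a connection is
    forwarded to the inside only when the client's final ACK arrives. A
    spoofed-source flood never ACKs, so it never reaches the servers.
    Returns {src: {"forwarded": n, "half_open": n}}.
    """
    pending = defaultdict(int)
    result = defaultdict(lambda: {"forwarded": 0, "half_open": 0})
    for _ts, src, flag in events:
        if flag == "SYN":
            pending[src] += 1
        elif flag == "ACK" and pending[src] > 0:
            pending[src] -= 1
            result[src]["forwarded"] += 1
    for src, n in pending.items():
        result[src]["half_open"] = n
    return {src: dict(v) for src, v in result.items()
            if v["forwarded"] or v["half_open"]}


# Constructed sample log: (timestamp_ms, source, tcp_flag).
# 203.0.113.10 is a legitimate client: three short sessions, each SYN
# completed by an ACK. 198.51.100.7 is a flooder: 40 SYNs in two seconds
# and no ACK, which is what a spoofed-source SYN flood looks like.
LEGIT = [
    (0, "203.0.113.10", "SYN"), (100, "203.0.113.10", "ACK"),
    (500, "203.0.113.10", "SYN"), (600, "203.0.113.10", "ACK"),
    (1000, "203.0.113.10", "SYN"), (1100, "203.0.113.10", "ACK"),
]
FLOOD = [(20 + 50 * i, "198.51.100.7", "SYN") for i in range(40)]
SAMPLE_EVENTS = sorted(LEGIT + FLOOD)

if __name__ == "__main__":
    # Cap of 10 new sessions per source per 1000 ms (assumed policy value).
    print(rate_limit(SAMPLE_EVENTS, PerSourceRateLimiter(10, 1000)))
    print(syn_proxy(SAMPLE_EVENTS))
```

With these inputs the limiter admits the flooder's first ten SYNs, drops the next ten, then admits ten more once the first batch ages out of the window, while the legitimate client is never throttled; the proxy model forwards all three legitimate connections and leaves all forty flood SYNs half-open at the firewall. A real deployment also needs a ceiling on total half-open entries, since the proxy itself holds that state.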

Intrusion Detection and Prevention

CyberStore Oasis sites leverage Barracuda Next Generation/CloudGen firewall technology to provide Intrusion Detection and Prevention Systems (IDS/IPS). These systems enhance network security by providing comprehensive real-time protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases, preventing network attacks such as:

As a result, the firewalls are able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

Patch Maintenance

We perform patch maintenance, such as Microsoft Windows patching, monthly on all production servers. Underlying and supporting devices are patched and updated on a semi-annual or annual basis, depending on the vendor's release cycle. Whenever a critical security patch is released, it is evaluated for relevance to the hosting environment, tested, and deployed right away.