27 Dec 2011

Secure Linux in the Balanced Cloud

A recent client project required a resilient framework from which to deliver their secure web-facing application. Their initial request was for a load-balanced Linux AWS EC2 platform with MySQL replication and HTTPS (SSL) access. What we delivered provided all this, with the added bonus of intrusion detection and self-monitoring, self-healing servers with email alerting. Below is a schematic displaying the build and server relationships. A detailed explanation follows.



The project was completed in a mere five days, from initial on-site consultation to actual go-live on the fifth day. Both ourselves and the client were very pleased with the outcome.

Technology breakdown

  • Instances used were all based on the 64-bit (x64) Ubuntu 10.04 LTS EC2 EBS image (Canonical supplied), which we tailored to specific server functions as required. To cater for the nature of load, and to provide dynamic capacity for future expansion, 64-bit instances are preferred, as related EC2s can be self-upscaled to higher-capacity instances in a matter of minutes with no requirement to re-install the build into a new image. Using Ubuntu also opens up potential for EBS (root volume) expansion using resize2fs.
  • We used the Cherokee webserver on the application boxes. Cherokee offers a big step up in configurability and administration over basic Apache, whilst also providing a much wider range of web utilities and services.
  • Load balancing was configured for application-side sticky sessions set to client specifics.
  • Rsync was used via configured cron jobs for application data pool mirroring, with MySQL master/slave replication configured accordingly to provide real-time database backup.
  • Instances were double-firewalled at both AWS security group and operating system level, with all IPs nailed down between respective servers only.
  • OSSEC was used for intrusion detection, with remote agents applied to all servers, and Monit was installed on each server, configured to alert dynamically and restart any failed services.
  • Authorised SSL client connectivity was provided from a single SSL CA applied to the AWS load balancer. This gives the advantage of being able to use a single cert across multiple IPs/servers, something which can, and does, give problems in other virtual hosting platforms where a single-IP-per-server model is used. Load balancer traffic was secured between hosted instances only, using a combination of tied IPs and self-signed certs; the AWS load balancer has no problems with self-signed CAs and accepts them readily on port 443 without warning.
  • Extra security measures included SSH lockdown (root disabling etc.) plus non-default port configurations for all services.
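
The SSH lockdown in the last bullet can be checked mechanically. The following is an added example, not part of the original build or post: a Python audit of sshd_config text that follows sshd's own rules (the first value read for a keyword wins, Port may repeat, Match blocks override the global section). The sample config, function names and findings wording are constructed for illustration.

```python
import re

# Constructed sample config (an assumption, not taken from the original build).
SAMPLE = """\
# hardened global section
Port 22022
permitrootlogin no
# ignored by sshd: the first value read for a keyword wins
PermitRootLogin yes
Match Address 10.0.0.0/24
    PermitRootLogin yes
"""

# keyword, then whitespace or a single '=', then the argument(s)
LINE = re.compile(r"(\w+)\s*(?:=\s*|\s+)(.+)")

def parse(text):
    """Return (global_settings, match_overrides) the way sshd reads them."""
    settings, overrides, section = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())        # comment and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            section = value                # everything below belongs to this block
        elif section is not None:
            overrides.append((section, key, value))
        elif key == "port":
            settings.setdefault(key, []).append(value)   # Port may repeat
        else:
            settings.setdefault(key, value)              # first value wins
    return settings, overrides

def audit(text):
    """List findings against: root login disabled, no listener on port 22."""
    settings, overrides = parse(text)
    findings = []
    # Require an explicit 'no': the built-in default differs between OpenSSH versions.
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if "22" in settings.get("port", ["22"]):             # no Port line means 22
        findings.append("sshd listens on default port 22")
    for section, key, value in overrides:
        if key == "permitrootlogin" and value.lower() != "no":
            findings.append(f"Match {section} re-enables root login ({value})")
    return findings
```

On the sample, the duplicate global `PermitRootLogin yes` is harmless, but the Match block is reported because it re-enables root login for that address range.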

If you are interested in the above, would like further information on the specifics, or require a load-balanced, resilient platform for your own web application, we would be more than happy to help and advise. Simply get in touch via the contact page on the main website - http://cirronix.com

Cirronix are based in Leeds, West Yorkshire, and you would be most welcome to visit us at the office to discuss your requirements. Alternatively, we can come and see you; although we work in the cloud, it's always nice to hook up in the real world.
