Security

By the nature of its business and operating environment, Pipe Ten’s focus on and approach to security services are constantly evolving and generally operate on the bleeding edge of emerging threats.

Whilst the security of the infrastructure and its underlying software is important and must be considered, the nature of today’s complex interconnected applications, and the resulting threats and attack vectors, means a holistic approach must be taken, balancing the needs and priorities of all.

Our security services aim to improve the Confidentiality, Integrity and Availability of our own and our customers’ environments, exceeding the requirements of compliance whenever feasible and usable.

Anti-Virus

Pipe Ten are software agnostic and have experience with most of the main Anti-Virus applications. However, we have been an ESET partner and user for the past 10 years and found it to be the most reliable that we’ve used right across all platforms. It offers a highly advanced level of scheduled and real-time threat protection for web, database, laptop, mobile and more.

Our ESET partner status allows us preferential access to support, volume pricing and additional services.

Management of Anti-Virus configuration and patching can be self-enabled or managed through Pipe Ten’s patching services.

Alerts generated by Anti-Virus can be self-responded or escalated to a Pipe Ten engineer via our Monitoring & Response services.

Encryption

Encryption In-Transit

When data is in transit between applications, systems or locations it is best protected using appropriate technologies and standards taking into account confidentiality, integrity and availability. For example:

Between …

  • User and Application / Browser and Server
    • TLS/SSL
    • OpenVPN
  • Administrators and Systems
    • TLS/SSL
    • OpenVPN
  • Application and Application / Server to Server / Site to Site
    • TLS/SSL
    • IPSec VPN
  • Application and Database / Server to Server / Site to Site
    • Database Engine
    • TLS/SSL
    • IPSec VPN
  • Backup and System / Site to Site
    • TLS/SSL
    • IPSec VPN
  • Physically / Data to Drive
    • diskAshur Pro2 SED
    • DESlock+ Pro SW

… can be applied.

Please see SSL, VPN and Licensing for more details.

Other Encryption

Application Encryption

Although encryption at other levels is equally important, encryption/hashing and encryption/decryption of sensitive information is ideally handled first (after transit) by the application layer during input and output, and better still if the user can control the keys. This reduces the risks/vectors and potential impacts at all other levels.

Database Encryption

Much like application encryption, but often handled within the database engine itself, table/column/field level encryption reduces the risks/vectors and potential impacts at all other levels.

File Level Encryption

Files are encrypted at the operating system level using supported software to encrypt a virtual folder, drive or set of files, with decryption occurring on boot or mount and lasting until unmounted. This can be provided using the DESlock+ Pro and Enterprise Server licensed products through Pipe Ten’s partnership with ESET.

Full Disk Encryption

Much like File Level encryption, full physical or virtual drive encryption at a software level, with decryption on boot or mount, can be provided using the DESlock+ Pro and Enterprise Server licensed products through Pipe Ten’s partnership with ESET.

Self Encrypting Disks

In scenarios where critical privacy is required, self encrypting disks provide a hardware device level solution for data at rest and can out-perform software based solutions. Pipe Ten deploys SED by way of diskAshur Pro2 SED coded storage to address DR scenarios where bulk data collection and physical transit are needed, with enterprise server SED drives also supportable.

Transaction Encryption

Pipe Ten has experience in the sourcing and configuration of Thales and similar HSMs necessary for communicating and transacting with financial markets, services and networks such as Faster Payments or SWIFT.

Firewalls

Pipe Ten takes a multi-tiered approach to firewalling and access control which includes:

  • Edge network profiling and ACLs
  • Distribution network profiling and ACLs
  • Distribution firewalling and ACLs
  • Customer / Service Edge network profiling and ACLs
  • Customer / Service Edge firewalling with inbound/outbound filtering
  • Local/Internal firewalling with inbound/outbound filtering

Pipe Ten has been working with the FreeBSD based open-source firewall called pfSense for over 10 years, enabling cost effective, flexible and frequently updated stateful packet protection for its customers.

Pipe Ten has also worked for many years with other firewalling software and hardware from various manufacturers such as Cisco or CheckPoint, providing an advanced level of protection.

Wherever possible, Pipe Ten firewalls are deployed in high availability active/active or active/passive modes; the ease and safety of maintenance and the availability benefits almost always make it a cost effective choice.

Our Intrusion Detection services can be combined with Firewall services and optionally Monitoring & Response services to provide Intrusion Prevention with active response to Threats or Problems.

VPN

Pipe Ten supports all major VPN (Virtual Private Network) technologies to encapsulate data in-flight between users, servers and networks.

Permanent VPN connections between servers or networks are often handled at the firewall level using IPSec VPN.

Temporary VPN / Road Warrior connections between users and services are typically provided using OpenVPN or L2TP over IPSec.

Pipe Ten firmly believes communication should be secure by default (using TLS/SSL or other prominent technologies) and, wherever possible, further/double encapsulated through the use of VPN services (VPN is primarily used to protect insecure services, but should also be considered for use to doubly protect secure services).

Inclusive OpenVPN Service

An inclusive shared OpenVPN service is provided by Pipe Ten for customers wishing to securely access services hosted on Pipe Ten networks.

Traffic using the OpenVPN service is encapsulated / privacy protected between the customer’s endpoint (desktop, laptop and/or mobile where the VPN software is installed) and the Pipe Ten VPN service (what the VPN software connects to), which helps protect against threats on the customer’s network or the general Internet.

Dedicated OpenVPN (or L2TP over IPSec) Services

Where privacy of traffic is required fully between the customer’s endpoint (desktop, laptop and/or mobile where the VPN software is installed) and the customer’s services hosted on a Pipe Ten network, or where a volume of users is required, then dedicated VPN services are required.

Provisioned as a resource dedicated and bespoke to the customer and their hosting environments, Pipe Ten’s dedicated OpenVPN services can provide a high level of assurance and also support higher user volumes than can otherwise be achieved using a shared or free VPN service.

Where OpenVPN AS is used, licensing may be purchased via Pipe Ten or directly with OpenVPN.

Dedicated IPSec Services

Permanent VPN connections are typically deployed at the customer firewall level using IPSec for the purposes of connecting and encapsulating data between networks in different locations or with different providers.

SSL

Pipe Ten supports the community goal of https:// (SSL/TLS) by default and is provider agnostic, supporting wherever possible the use of both free and commercial SSL certificate authorities. In the simplest terms, protecting a website involves:

Prepare: Configure the hosting and generate an SSL CSR keeping the KEY private.

Purchase: Purchase a commercial or generate a free SSL certificate / CRT, providing the CSR to the authority provider when prompted.

Validate: Prove your domain’s authenticity and control as prompted by an SSL authority provider which is typically via email, DNS or http (EV certificates require additional validation steps and documentation).

Apply: Configure a load balancer or web server with the previously generated KEY and the newly generated CRT, when received from the SSL authority provider.

Optimise: Configure the website or hosting to redirect to https:// by default, checking code and content for absolute references to http:// and replacing them, and verifying TLS settings are appropriate.

Manage: Securely store CRT, KEY and other CA files in case a restore is needed, then monitor and renew prior to expiry.
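
The Prepare, Apply and Manage steps above can be checked from the command line with openssl. The script below is an added example, not Pipe Ten’s own tooling; the hostname, the file names and the self-signed certificate standing in for the Purchase and Validate steps are assumptions.

```shell
#!/bin/sh
# Added example: Prepare, Apply and Manage checks. Hostname, file names and the
# self-signed stand-in for the certificate authority are assumptions.
set -eu

# Prepare: generate KEY (owner-only permissions) and CSR; verify the CSR signature.
make_csr() {  # $1 = hostname, $2 = output directory
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
      -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null )
  openssl req -in "$2/$1.csr" -noout -verify 2>/dev/null
}

# Apply: succeed only when the CRT carries the public half of this KEY.
key_matches_cert() {  # $1 = KEY file, $2 = CRT file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Manage: succeed (renewal due) when the CRT expires within $2 days.
renewal_due() {  # $1 = CRT file, $2 = days
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
host=www.example.test                       # constructed hostname
make_csr "$host" "$work"
# Stand-in for Purchase/Validate: self-sign for 20 days rather than use a real CA.
openssl x509 -req -in "$work/$host.csr" -signkey "$work/$host.key" \
  -days 20 -out "$work/$host.crt" 2>/dev/null
key_matches_cert "$work/$host.key" "$work/$host.crt" && echo "KEY and CRT match"
renewal_due "$work/$host.crt" 30 && echo "renewal due: under 30 days left"
renewal_due "$work/$host.crt" 10 || echo "no renewal needed in the next 10 days"
```

Only the CSR leaves the host during Purchase; running key_matches_cert before loading a received CRT catches a certificate issued against a different KEY.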

If you understand the process, we recommend self-service SSL, where Pipe Ten just handles the purchasing and automation of validation at minimal cost. However, we also offer an assisted SSL service where our engineers will handle every step of the signing and installation process on your behalf.

Security Monitoring

Pipe Ten’s security monitoring services are intended to provide audit, insight and alert generation for the environment’s current security configuration and activity. The service is tailored to your specific environment and need, but in the simplest terms:

  • Devices and Operating Systems are monitored by way of security agent or configuration
  • Activity, Configuration and Data, including Files and Logging, are constantly checked and flagged for audit requirements or on suspicion of unwanted activity, possibly intrusion
  • Audit and suspiciously flagged data is immutably logged to an isolated off-solution location
  • Web Interface is provided for flagged data correlation and audit retrieval needs
  • Suspiciously flagged data is analysed, verified and alerted for further attention (HIDS and NIDS)

The service typically involves and is packaged as:

  • Agent installation, configuration, maintenance and patching with optional Snort licensing.
  • Server installation, configuration, maintenance and patching with optional backup.
  • Optional additional response service, whereby Pipe Ten monitors the logs and alerts on the customer’s behalf.

After successful deployment, configuration and optimisation, the security monitoring service may optionally be extended to include prevention (HIPS and NIPS) in addition to detection for automated protection.

Security Scanning

Nessus Scanning

Pipe Ten performs at least weekly network scans of all public facing networks, for the purpose of protecting the Pipe Ten network against attack or exploit which could threaten not only the stability of the Pipe Ten network on which it relies, but also the networks to which we connect and the entire Internet community to which we belong.

We are able to extend this automated scanning service for bespoke customer use such as:

  • Custom and Guaranteed Scanning Schedules
  • Web Application Scanning
  • Local Network Scanning
  • Agent OS Scanning

This scanning of Pipe Ten networks, although conducted to PCI DSS standards, lacks the third party independence necessary for its reporting to satisfy PCI DSS ASV requirements.

PCI ASV Scanning

Pipe Ten, through its partnership with SecurityMetrics, is able to offer easy access to the quality third party ASV reporting necessary for PCI DSS compliance.

Customers taking SecurityMetrics via Pipe Ten benefit from preferential pricing, a single supplier and inclusive Monitoring & Response to changes in PCI compliance by Pipe Ten engineers, for swift escalation/remediation action by Pipe Ten or customers’ teams.

SecurityMetrics is charged per domain and/or per IPv4/6 per year and features unlimited free manual rescans.

Vault

Pipe Ten uses HashiCorp Vault OS extensively for securely managing access to tokens, passwords, certificates, encryption keys and other certificates within its administrative and development environments.

This experience with vault technologies and credential management is now available for Pipe Ten customers. We provide highly secure hosting environments for vault instances and end-to-end assistance with making the best use of secret engines and their access methods.

Storage engines include specifically designed implementations of AD, AWS, Azure, Databases, Identity, Keys, Kubernetes, LDAP, PKI, RabbitMQ, SSH, Terraform and others.

Access methods include UI, CLI, or HTTPS API.

Classification: Public
Last saved: 2024/03/11 at 22:29 by Carl