Security & Data

Security Guide

MCS Framework

The MyConnection Server (MCS) security model was designed from the outset to eliminate the need for commercial web service assets such as Apache or IIS. Instead, the MCS security framework is based on a whitelist-only approval process to mitigate threats from commercial web servers and operating systems. This whitelist methodology establishes the concept of a Web Application Firewall (WAF). The WAF approach ensures that MCS can immediately reject—and more importantly, audit for security improvements—all ingress requests that do not conform to the MCS whitelist policy rules. Additionally, the WAF framework enables MCS to adapt to new threats, such as injection attacks and other vulnerabilities identified by OWASP and similar security-focused organizations. Integrated into the MCS architecture is an extensible Access Control List (ACL) policy engine, allowing MCS administrators to customize and extend the security framework. For instance, the ACL can restrict access to specific MCS administrative functions by IP address or subnet.

Protections against well-established threats that browsers do not adequately address, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery, and Code Injection (both simple and complex), are built into the core MCS WAF engine by design. The integrated WAF approach ensures that the security rules applied to MCS ingress transactions remain uncompromised by the variety of browser applications and versions, including those used by malicious actors. For example, consider the use of parent-directory traversal syntax such as ../../ in file requests, a common tactic used by attackers to gain access to sensitive files within the OS system root. While modern browsers may prevent such requests, older browser versions or custom-built attack applications may not. Additionally, the MCS WAF engine is designed to be extensible, allowing MCS to quickly adapt as new threats emerge (e.g., those identified by OWASP).
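
The following Python example, added here for illustration and not taken from MCS, shows a whitelist-only ingress check of the kind described above: a request is rejected and recorded for audit unless it matches a rule, ../ traversal is caught even when percent-encoded, and administrative paths are limited by subnet. The rule patterns, the subnet, and all function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed policy for illustration; none of these values come from MCS.
PUBLIC_RULE = re.compile(r"/(?:test|reports|static)/[A-Za-z0-9_\-./]{1,128}")
ADMIN_RULE = re.compile(r"/admin/[a-z]{1,32}")
ADMIN_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
AUDIT_LOG = []  # every rejection is kept so the rules can be reviewed


def _decode_fully(raw, max_rounds=3):
    """Percent-decode until stable so %252e%252e cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return decoded
        raw = decoded
    return None  # still changing after max_rounds: treat as hostile


def _reject(client_ip, raw_path, reason):
    AUDIT_LOG.append({"ip": client_ip, "path": raw_path, "reason": reason})
    return False, reason


def check_request(client_ip, raw_path):
    """Return (allowed, reason); anything not explicitly allowed is rejected."""
    path = _decode_fully(raw_path)
    if path is None or "\x00" in path or "\\" in path:
        return _reject(client_ip, raw_path, "bad-encoding")
    # Reject traversal outright instead of normalising it away.
    if ".." in path.split("/"):
        return _reject(client_ip, raw_path, "path-traversal")
    if ADMIN_RULE.fullmatch(path):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in ADMIN_SUBNETS):
            return True, "admin-acl"
        return _reject(client_ip, raw_path, "acl-denied")
    if PUBLIC_RULE.fullmatch(path):
        return True, "public-rule"
    return _reject(client_ip, raw_path, "no-matching-rule")
```

Because the check runs on the server, the outcome does not depend on whether the client normalised the path before sending it.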

NCS Framework

The NCS (network connection satellite) framework extends the MCS security model to address the security challenges of large enterprise global networks as well as global cloud service networks. The NCS technology is specifically designed to provide client or server points-of-presence (PoPs) that securely deliver connection testing services in both public and private environments. To achieve a secure client and server framework, the NCS implements an extremely 'thin' application that eliminates both operating system and data asset threats within a unified architecture.

The ACS satellite is a custom hardware solution designed and built by Visualware to eliminate the cyber threats commonly associated with commercial operating systems. The ACS provides a solid-state solution that is both portable and rack-mountable—portable for service delivery at client or network edge points-of-presence (PoPs) and rack-mountable for datacenter services. The ACS solid-state framework offers the capability to accurately measure user service delivery for both low-bandwidth (single user/home demand) and very high-bandwidth (business/concurrent user demand) scenarios. Additionally, the elimination of operating system and filesystem overheads significantly enhances the accuracy and security of the measurement process. The ACS architecture delivers a PoP hosting platform that supports both client and server roles.

The NQC Satellite delivers the same architecture as the ACS Satellite but as a software solution. The software-based NQC Satellite also employs an ultra-thin framework by eliminating filesystem access on commercial operating systems, including iOS and Android. The NQC Satellite solution takes advantage of the cost-effectiveness and distribution benefits of virtual machine platforms such as Azure and AWS.

For further information please see the security architecture and ACS documentation.

Sensitive Data Protection

The MCS approach to protecting sensitive data assets is simple: do not collect any sensitive data. For example, consider the extensive PCI standards for protecting credit card information. Visualware, which operates an eCommerce platform for MCS services that includes credit card processing, has a strict policy of not retaining any persistent credit card data during transactions. This exclusion of private data collection is also integral to the MCS security framework. Moreover, Visualware's testing standards and methods include extensive penetration test profiles for all Release Candidate (RC) and General Availability (GA) cycles.

For more information see Risk Mitigation Procedures (includes Penetration and Conformance Testing).