Monday, May 13, 2019

When is FTP over port 21 secure?

Port 21 is the control port for the original and unsecure FTP protocol.   Credentials and payload are exchanged over the network unencrypted.

However file transfer over port 21 can be made secure with the newer FTPS protocol. FTPS or  FTP over SSL/TLS can enable encryption of both the Control and Data Connections.  Port 990 and 889 are defined for 'implicit' FTPS whereby both Control and Data are encrypted: port 990 for Control, 889 for Data.   If the client connects on port 990 the assumption is that SSL/TLS encryption will be performed i.e. the port number signifies security. 

However 'explicit' FTPS runs over port 21 (the port used by original and unsecure FTP protocol).  FTP clients who connect on port 21 and require encryption, must send AUTH SSL or AUTH TLS to the server. If the server complies it will take steps to complete an SSL/TLS handshake.   Selective use of encryption enables transfers to be secured according to need, with benefit of greater speed for unencrypted exchanges.

Thursday, April 11, 2019

DKIM, SPF, and DMARC Email authentication

Sender Policy Framework (SPF).

Publishes a list of servers that are authorised to send email on behalf of a domain. SPF is akin to path based authentication.


Domain Keys Identified Mail (DKIM).

A tamper proof domain seal to an email. DKIM is akin to signature based authentication.


Domain-based Message Authentication, Reporting and Conformance (DMARC).

Creates a link between a domain and an email, and validates SPF and DKIM authenticated headers match the from header domain.   DMARC builds upon SPF and DKIM authentication. Anyone can buy a domain and put SPF and DKIM in place. However DMARC closes off this problem by checking the SPF and DKIM authenticated headers ALSO match the domain found in the from header.  This is termed 'Identifier Alignment'.


Once an email domain owner is confident that they’ve deployed SPF and DKIM across all of their email streams, the domain owner can then tell the world to act against email that is not compliant with DMARC.  Not just gentlemanly but ensures brand protection and effective email delivery (by helping to prevent SPAM filter false positives).


DMARC is a freely available technical specification. DMARC records are published with DNS Domain.


Examples of DMARC Matching

From:   SPF:             DKIM: (none)               DMARC Match?  Yes

From:   SPF:    DKIM: (none)               DMARC Match?  Yes

From:   SPF:   DKIM: (none)               DMARC Match?  No

From:   SPF:   DKIM:           DMARC Match?  Yes

From:   SPF:    DKIM:   DMARC Match?  Yes

From:   SPF:       DKIM:        DMARC Match?:  No

From:   SPF:            DKIM: (none)               DMARC Match?:  No

Thursday, October 18, 2018

AWS Further Info

TCO Calculator

AWS Support Plans Overview

Various expertise is available
·         Technical Account Manager
·         Trusted Advisor
·         Support Concierge

4 levels are available
·         Basic Support
·         Developer Support
·         Business Support
·         Enterprise Support

AWS Well architected framework

AWS define 5 pillars


Operational excellence
Using scripting
Frequent, small, reversible change
Test failure

Strong identity foundation: least privilege, and separation of duties, audit logs
Apply security at all layers i.e. defense in depth
Automate security best practice
Protect data in transit and at rest i.e. use encryption, tokenisation

Test recovery procedures
Configure and automate recovery
Use KPI to trigger failover, and recovery
Scale horizontally to reduce failure
Monitor and forecast capacity
Manage change

Performance efficiency
Deploy globally to decrease latency
Use serverless architecture
Experiment with different architectures to discover best fit models

Cost optimisation
Adopt a consumption model. Stop resources when not in use
Analyse and attribute expenditure.
Use managed services to reduce operational cost