Security Focus
Metawerx has a strong background in computer and network security, which started as an interest in the late 1980's. These days, we provide security consultancy services to both hosted, and external clients in Melbourne, focusing on web-based application issues such as cross scripting, HTML and SQL injection, session hijacking and security auditing for web applications, SSL hardening and intrusion detection.
The features we have in place to protect our server equipment, your data and privacy, are detailed below. If you have questions about any of the items below, or your specific security requirements, we would be happy to discuss them with you in more detail.
- Your data and privacy will always be handled with the highest regard
- Local backup data is kept under the same conditions as live data
- Offsite database and subversion backups are encrypted with AES encryption
- Offsite filesystem data is encrypted with AES encryption, including the filenames and filesystem layout
- Customer data is completely removed on request, and automatically removed 30 days after cancellation
- All metawerx personnel are under strict Non-Disclosure Agreements
- A personal accounts manager deals with all clients and is trained to determine differences in client behaviour, per-client, when that client is requesting access to confidential information or changes in authentication/access
- Strict "No Level-1 staff" policy - all staff with access to customer data are trained in security procedures, reception staff cannot access servers
- Password change, access to customer data or accounts data requires a 4-part authorization process (you ask, we contact the authorised billing contact, confirmation is received, we validate the confirmation against previously received communications from the company/individual for consistency, then we allow access)
- See our Privacy Policy for more information on how we protect your information
- Keeping software up-to-date is one of the most important ways to reduce security risks, on your home and office PC(s) and especially on your server(s)
- We update the operating systems on all our servers regularly
- We upgrade to the latest builds of Java, Tomcat, MySQL and MariaDB after verifying that nothing is going to break
- We receive update alerts for all our supported platforms via SecurityTracker and other sources, read and act on them
- Please check the versions your current host is running, notably versions of popular systems such as WordPress, cPanel, phpMyAdmin and MySQL and then do a check on Google for the release dates and vulnerabilities of those versions. This will become an even more critical area as VPS and Cloud VPS systems are more frequently deployed.
- Our Control Panel (SiteWinder) and other online tools only allow access over SSL/TLS
- SSL/TLS available on all mail services (SMTP, POP3, IMAP, Webmail)
- SSL/TLS/SSH encrypted transfer for sensitive data access and file transfer via RSync, FTP(ES) or SFTP
- Firewalled databases, database are not exposed to the internet as they are with other hosts
- Rapidly patched, firewalled operating systems
- Brute-force protection on externally exposed systems, including FTP, Mail Servers, Subversion, Tomcat Manager and customer control panels
- Metawerx Anti-Port-Scan system
- AutoShun and OpenBL brute-force black-list firewall integration
- Redundant Intrusion Detection Systems (IDS): Metawerx IDS, AIDE
- Secure sandboxing of all user accounts
- Enhanced AppArmor profiles for Java to further sandbox Tomcat, TomEE, GlassFish, JBoss and Command Line JVMs, including our own sites and customer applications
- Enhanced AppArmor profiles for Apache to further sandbox non-Java control panels (phpMyAdmin, phpPgAdmin, Webmail etc..)
- Enhanced AppArmor profiles for FTP, MySQL, MariaDB, MongoDB, CouchDB and PostGreSQL to protect against privilege-elevation and buffer-overflow attacks
- Fine-tuned java security policies per VM (Managed VMs)
- Digest-HTTP for Tomcat Manager to prevent transmission of plaintext passwords, even when not using SSL
- Redundant sandbox layers - Java Security Policy, Linux file permissions, AppArmor - if any one of these become unavailable due to staff, user or script error, customer accounts remain sandboxed and protected against other users
- AppArmor is used around the Metawerx account signup system and all control panel tools, just like with your own JVM
- Enhanced Crypto is employed on all Metawerx forms and customer tools
- Metawerx UrlSecurityFilter forces HMAC signatures and AES-128 encryption on all GET and POST actions on Metawerx-Workflow systems (Domain Administration, Mail Reseller Admin, Tomcat Realms Administrator, Subversion Administration, Payments System)
- Customer-login-based actions are logged to enable forensic analysis
- Backups are read-only from control panel servers (a web-server breach cannot affect your backups)
- Payment information is deleted after it has been used (card information is deleted after a payment is complete, automatic-payment data is retained and encrypted using AES-256 - see our Privacy Policy for details)
- File permissions and configuration risks are automatically reviewed multiple times per hour
- Inconsistencies are automatically corrected on all servers according to our pre-defined policies
- Inconsistencies are reported to system administrators to manually address the cause
- Metawerx staff are sent details of any inconsistency directly to their smartphones
- 256 bit SSL/TLS encryption enabled for Java
- Option to select between 40bit+, 128bit+ or enforced 256bit+ TLS encryption for maximum security for private systems (enforced 256bit will not work with IE6, WinXP and older browsers)
- Weak/Medium ciphers and SSLv2/SSLv3 disabled by default (Tomcat 4.1.32+/5.5.17+, option to re-enable for older browsers in Export-Restricted countries)
- 4096 bit private key automatically generated when generating your CSR (industry standard is 1024 or 2048 bit)
- Secure SSL renegotiation
- TLSv1.2 protocol support available on Java 7+
- PCI compliant, FIPS-ready SSL setup available (according to tests at Qualys SSL Labs, where we were first in the world to achieve the maximum possible score of 100)
- BEAST, CRIME and LUCKY13 attack resistance on Java 6+ (by the way Java 6 is EOL - time to upgrade to Java 7 or Java 8!)
- Elliptic Curve Diffie-Helman Cryptography (ECDHE) enabled, for fast SSL decryption on newer browsers and mobile devices
- Galios/Counter Mode (GCM) ciphers available on Java 8+ and our Apache-based systems (eg: phpmyadmin)
- Automated systems block port-scans and brute-force attacks on services 24/7/365
- Action is taken on increased network activity, or suspicious probing activity
- Technicians are sent alerts if suspicious activity is taking place and will monitor, block or phyiscally disconnect hardware if necessary
- AIDE reports are sent to admins and flagged in our monitoring panel until resolved - if a new file is added to or changed on the host filesystem, we are alerted on our smartphones and we investigate
- AppArmor violations are sent to admins and flagged in our monitoring panel until resolved - if a customer or binary attempts to access a file or capability they are not permitted to access, we are alerted on our smartphones and investigate
- We receive, read and act on SecurityTracker, CERT and CVE security reports weekly and modify our systems to react to new threats
- Unlabeled servers, unlabeled racks, only metawerx and data centre staff know which servers are metawerx servers
- Locked server cages, with separate keys per rack segment, power and network segment
- Physical server intrusion alerting system - if a server panel is opened or a cable is disconnected without our consent, we are alerted on our smartphones and investigate
- Additional proprietary physical access security (details restricted)
- 24/7/365 security camera surveillance inside and outside data centre
- Over 30 cameras covering all rooms and racks
- Digital recording on motion
- No access permitted without prior arrangement
- Non ground-level server rooms, no unauthorized access to lifts or stairs
- Maximum-security data area, requiring visual meeting with data center staff and bio-metric palm / smart-card authentication
- Anti-pass-back system to server rooms, travel must be uni-directional
- Anti-tailgate system with man-trap, preventing access to server rooms, only one person may pass through at a time
- Interlocked doors
- See the Data Centre page for more information about our data centre
Contact us to discuss your requirements, or for a faster setup, select a plan from the Plan-based pricing pages.
We are often commended for our high quality services and fast delivery. Sign up and you will see why!
