IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [architecture]

104 questions
2
votes
1 answer

Counting on firewalls only : sound security strategy to prevent intrusion?

I had this discussion with a friend of mine who is a windows sysadmin. He said to me that for his company's IT security, he is doing only updates on the windows server. But except these system updates that prevent any code injection and are not…
Andy K
  • 411
  • 1
  • 3
  • 11
2
votes
1 answer

Is it necessary to have security documentations, policies, DRP & BCP's at place in order to execute secure network architectural review?

One of my client has ISO 27001 audits at their disposal and they have been going through audits. Meanwhile, they are taking custom security services from our company where-in one of the deliverables happen to be Secure Network Architectural Review.…
Shritam Bhowmick
  • 1,602
  • 14
  • 28
1
vote
0 answers

Docker: Central daemon model is flawed?

I've read this article about CoreOS's new container runtime, rkt, and I'm curious about this section: Why not just fork Docker? From a security and composability perspective, the Docker process model - where everything runs through a central…
Elouan Keryell-Even
  • 173
  • 5
1
vote
2 answers

Separate web and app server windows authentication

I understand that separate web and app server can improve security. Your web server sits in a dmz and then there is firewall between it and the app server. We provide solutions to clients within an intranet using windows authentication. Our clients…
Jake
  • 181
  • 1
  • 3
1
vote
3 answers

Is this approach to backups secure?

I've got an existing (personal) backup service which I'm rewriting from the ground up to be secure. At present, I just store files (and diffs) in AWS S3 with no encryption. It works fine but I'd like to make sure my data can't be leaked. For the…
Basic
  • 1,190
  • 1
  • 6
  • 13
1
vote
1 answer

Difference between Architecture review and a Design review

As the question says, I would like to know the difference(s) between an Architecture review and a Design review. If someone could explain the two using an example, such as an Architecture review of a network and the Design review of the same…
JohnnyHunter
  • 233
  • 1
  • 7
1
vote
1 answer

How to respond to a request for information on a system's architecture without compromising security?

Let's say that I am a Federal CIO and need to respond to a request for information on the architecture of a financial management system. I want to demonstrate that the system is capable of supporting multiple customers, can scale to thousands of…
keruilin
  • 139
  • 5
1
vote
1 answer

Web application vs web service security

My question is about the difference between usual security expectations from a web application (intended to browser navigation) vs SOAP web service. For a web application, an acceptable solution for secure communication is HTTPS (tranport…
someone
  • 33
  • 6
1
vote
1 answer

End To End Encryption Model

I have an architecture which requires a certain subset of data to be more heavily secured and encrypted. The main parameters which I believe meet the scope of the project are as follows: Data should be encrypted in transit Data should be encrypted…
Eric Uldall
  • 113
  • 5
1
vote
2 answers

Refresh token replay detection

I'm trying to detect refresh token reuse / replay. A typical approach: send refresh token (on login or refresh) create refresh token as opaque value (e.g. buffer from a CSPRNG) base64 encode value and send to user salt and hash value, store in…
lonix
  • 363
  • 3
  • 11
1
vote
0 answers

Do i place this service in the DMZ or datacentre(internal)?

I have setup a VM on our internal network and it is assigned an internal IP address. The VM requires connectivity to a couple of internet sites mainly Microsoft and ports are generally 80 and 443. This is to run Power Automate. All connections are…
Architect
  • 631
  • 1
  • 6
  • 9
1
vote
1 answer

Should IDM be private or exposed for app login?

In the diagram below, I have two options for authenticating into a protected resource. Both options use an Identity & Access Management (IDM) tool (in this case keycloak) to store credentials and present as a JWT once properly authenticated. The…
Joe
  • 11
  • 2
1
vote
0 answers

Has hackers ever used a microarchitectural side channel to launch an attack?

I'm a student of computer architecture and I just got through a class on Hardware Security. We spent a considerable amount of time learning about microarchitectural side channels, reading papers on how researchers "stole" cryptographic keys from toy…
Cedar
  • 121
  • 2
1
vote
1 answer

Safety difference between running on localhost versus the private internal ip address?

I am wondering if there is any additional security increase by choosing to run your webserver on an internal private ip address and port like xyz.ab.cd.efg:8080 versus localhost:8080 or 127.0.0.1:8080 If so, what does this mitigate against? For this…
user1709076
  • 149
  • 7
1
vote
1 answer

Is it acceptable to have SPA + API from security point of view?

We are building something like specific blogging social platform. Architecture was originally intended as to have: single page application: all gui, rendered in the browser on the client frontend: mainly proxy layer, api for that SPA, accessible…
ooouuiii
  • 389
  • 2
  • 6
1 2 3
4
5 6 7