HOSTING SECURITY STATEMENT
Network security
Network level security consists of three main components:
- DDoS mitigation
- VLAN reverse path forwarding protection
- Firewall rules at the network edge and core
DDoS mitigation
A DDoS detection and mitigation system is deployed in both the Cape Town and Samrand data-centres. DDoS attack traffic is diverted to a filter/scrubbing server that can distinguish between valid and malicious traffic. Malicious traffic is scrubbed off while valid traffic is re-injected into the network. The victim IP is not affected during the DDoS attack. DDoS detection and mitigation is fully automated and traffic diversion occurs automatically.
Small DDoS attacks are scrubbed locally in the data-centre by the mitigation system. For larger attacks, traffic is diverted to an international DDoS mitigation provider which then sends the clear traffic on to South Africa.
VLAN reverse path forwarding protection
Reverse path forwarding protection is enabled for all VLANs in our data centres. This policy ensures that only the subnets allocated to a VLAN can generate traffic for that VLAN. This helps to mitigate two kinds of malicious traffic:
- Source-spoofed traffic, where a host sends out traffic with source addresses from subnets that do not belong to the VLAN.
- Inter-VLAN subnet spoofing, where a host in one VLAN spoofs source IP addresses that belong to another VLAN.
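The source-address check this policy describes, modelled as an added example (not Sizwe Africa IT Group's configuration). The VLAN numbers, the documentation-range subnets and the verdict labels are constructed assumptions for illustration.

```python
import ipaddress

# Constructed allocation table: VLAN id -> subnets allocated to that VLAN.
VLAN_SUBNETS = {
    100: [ipaddress.ip_network("192.0.2.0/25")],
    200: [ipaddress.ip_network("192.0.2.128/25"),
          ipaddress.ip_network("198.51.100.0/24")],
}

def classify_source(ingress_vlan, src_ip, allocations=VLAN_SUBNETS):
    """Return 'permit' if src_ip is allocated to the VLAN it arrived on,
    'inter-vlan-spoof' if it is allocated to a different VLAN, and
    'source-spoof' if it is allocated to no VLAN at all."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in allocations.get(ingress_vlan, [])):
        return "permit"
    for vlan, nets in allocations.items():
        if vlan != ingress_vlan and any(src in net for net in nets):
            return "inter-vlan-spoof"
    return "source-spoof"

def filter_frames(frames, allocations=VLAN_SUBNETS):
    """Split (vlan, src_ip) pairs into forwarded frames and dropped frames
    grouped by the reason they failed the reverse path check."""
    forwarded, dropped = [], {}
    for vlan, src in frames:
        verdict = classify_source(vlan, src, allocations)
        if verdict == "permit":
            forwarded.append((vlan, src))
        else:
            dropped.setdefault(verdict, []).append((vlan, src))
    return forwarded, dropped

# Constructed sample traffic: (ingress VLAN, source IP).
SAMPLE_FRAMES = [
    (100, "192.0.2.10"),     # allocated to VLAN 100
    (100, "192.0.2.200"),    # allocated to VLAN 200, seen on VLAN 100
    (200, "198.51.100.7"),   # allocated to VLAN 200
    (200, "203.0.113.5"),    # allocated to no VLAN
    (300, "192.0.2.10"),     # VLAN with no allocation using VLAN 100's space
]

if __name__ == "__main__":
    forwarded, dropped = filter_frames(SAMPLE_FRAMES)
    print("forwarded:", forwarded)
    for reason, frames in dropped.items():
        print(reason, "->", frames)
```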
Firewall rules
Firewall rules on the data centre network edge and at the core are used to protect the network in a number of ways:
- Rate-limiting of certain protocols to protect the network infrastructure.
- Blocking of certain protocols and destination IP addresses to protect Sizwe Africa IT Group operational systems.
- Restricting access to certain hosts and protocols to defined lists of source addresses.
- Blocking of abusive IP addresses and hosts.
Monitoring
All servers managed by Sizwe Africa IT Group are monitored 24/7 for all critical services and hardware health. Our reactive system administrators respond to monitoring alerts as they are raised and escalate issues to data centre staff or platform engineers.
Platform security
Servers
All servers used to provide our managed hosting service, both for shared web hosting and dedicated managed servers, are physical servers exclusively provisioned and managed by Sizwe Africa IT Group.
Servers are designed to provide redundancy and reliability, including multi-core, multi-CPU systems, ECC (Error-Correcting Code) memory modules to detect and correct data corruption in real time, and enterprise-grade storage that includes hard disk and solid-state drives.
All data is stored on dedicated, robust RAID storage arrays providing data redundancy and integrity. Additionally, our servers include a Battery Backup Unit (BBU) which protects and maintains the data on RAID cards.
Security response policy
All relevant security advisories are evaluated weekly. We make use of Debian Linux and Microsoft and trust their security response to all CVEs (https://cve.mitre.org).
We are committed to updating all software to the latest stable versions within 7 days of their release, and within 24 hours for critical software updates.
Backups
All Sizwe Africa IT Group Managed Servers are automatically backed up in the early hours of the morning. The backup includes all critical data required for disaster recovery.
Backups are made of the user’s home directory as well as databases. The user’s home directory will include site content, web logs and any mail that was on the server at the time that backup was completed.
Please note that Sizwe Africa IT Group does not guarantee backups. If you have critical data which you cannot afford to lose in the event of a disaster, keep a copy of your data locally (or at an alternate location) as well.
Software development
Stack: We have a strong focus on Microsoft technologies and mainly use ASP and C# as our backend languages. Our frontend stack consists of HTML/HTML5, CSS/CSS3 and various JavaScript frameworks. We use varying database technologies including MS SQL.
Coding Practices: We follow an Agile development methodology and use best practices and industry-standard secure coding guidelines to ensure security is always top of mind. External penetration testing providers are used to validate that we are secure.
Anti Virus
All Linux-based servers run Clam anti-virus and Windows-based servers run Webroot, which is updated as new virus definitions are released. Servers are scanned daily.
User passwords
All customer passwords are stored in a one-way hashed (irreversible) format. Sizwe Africa IT Group is not able to retrieve any passwords. Due to the broad technology implementation across our hosting software and platform, we employ a number of different password hashing algorithms, e.g. bcrypt and SHA-512. We implement industry-standard practices for mitigating various password cracking methods, e.g.:
- Password salts to mitigate rainbow table attacks
- Multiple password hashing rounds (key stretching) to greatly slow down brute-force attacks
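How a per-password salt and a round count fit together, as an added example that is not Sizwe Africa IT Group's code. It assumes PBKDF2-HMAC-SHA512 from the Python standard library as a stand-in for the algorithms named above; the record layout, the function names and the round count are constructed for illustration.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha512"   # label stored with each record (constructed)
ROUNDS = 600_000           # assumed work factor; raise it as hardware improves

def hash_password(password, rounds=ROUNDS):
    """Hash with a fresh random salt so identical passwords give different
    records, which makes precomputed (rainbow) tables useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{SCHEME}${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and rounds, then compare in
    constant time. The original password is never recoverable."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored, rounds=ROUNDS):
    """True when a record was created with fewer rounds than current policy,
    so it can be re-hashed at the user's next successful login."""
    return int(stored.split("$")[1]) < rounds

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```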
Mail security
SSL is used for POP, IMAP and SMTP protocols for email, resulting in data encryption between our server and customers’ mail programmes. The use of strong passwords is enforced when creating or editing mailboxes via the mail admin tool. The following measures are used to mitigate spam and malware:
- Anti-virus and anti-spam scanning occur on all inbound and outbound email.
- Common malicious file extensions are blocked for both inbound and outbound email.
- Known malicious IP addresses are blocked by our firewall for incoming email.
Customer responsibilities
While we care for the hosting infrastructure including the network and servers, it is our customers' responsibility to keep their data and hosting account secure.
- Use secure passwords and store them safely
- Ensure sufficient security for your web applications
- Ensure that CMSs and plugins are always kept up-to-date
We remain committed to providing a reliable hosting service to businesses that are serious about uptime, 24/7 technical support, and are looking to benefit from evolving technologies.