A web architecture combining performance and security
Our web architecture schema is the result of extensive research, continuous testing, the choice of the best hardware, and very strict operational procedures. Ongoing software and hardware updating campaigns ensure that it is kept in operational condition.
Web infrastructure head: how does web traffic flow at NBS System?
All incoming and outgoing client platform traffic passes through our routers, which direct it to our firewalls.
These firewalls provide a first level of traffic filtering without any impact on your platform’s performance. Without public exposure, your web servers have a certain level of security by default. Our restrictive filtering rules can be made even more strict according to the level of security of the chosen environment.
The cleaned traffic then arrives at our Load Balancers, which distribute it evenly across our reverse proxies. The reverse proxies are a “second layer” of protection that avoids exposing your servers to the Internet. They allow us to filter access to your web application and to perform Virtual Patching on high-security web environments.
Once it goes through this equipment, the web traffic passes through Load Balancers once more. They will again distribute the traffic evenly, this time between your servers. This prevents an imbalance in their use, which could result in a loss of performance for some of your users.
Minimise burdens on your web servers
This infrastructure head was designed to better adapt to e-commerce sites, which are very resource-intensive and demanding in terms of performance. It ensures that your servers will not be overloaded, for better performance.
However, if you have specific or complex projects that are not compatible with this model, our pre-sales experts can adapt to meet your needs thanks to our RED team (Research & Expertise Department).
IT security, even on a standard environment
The goal of our infrastructure: to isolate your servers from direct exposure to the Internet. This is a guarantee of security to avoid certain computer attacks and to provide a degree of protection to your digital data and infrastructure.
Moreover, NBS System is committed to securing its hardware in its datacenters. For this purpose, two major types of technical security have been put in place:
- IT infrastructure protections (implemented at the infrastructure level)
- System protections (adapted to your secure VPS server)
The environmental protections dedicated to our infrastructure include in particular:
- Our dynamic firewall: to block attacks in real time
- Our WAF (Web Application Firewall) NAXSI: to protect your Web applications, for example with our virtual patching technique, which shields security vulnerabilities that may be present in your CMS while it is waiting to be updated
- Our Anti-DDoS: to ward off denial-of-service attacks up to 10 Gbps
- Our separate VLANs: to isolate your environments from those of our other clients
- Concurrent session limiters: to avoid application DoS
- Our SIEM: to record all security events
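As an added illustration (not NBS System’s own configuration), the following nginx fragment shows how the reverse-proxy layer described in the traffic flow above, together with the NAXSI WAF, a virtual patch and a concurrent session limiter from the list just given, can be expressed in practice. The hostnames, addresses, file paths, thresholds and the patched endpoint are constructed placeholders; only the nginx and NAXSI directives themselves are real.

```nginx
# Added example, not NBS System's configuration. All names, addresses and
# numbers are placeholders chosen for illustration.

http {
    # NAXSI core rule set shipped with the module (install path assumed).
    include /etc/nginx/naxsi_core.rules;

    # Concurrent-session limiter: count open connections per client address.
    # A load balancer sits in front of this proxy, so the real client address
    # is restored first (set_real_ip_from below); otherwise every request
    # would appear to come from the load balancer and share one counter.
    limit_conn_zone $binary_remote_addr zone=per_client:10m;
    limit_conn_status 429;

    # Pool of application servers behind the second load-balancing layer.
    # least_conn sends each new request to the server with the fewest open
    # connections, which is one way to avoid the imbalance described above.
    upstream app_pool {
        least_conn;
        server 10.0.1.11:8080;          # placeholder
        server 10.0.1.12:8080;          # placeholder
        server 10.0.1.13:8080 backup;   # used only if the others are down
    }

    server {
        listen 80;
        server_name shop.example.com;   # placeholder

        # Trust X-Forwarded-For only when it arrives from the front load
        # balancer's own range; anything else keeps the TCP peer address.
        set_real_ip_from 10.0.0.0/24;   # placeholder LB range
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;

        # At most 20 simultaneous connections per client address
        # (application-level DoS limiter; the figure is an assumption).
        limit_conn per_client 20;

        # Virtual patch: while the CMS waits for its update, the vulnerable
        # endpoint is refused at the proxy so the request never reaches the
        # server. The path is a placeholder, not a real vulnerability.
        location = /PLACEHOLDER-vulnerable-endpoint.php {
            return 403;
        }

        location / {
            # NAXSI in blocking mode with its documented default thresholds.
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://app_pool;
        }

        # Requests NAXSI blocks are redirected here; the triggering rule ids
        # are written to the error log, which is what a SIEM would collect.
        location /RequestDenied {
            return 403;
        }
    }
}
```

The order of the directives matters for the security claims: the client address must be restored before `limit_conn` evaluates, and the exact-match `location =` for the virtual patch takes precedence over the prefix `location /`, so a blocked endpoint never reaches `proxy_pass`. NAXSI starts in learning mode only if `LearningMode;` is set, so the configuration above blocks from the first request.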
Local IT protections
In the local protections adapted to your servers, here are some examples of what is put in place:
- Grsecurity: a hardening system for the Linux kernel that includes PaX, a security reinforcement patch, making it possible to withstand a large number of attacks, in particular buffer overflow attacks
- Watchfolder: constantly checks and records changes to files, access rights, etc.
- Snuffleupagus: analyses all files sent to PHP, their type and their content, and indicates whether they are dangerous
- PHP Malware Finder: detects malicious code present in your applications
- Toughened configurations of the Linux system and its daemons
Peering by Ielo, Zayo, and Nerim
An IT infrastructure offering very high availability
Each piece of hardware in our infrastructure head is N+1 redundant per data center (firewall, router, switch, load balancer, reverse proxy), and our NetApp storage arrays are themselves redundant both locally and remotely between the two data centers. Our network transit is provided by two different suppliers, and failover is managed automatically by our routers.
Performance involves in particular the level of availability of the web infrastructure on which your environments are hosted, which is why NBS System offers redundant infrastructure thanks to our two data centers (Equinix PA3 & Iliad DC3). They both have the top certifications (Tier 3+) and are connected by dark fibres operated by us.
Setups in two datacenters for a very high availability
NBS System has its own cages in the datacenters, which allows us to control our hardware as well as its performance and security updates. The two sites are more than 25 km apart, making us one of the “multi-homed” hosts able to provide very high availability. To minimise SPOFs (Single Points of Failure), our engineers have designed an architecture that is redundant at every level.
Technical focus: autonomous system (AS) and IP addresses
NBS System announces its IP addresses via its AS (Autonomous System), which has the identifier AS51335. Our infrastructure is thus a member of the DFZ (Default Free Zone), which consists of organisations that have no default route because they are connected “live” to the Internet and contribute to its routing. Our IP address ranges represent several thousand addresses, including a Provider Independent (PI) block and many addresses geolocated by country (UK, ES, CH, BE, etc.).
A closer look at our teams in charge of NBS System’s infrastructure
NBS System’s teams consist of experts in system and network engineering and IT security. Solution designers, open source contributors, or simply enthusiasts, our engineers can roll out personalised infrastructure or clouds to fit your needs.