Physical security
Location
Colocation hosting is only offered in the Samrand facility.
The following applies specifically to the Samrand Data Centre.
The facility is not in a direct flight path or low lying area and is centrally located between Johannesburg and Pretoria with a major power substation close by. A geotechnical audit has been done to ensure ground stability.
Surveillance
The Samrand data centre uses 45 internal and external surveillance cameras, as well as 10 perimeter cameras, which are strategically placed and monitored around the clock to ensure that all servers remain off-limits to anyone without security clearance. High-voltage security fences and a 24/7 security presence help to deter any opportunistic crimes.
Access control
Customers, employees and contractors have varying levels of authorised access to different areas of our facility, controlled by high-tech biometric scanning systems, with 20 devices and pin-coded keypads.
Colocation customers have 24/7 unattended access to their POD and a unique pin to each of their racks.
Fire prevention
The facility is custom-designed for low fire risk, with a Very Early Smoke Detection Apparatus (VESDA) installed to trigger alarms at even the slightest hint of smoke particles.
There are no flammable materials present in the ‘white space’ in the Data Centre and all cabling is fire-retardant.
Power outages
An 11kV power supply from the municipal power utility energises a fault-tolerant, medium-voltage ring that powers two separate low-voltage 2MVA energy centres. These A- and B feeds power mission-critical infrastructure such as IT load, air conditioning, security systems and emergency lighting. They provide seamless electrical failover with their own emergency backup power systems in the event of a power failure.
The data centre have on-site fuel storage sufficient to run our generators for 7 days’ continuously. The data centre UPS’s provide always-on power, with battery standby time of 30 minutes.
Connectivity
The data centre network is multi-homed with multiple uplinks per data centre via at least two Tier 1 upstream providers and peering partners. Should a network failure occur, traffic is automatically rerouted via alternate uplinks, significantly increasing our network resilience.
Connectivity is provided through diverse, redundant fibre routes connecting the facility to a 10Gbps fibre ring.
Network security
Network level security consists of three main components:
- DDoS mitigation
- VLAN reverse path forwarding protection
- Juniper firewall rules at the network edge and core
DDoS mitigation
A DDoS detection and mitigation system is deployed in both the Cape Town and Samrand data-centres. DDoS attack traffic is diverted to a filter/scrubbing server that can distinguish between valid and malicious traffic. Malicious traffic is scrubbed off while valid traffic is re-injected into the network. The victim IP is not affected during the DDoS attack. DDoS detection and mitigation is fully automated and traffic diversion occurs automatically.
Small DDoS attacks are scrubbed locally in the data-centre by the mitigation system. For larger attacks, traffic is diverted to an international DDoS mitigation provider which then sends the clear traffic on to South Africa.
VLAN Reverse path forwarding protection
Reverse path forwarding protection is enabled for all VLANs in our data centres. This policy ensures that only the subnets allocated to a VLAN can generate traffic for that VLAN. This helps to mitigate two kinds of malicious traffic:
- Source-spoofed traffic where a host is sending out traffic for subnets that do not belong to the VLAN.
- Inter-VLAN subnet spoofing, where a host in one VLAN uses IP addresses from another VLAN using source-spoofing.
Juniper firewall rules
Firewall rules on the data centre network edge and at the core are used to protect the network in a number of ways:
- Rate-limiting of certain protocols to protect the network infrastructure.
- Blocking of certain protocols and destination IP addresses to protect our operational systems.
- Restricting access to certain hosts and protocols to defined lists of source addresses.
- Blocking of abusive IP addresses and hosts.
Monitoring
All servers managed by us are monitored 24/7 for all critical services and hardware health. The data centre reactive system administrators react to monitoring alerts as they are identified and escalate issues to data centre staff or platform engineers.
Platform security
Servers
All servers used to provide our managed hosting service, both for shared web hosting and managed servers are physical servers exclusively provisioned and managed by us.
The data centre Self-managed servers are provisioned by us, while the software is maintained by the customer.
Servers are designed to provide redundancy and reliability, including multi-core, multi-CPU systems, ECC (Error-Correcting Code) memory modules to detect and correct data corruption in real-time and enterprise grade storage that includes hard disk and solid state drives.
All data is stored on dedicated, robust RAID storage arrays providing data redundancy and integrity.
Additionally, our TruServ Commerce range of Self-Managed servers include a Battery Backup Unit (BBU) which protects and maintains the data on RAID cards.
Security response policy
All relevant security advisories are evaluated weekly. The data centre make use of Debian Linux and trust their security response to all CVEs.
Note: Debian is a slow moving distribution, which means that versioning misinterpretation regarding security vulnerabilities may occur when looking at the output of a typical automated security scan. Debian don’t upgrade major versions for any releases once they move into the stable release phase, but they do apply security patches. Therefore it may appear that the old stable release of Debian is running an insecure version of certain software packages e.g. OpenSSL (1.0.1t-1). However, once the Debian patch version is applied (1.0.1t-1+deb7u3), the vulnerability is addressed. This indicates the Debian maintainer’s ongoing commitment to patching security related issues on all supported versions of Debian.
The data centre are committed to updating all software to the latest stable versions within 7 days of their release, and within 24 hours for critical software updates.
Remote access
Access to managed servers is limited by means of Linux firewall software. All managed servers make use of the same incoming firewall rules and we do not allow any deviation from the standard rulesets