
Host for .gov Domain

Started by A.Member, May 27, 2014, 09:58:06 PM


A.Member

For those that have .gov domain for the website, who do you use for hosting?

Finding it a challenge for most hosts to agree to the following requirement (without undue added expense):
Quote:
that the person or entity whose server you propose to use through the IP address in this application has agreed that the server hosting said IP address will be deemed part of the CAP.GOV or CAP.US system or network and that CAP will, from time to time, remotely scan the server at said IP address for security vulnerabilities so as to protect the integrity of the CAP.GOV or CAP.US network
from http://ns1.cap.gov/capgovform.html
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

Майор Хаткевич

You'd think they wouldn't mind...don't you have to give NHQ "keys" anyway in that case?

a2capt

.. it's why you see nothing but static HTML pages on anyone still using the .gov TLD.

Pretty much everyone has bailed, that wanted to do something more, with the exception being NER and NJWG, IIRC, which appear to be self hosted.

Between this and the latest proposal from this same directorate on requiring everyone to use the .gov hierarchy, but at the same time demanding that the provider take down the firewall to allow the box to be scanned.. kinda defeats the purpose. So, yup. IT directors have said screw it.


DreamHost will host a .gov domain, they have to add it manually to the account, and they will provide free hosting to Non-Profits .. use the IRS Determination Letter from NHQ.  I stopped short of requesting a change from the CAP DNS administrator after talking with another Wing IT person on the hassle they went through, and switched to a .org TLD.

A.Member

Quote from: usafaux2004 on May 27, 2014, 10:08:41 PM
You'd think they wouldn't mind...don't you have to give NHQ "keys" anyway in that case?
Ah, yeah...they mind. 

A host isn't giving you a dedicated server (unless you're paying for something well beyond your needs or you have some sweetheart deal). They are running a virtual server. They aren't going to be particularly open to the idea of some yahoos coming in and running scans that potentially impact their performance. They'd need to have some pretty clear guardrails on what those scans entail.

a2capt

..and I'm not even convinced that whole business is within the scope of requirements. I think it's more related to someone making a position for themselves.

Майор Хаткевич

What do we have worth stealing anyway?

dwb

The national CAP web site has been hacked a couple of times. I have screenshots of it from years ago kicking around on my computer somewhere. Some Wing web sites have also been defaced, as recently as this past year.

I suspect the .gov security scanning requirement might actually come from the federal government. Even if it doesn't, it's a good idea. It's embarrassing to CAP to have web sites hacked, and foreign hacker groups in particular relish in hacking anything that ends in .gov, not understanding (or not caring) that it's not actually the fedgov they're hacking.

Personally, I think every member should have a CAP-issued and managed E-mail address for CAP business, complete with templated web hosting for all units. Won't happen any time soon, but a guy can dream.

A.Member

Quote from: usafaux2004 on May 27, 2014, 10:35:52 PM
What do we have worth stealing anyway?
Names, addresses, etc. (i.e. identities) for anywhere between 30 and 60,000 members depending on [struck through: how foolish you are] the size/scope of your unit...

Panache

Quote from: dwb on May 27, 2014, 10:46:37 PM
The national CAP web site has been hacked a couple of times. I have screenshots of it from years ago kicking around on my computer somewhere. Some Wing web sites have also been defaced, as recently as this past year.

Heck, back in February I helped UH60guy track down some malicious javascript code in the VAWG website...

Майор Хаткевич

Quote from: A.Member on May 28, 2014, 02:20:54 AM
Quote from: usafaux2004 on May 27, 2014, 10:35:52 PM
What do we have worth stealing anyway?
Names, addresses, etc. (i.e. identities) for anywhere between 30 and 60,000 members depending on [struck through: how foolish you are] the size/scope of your unit...

Why would that be on the unit website?

A.Member

Quote from: usafaux2004 on May 28, 2014, 04:34:15 AM
Quote from: A.Member on May 28, 2014, 02:20:54 AM
Quote from: usafaux2004 on May 27, 2014, 10:35:52 PM
What do we have worth stealing anyway?
Names, addresses, etc. (i.e. identities) for anywhere between 30 and 60,000 members depending on [struck through: how foolish you are] the size/scope of your unit...

Why would that be on the unit website?
Did you notice the strikethrough?  You might be surprised at the information I've seen and continue to find on various unit sites; some of the larger offenders are up the food chain. 

The question was what do we have worth stealing?  Just look at the amount of information that we gather on our members; way, way too much...and most of it is not needed and some of it is quite sensitive.  I'd argue there is no legitimate need to collect most of it - but that's getting a bit off topic.

Tim Day

I'm in the process of working with the cap.gov domain administrator to authorize a new web host for the vawg.cap.gov domain. The service will provide a virtual private server with 2 dedicated IP addresses.

We are coordinating with the technicians at the hosting service and working through a series of NESSUS (security) scans, improving a little with each one. This can be tricky because of the way the report describes the vulnerabilities.

Once we're authorized, we should be able to provide hosting to units within the wing. Cost is reasonable (< $500 per year) for a Wing, especially if we can alleviate some cost for subordinate units.

If we're able to pass the scans eventually, I'll be happy to pass the name of the host service via PM.
Tim Day
Lt Col CAP
Prince William Composite Squadron Commander

dwb

Quote from: Panache on May 28, 2014, 04:00:34 AM
Quote from: dwb on May 27, 2014, 10:46:37 PM
The national CAP web site has been hacked a couple of times. I have screenshots of it from years ago kicking around on my computer somewhere. Some Wing web sites have also been defaced, as recently as this past year.

Heck, back in February I helped UH60guy track down some malicious javascript code in the VAWG website...

I was being polite and not naming names...  :-X

A.Member

Quote from: Tim Day on May 28, 2014, 07:20:27 PM
I'm in the process of working with the cap.gov domain administrator to authorize a new web host for the vawg.cap.gov domain. The service will provide a virtual private server with 2 dedicated IP addresses.

We are coordinating with the technicians at the hosting service and working through a series of NESSUS (security) scans, improving a little with each one. This can be tricky because of the way the report describes the vulnerabilities.

Once we're authorized, we should be able to provide hosting to units within the wing. Cost is reasonable (< $500 per year) for a Wing, especially if we can alleviate some cost for subordinate units.

If we're able to pass the scans eventually, I'll be happy to pass the name of the host service via PM.
Send it, please.  I'm glad you were able to actually get in touch with National.  I've left 3 messages...all unreturned.

Tim Day

Quote from: Tim Day on May 28, 2014, 07:20:27 PM
I'm in the process of working with the cap.gov domain administrator to authorize a new web host for the vawg.cap.gov domain. The service will provide a virtual private server with 2 dedicated IP addresses.

We are coordinating with the technicians at the hosting service and working through a series of NESSUS (security) scans, improving a little with each one. This can be tricky because of the way the report describes the vulnerabilities.

Once we're authorized, we should be able to provide hosting to units within the wing. Cost is reasonable (< $500 per year) for a Wing, especially if we can alleviate some cost for subordinate units.

If we're able to pass the scans eventually, I'll be happy to pass the name of the host service via PM.

We've been approved. Here's the service I used: http://www.arvixe.com/vps_virtual_private_servers_hosting. CAP.gov domain administrator coordinated with me and the techs there by email over a span of days as we addressed each identified vulnerability.
Tim Day
Lt Col CAP
Prince William Composite Squadron Commander

A.Member

Quote from: a2capt on May 27, 2014, 10:10:40 PM
Between this and the latest proposal from this same directorate on requiring everyone to use the .gov hierarchy...
I've heard of no such "directorate".  Source?

a2capt


A.Member

Quote from: a2capt on May 30, 2014, 04:31:17 AM
It's mentioned in the agenda, here:

http://captalk.net/index.php?topic=18825.0
Thanks.  I'm guessing nothing came of it...it was just a CSAG agenda item and didn't seem to have a ton of support at that.

Also, just curious, for those that know Col Webb, what is his background/qualifications for being the cap.gov domain administrator?  Does he have a professional IT background? (that's not necessarily a callout, just curious - as stated)

dwb

His initials are WWW and his last name is Webb. Is there anyone more qualified? :)

(I don't actually have an answer, sorry)

Mustang

Webb is an attorney, not an IT professional.
"Amateurs train until they get it right; Professionals train until they cannot get it wrong. "