
12. Network Security

Thru employs a defense-in-depth strategy to secure the network of its Managed File Transfer service. Our approach combines multiple layers of protection (Network Security Groups and Application Security Groups, configured to deny by default and allow only approved ASG-to-ASG flows), advanced monitoring, and proactive threat management.

We utilize a combination of host and network monitoring, log analysis, and cloud security analytics for threat detection and automated response. Our security infrastructure includes:

  • XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) tools

  • Endpoint Detection and Response (EDR)

  • Vulnerability management across Thru infrastructure

  • Native Azure analytics for anomaly detection

  • Search-engine-based tooling for tracking external signals of emerging attack campaigns

12.1 Network Architecture and Segmentation

Our network architecture is designed on the principles of defense-in-depth and least privilege:

  • Multi-Tier Architecture: Our network is divided into multiple tiers (e.g., web, application, database) to isolate different service components.

  • Security Groups: We leverage the native access controls provided by AWS and Azure. In Azure, Application Security Groups (ASGs) play a key role in network segmentation: each resource is tagged with the ASG that matches its communication scope, so that NSG rules can reference workloads by role rather than by IP address.

  • Traffic Flow Control: NSG rules permit connections only between approved pairs of ASGs, and only in the direction from the higher-trust ASG to the lower-trust one; all other flows are denied, which limits lateral movement if a component is compromised.

12.2 Preventative Controls

Multiple preventative controls are in place to mitigate risk exposure:

  • Web Application Firewall (WAF): HAProxy performs layer 7 filtering (deny all by default; allow only a limited set of URL paths), TLS termination, JSON Web Token (JWT) verification, and rate limiting.

  • OWASP Top 10 Risk Mitigation: We rely on React's default output escaping, .NET model binding, and database row-level security to mitigate SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other common web vulnerabilities.

  • Database Row-Level Security (RLS): Every query is constrained at the database layer to the rows the caller is authorized to access, so a flaw in application logic cannot expose or modify other users' data.

  • Brute Force Protection: This includes login delays, account lockouts, IP blocking, and API throttling.

  • Network Security Groups (NSGs): Deny traffic by default and permit only explicitly authorized connections.

  • Application Security Groups (ASGs): Permit only the approved service-to-service connections; all other traffic is blocked by default.
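The four brute-force controls listed above interact, and the decisions that matter are which counters reset and when. The following is an added example, not code from Thru's product: a self-contained C# guard (the class, method names, thresholds and windows are all assumptions) that applies per-account login delays and lockouts, per-IP blocking, and a per-IP API throttle in one place.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;

public enum LoginVerdict { Allow, Delay, AccountLocked, IpBlocked, Throttled }

// Added example, not Thru's code. Thresholds and windows are illustrative assumptions.
public sealed class BruteForceGuard
{
    private const int MaxAccountFailures = 5;       // lock the account after this many failures
    private const int MaxIpFailures = 20;           // block the source IP after this many failures
    private const int ApiRequestsPerWindow = 100;   // per-IP API throttle
    private static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);
    private static readonly TimeSpan ThrottleWindow = TimeSpan.FromMinutes(1);

    private sealed class Counter
    {
        public int Count;
        public DateTimeOffset WindowStart;
        public DateTimeOffset BlockedUntil;
    }

    private readonly ConcurrentDictionary<string, Counter> _accounts = new(StringComparer.OrdinalIgnoreCase);
    private readonly ConcurrentDictionary<IPAddress, Counter> _ips = new();
    private readonly ConcurrentDictionary<IPAddress, Counter> _api = new();
    private readonly Func<DateTimeOffset> _now;

    // Injectable clock so the windows can be tested without sleeping.
    public BruteForceGuard(Func<DateTimeOffset>? clock = null) =>
        _now = clock ?? (() => DateTimeOffset.UtcNow);

    // Called before the password is checked. The IP is evaluated first so that a blocked
    // source learns nothing about account state. For Delay, the caller stalls the response
    // by 'delay' (1 s, 2 s, 4 s, 8 s ... capped at 30 s) before answering.
    public LoginVerdict CheckLogin(string username, IPAddress source, out TimeSpan delay)
    {
        delay = TimeSpan.Zero;
        var now = _now();
        if (_ips.TryGetValue(source, out var ip) && ip.BlockedUntil > now)
            return LoginVerdict.IpBlocked;
        if (_accounts.TryGetValue(username, out var acct))
        {
            if (acct.BlockedUntil > now)
                return LoginVerdict.AccountLocked;
            if (acct.Count > 0 && now - acct.WindowStart < LockoutWindow)
            {
                delay = TimeSpan.FromSeconds(Math.Min(30, Math.Pow(2, acct.Count - 1)));
                return LoginVerdict.Delay;
            }
        }
        return LoginVerdict.Allow;
    }

    // Called after the password check with its outcome.
    public void RecordLogin(string username, IPAddress source, bool succeeded)
    {
        var now = _now();
        if (succeeded)
        {
            // Only the account counter is cleared. The IP counter deliberately survives a
            // success: otherwise an attacker holding one valid credential could reset the
            // IP counter between guesses against other accounts.
            _accounts.TryRemove(username, out _);
            return;
        }
        Bump(_accounts.GetOrAdd(username, _ => new Counter { WindowStart = now }), now, MaxAccountFailures, LockoutWindow);
        Bump(_ips.GetOrAdd(source, _ => new Counter { WindowStart = now }), now, MaxIpFailures, LockoutWindow);
    }

    // Fixed-window per-IP API throttle, independent of authentication outcome.
    public LoginVerdict CheckApiRequest(IPAddress source)
    {
        var now = _now();
        var c = _api.GetOrAdd(source, _ => new Counter { WindowStart = now });
        lock (c)
        {
            if (now - c.WindowStart >= ThrottleWindow) { c.WindowStart = now; c.Count = 0; }
            c.Count++;
            return c.Count > ApiRequestsPerWindow ? LoginVerdict.Throttled : LoginVerdict.Allow;
        }
    }

    // Increment a failure counter inside its window; start a block once the limit is hit.
    private static void Bump(Counter c, DateTimeOffset now, int max, TimeSpan window)
    {
        lock (c)
        {
            if (now - c.WindowStart >= window) { c.WindowStart = now; c.Count = 0; }
            c.Count++;
            if (c.Count >= max) c.BlockedUntil = now + window;
        }
    }
}
```

Two details matter in practice. A success clears only the account counter, never the IP counter, so one known-good credential cannot be used to launder a password-spraying session. The caller should also return the same response body and timing to the client for AccountLocked as for a wrong password, otherwise the lockout itself becomes a username-enumeration oracle. Counters here live in process memory; behind a load balancer they belong in a shared store.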

12.3 DDoS Protection

  • Thru uses Microsoft's Azure DDoS Protection for always-on traffic scrubbing and rapid mitigation of volumetric attacks. HAProxy's layer 7 rules are tuned to cover the application-layer floods that network-level scrubbing does not see, while minimizing false positives.

12.4 DoS Protection

  • In addition to HAProxy throttling at the entry point to Thru's services, calls between services are wrapped in Polly policies that implement retry with decorrelated jitter, bulkhead isolation, and the circuit breaker pattern, so that a slow or failing dependency cannot exhaust the caller's connections or threads.
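As an added example, not Thru's code: how the three patterns listed above fit together in one Polly policy wrap in C#. The page's "Poly templates" are read here as the Polly .NET resilience library (version 7, with the Polly.Contrib.WaitAndRetry package for decorrelated jitter); the thresholds, the HttpClient wiring and the CallAsync helper are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Polly;
using Polly.Contrib.WaitAndRetry;   // NuGet: Polly.Contrib.WaitAndRetry
using Polly.Wrap;

// Added example, not Thru's code. Thresholds are illustrative assumptions.
public static class ServiceCallPolicies
{
    public static AsyncPolicyWrap<HttpResponseMessage> Build()
    {
        // Bulkhead (innermost): at most 10 calls in flight to this dependency, 20 queued.
        // Excess callers fail fast with BulkheadRejectedException instead of tying up
        // threads and sockets while the dependency is slow.
        var bulkhead = Policy.BulkheadAsync<HttpResponseMessage>(10, 20);

        // Circuit breaker: after 5 consecutive handled failures, open the circuit for 30 s.
        // While open, calls fail immediately with BrokenCircuitException and the dependency
        // gets a chance to recover instead of being hammered.
        var breaker = Policy
            .Handle<HttpRequestException>()
            .OrResult<HttpResponseMessage>(r => (int)r.StatusCode >= 500)
            .CircuitBreakerAsync(5, TimeSpan.FromSeconds(30));

        // Retry (outermost): up to 4 retries with decorrelated jitter, so callers that all
        // failed at the same moment do not retry in lock-step and recreate the overload.
        // 429s from the HAProxy throttle and rejections from the bulkhead or the open
        // circuit are deliberately not handled here: those are load-shedding signals,
        // and retrying them would defeat the purpose.
        var delays = Backoff.DecorrelatedJitterBackoffV2(TimeSpan.FromMilliseconds(200), 4);
        var retry = Policy
            .Handle<HttpRequestException>()
            .OrResult<HttpResponseMessage>(r => (int)r.StatusCode >= 500)
            .WaitAndRetryAsync(delays);

        // Order matters: Policy.WrapAsync lists the outermost policy first.
        return Policy.WrapAsync<HttpResponseMessage>(retry, breaker, bulkhead);
    }

    // Assumed helper: run one outbound call through the wrap.
    public static Task<HttpResponseMessage> CallAsync(
        IAsyncPolicy<HttpResponseMessage> policy, HttpClient client, Uri uri, CancellationToken ct) =>
        policy.ExecuteAsync(token => client.GetAsync(uri, token), ct);
}
```

Build the wrap once per dependency and reuse it: breaker and bulkhead state live in the policy instance, so a fresh instance per call would never trip and would give no protection at all.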

12.5 Secure Remote Access

  • VPN with multi-factor authentication is required for all remote access to our network, ensuring secure connections for remote workers.

12.6 Monitoring and Response

  • Extended Threat Detection: Our XDR tool is the central console for security monitoring; it aggregates critical event streams and applies correlation rules to detect indicators of compromise and audit failures.

  • Continuous Security Awareness: We consume Common Vulnerabilities and Exposures (CVE) advisories and threat intelligence sources to maintain an up-to-date inventory of potential attack vectors.

12.7 Vulnerability Management

  • Our vulnerability management program performs impact analysis as new CVEs are published and then rolls out updates across the affected assets. This shortens the window between public disclosure of a vulnerability and its remediation on Thru infrastructure.

12.8 File Scanning

  • As an additional security measure, Thru MFT services scan files up to 250 MB (configurable) before transfer or download. For performance reasons, larger files are passed through without scanning, so the limit should be chosen with that trade-off in mind. Scanning limits can be adjusted per environment, and dedicated single-tenant deployments can be configured as required.

Thru's multi-layered approach to network security combines robust architecture, preventative controls, continuous monitoring, and proactive threat management. This comprehensive strategy ensures the highest level of protection for our customers' data and maintains the integrity of our Managed File Transfer service.

Glossary of Terms:

  • XDR: Extended Detection and Response

  • SIEM: Security Information and Event Management

  • EDR: Endpoint Detection and Response

  • JWT: JSON Web Token

  • ASG: Application Security Group

  • NSG: Network Security Group

  • RLS: Row-Level Security

  • WAF: Web Application Firewall

  • OWASP: Open Web Application Security Project

  • CVE: Common Vulnerabilities and Exposures
