Solved

Firewall help (hardware or software)

Posted on 2015-02-19
7
344 Views
Last Modified: 2016-03-02
Hey guys,

I'm looking to setup a firewall to place in front of our ecommerce shop and associated servers. I have a general understanding of firewalls but I'm not experienced with business level / hardware firewalls and I'm hoping someone can help me understand these better so that I make the right choice for our application.

Recently, our Magento shop was exploited due to a 3rd party extension (Magmi) and the hacker ended up installing a web shell and modifying some core files to skim credit card details of unsuspecting customers.  We found their malicious code and disabled credit card processing in the meantime but we don't really know what else they were able to do with that web shell.

Right now we're basically rebuilding our shop on a new server and we'll be moving the data over to it. We're also going to step up our game with security as much as possible at the server level (filesystem monitoring, disabling dangerous functions in php, frequent scanning for malicious files, and more) but I want to go further than that.

What I'm trying to understand is if these business level firewalls would have been able to catch this type of activity and block it. In simpler terms, do these firewalls add rules to protect against known exploits like the Magmi one that affected us? I.e., would they catch this type of stuff going in and out? I'm assuming that's what they charge monthly subscription rates for, right?

If so, what's an economical but reliable route to go? We have 2 web shops that do anywhere from 20-80 transactions per day but there are days (new product launches) where transactions can spike up to 1000+ over the course of a 24 hour period.

Are there good software solutions that we can use if we have our own hardware (we have a bunch of machines and components laying around) or should we focus on only using a hardware solution from a known company?

I hope I'm clear with what I'm after, thanks for your help!
0
Comment
Question by:mcainc
7 Comments
 
LVL 9

Assisted Solution

by:nattygreg
nattygreg earned 100 total points
ID: 40620343
I'm not a firewall expert, but paranoid expert (lol) so I have used two system in the past cisco router and lock it down where it does not respond to anything from the internet (my isp) could not find me either. With that said you choose the ports and protocols you want to accept from the internet side. Then I backed that up with pfsense router, with proxy filter, antivirus scanner at interface.

All this will help but education is better, cause with all that security it takes one person to download an attachment with virus to make security redundant. They're really good hackers but almost all breach is done from inside your network.

So pfsense is a good firewall with learning curve but once setup will really help you with hacker alerts through the use of snort, an intrusion detection mechanism.
0
 

Author Comment

by:mcainc
ID: 40620367
Thanks nattygreg,

I think I might be looking for something a little different.

This appears more along the lines of what I'm after https://techlib.barracuda.com/bwafoverview but it's nearly $5k (ouch) from what I've seen online.

In our case, having a firewall that can catch and block a threat that we didn't even know existed would have been huge. If I'm not misunderstanding the capabilities of this firewall, it appears that it protects from high visibility attacks. I found web articles from mid-2014 about the Magmi exploit that affected us, I'm assuming this is the kind of stuff they look for?

The "Data Theft Protection" would have been awesome as well if we could control where credit card information is being sent (i.e., only allow this information to be sent to authorize.net) or if they're skimming username & password combinations. I suppose standard firewalls could catch that if we had rules setup correctly.

Thanks again!
0
 
LVL 9

Expert Comment

by:nattygreg
ID: 40620385
Very good system, its work the money, learn the lesson set the rules and alerts and if you can afford please hire a forensics expert to audit your systems while you implement this new system.
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 

Author Comment

by:mcainc
ID: 40620525
Anyone familiar with Citrix netscaler? Thoughts on that?
0
 
LVL 6

Accepted Solution

by:
Daniel Sheppard earned 300 total points
ID: 40621332
This isn't just a firewall issue.  You need to secure your webstore in multiple levels:

1. Perform a full code audit
2. Separate your database server and web frontend if you haven't already (this is actually a PCI-DSS requirement if you are doing your own processing).
3. Encrypt your database
4. Configure a filesystem monitor to identify any changes to:
a. Your system files (shells, libraries,binaries, etc)
b. Scan for new executable files
c. Keep monitoring your code, any code changes should be documented.
5. Configure a system level firewall (iptables, etc for linux.  Windows Firewall or better for Windows) and lock it down to only the most absolutely essential ports inbound and outbound.
6. Disable any code functions you don't need (For Example, PHP you can disable any "system calls" and process control functions.
7. Update your system constantly (I can't stress this enough)
8. Audit your security, identify possible attack vectors and look for ways to mitigate
9. Consider separating your Frontend, Processing and Database into mutliple servers.
10. Invest in a hardware firewall, Web Frontend accessible through one interface, Database only from web frontend on specified ports

Security is never ending, so there is much, much more.

And for hardware firewalls, I would recommend a Cisco ASA with IPS/IDS and Botnet.  Barracuda is also a decent brand.  A Citrix Netscaler is more of a Hardware Load Balancer.
0
 
LVL 33

Assisted Solution

by:it_saige
it_saige earned 100 total points
ID: 40621571
If cost is of concern, you could also use existing pc hardware and build your own firewall using pfSense (an OpenBSD derived Packet Filter).

There are drawbacks in that you end up shouldering a bulk of the responsibility with maintaining and managing the system.  The pfSense group does offer Commercial Support if needed (obviously for a price).  However, if you do decide that it is better to use an Enterprise Level hardware firewall, Daniels recommendation is right on point.

-saige-
0
 

Author Comment

by:mcainc
ID: 40623442
Thanks guys, I spoke with the guys at Barracuda and went with their 540 Load Balancer since it offers the same Data Theft Protection engine as their WAF and we can use it for scaling more efficiently. On top of that we also got their x300 Firewall.

We're already working on pretty much exactly what Daniel recommended but I wanted to add an additional layer of security in front of our servers JUST to go that extra mile since you never know.

Honestly, I never really took security as serious as I should have until AFTER the hack... now I know better. You security guys definitely have a tough job and so many things to consider. I can imagine that it would be hard to justify the need for something at an enterprise level when budgets aren't limitless (take small businesses for example).... I'm pretty much one of the guys that would say, "we'll add that later" and just procrastinate. Now here I am, after a messy hack, with an entirely new outlook on things.

Thank you again for your input everyone.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

E-commerce is quite a gambling world, and you should never entrust your business to a lucky chance. In order to outrun your competitors in a race to attract as many customers as possible, you need to have a well thought-out strategy under your belt.…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now