Firewall help (hardware or software)

Posted on 2015-02-19
Medium Priority
Last Modified: 2016-03-02
Hey guys,

I'm looking to set up a firewall to place in front of our ecommerce shop and associated servers. I have a general understanding of firewalls but I'm not experienced with business level / hardware firewalls and I'm hoping someone can help me understand these better so that I make the right choice for our application.

Recently, our Magento shop was exploited due to a 3rd party extension (Magmi) and the hacker ended up installing a web shell and modifying some core files to skim credit card details of unsuspecting customers. We found their malicious code and disabled credit card processing in the meantime but we don't really know what else they were able to do with that web shell.

Right now we're basically rebuilding our shop on a new server and we'll be moving the data over to it. We're also going to step up our game with security as much as possible at the server level (filesystem monitoring, disabling dangerous functions in php, frequent scanning for malicious files, and more) but I want to go further than that.

What I'm trying to understand is if these business level firewalls would have been able to catch this type of activity and block it. In simpler terms, do these firewalls add rules to protect against known exploits like the Magmi one that affected us? I.e., would they catch this type of stuff going in and out? I'm assuming that's what they charge monthly subscription rates for, right?

If so, what's an economical but reliable route to go? We have 2 web shops that do anywhere from 20-80 transactions per day but there are days (new product launches) where transactions can spike up to 1000+ over the course of a 24 hour period.

Are there good software solutions that we can use if we have our own hardware (we have a bunch of machines and components laying around) or should we focus on only using a hardware solution from a known company?

I hope I'm clear with what I'm after, thanks for your help!
Question by: mcainc
LVL 14

Assisted Solution

by: Natty Greg
Natty Greg earned 400 total points
ID: 40620343
I'm not a firewall expert, but a paranoid expert (lol), so I have used two systems in the past: a Cisco router, locked down so that it does not respond to anything from the internet (my ISP could not find me either). With that said, you choose the ports and protocols you want to accept from the internet side. Then I backed that up with a pfSense router, with a proxy filter and antivirus scanner at the interface.

All this will help, but education is better, because with all that security it takes one person to download an attachment with a virus to make the security redundant. They're really good hackers, but almost all breaches are done from inside your network.

So pfSense is a good firewall with a learning curve, but once set up it will really help you with hacker alerts through the use of Snort, an intrusion detection mechanism.

Author Comment

ID: 40620367
Thanks nattygreg,

I think I might be looking for something a little different.

This appears more along the lines of what I'm after https://techlib.barracuda.com/bwafoverview but it's nearly $5k (ouch) from what I've seen online.

In our case, having a firewall that can catch and block a threat that we didn't even know existed would have been huge. If I'm not misunderstanding the capabilities of this firewall, it appears that it protects from high visibility attacks. I found web articles from mid-2014 about the Magmi exploit that affected us, I'm assuming this is the kind of stuff they look for?

The "Data Theft Protection" would have been awesome as well if we could control where credit card information is being sent (i.e., only allow this information to be sent to authorize.net) or if they're skimming username & password combinations. I suppose standard firewalls could catch that if we had rules setup correctly.

Thanks again!
LVL 14

Expert Comment

by: Natty Greg
ID: 40620385
Very good system, it's worth the money. Learn the lesson, set the rules and alerts, and if you can afford it, please hire a forensics expert to audit your systems while you implement this new system.

Author Comment

ID: 40620525
Anyone familiar with Citrix netscaler? Thoughts on that?

Accepted Solution

Daniel Sheppard earned 1200 total points
ID: 40621332
This isn't just a firewall issue. You need to secure your webstore at multiple levels:

1. Perform a full code audit
2. Separate your database server and web frontend if you haven't already (this is actually a PCI-DSS requirement if you are doing your own processing).
3. Encrypt your database
4. Configure a filesystem monitor to identify any changes to:
   a. Your system files (shells, libraries, binaries, etc.)
   b. Scan for new executable files
   c. Keep monitoring your code; any code changes should be documented.
5. Configure a system level firewall (iptables, etc. for Linux; Windows Firewall or better for Windows) and lock it down to only the most absolutely essential ports inbound and outbound.
6. Disable any code functions you don't need (for example, in PHP you can disable any "system calls" and process control functions).
7. Update your system constantly (I can't stress this enough)
8. Audit your security, identify possible attack vectors and look for ways to mitigate
9. Consider separating your Frontend, Processing and Database into multiple servers.
10. Invest in a hardware firewall: Web Frontend accessible through one interface, Database only from web frontend on specified ports

Security is never ending, so there is much, much more.

And for hardware firewalls, I would recommend a Cisco ASA with IPS/IDS and Botnet. Barracuda is also a decent brand. A Citrix Netscaler is more of a Hardware Load Balancer.
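Step 4 of the list above (filesystem monitoring, including the scan for new executable files) in script form, as an added example and not code from the thread or from Daniel: a small POSIX sh file-integrity check that records SHA-256 hashes of a web root once after a clean deploy, reports added, modified and removed files on each later run, and lists executable files. It assumes GNU coreutils (sha256sum), awk and find, and file names without whitespace; the function names and paths are this example's own.

```shell
#!/bin/sh
# Constructed example: a minimal file-integrity monitor for a web root.
# Assumes GNU coreutils (sha256sum), find, sort and awk, and file names
# without whitespace. Function names and paths are this example's own.

# Hash every regular file under $1 and store "hash  ./path" lines in $2.
# Run once right after a clean deploy, before the site goes live.
fim_baseline() {
    dir=$1; baseline=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2) > "$baseline"
}

# Compare the tree under $1 against the baseline in $2 and print one line per
# ADDED, MODIFIED or REMOVED file. Returns 0 when nothing changed, 1 otherwise,
# so a cron job can alert on the exit status. A modified core file plus a new
# .php file is exactly the pattern the web shell in the question left behind.
fim_check() {
    dir=$1; baseline=$2; current=$(mktemp); status=0
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2) > "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
         {
             if (!($2 in base))       { print "ADDED    " $2; n++ }
             else if (base[$2] != $1) { print "MODIFIED " $2; n++ }
             seen[$2] = 1
         }
         END {
             for (p in base) if (!(p in seen)) { print "REMOVED  " p; n++ }
             exit (n > 0)
         }' "$baseline" "$current" || status=$?
    rm -f "$current"
    return "$status"
}

# Step 4b: list regular files under $1 with the owner-execute bit set. A PHP
# web root normally contains none, so anything listed deserves a look.
fim_find_exec() {
    (cd "$1" && find . -type f -perm -100 | sort)
}

# Usage (paths are placeholders):
#   fim_baseline /var/www/shop /var/lib/fim/shop.sha256   # after a clean deploy
#   fim_check    /var/www/shop /var/lib/fim/shop.sha256   # from cron; alert on exit 1
```

Re-run fim_baseline only after a deploy you have reviewed, otherwise a change introduced between runs silently becomes part of the new baseline.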
LVL 34

Assisted Solution

it_saige earned 400 total points
ID: 40621571
If cost is of concern, you could also use existing pc hardware and build your own firewall using pfSense (an OpenBSD derived Packet Filter).

There are drawbacks in that you end up shouldering the bulk of the responsibility for maintaining and managing the system. The pfSense group does offer Commercial Support if needed (obviously for a price). However, if you do decide that it is better to use an Enterprise Level hardware firewall, Daniel's recommendation is right on point.


Author Comment

ID: 40623442
Thanks guys, I spoke with the guys at Barracuda and went with their 540 Load Balancer since it offers the same Data Theft Protection engine as their WAF and we can use it for scaling more efficiently. On top of that we also got their x300 Firewall.

We're already working on pretty much exactly what Daniel recommended but I wanted to add an additional layer of security in front of our servers JUST to go that extra mile since you never know.

Honestly, I never really took security as seriously as I should have until AFTER the hack... now I know better. You security guys definitely have a tough job and so many things to consider. I can imagine that it would be hard to justify the need for something at an enterprise level when budgets aren't limitless (take small businesses for example)... I'm pretty much one of the guys that would say, "we'll add that later" and just procrastinate. Now here I am, after a messy hack, with an entirely new outlook on things.

Thank you again for your input everyone.
