Firewall help (hardware or software)

Posted on 2015-02-19
Last Modified: 2016-03-02
Hey guys,

I'm looking to setup a firewall to place in front of our ecommerce shop and associated servers. I have a general understanding of firewalls but I'm not experienced with business level / hardware firewalls and I'm hoping someone can help me understand these better so that I make the right choice for our application.

Recently, our Magento shop was exploited due to a 3rd party extension (Magmi) and the hacker ended up installing a web shell and modifying some core files to skim credit card details of unsuspecting customers.  We found their malicious code and disabled credit card processing in the meantime but we don't really know what else they were able to do with that web shell.

Right now we're basically rebuilding our shop on a new server and we'll be moving the data over to it. We're also going to step up our game with security as much as possible at the server level (filesystem monitoring, disabling dangerous functions in php, frequent scanning for malicious files, and more) but I want to go further than that.

What I'm trying to understand is if these business level firewalls would have been able to catch this type of activity and block it. In simpler terms, do these firewalls add rules to protect against known exploits like the Magmi one that affected us? I.e., would they catch this type of stuff going in and out? I'm assuming that's what they charge monthly subscription rates for, right?

If so, what's an economical but reliable route to go? We have 2 web shops that do anywhere from 20-80 transactions per day but there are days (new product launches) where transactions can spike up to 1000+ over the course of a 24 hour period.

Are there good software solutions that we can use if we have our own hardware (we have a bunch of machines and components laying around) or should we focus on only using a hardware solution from a known company?

I hope I'm clear with what I'm after, thanks for your help!
Question by:mcainc
LVL 11

Assisted Solution

by:Natty Greg
Natty Greg earned 100 total points
ID: 40620343
I'm not a firewall expert, but a paranoid expert (lol), so I have used two systems in the past: a Cisco router locked down so that it does not respond to anything from the internet (my ISP could not find me either). With that said, you choose the ports and protocols you want to accept from the internet side. Then I backed that up with a pfSense router, with a proxy filter and an antivirus scanner at the interface.

All this will help, but education is better, because with all that security it takes one person to download an attachment with a virus to make security redundant. There are really good hackers, but almost all breaches are done from inside your network.

So pfSense is a good firewall with a learning curve, but once set up it will really help you with hacker alerts through the use of Snort, an intrusion detection mechanism.

Author Comment

by:mcainc
ID: 40620367
Thanks nattygreg,

I think I might be looking for something a little different.

This appears more along the lines of what I'm after https://techlib.barracuda.com/bwafoverview but it's nearly $5k (ouch) from what I've seen online.

In our case, having a firewall that can catch and block a threat that we didn't even know existed would have been huge. If I'm not misunderstanding the capabilities of this firewall, it appears that it protects from high visibility attacks. I found web articles from mid-2014 about the Magmi exploit that affected us; I'm assuming this is the kind of stuff they look for?

The "Data Theft Protection" would have been awesome as well if we could control where credit card information is being sent (i.e., only allow this information to be sent to authorize.net) or if they're skimming username & password combinations. I suppose standard firewalls could catch that if we had rules set up correctly.

Thanks again!
LVL 11

Expert Comment

by:Natty Greg
ID: 40620385
Very good system, it's worth the money. Learn the lesson, set the rules and alerts, and if you can afford it, please hire a forensics expert to audit your systems while you implement this new system.

Author Comment

by:mcainc
ID: 40620525
Anyone familiar with Citrix NetScaler? Thoughts on that?
LVL 6

Accepted Solution

by:Daniel Sheppard
Daniel Sheppard earned 300 total points
ID: 40621332
This isn't just a firewall issue. You need to secure your webstore on multiple levels:

1. Perform a full code audit.
2. Separate your database server and web frontend if you haven't already (this is actually a PCI-DSS requirement if you are doing your own processing).
3. Encrypt your database.
4. Configure a filesystem monitor to identify any changes to:
   a. Your system files (shells, libraries, binaries, etc.)
   b. Scan for new executable files.
   c. Keep monitoring your code; any code changes should be documented.
5. Configure a system level firewall (iptables, etc. for Linux; Windows Firewall or better for Windows) and lock it down to only the most absolutely essential ports inbound and outbound.
6. Disable any code functions you don't need (for example, in PHP you can disable any "system call" and process control functions).
7. Update your system constantly (I can't stress this enough).
8. Audit your security, identify possible attack vectors and look for ways to mitigate them.
9. Consider separating your frontend, processing and database into multiple servers.
10. Invest in a hardware firewall: web frontend accessible through one interface, database only from the web frontend on specified ports.

Security is never ending, so there is much, much more.

And for hardware firewalls, I would recommend a Cisco ASA with IPS/IDS and Botnet. Barracuda is also a decent brand. A Citrix NetScaler is more of a hardware load balancer.
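Step 4 of the list above (a filesystem monitor that notices altered core files and newly dropped PHP files, the two things the question reports) as an added example; this is not code from the thread or from any product named in it, and the web root layout (app/Checkout.php, media/x.php) is constructed for the demo:

```python
import hashlib
import os
import tempfile

WATCHED_SUFFIXES = (".php", ".phtml", ".phar", ".sh")  # typical web-shell types

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked: media is big
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> {sha256, mode} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets, devices
            snap[os.path.relpath(full, root)] = {
                "sha256": hash_file(full), "mode": os.stat(full).st_mode & 0o777}
    return snap

def compare(baseline, current):
    """Diff two snapshots; new PHP or executable files are listed as suspicious."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    suspicious = [p for p in added
                  if p.endswith(WATCHED_SUFFIXES) or current[p]["mode"] & 0o111]
    return dict(added=added, modified=modified, removed=removed, suspicious=suspicious)

def demo():
    """Constructed scenario: alter a core file and drop a new PHP file under media/."""
    root = tempfile.mkdtemp()
    for sub in ("app", "media"):
        os.mkdir(os.path.join(root, sub))
    core = os.path.join(root, "app", "Checkout.php")
    with open(core, "w") as f:
        f.write("<?php // original checkout code\n")
    baseline = snapshot(root)
    with open(core, "a") as f:
        f.write("// line appended after the baseline\n")
    with open(os.path.join(root, "media", "x.php"), "w") as f:
        f.write("<?php // newly dropped file\n")
    return compare(baseline, snapshot(root))
```

In practice the baseline is written to disk (or off-box) right after a clean deploy and the compare runs from cron, so that a changed Checkout.php or a new media/x.php is reported within minutes rather than discovered after customers complain.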
LVL 33

Assisted Solution

by:it_saige
it_saige earned 100 total points
ID: 40621571
If cost is of concern, you could also use existing pc hardware and build your own firewall using pfSense (an OpenBSD derived Packet Filter).

There are drawbacks in that you end up shouldering the bulk of the responsibility for maintaining and managing the system. The pfSense group does offer commercial support if needed (obviously for a price). However, if you do decide that it is better to use an enterprise level hardware firewall, Daniel's recommendation is right on point.

-saige-

Author Comment

by:mcainc
ID: 40623442
Thanks guys, I spoke with the guys at Barracuda and went with their 540 Load Balancer since it offers the same Data Theft Protection engine as their WAF and we can use it for scaling more efficiently. On top of that we also got their x300 Firewall.

We're already working on pretty much exactly what Daniel recommended but I wanted to add an additional layer of security in front of our servers JUST to go that extra mile since you never know.

Honestly, I never really took security as seriously as I should have until AFTER the hack... now I know better. You security guys definitely have a tough job and so many things to consider. I can imagine that it would be hard to justify the need for something at an enterprise level when budgets aren't limitless (take small businesses for example)... I'm pretty much one of the guys that would say, "we'll add that later" and just procrastinate. Now here I am, after a messy hack, with an entirely new outlook on things.

Thank you again for your input everyone.