Solved

Firewall help (hardware or software)

Posted on 2015-02-19
7
341 Views
Last Modified: 2016-03-02
Hey guys,

I'm looking to setup a firewall to place in front of our ecommerce shop and associated servers. I have a general understanding of firewalls but I'm not experienced with business level / hardware firewalls and I'm hoping someone can help me understand these better so that I make the right choice for our application.

Recently, our Magento shop was exploited due to a 3rd party extension (Magmi) and the hacker ended up installing a web shell and modifying some core files to skim credit card details of unsuspecting customers.  We found their malicious code and disabled credit card processing in the meantime but we don't really know what else they were able to do with that web shell.

Right now we're basically rebuilding our shop on a new server and we'll be moving the data over to it. We're also going to step up our game with security as much as possible at the server level (filesystem monitoring, disabling dangerous functions in php, frequent scanning for malicious files, and more) but I want to go further than that.

What I'm trying to understand is if these business level firewalls would have been able to catch this type of activity and block it. In simpler terms, do these firewalls add rules to protect against known exploits like the Magmi one that affected us? I.e., would they catch this type of stuff going in and out? I'm assuming that's what they charge monthly subscription rates for, right?

If so, what's an economical but reliable route to go? We have 2 web shops that do anywhere from 20-80 transactions per day but there are days (new product launches) where transactions can spike up to 1000+ over the course of a 24 hour period.

Are there good software solutions that we can use if we have our own hardware (we have a bunch of machines and components laying around) or should we focus on only using a hardware solution from a known company?

I hope I'm clear with what I'm after, thanks for your help!
0
Comment
Question by:mcainc
7 Comments
 
LVL 9

Assisted Solution

by:nattygreg
nattygreg earned 100 total points
Comment Utility
I'm not a firewall expert, but paranoid expert (lol) so I have used two system in the past cisco router and lock it down where it does not respond to anything from the internet (my isp) could not find me either. With that said you choose the ports and protocols you want to accept from the internet side. Then I backed that up with pfsense router, with proxy filter, antivirus scanner at interface.

All this will help but education is better, cause with all that security it takes one person to download an attachment with virus to make security redundant. They're really good hackers but almost all breach is done from inside your network.

So pfsense is a good firewall with learning curve but once setup will really help you with hacker alerts through the use of snort, an intrusion detection mechanism.
0
 

Author Comment

by:mcainc
Comment Utility
Thanks nattygreg,

I think I might be looking for something a little different.

This appears more along the lines of what I'm after https://techlib.barracuda.com/bwafoverview but it's nearly $5k (ouch) from what I've seen online.

In our case, having a firewall that can catch and block a threat that we didn't even know existed would have been huge. If I'm not misunderstanding the capabilities of this firewall, it appears that it protects from high visibility attacks. I found web articles from mid-2014 about the Magmi exploit that affected us, I'm assuming this is the kind of stuff they look for?

The "Data Theft Protection" would have been awesome as well if we could control where credit card information is being sent (i.e., only allow this information to be sent to authorize.net) or if they're skimming username & password combinations. I suppose standard firewalls could catch that if we had rules setup correctly.

Thanks again!
0
 
LVL 9

Expert Comment

by:nattygreg
Comment Utility
Very good system, its work the money, learn the lesson set the rules and alerts and if you can afford please hire a forensics expert to audit your systems while you implement this new system.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:mcainc
Comment Utility
Anyone familiar with Citrix netscaler? Thoughts on that?
0
 
LVL 6

Accepted Solution

by:
Daniel Sheppard earned 300 total points
Comment Utility
This isn't just a firewall issue.  You need to secure your webstore in multiple levels:

1. Perform a full code audit
2. Separate your database server and web frontend if you haven't already (this is actually a PCI-DSS requirement if you are doing your own processing).
3. Encrypt your database
4. Configure a filesystem monitor to identify any changes to:
a. Your system files (shells, libraries,binaries, etc)
b. Scan for new executable files
c. Keep monitoring your code, any code changes should be documented.
5. Configure a system level firewall (iptables, etc for linux.  Windows Firewall or better for Windows) and lock it down to only the most absolutely essential ports inbound and outbound.
6. Disable any code functions you don't need (For Example, PHP you can disable any "system calls" and process control functions.
7. Update your system constantly (I can't stress this enough)
8. Audit your security, identify possible attack vectors and look for ways to mitigate
9. Consider separating your Frontend, Processing and Database into mutliple servers.
10. Invest in a hardware firewall, Web Frontend accessible through one interface, Database only from web frontend on specified ports

Security is never ending, so there is much, much more.

And for hardware firewalls, I would recommend a Cisco ASA with IPS/IDS and Botnet.  Barracuda is also a decent brand.  A Citrix Netscaler is more of a Hardware Load Balancer.
0
 
LVL 32

Assisted Solution

by:it_saige
it_saige earned 100 total points
Comment Utility
If cost is of concern, you could also use existing pc hardware and build your own firewall using pfSense (an OpenBSD derived Packet Filter).

There are drawbacks in that you end up shouldering a bulk of the responsibility with maintaining and managing the system.  The pfSense group does offer Commercial Support if needed (obviously for a price).  However, if you do decide that it is better to use an Enterprise Level hardware firewall, Daniels recommendation is right on point.

-saige-
0
 

Author Comment

by:mcainc
Comment Utility
Thanks guys, I spoke with the guys at Barracuda and went with their 540 Load Balancer since it offers the same Data Theft Protection engine as their WAF and we can use it for scaling more efficiently. On top of that we also got their x300 Firewall.

We're already working on pretty much exactly what Daniel recommended but I wanted to add an additional layer of security in front of our servers JUST to go that extra mile since you never know.

Honestly, I never really took security as serious as I should have until AFTER the hack... now I know better. You security guys definitely have a tough job and so many things to consider. I can imagine that it would be hard to justify the need for something at an enterprise level when budgets aren't limitless (take small businesses for example).... I'm pretty much one of the guys that would say, "we'll add that later" and just procrastinate. Now here I am, after a messy hack, with an entirely new outlook on things.

Thank you again for your input everyone.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

E-commerce is quite a gambling world, and you should never entrust your business to a lucky chance. In order to outrun your competitors in a race to attract as many customers as possible, you need to have a well thought-out strategy under your belt.…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now