
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 373

Firewall help (hardware or software)

Hey guys,

I'm looking to set up a firewall to place in front of our ecommerce shop and associated servers. I have a general understanding of firewalls but I'm not experienced with business level / hardware firewalls and I'm hoping someone can help me understand these better so that I make the right choice for our application.

Recently, our Magento shop was exploited due to a 3rd party extension (Magmi) and the hacker ended up installing a web shell and modifying some core files to skim credit card details of unsuspecting customers.  We found their malicious code and disabled credit card processing in the meantime but we don't really know what else they were able to do with that web shell.

Right now we're basically rebuilding our shop on a new server and we'll be moving the data over to it. We're also going to step up our game with security as much as possible at the server level (filesystem monitoring, disabling dangerous functions in php, frequent scanning for malicious files, and more) but I want to go further than that.

What I'm trying to understand is if these business level firewalls would have been able to catch this type of activity and block it. In simpler terms, do these firewalls add rules to protect against known exploits like the Magmi one that affected us? I.e., would they catch this type of stuff going in and out? I'm assuming that's what they charge monthly subscription rates for, right?

If so, what's an economical but reliable route to go? We have 2 web shops that do anywhere from 20-80 transactions per day but there are days (new product launches) where transactions can spike up to 1000+ over the course of a 24 hour period.

Are there good software solutions that we can use if we have our own hardware (we have a bunch of machines and components lying around) or should we focus on only using a hardware solution from a known company?

I hope I'm clear with what I'm after, thanks for your help!
3 Solutions
Natty Greg, In Theory (IT), Commented:
I'm not a firewall expert, but a paranoid expert (lol), so I have used two systems in the past: a Cisco router, locked down so that it does not respond to anything from the internet (my ISP could not find me either). With that said, you choose the ports and protocols you want to accept from the internet side. Then I backed that up with a pfSense router, with a proxy filter and an antivirus scanner at the interface.

All this will help, but education is better, because with all that security it takes one person downloading an attachment with a virus to make security redundant. There are really good hackers, but almost all breaches are done from inside your network.

So pfSense is a good firewall with a learning curve, but once set up it will really help you with hacker alerts through the use of Snort, an intrusion detection mechanism.
mcainc, Author, Commented:
Thanks nattygreg,

I think I might be looking for something a little different.

This appears more along the lines of what I'm after but it's nearly $5k (ouch) from what I've seen online.

In our case, having a firewall that can catch and block a threat that we didn't even know existed would have been huge. If I'm not misunderstanding the capabilities of this firewall, it appears that it protects from high visibility attacks. I found web articles from mid-2014 about the Magmi exploit that affected us, I'm assuming this is the kind of stuff they look for?

The "Data Theft Protection" would have been awesome as well if we could control where credit card information is being sent (i.e., only allow this information to be sent to or if they're skimming username & password combinations. I suppose standard firewalls could catch that if we had rules setup correctly.

Thanks again!
Natty Greg, In Theory (IT), Commented:
Very good system, it's worth the money. Learn the lesson, set the rules and alerts, and if you can afford it, please hire a forensics expert to audit your systems while you implement this new system.
mcainc, Author, Commented:
Anyone familiar with Citrix NetScaler? Thoughts on that?
Daniel Sheppard, Network Administrator/Engineer/Architect, Commented:
This isn't just a firewall issue.  You need to secure your webstore at multiple levels:

1. Perform a full code audit
2. Separate your database server and web frontend if you haven't already (this is actually a PCI-DSS requirement if you are doing your own processing).
3. Encrypt your database
4. Configure a filesystem monitor to identify any changes to:
   a. Your system files (shells, libraries, binaries, etc.)
   b. Scan for new executable files
   c. Keep monitoring your code, any code changes should be documented.
5. Configure a system level firewall (iptables, etc. for Linux.  Windows Firewall or better for Windows) and lock it down to only the most absolutely essential ports inbound and outbound.
6. Disable any code functions you don't need (for example, in PHP you can disable any "system calls" and process control functions).
7. Update your system constantly (I can't stress this enough)
8. Audit your security, identify possible attack vectors and look for ways to mitigate
9. Consider separating your Frontend, Processing and Database into multiple servers.
10. Invest in a hardware firewall, Web Frontend accessible through one interface, Database only from web frontend on specified ports

Security is never ending, so there is much, much more.

And for hardware firewalls, I would recommend a Cisco ASA with IPS/IDS and Botnet.  Barracuda is also a decent brand.  A Citrix Netscaler is more of a Hardware Load Balancer.
If cost is of concern, you could also use existing PC hardware and build your own firewall using pfSense (an OpenBSD derived Packet Filter).

There are drawbacks in that you end up shouldering a bulk of the responsibility with maintaining and managing the system.  The pfSense group does offer Commercial Support if needed (obviously for a price).  However, if you do decide that it is better to use an Enterprise Level hardware firewall, Daniel's recommendation is right on point.
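
Step 4 of Daniel's list (detect changes to existing files and scan for new executable files), sketched as a baseline-and-compare check. This is an added example, not code posted in the thread; the extension list, the function names and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".phar", ".sh", ".cgi"}  # assumed "executable" types in a PHP web root

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest and mode."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow symlinks out of the tree
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, os.lstat(path).st_mode)
    return state

def is_executable(rel, mode):
    ext = os.path.splitext(rel)[1].lower()
    return ext in SCRIPT_EXTS or bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def compare(baseline, current):
    """Return files modified, removed, added, and added-and-executable."""
    modified = sorted(p for p in baseline if p in current and baseline[p][0] != current[p][0])
    removed = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    new_exec = [p for p in added if is_executable(p, current[p][1])]
    return {"modified": modified, "removed": removed, "added": added, "new_executable": new_exec}

def demo():
    """Constructed sample tree: one core file edited, one script dropped in media/."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "media"))
        core = os.path.join(root, "app", "Payment.php")
        with open(core, "w") as fh:
            fh.write("<?php // original\n")
        baseline = snapshot(root)  # taken while the tree is known to be clean
        with open(core, "a") as fh:
            fh.write("// unexpected change\n")
        with open(os.path.join(root, "media", "thumb.php"), "w") as fh:
            fh.write("<?php // placeholder\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored somewhere the web server's user cannot write to, so that a web shell cannot rewrite it along with the files.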

mcainc, Author, Commented:
Thanks guys, I spoke with the guys at Barracuda and went with their 540 Load Balancer since it offers the same Data Theft Protection engine as their WAF and we can use it for scaling more efficiently. On top of that we also got their x300 Firewall.

We're already working on pretty much exactly what Daniel recommended but I wanted to add an additional layer of security in front of our servers JUST to go that extra mile since you never know.

Honestly, I never really took security as seriously as I should have until AFTER the hack... now I know better. You security guys definitely have a tough job and so many things to consider. I can imagine that it would be hard to justify the need for something at an enterprise level when budgets aren't limitless (take small businesses for example)... I'm pretty much one of the guys that would say, "we'll add that later" and just procrastinate. Now here I am, after a messy hack, with an entirely new outlook on things.

Thank you again for your input everyone.
Question has a verified solution.
