• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Web Application Firewall?

Joined
Aug 14, 2012
Messages
33
Hi everyone,

I am planning to run e-commerce website soon and it is hosted on ubuntu 10.04 server.

We are testing out this e-commerce website but I am not sure whether I should be investing a lot on web application firewall (not load balancer for now, unless i scale when i see better results).

Is ufw (with certain configurations) sufficient for my web application firewall? Or maybe using iptables instead?

or is it better I get a web application firewall? A company recommended me thrustwave but it's gonna be freaking expensive. He said can do level 7 or something like that.

Any alternative solutions that's more affordable? Something like untangle for Sonicwall's network security appliance. I wonder whether there's something similar for web application firewall.

Need to prevent people hacking our website via sql injection, session hijacking and server attacks, etc.

Any help? Thanks in advance.
 
Why not go with a hosted solution with a provider that has the level of service, protection level, and the quality you need? Hosted solutions or even VPS would be much less expensive than building up the infrastructure you desire.

As for SQL injection, you (or your devs or your E-comm vendor) needs to ensure that from their code.
 
any recommended VPS provider or hosted solutions? I had some bad experiences with few providers in the past.

when you say hosted solutions, you mean shared hosting?

noted on the sql injection.
 
any recommended VPS provider or hosted solutions? I had some bad experiences with few providers in the past.
Offhand, I'd just look at any large-scale hosting vendors. Selecting a online host is not a marriage -- if you're not comfortable with the quality and the service, then move to someone else. Just make sure that you (and not the host) registers the public domain name.

when you say hosted solutions, you mean shared hosting?
Either, really. There's nothing established in this thread that suggests one instead of another. In fact, the more established and known vendors should already have the infrastructure to support increased load/demand, either through internal reallocation or provisioning, and have the monitors and analytics setup to give you usage reports. Ideally, the only thing you would see is a (pre-authorized) bump in monthly dues.
 
This isn't really a "hosted" solution. I'm sure there are plenty of vendors who will sell you the service. But you're not going to find one that takes the time to learn your application properly that can effectively manage a WAF; at least at anything resembling "cheap". You'll find plenty of vendors who will repeatedly send you "alerts" and ask you if it's okay or not.

If you're looking to prevent your website from "hacking" do the following in roughly this order:

- Run a vulnerability scanner against your network/website. I think Nessus may still be technically free if you use the older updates. Or hire any major security company and tell them to do a "PCI" scan. That will catch the low hanging fruit.
- Train your developers. Have them read stuff over at OWASP.org. Buy them a secure coding book. Bring in some outside company to do training. Unless your developers are writing secure code then all the testing is going to be worthless because you run the risk that they introduce a bug _after_ you've had testing done.
- Have a qualified security company do a security assessment of your site. Should probably take a week. Probably cost around 10-15k. NOT a penetration test. You want someone with experience who will walk through your entire site and check for various security vulnerabilities. This isn't something a vulnerability scanner or some program does. Programs can automate and catch some stuff. But they usually don't find stuff like privilege escalation attacks and poorly designed password reset mechanisms.
- Do a code audit. Buy a program that does it, hire a company that can have an expert manually do it. Or both.
- Implement a web application firewall and hire someone capable of running it. Capable means they understand your application, understand the HTTP protocol in depth, and understand how to tune the WAF to your environment.

Figure out how important security is to you and work your way down that path.
 
noted and thanks :) it helps a lot :)

so if i don't opt for 3rd party hosting, no solution which i can consider other than proprietary solution like trustwave :p
 
An option (among others) could be to use a proxyservice instead such as www.cloudflare.com which seems to be fairly popular nowadays.

One thing to consider no matter if you use VPS or proxyservice such as cloudfare if how your customers private information is being handled.

If you have your own gear then you know where its being stored (if we for a moment ignore that you can get hacked and the information is stolen) but when using various cloud services the data is multiplied between datacenters you most likely have no idea of where they are or for that matter which countries this data is being stored in (and which jurisdiction these countries can obtain your data without your provider are able to tell you that they put a copy of your customers private data to the government in this country).

Except for Sonicwall (if you are about to handle this yourself) I would recommend you to take a look at PaloAlto Networks aswell - see http://hardforum.com/showthread.php?t=1709121 for more information.

Madnes5 already mentioned some great precautions you can take to have the odds on your side. Something to add to that list is backup, backup, BACKUP!

Because when (and not if) you get hacked (no matter for which reason or how it was done) having your data backupped offline will make you be able to restore your services without losing all your data (and minimize downtime needed). Its also recommended to not only store the latest backup but also previous backups (in case something goes bad over time) along with testing your backup so you know how you can restore services (and also verify that the backup is still valid so you didnt miss a database table or so).
 
Back
Top