[SOLVED] Firewall and cc info question


phpknight


I have a dedicated managed server and using SSL to process gateway payments through my site.  I am getting two conflicting opinions regarding NOT having a hardware firewall.

 

Person A says that a pretty smart person who has a server with the same company on the inside--not a normal web user--would be able to get credit card information, etc. if only a software firewall is installed. 

 

Person B says that a hardware firewall is better but that people really could not steal the credit card information if only a software firewall is used. 

 

This is all beyond my level of understanding, but I would appreciate the opinion/explanation of somebody who is unbiased here.  Do I need a hardware firewall or not?


You're using SSL, so all network traffic is encrypted.

 

Therefore people cannot access the data in transit. They must access it from the server itself where the data is stored, etc.

 

Therefore in my opinion, your server would have to be hacked, in order to get access to the stored information.

 

Here comes the issue with the firewall. You will want a firewall to control what ports are available to other servers. Firewalls can be used to stop/divert DDOS attacks etc.

 

As far as hardware versus software firewall goes, here is what I think:

A. Software would do fine, AS LONG AS IT IS KEPT UP-TO-DATE with SECURITY UPDATES

B. Software would do fine if its a dedicated box, AND YOU SET IT UP PROPERLY

C. Software would do fine IF YOU HAVE PHYSICAL ACCESS TO THE SERVER

 

D. Hardware would do better if you wanted a VPN AUTOMATICALLY SETUP

E. Hardware would do better if you DO NOT REGULARLY MAINTAIN THE SERVER

 

Typically HARDWARE firewalls are used where there are a lot of rules and VPNs to the server. In a remote situation, you would have to make sure that it is a DEDICATED HARDWARE firewall versus a SHARED HARDWARE firewall.

 

Personally, I use a software firewall, keep it well patched. Make sure I don't put in any rules which would cut off my remote access by accident. I also perform updates to the firewall and server physically (in case an update etc. might break it).

 

Both are firewalls, and I cannot see how a hardware is better than a software firewall. UNLESS OF COURSE YOUR SERVER is NOT MAINTAINED and GETS hacked etc. via a web app! A hardware firewall in this case would still work. If the server was hacked, then the software firewall could be disabled. But if that's the case, they have all the CC info they want.

 

-steve

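The host-based rule set steve describes in points A through C, written out as an added example (it is not code from this thread or from steve). It assumes a Linux box with nftables, SSH on port 22 from one fixed admin address, and the site on 80/443; the address 203.0.113.10, the file names under /tmp and the 120-second confirmation window are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. A minimal host-based ("software")
# firewall for a dedicated box that only serves HTTPS, written in nftables
# syntax and wrapped in shell so the rules can be checked before they are
# loaded. Assumed (not stated in the thread): Linux with nft, SSH on port 22,
# and a fixed admin address. 203.0.113.10 is a constructed documentation IP.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SSH_PORT="${SSH_PORT:-22}"

# Print the rule set. Inbound is default-deny: a neighbour in the same rack
# sees exactly the same closed ports as the rest of the internet, and SSH
# only answers the admin address. Arguments: admin address, SSH port.
build_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $1 tcp dport $2 accept
        tcp dport { 80, 443 } accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Refuse a rule set that lacks an explicit SSH accept for the admin address:
# loading one over SSH is the classic way to lock yourself out of a remote box.
check_ruleset() {
    printf '%s\n' "$1" | grep -Fq "ip saddr $2 tcp dport $3 accept"
}

# Load the rules with a safety net: unless the change is confirmed from a NEW
# SSH session within 120 s, the previous rule set is restored automatically.
# Needs root and nft; only runs when the script is called with --apply.
apply_with_rollback() {
    rules="$(build_ruleset "$ADMIN_IP" "$SSH_PORT")"
    check_ruleset "$rules" "$ADMIN_IP" "$SSH_PORT" || {
        echo "no SSH accept for $ADMIN_IP in rule set; refusing to load" >&2
        return 1
    }
    { echo "flush ruleset"; nft list ruleset; } > /tmp/nft.rollback || return 1
    rm -f /tmp/nft.confirmed
    printf '%s\n' "$rules" | nft -f /dev/stdin || return 1
    ( sleep 120; [ -e /tmp/nft.confirmed ] || nft -f /tmp/nft.rollback ) &
    echo "rules loaded; open a NEW ssh session and run: touch /tmp/nft.confirmed"
}

case "${1:-}" in
    --apply) apply_with_rollback ;;
    *)       build_ruleset "$ADMIN_IP" "$SSH_PORT" ;;
esac
```

The `established,related` rule keeps the SSH session you loaded the rules from alive even when the new rules are wrong, which is why the confirmation must come from a fresh session: that is the only way to find out that new connections are still accepted before the rollback timer fires.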

Steve,

 

Okay, thanks for the information.  I just wanted to clarify one thing.  I understand your point about the server being hacked from the outside.  However, the person said the software firewall left this situation open:

 

Webhosting company ABC has managed dedicated servers that are protected by a software firewall.  I have a dedicated server along with 1000 other people.  While ALL the sites and the cc information is protected in transit from the outside world because of SSL, the claim is that any one person who owns a server could (with enough agility) somehow get the cc information from the other servers from the INSIDE (I presume this is before the transit ever takes place).  First, is the situation I described clear?  Second, do you agree?

 

I would hope and assume that this is not possible.  If it were, I would get the hardware firewall.  I am assuming from your previous response that you would think the above situation is indeed impossible, but I just wanted to double-check.

 

 


While ALL the sites and the cc information is protected in transit from the outside world because of SSL, the claim is that any one person who owns a server could (with enough agility) somehow get the cc information from the other servers from the INSIDE (I presume this is before the transit ever takes place).  First, is the situation I described clear?  Second, do you agree?

 

The situation is clear. The circumstances are still a little hazy to me.

 

You say "get the cc information from the other servers from the INSIDE". Inside what or where?

If a person has SSH or FTP access to your dedicated server and thus can access from INSIDE, no firewall will help.

 

Is it another server INSIDE your Hosting Company you mention? I.e. another person with a Dedicated server in the rack beside yours that you are concerned about?

 

 

A firewall is a firewall. A software firewall sits on the server and has to be managed by the user/maintainer of that server. A hardware firewall would typically have to be configured by the hosting provider.

 

Even if I got a hardware firewall for free with my dedicated server, I WOULD STILL HAVE A SOFTWARE FIREWALL!!

 

If configured correctly, a software firewall will help prevent attacks to a server.

 

BTW, you're getting way too tied up on firewalls. Lots of PCs are getting rooted via insecure web apps etc.

 

If you're really worried about the hardware, you can gpg the credit card info table in your MySQL database etc. I have seen it done for untrusted hardware and it works perfectly. One gpg key is used to encrypt the data. A different gpg key (kept on a person) can only decrypt it.

 

-steve

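The split-key layout in steve's last paragraph (a key on the server that can only encrypt, a key kept off the server that decrypts), as an added example that is not code from the thread or from steve. It uses gpg with two throw-away key rings standing in for the server and for the person holding the decrypt key; the user id cards@example.test and the sample card row are constructed, and the empty passphrase is only there to keep the demo self-contained.

```shell
#!/bin/sh
# Added example (not code from the thread): the split-key layout steve
# describes, done with gpg in two throw-away key rings so it runs offline.
# "server" holds only the PUBLIC key and can encrypt card data before it is
# stored; "offline" holds the SECRET key and is the only place that can
# decrypt. The sample card row and the key's user id are constructed.
set -u

CARD_UID="cards@example.test"            # assumed key user id
SAMPLE_ROW="4111111111111111,12/29,123"  # constructed test data

# Runs the whole flow; returns 0 on success, 2 if gpg is not installed.
demo_split_key() {
    command -v gpg >/dev/null 2>&1 || return 2
    work="$(mktemp -d)" || return 1
    OFF="$work/offline"; SRV="$work/server"
    mkdir -m 700 "$OFF" "$SRV" || return 1

    # 1. Generate the key pair on the OFFLINE ring (no passphrase: demo only).
    gpg --homedir "$OFF" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Card Decrypt <$CARD_UID>" default default never 2>/dev/null || return 1

    # 2. Export only the public half and import it on the server ring.
    gpg --homedir "$OFF" --batch --quiet --export "$CARD_UID" > "$work/pub.gpg" || return 1
    gpg --homedir "$SRV" --batch --quiet --import "$work/pub.gpg" 2>/dev/null || return 1

    # 3. The server encrypts each row to the public key before the INSERT.
    #    --trust-model always stands in for pinning the key fingerprint.
    printf '%s' "$SAMPLE_ROW" | gpg --homedir "$SRV" --batch --quiet --trust-model always \
        --encrypt --recipient "$CARD_UID" --output "$work/row.gpg" || return 1

    # 4. A compromised server can read the ciphertext but cannot decrypt it.
    if gpg --homedir "$SRV" --batch --quiet --decrypt "$work/row.gpg" >/dev/null 2>&1; then
        echo "server ring decrypted the row: secret key is on the server" >&2
        return 1
    fi

    # 5. Only the offline ring recovers the plaintext.
    plain="$(gpg --homedir "$OFF" --batch --quiet --pinentry-mode loopback --passphrase '' \
             --decrypt "$work/row.gpg" 2>/dev/null)" || return 1
    [ "$plain" = "$SAMPLE_ROW" ] || return 1

    gpgconf --homedir "$OFF" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$SRV" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work" || true
    return 0
}

if demo_split_key; then
    echo "split-key demo OK: server ring could encrypt but not decrypt"
else
    rc=$?
    if [ "$rc" -eq 2 ]; then echo "gpg not installed; demo skipped"; else echo "demo failed" >&2; fi
fi
```

The caveat that goes with this: the web process still handles the card in plaintext for the instant between the HTTPS request and the `--encrypt` call, so an attacker who owns the server can still capture new cards as they arrive. What the split key protects is everything already stored, plus every database backup, which is usually the far larger exposure.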

Steve,

 

Right, it is this one:

Is it another server INSIDE your Hosting Company you mention? I.e. another person with a Dedicated server in the rack beside yours that you are concerned about?

 

I was not worried at all until somebody made me worry, lol. 


Well rest assured. A software firewall will work perfectly. I would definitely go this route, as you are not relying on your hosting company to configure and maintain the firewall. KEEP YOUR OS UP-TO-DATE with security updates.

 

-steve


One more thing.  I got clarification on this.  The person says that it is a SHARED software firewall among many dedicated servers that is the bad thing.  Feel free to let me know if you agree with this or not if you are still following this ticket.


Depending on how the Web Hosting company configured the SHARED firewall among many dedicated servers, there may be more potential for hacking into a box. Basically you are trusting your Web Hosting company to do their work properly.

 

That's why, even if I got a firewall (software or hardware, dedicated or shared etc.) off my web hosting company, I would still run a firewall on the dedicated server itself.

 

-steve
