As we're a Magento only hosting provider, it means that we have not just tailored our servers specifically for Magento - but also our entire network too.
Because of this, we have been able to configure a very tight set of rules for firewalling as standard (without additional change). That means that you'll benefit from 3 levels of firewalling.
Stateless edge firewall
Right at our network edge, where our routers touch the internet itself - we have filters in place to close all ports. Only the following ports are open:
80 HTTP 443 HTTPS OpenVPN
All other ports are closed by default, at the network edge - before even getting to your hardware firewall (if applicable) or server itself.
You'll wonder how you might gain access to your server (SSH/FTP) - in which case all access is via a private VPN to your stack.
It will stop bad traffic before it even gets to your next firewall(s).
There is also some TCP/ICMP DOS filtering that takes place to fend off low-level would be attackers.
Hardware firewall (optional)
We only usually recommend a hardware firewall if either you've got quite a number of servers in your stack and manageability of firewall rules becomes difficult, or if you've been mandated to have one by your PCI-DSS regulations.
The hardware firewall serves as the next line of defence with stateful packet inspection, and optionally with L7 sniffing and intrusion detection.
It will stop bad traffic before it even gets to your server(s).
A software firewall is installed on each server within the stack and acts as both IDS and IPS; with intelligent blocking based on traffic patterns. This firewall operates on the layer 4 of the OSI model and will block traffic at layer 3.
So any port scan attacks, SYN/FIN/ACK attacks, ICMP attacks are blocked without interrupting your store.
Web application firewall
The last line of defence is a web application firewall that runs exclusively on layer 7 (ie. HTTP). It will detect XSS attacks, SQL injection attacks, authorization attacks, HTTP attacks (eg. slowloris) - and block repeat offenders.
It also acts a rate limiter for requests and bad crawl bots, scraping tools will first be "tar-pitted" (ie. slowed down), followed by a soft block, then a permanent block.
All of these levels of firewalling are provided as standard with MageStack from Sonassi Hosting - and optionally can be supplemented with a hardware firewall if ultimately necessary.