Standard firewall policy

As we're a Magento only hosting provider, it means that we have not just tailored our servers specifically for Magento - but also our entire network too.

Because of this, we have been able to configure a very tight set of rules for firewalling as standard (without additional change). That means that you'll benefit from 3 levels of firewalling.

Stateless edge firewall

Right at our network edge, where our routers touch the internet itself - we have filters in place to close all ports. Only the following ports are open:

80   HTTP
443  HTTPS
1194 OpenVPN

All other ports are closed by default, at the network edge - before even getting to your hardware firewall (if applicable) or server itself.

You'll wonder how you might gain access to your server (SSH/FTP) - in which case all access is via a private VPN to your stack.

It will stop bad traffic before it even gets to your next firewall(s).

There is also some TCP/ICMP DOS filtering that takes place to fend off low-level would be attackers.

Software firewall

A software firewall is installed on each server within the stack and acts as both IDS and IPS; with intelligent blocking based on traffic patterns. This firewall operates on the layer 4 of the OSI model and will block traffic at layer 3.

So any port scan attacks, SYN/FIN/ACK attacks, ICMP attacks are blocked without interrupting your store.

Web application firewall

The last line of defence is a web application firewall that runs exclusively on layer 7 (ie. HTTP). It will detect XSS attacks, SQL injection attacks, authorization attacks, HTTP attacks (eg. slowloris) - and block repeat offenders.

It also acts a rate limiter for requests and bad crawl bots, scraping tools will first be "tar-pitted" (ie. slowed down), followed by a soft block, then a permanent block.

All of these levels of firewalling are provided as standard with MageStack from Sonassi Hosting - and optionally can be supplemented with a hardware firewall if ultimately necessary.