Standard firewall policy
As a Magento-only hosting provider, we have tailored not just our servers but our entire network specifically for Magento.
Because of this, we have been able to configure a very tight set of firewall rules as standard (with no additional changes required). That means you benefit from three levels of firewalling.
Stateless edge firewall
Right at our network edge, where our routers connect to the internet itself, we have filters in place to close all ports. Only the following ports are open:
80 HTTP
443 HTTPS
1194 OpenVPN
All other ports are closed by default at the network edge, before traffic even reaches your hardware firewall (if applicable) or the server itself.
You may wonder how you then gain access to your server (SSH/FTP): all such access is via a private VPN to your stack.
This stops bad traffic before it even reaches your next firewall(s).
Some TCP/ICMP DoS filtering also takes place here to fend off low-level would-be attackers.
Software firewall
A software firewall is installed on each server within the stack and acts as both an IDS and an IPS, with intelligent blocking based on traffic patterns. This firewall inspects traffic at layer 4 of the OSI model and blocks it at layer 3.
As a result, port scans, SYN/FIN/ACK attacks and ICMP attacks are blocked without interrupting your store.
Web application firewall
The last line of defence is a web application firewall that runs exclusively at layer 7 (i.e. HTTP). It detects XSS attacks, SQL injection attacks, authorization attacks and HTTP attacks (e.g. slowloris), and blocks repeat offenders.
It also acts as a rate limiter for requests. Bad crawl bots and scraping tools are first "tar-pitted" (i.e. slowed down), followed by a soft block and then a permanent block.
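The tar-pit, soft-block, permanent-block escalation described above, written out as an added illustrative model in Python; this is not Sonassi's WAF code, and the window length, thresholds, delay and block duration are assumed values chosen for the example.

```python
from collections import defaultdict, deque

# Assumed policy parameters (constructed for this example, not Sonassi's values).
WINDOW_SECONDS = 10            # sliding window over which requests are counted
TARPIT_AFTER = 20              # requests per window before responses are slowed down
SOFT_BLOCK_AFTER = 40          # requests per window before a temporary block
SOFT_BLOCK_SECONDS = 60        # how long a soft block lasts
SOFT_BLOCKS_BEFORE_PERMANENT = 3
TARPIT_DELAY_SECONDS = 2.0     # artificial delay added to tar-pitted responses


class EscalatingRateLimiter:
    """Per-client escalation: allow -> tarpit -> soft block -> permanent block."""

    def __init__(self):
        self.requests = defaultdict(deque)   # client -> timestamps inside the window
        self.soft_block_until = {}           # client -> time the soft block expires
        self.soft_block_count = defaultdict(int)
        self.permanent = set()

    def decide(self, client, now):
        """Return (verdict, delay_seconds) for one request at time `now`."""
        if client in self.permanent:
            return ("permanent_block", 0.0)
        until = self.soft_block_until.get(client)
        if until is not None:
            if now < until:
                return ("soft_block", 0.0)
            del self.soft_block_until[client]   # block expired; client gets a fresh start
        window = self.requests[client]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        count = len(window)
        if count >= SOFT_BLOCK_AFTER:
            window.clear()
            self.soft_block_count[client] += 1
            if self.soft_block_count[client] >= SOFT_BLOCKS_BEFORE_PERMANENT:
                self.permanent.add(client)
                return ("permanent_block", 0.0)
            self.soft_block_until[client] = now + SOFT_BLOCK_SECONDS
            return ("soft_block", 0.0)
        if count >= TARPIT_AFTER:
            return ("tarpit", TARPIT_DELAY_SECONDS)
        return ("allow", 0.0)


def simulate(client, timestamps):
    """Feed a constructed request timeline through one limiter; return the verdicts."""
    limiter = EscalatingRateLimiter()
    return [limiter.decide(client, t)[0] for t in timestamps]
```

A real deployment would key on more than the client address and persist the permanent list across restarts; the model only shows the escalation order.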
All of these levels of firewalling are provided as standard with MageStack from Sonassi Hosting, and can optionally be supplemented with a hardware firewall if ultimately necessary.