Here are some suggestions for securing your hosting operations. These recommendations are compliments of Rackspace network security techs and the image shows the final configuration moving forward. In addition to this, I suggest CloudFlare as a first line of defense.
- On the topic of hacking, the code within a website or application is truly is the last line of defense. Legacy code and functions + outdated websites are magnets for attacks.
- There are best-practice coding techniques that shouldn’t be optional, including handling of sessions, cookies, database connections, etc.
- The best way to test the websites is to attempt to hack them yourself. In-house developer “hackathons” are a great idea.
- All moving parts behind the website (HTML editors, upload components, mail components, SSL’s, API’s, etc) need to be upgraded whenever vendors release updates. Since these components are usually directly integrated with a database, they are a common vector for intrusion.
- Monitoring tools like Pingdom are great for detecting a downed-site. Similar apps are good for pinging each individual page to discover isolated errors.
- Vulnerability scanning is a must. There are companies like NewRelic and AlertLogic that have automated and hands-on monitoring and vulnerability scanning services.
- Obtain PCI (Payment Card Industry) compliance for all websites, even if they don’t use ecommerce. PCI compliance is a good protocol for ensuring your entire operation is up to snuff, from websites to servers and everything in-between. Companies like TrustWave offer a help with PCI compliance.
- Intrusion Detection Systems: Do a good job of identifying which visitors are human and which are bots and acting accordingly
- Firewall: Necessary to thwart of denial of service attacks and other bad news. Some higher-end firewalls have the ability to block countries/regions where most attacks originate.
- Web Application Firewall (WAF): This is something specifically designed to filter hacks against things like content management systems, web forms, forums, or web-based applications connected to mobile apps. Whether you need a physical WAF or Cloud-based WAF, go with Imperva.
- Load Balancer: One last layer to ensure performance and efficiency when the requests eventually reach the server.
- Anti-malware software like MalwareBytes does the trick against malware attacks.
- For Windows hosting environments, utilize IIS tools including request filtering and URL rewriting
- Sophos anti-virus has a good reputation for server-level scanning and protection against viruses.