November 20th, 2007, 09:40 PM
E-commerce network setup
I'm working on a network architecture setup for an e-commerce provider; I've been Googling and reading up for days, but I can't seem to find a general "secure" network setup for an e-commerce environment (I've seen every network diagram from the first 15 Google and Yahoo image pages using the terms "network", "diagram", "e-commerce", "secure", "setup" and a bunch of other terms in all possible combinations, and I didn't get any further...). It's for a school project, so I'm not limited by money or anything else (only by time)
Here are some things that I came up with - with a bunch of questions attached...
Does an e-commerce server go in the DMZ along with the web server? How does the interaction between the e-commerce server and the web server take place? How does the interaction between the customer and the e-commerce server take place (just SSL, or is there more to it)? How is the e-commerce server firewalled? What if you want to do your own credit card processing - do you connect a database server to the e-commerce server? How does that database server communicate with the credit card issuer? How do you implement three-tier security in this set-up? Where does an IDS fit in in this scheme?
Anyone have some pointers to guide me in the right direction?
November 23rd, 2007, 08:38 PM
Hi Neg, seems like you are getting very little action on this topic so I'll give it a shot.
Originally Posted by Negative
Does an e-commerce server go in the DMZ along with the web server?
Answer) We here really don't have an "e-commerce" server. We have a server that vendors can connect to to retrieve order information and costing. Our server for that purpose does reside in the DMZ.
How does the interaction between the e-commerce server and the web server take place?
Answer) Not really sure what you're asking here, but with our set-up, the e-commerce server is its own web server. It has all its own web services running.
How does the interaction between the customer and the e-commerce server take place (just SSL, or is there more to it)?
Answer) In our set-up we just rely on SSL. No real confidential information is being passed.
How is the e-commerce server firewalled?
Answer) Ours sits behind a Checkpoint firewall. Specific rules are applied to control who connects and on which ports they connect (e.g. only allow SSL connections).
What if you want to do your own credit card processing - do you connect a database server to the e-commerce server?
Answer) Can't help you here, we don't pass credit card info through this, or any server.
How does that database server communicate with the credit card issuer?
Answer) See above.
How do you implement three-tier security in this set-up?
Answer) We didn't go that deep as the information being passed is not that confidential.
Where does an IDS fit in in this scheme?
Answer) We have (currently) 2 IDS sensors. One in the DMZ (which covers this and all other servers in the DMZ) and one connected to our main switch which covers all other traffic on our LAN.
Now, I don't know how much this helped you but maybe it will spur additional conversation on the topic.
Last edited by DjM; November 23rd, 2007 at 10:01 PM.
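DjM's set-up comes down to a firewall that lets nothing but SSL reach the DMZ server, plus IDS sensors watching the DMZ and the LAN, while Negative also asked how three-tier security fits in. The block below is an added example written for this thread; it is not DjM's Checkpoint rulebase nor anything posted here. It models that kind of policy vendor-neutrally as a default-deny allow table between Internet, DMZ, application, database and LAN zones, and evaluates it over a constructed connection log so the flows a sensor should alert on stand out. It goes beyond DjM's two-zone layout by adding the app and database tiers the question asked about; every zone name, address range, port and log line is an assumption made up for the example.

```python
"""Three-tier e-commerce segmentation, modelled as a default-deny policy.

Added example for this thread (not DjM's Checkpoint rulebase). Zones,
addresses, ports and the connection log below are all constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map (hypothetical addressing). Anything that matches no
# listed network is treated as the public Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),   # web / e-commerce front end
    "app": ip_network("10.1.0.0/24"),    # order-processing tier
    "db":  ip_network("10.2.0.0/24"),    # customer and order database
    "lan": ip_network("10.3.0.0/16"),    # office LAN
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None means any destination port


# Explicit allow list; everything not listed is dropped (default deny).
# Each tier may only open connections to the next tier inward, and the
# Internet reaches nothing but TLS on the DMZ front end.
ALLOW = [
    Rule("internet", "dmz", "tcp", 443),  # customers: HTTPS only
    Rule("dmz", "app", "tcp", 8443),      # front end -> order service
    Rule("app", "db", "tcp", 5432),       # order service -> database
    Rule("lan", "dmz", "tcp", 22),        # admin SSH from the office only
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True only if some allow rule matches; no match means drop."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(
        r.src == src and r.dst == dst and r.proto == proto
        and (r.dport is None or r.dport == dport)
        for r in ALLOW
    )


# Constructed connection records in a simple "ts src -> dst proto/port" form.
SAMPLE_LOG = """\
2007-11-24T10:00:01 198.51.100.7 -> 192.0.2.10 tcp/443
2007-11-24T10:00:02 198.51.100.7 -> 192.0.2.10 tcp/80
2007-11-24T10:00:03 192.0.2.10 -> 10.1.0.5 tcp/8443
2007-11-24T10:00:04 192.0.2.10 -> 10.2.0.5 tcp/5432
2007-11-24T10:00:05 10.1.0.5 -> 10.2.0.5 tcp/5432
2007-11-24T10:00:06 192.0.2.10 -> 10.3.4.4 tcp/445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\w+)/(?P<port>\d+)$"
)


def audit(log: str) -> List[Tuple[str, str, str, bool]]:
    """Return (timestamp, 'srczone->dstzone', 'proto/port', allowed) per record."""
    results = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than guessing
        src, dst, port = m["src"], m["dst"], int(m["port"])
        ok = is_allowed(src, dst, m["proto"], port)
        results.append((m["ts"], f"{zone_of(src)}->{zone_of(dst)}",
                        f"{m['proto']}/{port}", ok))
    return results


def violations(log: str) -> List[Tuple[str, str, str, bool]]:
    """Records the policy would drop. A DMZ host reaching for the database or
    the LAN directly is exactly what the DMZ sensor should alert on."""
    return [r for r in audit(log) if not r[3]]


if __name__ == "__main__":
    for ts, path, svc, ok in audit(SAMPLE_LOG):
        print(f"{ts} {path:18} {svc:10} {'ALLOW' if ok else 'DROP'}")
```

Run as a script it prints one verdict per constructed record; three are dropped: plain HTTP from the Internet (only SSL is allowed in, as in DjM's rules), the DMZ front end talking straight to the database (it must go through the app tier), and the DMZ front end reaching into the office LAN. The allow table is deliberately the only thing that needs to change when a tier is added, which is what keeps a default-deny design reviewable.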
November 24th, 2007, 02:38 AM
I was on SANS the other day and remember seeing an e-commerce section in the reading room... so I did some basic browsing.
The paper is a little dated...but I think the basic architecture concept is there...
This document gives an overview of some common methods that can be employed to build defense-in-depth into your eCommerce solution. Defense-in-depth can be defined as implementing multiple layers of defense in order to mitigate the risks associated with attacks.
How people treat you is their karma- how you react is yours-Wayne Dyer
November 24th, 2007, 03:51 PM
I really appreciate the time you took to do that little write-up - nothing like a "real life" set-up to point me in the right direction!
Thanks, MLF - the diagrams in those papers are going to be a good help!