E-commerce network setup

Printable View

November 20th, 2007, 10:40 PM
Negative

E-commerce network setup

Hey all,

I'm working on a network architecture setup for an e-commerce provider; I've been Googling and reading up for days, but I can't seem to find a general "secure" network setup for an e-commerce environment (I've seen every network diagram from the first 15 Google and Yahoo image pages using the terms "network", "diagram", "e-commerce", "secure", "setup" and a bunch of other terms in all possible combinations, and I didn't get any further...). It's for a school project, so I'm not limited by money or anything else (only by time) :D

Here are some things that I came up with - with a bunch of questions attached...

Does an e-commerce server go in the DMZ along with the web server? How does the interaction between the e-commerce server and the web server take place? How does the interaction between the customer and the e-commerce server take place (just SSL, or is there more to it)? How is the e-commerce server firewalled? What if you want to do your own credit card processing - do you connect a database server to the e-commerce server? How does that database server communicate with the credit card issuer? How do you implement three-tier security in this set-up? Where does an IDS fit in in this scheme?

Anyone have some pointers to guide me in the right direction?

Thanks!
November 23rd, 2007, 09:38 PM
DjM

Quote:

Originally Posted by Negative

Hey all,

I'm working on a network architecture setup for an e-commerce provider; I've been Googling and reading up for days, but I can't seem to find a general "secure" network setup for an e-commerce environment (I've seen every network diagram from the first 15 Google and Yahoo image pages using the terms "network", "diagram", "e-commerce", "secure", "setup" and a bunch of other terms in all possible combinations, and I didn't get any further...). It's for a school project, so I'm not limited by money or anything else (only by time) :D

Here are some things that I came up with - with a bunch of questions attached...

Does an e-commerce server go in the DMZ along with the web server? How does the interaction between the e-commerce server and the web server take place? How does the interaction between the customer and the e-commerce server take place (just SSL, or is there more to it)? How is the e-commerce server firewalled? What if you want to do your own credit card processing - do you connect a database server to the e-commerce server? How does that database server communicate with the credit card issuer? How do you implement three-tier security in this set-up? Where does an IDS fit in in this scheme?

Anyone have some pointers to guide me in the right direction?

Thanks!

Hi Neg, seems like you are getting very little action on this topic so I'll give it a shot.

Quote:

Does an e-commerce server go in the DMZ along with the web server?

Answer) We here really don't have an "E-commerce" server. We have a server that vendors can connect to to retrieve order information an costing. Our server for that purpose does reside in the DMZ.

Quote:

How does the interaction between the e-commerce server and the web server take place?

Answer) Not really sure what your asking here but with our set-up, the e-commerce server is it's own web server. It has all its own web services running.

Quote:

How does the interaction between the customer and the e-commerce server take place (just SSL, or is there more to it)?

Answer) In our set-up we just rely of SSL. No real confidential information is being passed.

Quote:

How is the e-commerce server firewalled?

Answer) Our's sits behind a Checkpoint firewall. Specific rules are applied to control Who connects and on which ports they connect. (eg. only allow SSL connections)

Quote:

What if you want to do your own credit card processing - do you connect a database server to the e-commerce server?

Answer) Can't help you here, we don't pass Credit Card info through this, or any server.

Quote:

How does that database server communicate with the credit card issuer?

Answer) See above.

Quote:

How do you implement three-tier security in this set-up?

Answer) We didn't go that deep as the information being passed is not that confidential.

Quote:

Where does an IDS fit in in this scheme?

Answer) We have (currently) 2 IDS Sensors. One in the DMZ (which covers this and all other servers in the DMZ) and one connected to our main switch which covers all other traffic on our LAN

Now, I don't know how much this helped you but maybe it will spur additional conversation on the topic.

Cheers:
November 24th, 2007, 03:38 AM
morganlefay

I was on SANS the other day and remeber seeing an ecommerce section in the reading room...so I did some basic browsing.

The paper is a little dated...but I think the basic architecture concept is there...

Quote:

Abstract
This document gives an overview of some common methods that can be employed to build defense-in-depth into your eCommerce solution. Defense-in-depth can be defined as implementing multiple layers of defense in order to mitigate the risks associated with attacks.

http://www.sans.org/reading_room/whi...9569087e855daf

More here

http://www.sans.org/reading_room/whi...352c0fc0db51c1

MLF
November 24th, 2007, 04:51 PM
Negative

Hi DjM,

I really appreciate the time you took to do that little write-up - nothing like a "real life" set-up to point me in the right direction!

Thanks, MLF - the diagrams in those papers are going to be a good help!