Tips for Designing and Operating a Secure Hosted Environment

Securing the communication between a web server and a database server is crucial for maintaining the confidentiality and integrity of your data. To achieve this, you can set up a firewall and implement other security measures. Here’s some guidance on how to firewall between a web server and a database server:

1. Choose a Firewall Solution:

Decide whether you want to use a hardware firewall or a software firewall. Software firewalls are more common and can be implemented on the servers themselves. Popular software firewalls include iptables (Linux), and Windows Firewall (Windows).

2. Isolate the Database Server:

It is best to separate the database server on a different network than the web server with a hardware firewall between the two private networks. In this manner, all traffic between the two networks is filtered by the firewall. This isolation reduces the attack surface and limits direct access to the database.
However, if both the web server and database server are on the same network (aka “flat network”) then implementing a firewall on the servers themselves will be necessary. When doing this, then it’s necessary to use the operating system firewalling to filter and limit necessary traffic strictly between server.

3. Configure the Firewall Rules:

**Allow Necessary Ports**:
Only open the necessary ports on the database server for communication from the web server. Typically, this includes port 3306 for MySQL, 5432 for PostgreSQL, or other database-specific ports. Restrict access to these ports only from the IP addresses or IP ranges of your web server(s).

Example iptables rule for MySQL on a Linux database server:

____________________________________________________________

iptables -A INPUT -p tcp –dport 3306 -s web_server_ip -j ACCEPT

____________________________________________________________

Deny All Other Traffic
Set a default rule to deny all incoming traffic to the database server. This ensures that only explicitly allowed connections can reach the database server and any traffic not defined by a rule will be denied.

Example iptables rule to deny all other incoming traffic:

____________________________________________________________

iptables -A INPUT -j DROP

____________________________________________________________

4. Web Server Security:

Make sure your web server is also secure. Keep software and libraries up to date, use strong authentication for database connections, and follow best practices for web application security.

5. Encrypt Database Traffic:

Use SSL/TLS or other encryption methods to secure data in transit between the web server and database server. This adds an extra layer of security, preventing eavesdropping on the communication.

6. Authentication and Authorization:

Implement strong authentication mechanisms on both the web and database servers. Create database users with least privilege access to ensure that applications can only perform the necessary actions.

7. Regularly Update and Monitor:

Keep both the web server and database server up-to-date with security patches. Monitor logs and set up alerts to detect and respond to any suspicious activity or security breaches. It’s helpful to also configure Network Time Protocol (NTP) to synchronize time between all the servers so that logs are also synchronized to time, as well.

8. Backup and Disaster Recovery:

Regularly back up your data and have a disaster recovery plan in place to ensure data availability in case of an incident.
We frequently get asked about how long to retain backups, but this answer is frequently determined by business requirements. For example, the business stakeholders may have compliance requirements for longer retention, while the technical requirement may only be a few days of retention.

9. Test Security:

Regularly perform security testing, including vulnerability scanning and penetration testing, to identify and address any weaknesses in your setup.

10. Documentation:

Document your firewall rules, server configurations, and security procedures to facilitate management and troubleshooting.

Remember that security is an ongoing process, and it’s essential to stay vigilant and adapt to evolving threats. Regularly review and update your security measures to maintain a strong defense against potential attacks.