Atlantic.Net Blog

How to Protect and Secure Website Infrastructure

There are four primary Web Server applications used to host websites: Apache HTTP Server, Microsoft IIS, Nginx, and LiteSpeed. While there are others, these four are by far the most popular.

You can deploy any of these web servers in the Atlantic.Net Cloud Platform. We have an extensive selection of detailed step-by-step procedures explaining how to deploy and secure these applications; simply search the Atlantic.Net blog.

There are an estimated 2 billion websites on the World Wide Web, ranging from sites as simple as single homepages to huge, popular social media and sprawling eCommerce platforms. However, for any type of website, web security should be at the top of the priority list.

Web security is defined as “the protection of personal and organizational public-facing websites from cyberattacks.” Threats include website vandalism, the hacking of backend services, and the potential theft of business data. Ransomware and malware attacks are another serious threat.

Victims of these kinds of cyberattacks often must spend a significant amount of money to resolve them and are likely to lose a lot of customer confidence, especially if data is compromised.

Create a Secured Infrastructure

The keys to website security are to minimize the attack surface of the website infrastructure and place controls over how network traffic traverses the platform. A security-first architectural design is the only recommended way to protect web servers hosted on-premise or in the cloud.

If you decide not to go with dedicated server hosting, VPS hosting is a very popular platform choice when designing websites, but it is important to check that your cloud provider has already done the hard work of creating a security-defined infrastructure as part of the VPS service.

Most web designers are happy to let someone else manage the infrastructure so they can focus on creating excellent web content, designing a logo, etc.

There are many distinct layers to web server infrastructure, typically comprised of the front end, the mid-tier, and the backend. Multi-tier web applications are arguably the most common configuration, wherein the infrastructure is usually protected by a load-balancer with enhanced security configuration and a network firewall at the network edge perimeter.

Only the front-end web servers, which sit within a DMZ, face the public internet; the application and database servers are logically positioned behind additional firewalls inside the core network.

The frontend should be protected by proxying TLS traffic through a secured web gateway, preferably virtual appliances such as a software-defined HAProxy; a cloud secured service, such as a Web Application Firewall (WAF), will also work well.

Network Edge Protection Services

Edge Services such as DDoS protection, Web Application Firewalls, Website Optimization, and Content Delivery Networks are cloud services that afford consumers great flexibility and added security. Downtime on revenue-generating websites must be avoided at all costs; if Walmart.com suffered downtime of only a few minutes, this would result in several million dollars of lost revenue.

DDoS, or distributed denial of service, is an attack launched by hackers to overload a web server with fake requests with the intention of bringing the system down or blocking legitimate traffic. The end result is that legitimate users will encounter a slow or offline website.

Content Delivery Networks (CDN) reduce the attack surface of your website. User requests for content on your site are cached at the network edge CDN; as a result, your web server has to serve less web content, because the CDN answers many of the duplicate requests.

Atlantic.Net provides our own CDN using servers positioned across key global points. As information travels across the web, our Content Delivery Network caches data and routes traffic according to server proximity, enabling users to reach your content quickly, regardless of their location. The system is easy to set up and offers affordable and predictable pricing.

Secure Web Gateway (SWG)

A secure web gateway (SWG) is essentially the doorkeeper to your web server infrastructure. If you operate an on-premise infrastructure, an SWG is a great way to provide layer 7 termination and in-depth inspection of HTTP/HTTPS web traffic to protect against web threats that target businesses.

The main difference between an SWG and a network firewall is that the SWG receives the complete request from the client before making a decision on where to send the traffic. This decision is made using predefined security policies and intelligent session termination, whereas a firewall makes decisions on a packet-by-packet basis, with no session termination.
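The difference described above, as an added Python example that is not from the original article: a packet filter rules on each packet's addresses and ports, while the gateway buffers until the full request head has arrived and only then applies policy. The hosts, methods, routes, backend names and sample segments are constructed for illustration.

```python
# Constructed policy: hostnames, path prefixes and backend names are hypothetical.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ROUTES = [("/api/", "app-tier"), ("/", "web-tier")]  # longest prefix first


def firewall_decision(packet):
    """Packet filter: judges each packet alone, on protocol and port only."""
    allowed = packet["proto"] == "tcp" and packet["dport"] == 443
    return "accept" if allowed else "drop"


def gateway_decision(buffered):
    """Decide only after the full request head has arrived on the session."""
    head, terminator, _body = buffered.partition(b"\r\n\r\n")
    if not terminator:
        return "wait"  # incomplete request: keep buffering, route nothing yet
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "reject 400"
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return "reject 400"
        headers[name.strip().lower()] = value.strip()
    if method not in ALLOWED_METHODS:
        return "reject 405"
    if headers.get("host", "").lower() not in ALLOWED_HOSTS:
        return "reject 421"
    for prefix, backend in ROUTES:
        if target.startswith(prefix):
            return "forward " + backend
    return "reject 404"


# Constructed sample: one request delivered in two TCP segments.
SEGMENTS = [b"POST /api/orders HTTP/1.1\r\nHost: www.exa",
            b"mple.com\r\nContent-Length: 0\r\n\r\n"]

if __name__ == "__main__":
    print(firewall_decision({"proto": "tcp", "dport": 443}))
    print(gateway_decision(SEGMENTS[0]))
    print(gateway_decision(SEGMENTS[0] + SEGMENTS[1]))
```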

It is highly recommended to create strict security policies to manage end-to-end traffic inside the perimeter network. Configure the secured gateway to disable and reject deprecated protocol versions and ciphers such as SSLv3, TLS 1.0, TLS 1.1, RC4, DES, 3DES, and so on.

Such legacy protocols and ciphers have been discontinued because they carry a huge number of known vulnerabilities and exploits. Instead, enable modern cipher suites, such as those based on AES or RSA.
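One way to check a gateway's TLS policy against the deprecated items listed above (an added example, not Atlantic.Net's code): it uses Python's ssl module as a stand-in for the gateway's TLS terminator, and the legacy policy values are constructed.

```python
import re
import ssl

# Deprecated protocol versions and ciphers named in the article.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "CBC3"}  # CBC3 is OpenSSL's 3DES tag
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def audit_tls_policy(min_protocol, cipher_names):
    """Return (kind, name) findings for a minimum protocol and a cipher list."""
    start = PROTOCOL_ORDER.index(min_protocol)
    findings = [("protocol", p) for p in PROTOCOL_ORDER[start:]
                if p in DEPRECATED_PROTOCOLS]
    for name in cipher_names:
        # Whole-token match, so it works for OpenSSL names (DES-CBC3-SHA)
        # and IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA) alike.
        if set(re.split(r"[-_]", name.upper())) & WEAK_CIPHER_TOKENS:
            findings.append(("cipher", name))
    return findings


def hardened_server_context():
    """Server-side context limited to TLS 1.2+ and ECDHE with AES-GCM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


def audit_context(ctx):
    """Audit what an ssl.SSLContext would actually offer to clients."""
    min_protocol = ctx.minimum_version.name.replace("_", ".")
    return audit_tls_policy(min_protocol, [c["name"] for c in ctx.get_ciphers()])


# Constructed legacy policy of the kind the article says to reject.
LEGACY_MIN = "SSLv3"
LEGACY_CIPHERS = ["RC4-SHA", "DES-CBC3-SHA", "AES256-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(audit_tls_policy(LEGACY_MIN, LEGACY_CIPHERS))
    print(audit_context(hardened_server_context()))
```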

Scan for vulnerabilities

Website app servers are susceptible to hacks, exploits, and vulnerabilities. Because malware is a serious risk to websites, the ability to detect and remove malware is essential. Regular file scans and detailed reporting generate a holistic overview of the state of the network.

The software that runs websites is constantly evolving and being upgraded to prevent vulnerabilities. Scanning for vulnerabilities, sometimes known as penetration testing or pen testing, is a technique of testing external and internal computer infrastructure against all known vulnerabilities.

Vulnerability scans look for known vulnerabilities in your systems and report potential exposures. Penetration tests are intended to exploit weaknesses in the architecture of your IT network and determine the degree to which a malicious attacker can gain unauthorized access to your assets.

Atlantic.Net offers vulnerability scans as part of our managed services offering. We can provide biweekly vulnerability scans and penetration testing for host servers or configured websites, as well as assist with evaluating and interpreting scan results while working with our customers to patch vulnerabilities.

Additionally, social engineering exercises can be conducted to test employees' susceptibility to ransomware, phishing, or whaling attacks; these tasks are usually completed by an internal security team or outsourced to a managed service provider.

Other best practices to consider

So far, we have mainly referenced hierarchical design decisions for implementing security on your website. There is, of course, much that system administrators can do to increase security awareness.

Network engineers are needed to monitor and update rules for Web Application Firewalls (WAF) and Secure Gateways (SWG). The network layer can prevent SQL injections, cross-site scripting, vulnerability probing, etc.

Atlantic.Net offers a robust Web Application Firewall as part of our Network Edge protection. The WAF examines web traffic looking for suspicious activity; it then automatically filters out illegitimate traffic based on rulesets that Atlantic.Net applies for you or custom rulesets applied at your request.

The WAF looks at both GET and POST-based HTTP requests and applies a rule set, such as the ModSecurity core rule set covering the OWASP Top 10 vulnerabilities, to determine what traffic to block, challenge, or let pass.

The operating system is the next entity to be secured. Regardless of whether they are Windows or Linux based, operating systems must be regularly updated, preferably monthly. Default usernames and passwords should be changed; also consider disabling root or administrator accounts and limiting the number of privileged user accounts. In other words, do not make everyone a domain admin!

The type of website application you host can also affect your security. In all cases, the latest versions of website code should be used; for example, expired and unsupported versions of Java are still surprisingly common. Middleware such as Apache Tomcat, IBM WebSphere, and IIS should be updated regularly and patched for known security issues.

Backups are also important, as even the most reliable servers are susceptible to failure, and in the event of a problem, a backup to restore the website is essential. Atlantic.Net offers one-click backups as part of our cloud service, and if you operate a large, revenue-generating website, you should consider offsite backups.

