Foregenix Blog

Mike Hinton

Is My Hosting Provider Protecting My Website?

04/10/17 10:55

Recently, it was discovered that the data of over 14 million Verizon customers, including PINs, had been exposed on an unprotected web server. Three million WWE fans’ personal information was left exposed when it was discovered to be on an unprotected web server. Both of these took place in the same month. It happens more often than you’d think, and the solution can be as simple as talking to your hosting provider.

An unprotected web server potentially leaves customer card data and other sensitive information vulnerable to a breach. Most hosting providers will supply their clients with a basic firewall which, whilst useful, will not completely protect the website. By their nature, firewalls are built to protect a network. For example, your firewall at home can be set up to stop any external access to your computers. However, in order to let people visit your website, you can’t have a firewall that blocks all access. If you did, you’d end up with a dead website and zero business.


People need to be able to get through the firewall to see the content you’re offering. Not all of these people are going to be good; some of them will have malicious intentions. This is where a Web Application Firewall (WAF) comes in.

A basic network firewall is usually configured to only inspect the basics of any network packet - this is known as Stateful Packet Inspection (SPI). These include: the destination IP address, port number, whether it belongs to a valid session and information located within the packet header and footer.

An SPI firewall simply controls the incoming traffic and will not prevent attacks such as innocuous web browsing, spyware, adware, Trojans or other malware, as the content of the packets is not inspected. Intelligent network firewalls are available, which provide Deep Packet Inspection (DPI), where not only are the packet header and footer inspected, but the data part of the packet is searched and compared against a set of pre-defined rules.

These types of advanced network firewalls will protect against certain types of known malware, Trojans, and spyware (depending on the rule configuration) but will not protect against application-based attacks such as SQL injection, Cross Site Scripting, or brute force attacks. These are regularly seen by the Foregenix forensics team as the root cause of most eCommerce website breaches.

A WAF (Web Application Firewall), however, is able to determine the exact intention of the HTTP(S) content at the application level, filtering out illegitimate traffic based on rule sets. This makes the WAF considerably more versatile when protecting your web environment.

WAFs are often used to monitor the information being input into a web form or search tool. The WAF will be able to detect whether the data being input is legitimate or malicious (assuming it is configured correctly). For example, dates, post codes and product information may all be legitimate. But if you put code into that form with the intention of manipulating the application, you can sometimes find exploits that will give you direct access to the database behind it.

Having an additional layer of checks against the data being input will defend against things like database injections and buffer overflows. Having something at the application level validating input into the web fields becomes critically important, especially when sensitive data is involved. No single firewall solution can provide your server with complete and all-round protection, as it is vulnerable to both network and application attacks. Therefore, it is vital to have protection in both network and web application firewalls to achieve the ultimate defense in depth.
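The two layers described above, as an added illustration that is not code from the original post or from any Foregenix product: a port-based network rule that never sees the payload, followed by an application-level check that validates each form field against an allowlist. The field names `date`, `postcode` and `product`, their patterns, and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Network-layer view: the rule sees addressing data only, never the payload.
ALLOWED_PORTS = {80, 443}

def network_firewall_allows(dst_port):
    return dst_port in ALLOWED_PORTS

# Application-layer view: one allowlist pattern per expected form field
# (hypothetical fields; a real WAF rule set would be tuned to the site).
FIELD_RULES = {
    "date": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "postcode": re.compile(r"[A-Za-z]{1,2}\d[A-Za-z\d]? ?\d[A-Za-z]{2}"),
    "product": re.compile(r"[\w .,-]{1,64}"),
}

def waf_inspect(url):
    """Return a list of findings; an empty list means the input looks legitimate."""
    findings = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            findings.append(f"unexpected field: {name}")
            continue
        for value in values:
            if not rule.fullmatch(value):
                findings.append(f"invalid {name}: {value!r}")
    return findings

def decide(dst_port, url):
    """Apply the network rule first, then the application-level check."""
    if not network_firewall_allows(dst_port):
        return "blocked by network firewall"
    return "blocked by WAF" if waf_inspect(url) else "allowed"

# Constructed sample requests: (destination port, request target).
SAMPLES = [
    (443, "/search?product=Blue+Kettle&postcode=SW1A+1AA&date=2017-10-04"),
    (443, "/search?product=x%27+OR+%271%27%3D%271"),            # SQL-style input
    (443, "/search?product=%3Cscript%3Ealert(1)%3C/script%3E"),  # script markup
    (3306, "/search?product=Blue+Kettle"),                       # non-web port
]

if __name__ == "__main__":
    for port, url in SAMPLES:
        print(port, url, "->", decide(port, url))
```

The second and third samples pass the port rule exactly as the legitimate first one does; only the field-level check tells them apart.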

So, in answer to our headline question ‘Is my hosting provider protecting my webserver?’ the response is: Possibly, but most likely only at a network layer. Naturally, websites that get breached have hosting providers, as otherwise they wouldn't be trading online. Most hosting providers will tell you that a network firewall is enough to keep you protected, but this is not the case. A Web Application Firewall offers the extra layer of protection needed to keep you secure. If you're only running a WAF or only a network firewall, you're susceptible to an attack; both are required to fully protect your website. It doesn’t take long to find out what's protecting your website, and it could save you the cost of a breach.


