First, let’s talk about “firewalls”. Basically, firewalls are boxes through which network traffic passes; they inspect each packet and decide, based on rules, whether to pass it or not. Typically you set up a firewall between all your servers and the outside world (see the image below: the top firewall), and it filters out malicious traffic before it reaches your Web Server. Remember, none of your digital assets actually live on your Web Server.
If you want to be really safe, put another firewall into your system, between your Web Server and your Database and File Servers (the middle firewall in the image above). What if we set that firewall up to pass only packets that it knows come from our code, so that only “authorized” packets are allowed to reach your Database or File Servers? You end up with a highly secure digital asset management system: the only server accessible from the outside world is your Web Server, which holds no asset data, and a second layer of security protects your Database and File Servers by allowing only traffic from authorized software to touch them. You can sleep well at night!
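As an added illustration (not code from the original post), here is a small Python model of the two-firewall layout just described: an outer firewall in front of the Web Server and an inner firewall that admits only the Web Server's traffic to the Database and File Servers. The addresses, ports, interface names and rules are constructed for the example and are assumptions, not values from the post. It also shows one caveat a practitioner would want: because the inner firewall identifies "our code" by source address, the outer firewall needs an anti-spoofing rule so that outside traffic cannot simply claim the Web Server's address.

```python
"""Model of a two-tier firewall layout with default-deny, first-match rule evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the example (assumption, not from the post).
INTERNET = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"        # everything behind the outer firewall
WEB_IP = "10.0.1.10/32"        # Web Server
DB_IP = "10.0.2.10/32"         # Database Server
FILES_IP = "10.0.2.20/32"      # File Server
BACKEND = "10.0.2.0/24"        # segment behind the inner firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    ingress: str = "inside"    # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # CIDR the source address must fall in
    dst: str                   # CIDR the destination address must fall in
    dports: frozenset = frozenset()   # permitted destination ports; empty = any
    proto: str = "tcp"
    ingress: Optional[str] = None     # None = match on any interface

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and pkt.proto == self.proto
                and (not self.dports or pkt.dport in self.dports)
                and (self.ingress is None or self.ingress == pkt.ingress))


class Firewall:
    """First matching rule wins; a packet matching no rule is denied."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


# Outer firewall: only HTTP/HTTPS from the Internet to the Web Server, and an
# anti-spoofing rule that drops anything arriving from outside with an internal source.
OUTER = Firewall("outer", [
    Rule("deny", INTERNAL, INTERNET, ingress="outside"),
    Rule("allow", INTERNET, WEB_IP, frozenset({80, 443})),
])

# Inner firewall: only the Web Server may talk to the backend, and only on the
# service ports it actually needs (constructed: PostgreSQL 5432, SMB 445).
INNER = Firewall("inner", [
    Rule("allow", WEB_IP, DB_IP, frozenset({5432})),
    Rule("allow", WEB_IP, FILES_IP, frozenset({445})),
])


def traverse(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk a packet through the firewalls on its path.

    Returns ("allow", None) if every firewall on the path passes it, otherwise
    ("deny", <name of the firewall that dropped it>).
    """
    path: List[Firewall] = []
    # The outer firewall sits on the Internet boundary, so it sees anything
    # entering from outside or leaving toward a non-internal address.
    if pkt.ingress == "outside" or ip_address(pkt.dst) not in ip_network(INTERNAL):
        path.append(OUTER)
    # The inner firewall sits in front of the backend segment.
    if ip_address(pkt.dst) in ip_network(BACKEND):
        path.append(INNER)
    for fw in path:
        if fw.decide(pkt) == "deny":
            return ("deny", fw.name)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample traffic: a public client, the Web Server, and another internal host.
    samples = [
        Packet("203.0.113.5", "10.0.1.10", 443, ingress="outside"),   # visitor -> web
        Packet("203.0.113.5", "10.0.2.10", 5432, ingress="outside"),  # visitor -> db
        Packet("10.0.1.10", "10.0.2.10", 5432),                       # web -> db
        Packet("10.0.1.10", "10.0.2.10", 22),                         # web -> db ssh
        Packet("10.0.1.10", "10.0.2.10", 5432, ingress="outside"),    # spoofed web address
        Packet("10.0.9.7", "10.0.2.20", 445),                         # other internal host
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dport, p.ingress, traverse(p))
```

Run as a script, the six constructed packets show the pattern the post describes: outside visitors reach the Web Server on 80/443 only, the Database Server is unreachable from the Internet (dropped at the outer firewall), the Web Server reaches the backend only on the ports it was granted, and a packet arriving from outside with the Web Server's own source address is dropped by the anti-spoofing rule before it can satisfy the inner firewall's "from our code" check.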
Posted by David Tenenbaum
Flickr photo by carlosluz