Commerce Specific Filtering

In most designs, the e-commerce portion of an organization's network uses the same bandwidth as the rest of the network. Users, mail servers, and e-commerce transactions all occur over the same WAN link. This is suboptimal for several reasons:

• A successful flood attack against your Internet connection will affect both general Internet and e-commerce traffic.

• A spike in internal user Internet usage can affect e-commerce availability.

• Because internal user traffic is so diverse (lots of applications, ports, and protocols), the usage of the WAN link can be unpredictable.

Instead, organizations could choose to separate their internal users from their e-commerce systems in one of two ways:

• Move the e-commerce environment to a collocation facility at your SP, as shown in Figure 6-24.

Figure 6-24. Collocated E-Commerce


• Purchase two separate Internet connections (four if you need redundancy for both services), as in Figure 6-25.

Figure 6-25. Dedicated E-Commerce WAN Connection


In the collocation example, you have the benefit of increased bandwidth because you are physically sitting within the ISP's network, whereas in the second example you have greater control and manageability of your e-commerce systems. In either case, specific filtering works the same. In an e-commerce environment, you typically need a very limited set of services to function, including the following:

• SSL/Transport Layer Security (TLS) (TCP port 443)

• BGP (TCP port 179)

• ICMP (as defined earlier in this chapter)

DNS is not needed if the DNS servers are hosted somewhere else, such as at the ISP. This means UDP as a whole may not be needed. With this level of specificity, it becomes possible to filter e-commerce traffic as it leaves the ISP network destined for your e-commerce systems. This provides two distinct advantages:

• DDoS or worms must be very specific in order to reach the e-commerce network.

• Traffic that would otherwise consume expensive ISP bandwidth can be stopped. Because the traffic is blocked at the firewall anyway, there is no sense in allowing it on the wire in the first place.

E-commerce-specific filtering is shown in Figure 6-26.
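As an added illustration (not a configuration from this book or from any vendor document), the following Cisco IOS extended ACL shows what the ISP-side filter described above might look like on the provider router's interface facing the e-commerce segment. The addresses are constructed documentation-range examples (203.0.113.0/24 as the e-commerce block, 198.51.100.1 as the ISP BGP peer), and the three ICMP message types are an assumption standing in for whatever list the chapter defined earlier.

```cisco
! Constructed example: permit only the services an e-commerce segment needs.
! 203.0.113.0/24 = customer e-commerce block (constructed)
! 203.0.113.1    = customer BGP speaker      (constructed)
! 198.51.100.1   = ISP-side BGP peer          (constructed)
ip access-list extended ECOMMERCE-TO-CUSTOMER
 remark Public HTTPS (SSL/TLS) to the e-commerce servers
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 remark BGP, restricted to the two peer addresses in either session direction
 permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
 remark ICMP types assumed for path diagnostics (adjust to the chapter's list)
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark No UDP at all: DNS is hosted at the ISP. Everything else is dropped
 remark before it consumes the customer WAN link; log it for flood visibility.
 deny ip any any log
!
interface Serial0/0
 description ISP link toward the customer e-commerce segment
 ip access-group ECOMMERCE-TO-CUSTOMER out
```

Applied outbound on the provider's customer-facing interface, the deny line is where a UDP flood or a worm probing any other port is stopped, which is the bandwidth-saving point the text makes.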

