Infrastructure Security

Started by Michelangelos, Jun 27, 2022, 11:06 AM


Michelangelos (topic starter)

We are about to launch our SaaS by the end of March.

OVH is our infrastructure provider. They proposed a complex infrastructure with separate servers for the DB and the application, plus a network firewall.

Our stack is:

Backend: .NET Core
Front end: TypeScript
DB: MySQL

Currently we are deploying to a single server for development testing. It is a Windows-based machine with IIS hosting both the API and the front end.

My questions are:

1. OVH has good anti-DDoS protection, so do we need any third-party DDoS protection?

2. Do we need a network firewall? Or will the OS-based firewall and security groups be enough for the initial period?

3. Is it better to have a separate server for the database? We find it faster having the DB on the same server.

If we need separate servers for the DB and the application, we have to set up a private network, vRack, and a lot of configuration that may need a dedicated infrastructure expert.

As of now we will have fewer than 50 users using our application.

metallexportprom

1. OVH has good anti-DDoS protection, so do we need any third-party DDoS protection?
To protect against layer 7 attacks you need third-party protection.

2. Do we need a network firewall? Or will the OS-based firewall and security groups be enough for the initial period?
I don't think you need a network firewall; a software firewall and security groups are good enough.

3. Is it better to have a separate server for the database? We find it faster having the DB on the same server.
Yes, it is better to have separate DB and application servers.

If we need separate servers for the DB and the application, we have to set up a private network, vRack, and a lot of configuration that may need a dedicated infrastructure expert.
You can allow DB connections only from the application server, or you can also set up VPN tunnelling for connectivity between the two servers.
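As an added example (not posted by anyone in this thread), this is what "allow DB connections only from the application server" looks like with the OS firewall on the Windows/MySQL stack the original poster describes. It is run on the database server; the private (vRack) address 10.0.0.10 for the application server and the rule name are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): restrict MySQL on the DB server's
# Windows Firewall to the application server's private address only.
# The address below is an assumption for illustration.
$AppServer = '10.0.0.10'   # assumed private (vRack) IP of the application server
$DbPort    = 3306          # MySQL listener
$RuleName  = 'MySQL - allow app server only'

# Make the policy explicit: anything not matched by an allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Re-runnable: remove an earlier copy of the rule before creating it.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Only the app server may reach 3306. Do not add a separate "block 3306 from
# anywhere" rule: in Windows Firewall a matching block rule beats an allow rule,
# so it would also cut off the app server. The default inbound policy set above
# already drops every other source.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $DbPort `
    -RemoteAddress $AppServer -Action Allow -Profile Any -Enabled True

# Check what was actually installed: the address filter must list only $AppServer
# and the port filter only TCP/3306.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Confirm the result from both sides: `Test-NetConnection -ComputerName <db private IP> -Port 3306` should succeed from the application server and fail from any other host, including the DB server's public address. The firewall rule is one layer; also set `bind-address` in my.ini to the private interface so MySQL never listens on the public one, and create the application account as `'app'@'10.0.0.10'` rather than `'app'@'%'` so MySQL itself rejects logins from any other host.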

kotowicz

If this is for a production, money-making operation, start it out right by making it highly available and decoupled.
Use a third party for DDoS protection, and make sure you can and do run this out of multiple hosting providers; using one is a horrible idea, and you will feel the pain of this choice when you are at your peak and everything seems to be going well.

If this is a SaaS it needs to be able to run out of a minimum of 3 physical locations, so that if the power is cut to one you are not offline; if your SaaS cannot do this then you are not ready for production yet.

Separate out your database servers and make sure they are only privately accessible; if you need to set up a VPN to do this, do it. There is no need for a vendor-locked-in private rack, etc., as you need to be running out of multiple hosting providers in three separate physical locations. If you do not have the cash flow for full dedicated servers at each location, you can use VPSs for this while you grow. Your primary database server should be sending data to at least two replicas (one in each other location).

Your application server should be scalable so that all you need to do is add more instances in multiple locations to scale it up and down as needed. The same needs to be doable with your separate API servers, which should be independently scalable.

You should also have a separate monitoring cluster that you use to store metrics from all of your systems, including logs, metrics, etc., where you can view dashboards and reports, see your SIEM, etc. This should probably be internally accessible only (or over VPN, or behind 2FA or 3FA SSO).

You should also have a backup cluster to store regular backup jobs, archived logs, etc.; this way you always have backups available. You would also be in a good position to use a service for storing your backups offsite and offline that only the privileged admins in the company can get to in case of an emergency.

You may also want to think about a hybrid approach to gain the advantages of the cloud, enabling better scalability than can be done doing things the old way. You may also save a large amount of money by only paying for what you are actually using.
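As an added example (not posted by anyone in this thread), here is a minimal version of the "regular backup job" the reply above calls for, written for the Windows/MySQL stack in the original question: a consistent logical dump, an integrity hash, a verified copy to a separate backup host, and local pruning. The host address, the `backup` login path, the staging directory and the UNC share are all assumptions for illustration.

```powershell
# Added example (not from the thread): nightly MySQL backup with integrity
# check, copied to a separate backup host. Names and paths are assumptions.
$DbHost     = '10.0.0.20'          # assumed private IP of the DB server
$LocalDir   = 'D:\backups'         # assumed local staging directory
$OffsiteDir = '\\backup01\mysql'   # assumed share on the backup host
$KeepDays   = 14                   # local retention; offsite retention is longer

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$dump    = Join-Path $LocalDir "all-databases-$stamp.sql"
$archive = "$dump.zip"
$leaf    = Split-Path $archive -Leaf

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

# Credentials come from a login path created with mysql_config_editor
# (assumed name: backup), never from the command line where they would be
# visible in process listings. --single-transaction gives a consistent InnoDB
# snapshot without locking tables while the application keeps writing.
& mysqldump --login-path=backup --host=$DbHost `
    --single-transaction --routines --events --all-databases `
    --result-file=$dump
if ($LASTEXITCODE -ne 0) { throw "mysqldump failed with exit code $LASTEXITCODE" }

Compress-Archive -Path $dump -DestinationPath $archive -Force
Remove-Item $dump

# Record a SHA-256 so a restore can detect a truncated or tampered archive.
$hash = (Get-FileHash -Path $archive -Algorithm SHA256).Hash
Set-Content -Path "$archive.sha256" -Value "$hash  $leaf"

# Ship archive and hash to the backup host, then verify the copy before
# trusting it: a silently truncated copy is worse than no backup.
Copy-Item -Path $archive, "$archive.sha256" -Destination $OffsiteDir
$remoteHash = (Get-FileHash -Path (Join-Path $OffsiteDir $leaf) -Algorithm SHA256).Hash
if ($remoteHash -ne $hash) { throw "offsite copy of $leaf does not match local hash $hash" }

# Prune local copies older than the retention window.
Get-ChildItem -Path $LocalDir -Filter 'all-databases-*.zip' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item
```

Schedule it with Task Scheduler under a dedicated account whose MySQL user has only the privileges mysqldump needs and whose permission on the backup share allows creating files but not deleting or overwriting them; that way a compromised application or database server cannot wipe the backup history, which is the point of keeping backups on a host the production servers cannot administer. Test a restore of the latest archive on a scratch instance regularly; an unverified backup is only a hope.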