If you're talking about running an ecommerce site - I assume you're talking about accepting payment card information. That is going to put you into the realm of PCI compliance, which is a scary thing for someone new to server administration. You can't just accept credit card information.
So in terms of ecommerce a firewall is only one thing you need to think about. For PCI compliance guidelines you have to meet the following (and this is a simplified list). Here is the full list:
http://www.bbb.org/data-security/bec...nt/checklists/
But basically in terms of what you're setting up on your system you're going to need the following.
- Firewall (optional but recommended)
- AV required (not really, but for compliance it needs to be there, this can be an external appliance)
- IPS/IDS (required for compliance, again can be an external appliance)
- Web Application Firewall (same applies, can be external appliance)
- Encryption (AES or stronger, can't store track 2 etc. ... Read the standard for this)
- Transmittal of data MUST BE SSL
- Credentials (they need to be very strong consult the checklist)
- Patch levels, current, always, or you are out of compliance
- Stored data cannot be on the same server (either physical or virtual separation is acceptable) as the web application accepting the PCI.
Also you're not hosting this from your home or small business are you? Because you won't meet the rigorous physical security standards.
Now that should keep you busy for a while.
My advice: accept PayPal or use a hosting company.
To answer your question about Firewalls, they're not just a Windows thing. That being said, most if not all SPI firewalls are going to be nothing but a front end for iptables/netfilter. Again for PCI compliance a DPI firewall OR IDS is required, though it can be external. So really, unless you're talking about serious configuration of an IPS/DPI system you're best just using iptables.
Hope this helps.
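As an added example (not part of the post above, and not from any PCI checklist): a default-deny iptables ruleset of the kind the reply recommends for a public web server, written in iptables-restore format so it can be reviewed and syntax-checked before it is loaded. The admin network 203.0.113.0/24 and the separate database host 10.0.1.10:5432 are assumptions chosen for illustration; they stand in for the "stored data on a different server" separation the post mentions.

```shell
#!/bin/sh
# Added example: default-deny host firewall for a web tier, emitted as an
# iptables-restore ruleset. Values below are assumptions, not from the post.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # where SSH logins may come from
DB_HOST="${DB_HOST:-10.0.1.10}"            # separate database host
DB_PORT="${DB_PORT:-5432}"                 # PostgreSQL; use 3306 for MySQL

# Print the ruleset. Kept in a function so it can be inspected, diffed and
# tested without touching the live kernel tables.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Drop malformed or out-of-state packets before anything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Return traffic for connections that were already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public web service: HTTP (redirect only) and HTTPS
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin network; more than 5 new connections per
# source per minute are logged and dropped
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j LOGDROP
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Minimal ICMP so path MTU discovery and basic monitoring keep working
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Egress: only the separate DB host, DNS, NTP and outbound HTTPS
# (package updates, payment gateway). Anything else leaving the box is
# suspicious on a server that should only be serving web pages.
-A OUTPUT -p tcp -d $DB_HOST --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else: rate-limited log, then drop
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "iptables drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Parse-check the ruleset first, then load it atomically. Needs root.
apply_rules() {
    ruleset | iptables-restore --test && ruleset | iptables-restore
}

# Run with no arguments to print the ruleset; "apply" loads it.
case "${1:-}" in
    apply) apply_rules ;;
    *) ruleset ;;
esac
```

Two caveats a practitioner would check before trusting this: it covers IPv4 only, so an equivalent ip6tables ruleset (or disabling IPv6 on the host) is needed or the server is reachable on v6 with no filtering at all, and a host firewall on the web server does not by itself satisfy the assessor, who will also want the rules documented with a business justification for every open port.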