Strengthening Web Stack Security (LAMP) with Network Service Isolation per VM Systems
Web stack is a collection of various open-source soft such as programming language of the server side, operating system, database server, and web server. The most widely used stack is called LAMP. This name is a shortening for Linux, Apache server, MySQL, and PHP (in some cases it might be Python or Perl). For security reasons, the best variant is to run various network services on separate virtual machines or systems. With such a system, that is obvious that potential attackers cannot crack lots of services.
Here in this article, we will have the most helpful information about setting up a solution that can serve caching, dynamic/static content, and database by functioning on virtual machines or separate servers.
LAMP: Traditional Setup versus Split Configuration
Traditional server setup where all the services are on one machine is extremely risky nowadays. There are so many hackers who can access your server and all the data on it with only one attempt. To exclude such troubles, it is better to consider a split configuration.
The spit configuration will divide the cache, database, and other parts per server. The benefits of such an approach are the following:
- Optimization
- Security
- Easiness of usage
- Growth and scalability
- Simplifies monitoring
Defined Roles for Each VM/Server in Split LAMP Architecture
The example below characterizes different VMs that can be relevant to blogs, custom-made apps, or Drupal-based websites.
| Server/VM | Description | Software |
| VM0 | Such node/VM should have 2 interfaces - private and public. The public interface helps users to connect to the site. The private one is applied for network traffic between nodes. | Netfilter as firewall and haproxy/nginx as reverse proxy |
| VM1 | This node is used for serving such static files as css, images, or js. The files should be stored on VM5 server. | Tux, Linux nfs client, lighttpd, and nginx |
| VM2 | For dynamic pages, this node is used. For instance, the custom app and installed WordPress can be on this VM. The app’s files are stored on VM5. | Linux nfs client and Apache 2 with python/php5/fastcgi/perl/etc |
| VM3 | The node is used to cache objects and data in RAM. This reduces the frequency of calls to external data and in such a way speeds up everything. | Redis or Memcached |
| VM4 | This part is responsible for storing mysql or postgresql data in RDBMS. | Mysql server |
| VM5 | This node functions as a distributed file system. On this server, only such data as images, php/python files, css, js are stored. A mount command is used to access data requested from VM2 and VM1. | NFSv4 server |
| Uplink port or ISP router | VM0 connects to the Internet via an uplink given by ISP. | Site-specific |
Actual Server Setup Revealed
- Install and configure NFS server.
- Install and configure MySQL server.
- Install and configure Memcached server.
- Install and configure Apache server.
- Install and configure Lighttpd server.
- Install and configure Nginx server.
​Performance and Security Benefits of Splitting LAMP Services
Some of the major benefits of splitting LAMP services are such as:
- Scaling. With the separate services, it is much easier to scale the whole system. For instance, if you have just one server/vm then the strategy needs to be really complex in order to include every little component. You should also consider the load balance that drastically influences the performance characteristics.
- Deployment. As a rule, these nodes are usually immutable. This means the deployment happens by creating a new node, but not adding something to an already existing one. The process is way easier when the database and application are in different nodes.
- Security. In case of any risk of attacks, you can lose access to one node, but not to all at once and that greatly minimizes the problems.
​Managing Interactions between Split LAMP Components
For a more practical understanding of the interactions between components, let’s create an actual example and explain everything according to it. For instance, the name of the site is www.ex.com and it relates to 102.23.1.4 IPv4 address and it is assigned to eth0. The internal IP is 837.234.1.1 and it is assigned to eth1. All the services are in LAN and the website is reverse proxy.
The hardware firewall rules only allow 102.23.1.4 on ports 443 and 80. The rest of the ports are blocked. Every node allows access to required ports and runs iptables. The pool of server is defined as following:
upstream mybackend {
server 837.234.1.10:80; #server1
server 837.234.1.11:80; #server2
....
..
..
server 837.234.1.100:80; # server100
}
The lighttpd and Apache server can access files at VM05 using nfs server. The Apache server is PHP configured. The PHP app is configured to link to the database on WM04. Cache SQL via Memcached server on VM03 is used on PHP app.
Additionally, it is possible to place reverse proxy on DMZ and other servers in the firewall to higher the level of security. In such a way, this will maximize the project’s cost.
​Summing up
To immensely increase the security level of the web app, it is important to deploy the VMs’ network for every layer of this stack. If speaking about the budget for this kind of improvement, of course, it is not a cheap option, the maintenance and setup of the system can be pricy. Despite the cost of the strategy, the security improvement is huge and so beneficial for any case. Moreover, the server’s virtualization makes the processes of restoring, backing up, and migrating to other hardware so much quicker and simpler.
Due to the binary nature of the virtual machines on the host filesystem, it is way simpler to port to some other machines when it is needed. Also, a little bit higher prices that are invested in this system became almost insignificant when you are restoring all machines in a matter of minutes. When you are in such a situation, you will really understand the major benefits that come together with network service isolation per VM systems. Moreover, with this approach, it is much simpler to monitor different VMs in the network.