Strengthening Web Stack Security (LAMP) with Network Service Isolation per VM Systems

Web stack is a collection of various open-source soft such as programming language of the server side, operating system, database server, and web server. The most widely used stack is called LAMP. This name is a shortening for Linux, Apache server, MySQL, and PHP (in some cases it might be Python or Perl). For security reasons, the best variant is to run various network services on separate virtual machines or systems. With such a system, that is obvious that potential attackers cannot crack lots of services.

Here in this article, we will have the most helpful information about setting up a solution that can serve caching, dynamic/static content, and database by functioning on virtual machines or separate servers.  

LAMP: Traditional Setup versus Split Configuration

Traditional server setup where all the services are on one machine is extremely risky nowadays. There are so many hackers who can access your server and all the data on it with only one attempt. To exclude such troubles, it is better to consider a split configuration.

The spit configuration will divide the cache, database, and other parts per server. The benefits of such an approach are the following:

• Optimization
• Security
• Easiness of usage
• Growth and scalability
• Simplifies monitoring

Defined Roles for Each VM/Server in Split LAMP Architecture

The example below characterizes different VMs that can be relevant to blogs, custom-made apps, or Drupal-based websites. 

Actual Server Setup Revealed

1. Install and configure NFS server.
2. Install and configure MySQL server.
3. Install and configure Memcached server.
4. Install and configure Apache server.
5. Install and configure Lighttpd server.
6. Install and configure Nginx server.

​Performance and Security Benefits of Splitting LAMP Services

Some of the major benefits of splitting LAMP services are such as:

• Scaling. With the separate services, it is much easier to scale the whole system. For instance, if you have just one server/vm then the strategy needs to be really complex in order to include every little component. You should also consider the load balance that drastically influences the performance characteristics.
• Deployment. As a rule, these nodes are usually immutable. This means the deployment happens by creating a new node, but not adding something to an already existing one. The process is way easier when the database and application are in different nodes.
• Security. In case of any risk of attacks, you can lose access to one node, but not to all at once and that greatly minimizes the problems.

​Managing Interactions between Split LAMP Components

For a more practical understanding of the interactions between components, let’s create an actual example and explain everything according to it. For instance, the name of the site is www.ex.com and it relates to 102.23.1.4 IPv4 address and it is assigned to eth0. The internal IP is 837.234.1.1 and it is assigned to eth1. All the services are in LAN and the website is reverse proxy.

The hardware firewall rules only allow 102.23.1.4 on ports 443 and 80. The rest of the ports are blocked. Every node allows access to required ports and runs iptables. The pool of server is defined as following:

upstream mybackend {
      server 837.234.1.10:80; #server1
      server 837.234.1.11:80; #server2
      ....
  	..
  	..
      server 837.234.1.100:80; # server100
}

The lighttpd and Apache server can access files at VM05 using nfs server. The Apache server is PHP configured. The PHP app is configured to link to the database on WM04. Cache SQL via Memcached server on VM03 is used on PHP app.

Additionally, it is possible to place reverse proxy on DMZ and other servers in the firewall to higher the level of security. In such a way, this will maximize the project’s cost.

​Summing up

To immensely increase the security level of the web app, it is important to deploy the VMs’ network for every layer of this stack. If speaking about the budget for this kind of improvement, of course, it is not a cheap option, the maintenance and setup of the system can be pricy. Despite the cost of the strategy, the security improvement is huge and so beneficial for any case. Moreover, the server’s virtualization makes the processes of restoring, backing up, and migrating to other hardware so much quicker and simpler.

Due to the binary nature of the virtual machines on the host filesystem, it is way simpler to port to some other machines when it is needed. Also, a little bit higher prices that are invested in this system became almost insignificant when you are restoring all machines in a matter of minutes. When you are in such a situation, you will really understand the major benefits that come together with network service isolation per VM systems. Moreover, with this approach, it is much simpler to monitor different VMs in the network.