Below is a diagram of a sample web application that utilizes Bitcoin. It contains a hot wallet as well as a cold wallet. The various nodes and connections are explained below.

Sample Architecture

Transport Layer Security (SSL/TLS)

The main benefit of using SSL/TLS is to protect all user and organization data while it is in transmission. Using transport layer security is necessary for both server side and client side communications in order to protect user data and to prevent replay and man in the middle (MITM) attacks. TLS does NOT ensure the encryption of data at rest. It only ensures data integrity during transmission. Data at rest should be encrypted using other encryption methods.

Network Layer Security & Web Application Firewalls (WAFs)

Network layer security is critical for ensuring that your network is not compromised by an attacker. Proper firewalls, intrusion detection systems, and using up to date components are all necessary in order to protect your customers and Bitcoin. Your web application firewall (WAF) should provide an additional layer of security by at least having rules for the OWASP Top Ten as well as keeping it up to date when new types of attacks are developed.

The DMZ

The Demilitarized Zone (DMZ) in your network acts as an additonal layer of security for your organization's back end systems. In this case, the DMZ is developed to contain servers that are Internet facing. This security measure acts so that in the event of an application or static content server compromise, there is an additional firewall that the attacker would have to get through in order to gain access to the other servers. Firewalls on either side of the DMZ allow for additional protection from hackers.

Application Servers

Your application servers will run your application's code. The application server will be responsible for validating data that is received from the users as well as ensuring that all data sent back to the users is properly encoded. The application server you use (i.e. Tomcat, WebLogic, WebSphere, IIS, etc..) should always be up to date and have all the patches installed as they are released. Your organization should have a process that periodically checks your application server's for new versions, vulnerabilities, and patches. The web application server should also securely store all certificates and it should never use default credentials.

Static Content Servers

Your static content servers should store and serve all data that is static such as CSS, static HTML, Javascript, etc. Using a static server reduces load on your dynamic servers and also allows for faster response times and page loads.

Database Servers

The database servers will hold your organizations' databases such as MySQL, SQL Server, Mongo, etc... The separation of your database server from your application server is critical. In the event that your application server is compromised, this separation gives your users' data an additional layer of protection. All Personally Identifiable Information (PII) such as names, passwords, addresses, credit card numbers, SSNs, and others should always be encrypted while at rest. Access to your database servers should also be restricted to only identified users and servers in order to prevent outsider access. The database server should always have the latest and most secure version of the database installed. Default usernames and passwords should never be used and must be stored securely. Physical access to the database servers should be restricted and regular encrypted backups should be made in order to be able to recover in the event of a compromise or disk failure.

Logging Servers

Logging servers are very important for auditing purposes. Your logging servers should NEVER store PII on them. The logging servers should be able to identify when users log in, log out, do any actions that are important such as transfer of Bitcoin, buying/selling products, updating their information, changing passwords etc... The logging server should be kept separate from your application and database servers. This is particularly important in the event that one of the other servers is compromised, the attacker would have a much more difficult time modifying log entries to hide their activities. Logging servers are also very important in order to provide a trail in the event of a law suit or compliance requirements.

Hot Wallet Servers

Hot wallet servers will contain Bitcoin that is connected to the internet. Your application will utilize the hot wallet server to send/receive Bitcoin very quickly. The benefit of a hot wallet is the fact that you can almost instantly send and receive Bitcoin. The negative aspect of this is in the event that your hot wallet server is compromised, there is a high chance that you may lose all Bitcoin stored on this server. Your hot wallet should only contain as little Bitcoin as possible that is necessary to run your daily operations. Your application that uses this hot wallet should limit the size and frequency of transactions for each user in order to minimize loss in the event of a security issue within the application. Any transactions with the hot wallet server should be logged at the logging servers. The only entities that should be allowed to communicate with the hot wallet server are the application servers.

Cold Wallet Servers

Cold wallet servers are Bitcoins that are kept in cold storage. Examples of a cold wallet are USB drives, servers disconnected from the internet, brain wallets, and paper wallets. The cold wallet should only be accessible physically by an administrator and this wallet will contain the majority of your organization's Bitcoin. It is recommended that this wallet is "tiered" or broken up into multiple cold storage wallets. When adding or removing Bitcoin from cold storage, a new Bitcoin address should be created and only the desired amount should be transferred to it. Once the new address contains the Bitcoin, it can then be transmitted to a hot wallet. Under no circumstances should the cold wallet ever be able to receive messages from the Internet. Transmission of Bitcoin to and from the cold wallet should always be a manual process that requires an administrator.