Please, I need help!

S

spider_dudeX

Geek Trainee
Situation:

A company plans to sell all its line of products on line. While they were operating the warehouse show room retail sales operations, they extensively used transaction servers and other server network systems for CRM and inventory warehousing. Now additional web and application servers need to run in the business.

--------------------------------------------------------------------------

What would be recommended policy for the network and server security?



Firewall is definitely a good idea to prevent bad stuff from coming in from the outside, but what other security measures can be taken to prevent people working within the company to hack into the network/server, for instance.

I hope you can help, thank you :)
 
Thank you very much for your input Waffle! :)

Anymore input from anyone would be wonderful!

By the way, nice avatar there Waffle :good:
 
OK, some questions for you:

1) What size company is it you work for?
2) What kind of budget are you working with?
3) Are the servers you're talking about going to be accessed from the Internet, or just from your local network?
4) What operating systems are your servers running?
5) Your workstations?

Answering these questions will help me to be as specific to your needs as possible. :good:

Thanks,
-AT
 
1) What size company is it you work for?

- It's a large corporation.

2) What kind of budget are you working with?

- Not sure at the moment, but anything you come up with would be wonderful!

3) Are the servers you're talking about going to be accessed from the Internet, or just from your local network?

- Accessed from the local network

4) What operating systems are your servers running?

- Windows XP Pro

So, based on that, can you help me out?? :o
 
Since your servers are running XP Pro, I'd strongly recommend against allowing them to be accessible from the Internet. The reason for this is that Windows has inherent design flaws which make it less than secure in multi-user and/or networking environments. This is understandable, since Windows wasn't originally intended to be a multi-user or networking platform.

As far as the router (firewall) goes, there are a few directions you can go and still achieve similar results:

Cisco Router
A great solution for the large business, but very pricey. They cost around $1000 for the very low-end models, and average about $10,000 (US) for the more well-rounded units. For the enterprise, you can easily get into the $100,000 range and beyond. Cisco is the name in the industry, but you're going to pay for it. Also, managing Cisco routers does require some pretty involved training.

Freesco
Freesco is an open-source, Linux-based alternative to Cisco. It is a free operating system which runs from a single 1.4mb floppy. It's powerful, very full-featured, and fairly easy to setup and administrate. This option does require some strong technical skills, especially in networking specifics and the Linux operating system. But the big plus is that using Freesco, you can turn even very low-end hardware into a powerful, enterprise-class router without too much hassle. This means you have world-class protection for just the cost of a cheap rackmount or commodity PC.

IPCop
IPCop is another free, Linux-based router along the lines of Freesco. IPCop is even easier to setup and administrate than Freesco, requiring no Linux knowledge at all and very little networking know-how. If you can setup a home-class router, you'll have no troubles with IPCop. It's very powerful, is modular and so features can easily be added, and can be easily administrated via 256-bit encrypted web interface or SSHv2. IPCop offers secure VPN, traffic and resource-usage graphing, advanced logging and intrusion detection, and even HTTP / DNS proxying should you so desire to use it. I like IPCop so much that my company is currently behind one, and I use one at home too! I built my company's router for around $300 total cost, and it usually utilizes less than 1% of its CPU resources. It has never gone down, nor has it been compromised. You can read more about IPCop in this article.

As far as internal security goes, you can have untrustworthy parts of your network protected safely behind your router, and yet isolated from trusted parts of your network by using the principles of subnets and DMZ.

Let me know if there's anything else I can do to help, or if you need more specifics on anything!

-AT
 
Couple more questions ...

As on line sales increase to a couple hundred on line customers, the servers would take longer time to run applications. Any suggestions?

If it happens that a server application program, which updates customer data, is infected with a virus, what could be the possible effect?
 
spider_dudeX said:
...As on line sales increase to a couple hundred on line customers, the servers would take longer time to run applications. Any suggestions?
Click to expand...
I'll need a few specifics before I can even guess at a solution, because to be honest I'm not sure I understand the problem. :o
A barrage of questions follow:
* Are the systems in question being forwarded order information from your company's website, or are they actually running the website?
* Do you mean that when the systems run many orders at once, they become bogged down?
* Is it the network, or the resources of the system that become bogged down?
* Finally, what type of network/system hardware are we dealing with?
spider_dudeX said:
If it happens that a server application program, which updates customer data, is infected with a virus, what could be the possible effect?
Click to expand...
Well, the effect could potentially be catastrophic. I don't know what country you're in, but in the US there's a law that states that if a server containing sensative client information is compromised, the customers in question must be expressely notified that their data may be in unsavory hands. The reputation-damaging fallout from such a situation can possibly spell ruin for even the most financially secure companies. With this in mind, these machines should be as well-isolated from other systems on the network as possible, and should run advanced and current anti-virus software. For this purpose, I recommend Trend-Micro. Furthermore, if they do not explicitly need to be running Windows, I strongly advise replacing the Windows OS on those systems with Linux, BSD, or perhaps some other *nix such as OSX or Solaris (if you are to replace the hardware as well). Unix-like systems are intended by design to be secure, multi-user, and networked; as a result they are inherently more secure (and therefore more virus/hack-resistant) than any version of Windows, even if it has an anti-virus. In addition, every Unix-like system I've mentioned is significantly more stable than Windows, and much better with resource management (so they run faster given the same hardware). These factors make them much better suited to mission-critical server tasks than the Microsoft offering.

In any case, these systems should be kept in a secure, locked area if at all possible. Preferrably someplace where their well-being can be monitored, yet they cannot be tampered with (i.e. locked refrigerated cabinet, I.T. closet, etc). Most hacks which occur behind firewalls are caused by disgruntled or unstable employees, so this should not be overlooked.

Hope this helps,
-AT
 
I apologise if i am wrong, but these are course questions for coursework, i have seen them before, and my younger brother is doing something similiar.

Although we are here to help, and anti-trend has provided you with some excellent information, you are not learning anything from us telling you what the ideal things to implement / purchase would be and why..

I am not trying to offend you, but we are not here to do your coursework, work for you, we are here to help, and guide you along the way, whilst you try and discover it yourself, we are here when you get stuck.

It's cheating, and by doing so your cheating yourself, you'd be better off learning through your own research and experience.
 
Well, these aren't the actual questions, they are questions that help me get a better understanding of the questions I'm currently working on ...
 
You're right, I was cheating a little, it's just that I'm extremely busy, and this is due today, and I got this assignment yesterday afternoon, so I wanted to get it done fast. I had to stay up all night last night to study for a final this Friday, plus I have to work on a report due the same Friday, along with all this other stuff...

I know that cheaters never prosper; I'm really sorry!! :(
 
Well atleast your sorry, however with this type of course and work, even if u got this yesterday, you could have easily done it in an hour with no knowledge of the stuff anti-trend has mentioned, as long as you had not left work to the last minute.

Excuse me if this is a flame but i really don't care..

I've learnt from my mistakes and if you leave everything till the last minute, work gets rushed, mistakes get made and the quality of your work becomes substantially decreased in comparison to what it should / could be.

I live in the UK, i did my GCSE's (which get you into A levels - which get you into University), so without GCSE's your either stuffed.. or your going to have to go back and study and waist another 1 or 2 years of your life.

I left revision to late, i went out got drunk, smoked, smoked weed, did poppers, did coursework to the minimum of my ability, (the quickest), played CS / HL to much, and generally pissed it all away, when i could have done so much better. I have 5GCSE grades (NOW) which still is not alot, considering the average people take is 9 or 10. I got: Maths/Sciencex2/English/IT/French

To put it into perspective.. i FAILED IT really badly i got a E grade.. C being to pass at GCSE level, which is making a website - not coding it, just in frontpage or dreamweaver, making publisher documents, word documents, databases e.t.c

Stuff that could have taken me minutes..

I re-took IT, as I loved IT as a subject, i was more interested though in causing the school system to crash, hacking admin tools or editing the school website.

I retook IT, i got an A grade, with about 8 hours work and bout a weeks solid revision, and maths as well (C grade). I now have 3 A levels in IT Practitioning and Administration, I am starting an MCSE (Microsoft Certified Service Engineer) at the age of 19, and then going to University in another year and a half (september 2006), and i am working as a deputy IT manager for an engineering company.

u'll regret it dude, u really really will.. and it effects alot more than just time believe me. If your behind then just tell your teacher, or tutor, and be honest.. they maybe angry but they will understand as long as you are honest with them.

I hope this helps, whether or not it does is upto you, because i'm sure you should already know this.

Post Edited by moderator Anti-Trend
 
If you would have just been straight-forward and honest about having difficulty in your coursework, we would have still come forward and assisted you (or at least pointed you in the right direction). I'm not too upset about this whole thing, but it does make us both look foolish. All of the regulars on this forum are good people who are willing to help strangers on a daily basis, and we don't get payed for what we do. Please keep that in mind while posting.

-AT
 
Y'know the bit that gave it away to me that this probably wasn't for a real company?

Your name :D

Not many network admins/security advisors etc are gonna call themselves spider_dudeX! :p

(yes Procal X is an exception, but, there's always one...)
 
Waffle said:
Y'know the bit that gave it away to me that this probably wasn't for a real company?

Your name :D

Not many network admins/security advisors etc are gonna call themselves spider_dudeX! :p

(yes Procal X is an exception, but, there's always one...)
Click to expand...


lol, good point :D

Am I allowed to post about this neat website on the forums? There's no pron or anything, it's this great flash-animated series, and I spread the word as much as I can.
 
spider_dudeX said:
Am I allowed to post about this neat website on the forums? There's no porn or anything, it's this great flash-animated series, and I spread the word as much as I can.
Click to expand...
You can post most anything which doesn't fit into any other forums over in the General Chat forum. That is, as long as it abides by our very reasonable site rules.
 
2.) NO SITE PIMPING OR ADVERTISING.
We've had a few of these come up in the past. If your participating in the forums and want us to check out your site, that's fine. Better yet, put the link in your signature. Users that come here for site pimping and little or nothing WILL have their account disabled or may even be banned for repeat offenses. If you want to advertise with us, please contact Sniper as this ultimately his site. Don't push your luck here. Bannings have happened, and we are not afraid to ban site pimps, so be warned.
Click to expand...

What's site pimping?

I'll put the website in my sig to start off, but I'd like to know for certain that I can post about this great website. It has blood in it, because of the fighting, but nothing gut wrenching and gross that would make one want to puke!

It's funny, has action, adventure, a bit sad, it's good stuff! :D
 
No worse than most of my sigs then! :rolleyes:

Site Pimping is when somebody registers here for the sole purpose of promoting their site, and flood the threads and posts with pointless messages related to their site.
 
You must log in or register to reply here.
Back
Top