Thread: What is safe

    #1

    What is safe


    We are a small company that is looking into getting our first server. We are considering Apple's Xserve.

    We want to have it used as a file server and a web server. Is this safe? Can we put our QuickBooks data on the server and still be safe using it as a web server?

    In one book I read it said only put web stuff on your web server. But this would mean we would have to buy 2 servers. I thought servers were supposed to be secure.
    Have Eternal Life
    Learning is so unproductive...
    The more I learn the more questions I have!
    Therefore I am going backwards.

    #2
    Nothing that is connected to a public network can ever be considered totally secure.

    Use 2 servers.

    #3
    So the web server should not be on our local network? Otherwise it is possible to gain access through the web server into the local network?

    #4
    That's correct. Without knowing your current network setup and how it is connected to the internet, I can't give advice on how you should do it.

    #5
    Our network now consists of 11 computers (3 Macs, 7 Windows 98 and 1 XP) and 2 RIPs. We have a 10 MB and a 100 MB hub.

    #6
    Like rod says, nothing connected to the net is safe.

    However, the thing you should do is put up a firewall and make two separate networks. One for your workstations and one for the servers that need to be contacted over the web.
    An option would be to add yet another network for your other servers, the ones that don't need to be reached over the net.

    Now, you can open up port 80 to your webserver for the www traffic. Then maybe port 21 and port 22 so you can access it with FTP and SSH (or telnet, but then you will be opening up a security hole rather than closing one).

    For your workstations network you can restrict or allow access however you want. Configuring a firewall can be as complicated as you want it to be.

    The only thing to keep in mind with the firewall is to constantly ask yourself "Do I really need to have this enabled? Isn't there a better and safer way of doing this?".

    Now, the thing that's almost more important than a firewall... make sure you check for updates and fixes for everything on the public side (the side that can be reached over the internet). That means checking once a week or more if there are any security updates for Apache, sFTP, OpenSSH and so on (change these to the things you have on your server).

    If you keep up to date, and keep your public (internet) stuff away from your private (workstations) stuff you should be reasonably secure. Obviously, you are never totally secured, but you are as secure as you are able to be. Your security will depend on how knowledgeable you are about attacks and how to protect yourself so I suggest reading books, both technical and more generic books.

    Some general knowledge books I can recommend are:
    "Secrets and Lies: Digital Security in a Networked World" - Bruce Schneier
    "Incident Response: Investigating Computer Crime" - Chris Prosise and Kevin Mandia
    "Practical Unix and Internet Security" - Simson Garfinkel... maybe not so general, but good.
    As for technical books, I would say, get a good book about the firewall you buy and books about the protocols you use (like SSL, TCP/IP and whatever else you have floating around your network). The protocols and the firewall sort of go hand in hand so you know what to allow and what not to allow.

    If you are totally in the dark on all of this, maybe you should hire someone to set things up for you since bad configurations can give you a false sense of security when you in fact have none.

    Oh, and one other thing.... Check the logs now and then for intrusion attempts! Almost forgot that... Anyhoo, most firewalls can be told to mail the logs to a mail address at intervals, so make sure you or someone who knows what they are reading skims through it once a week or so. Where I work, we let another firm do this particular part for us because I simply don't have time to sit and read through it. I just get a condensed report of the dubious activity that has been targeted at our systems, then I can make a decision based on that on how to proceed. Obviously, this costs money... but for us/me, it's worth it because we have a pretty big system, and many servers... so our logs get huge fast.

    This can be complemented with IDS, NIDS and other stuff, but this might be too expensive and complicated for you... but you should know you have the option.

    Oh yeah... I say, use two servers as well. You don't want your fileserver to be accessible from the internet!
    In other words, three devices are needed (I assume you don't have a firewall).
    One WWW server (you can have mail on it if you need that as well), one fileserver and one firewall... I would go for a hardware firewall, because they are smaller and generally I think they are nicer to work with.

    Your internet plugs into the firewall, then one network card plugs into the webserver, the other network card plugs into the hub (get a switch instead).
    You route all incoming traffic on port 80 (possibly port 25, 110, 21 and 22 depending what else you want to be running on the webserver) to your webserver and block all incoming traffic that hasn't been initiated from within to the hub (your workstations). Allow no mappings between the webserver and the workstation... you can update your website locally on the webserver or over the internet. If you map up a local path, you open up a backdoor to your local network. Hope I'm not complicating things for you now....

    Check this for a picture of what I mean... IMAGE

    /Fjodor
    Last edited by Fjodor; June 24th, 2002 at 05:34 AM.
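
The separation described in post #6 can be checked mechanically. The following is an added example, not part of the thread: it audits a rule set for the two things the post warns about (connections from the internet or from the web server into the workstation network) and for ports opened to the web server beyond those named. The zone names, rule format, both rule sets and the use of port 445 for the file-share mapping are assumptions made for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # zone a new connection comes from: "wan", "dmz" or "lan"
    dst: str      # zone it is going to
    port: int     # destination TCP port, 0 = any
    action: str   # "allow" or "deny"

# Ports the post names for the web server (add 25/110 if it also handles mail).
WAN_TO_DMZ_PORTS = {80, 21, 22}

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.action
    return "deny"

def audit(rules):
    """Return findings where the rule set breaks the separation in the post."""
    findings = []
    for port in range(1, 1024):
        if decide(rules, "wan", "lan", port) == "allow":
            findings.append(f"internet can open connections to workstations on port {port}")
        if decide(rules, "dmz", "lan", port) == "allow":
            findings.append(f"web server can reach workstations on port {port}")
        if decide(rules, "wan", "dmz", port) == "allow" and port not in WAN_TO_DMZ_PORTS:
            findings.append(f"unexpected port {port} open to the web server")
    return findings

# Separated layout: published ports only; workstations may go out, nothing comes in.
SEPARATED = [
    Rule("wan", "dmz", 80, "allow"),
    Rule("wan", "dmz", 22, "allow"),
    Rule("lan", "wan", 0, "allow"),
]

# Same rules plus a file-share mapping from the web server into the LAN
# (constructed: port 445) and telnet opened to the web server.
WITH_MAPPING = SEPARATED + [
    Rule("dmz", "lan", 445, "allow"),
    Rule("wan", "dmz", 23, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("separated", SEPARATED), ("with mapping", WITH_MAPPING)):
        print(name, audit(rules) or "no findings")
```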
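
The weekly log review and "condensed report" mentioned in post #6 can be sketched as follows. This is an added example, not part of the thread: the log line format, addresses (documentation ranges) and thresholds are constructed, since every firewall writes its own format.

```python
import re
from collections import defaultdict

# Assumed log format (constructed; real firewalls each have their own):
# <ISO timestamp> DROP src=<ip> dst=<ip> proto=<name> dpt=<port>
LINE = re.compile(r"^(\S+) DROP src=(\S+) dst=\S+ proto=\w+ dpt=(\d+)$")

# Constructed sample: one source probing several ports, one hammering SSH,
# one stray packet, and one line in a different format.
SAMPLE_LOG = "\n".join(
    [f"2002-06-17T02:11:{s:02d} DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt={p}"
     for s, p in enumerate((21, 23, 25, 111))]
    + [f"2002-06-18T23:40:{s:02d} DROP src=198.51.100.22 dst=192.0.2.10 proto=TCP dpt=22"
       for s in range(6)]
    + ["2002-06-19T09:02:13 DROP src=203.0.113.50 dst=192.0.2.10 proto=UDP dpt=137",
       "Jun 19 09:05:01 fw: link up"]
)

def condense(log_text, sweep_ports=3, repeat_hits=5):
    """Return (report, skipped): noisy sources only, busiest first."""
    seen = defaultdict(lambda: {"hits": 0, "ports": set(), "times": []})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1  # count unparsed lines so format changes are noticed
            continue
        ts, src, port = m.groups()
        entry = seen[src]
        entry["hits"] += 1
        entry["ports"].add(int(port))
        entry["times"].append(ts)
    report = []
    for src, e in seen.items():
        if len(e["ports"]) >= sweep_ports:
            reason = "port sweep"
        elif e["hits"] >= repeat_hits:
            reason = "repeated attempts"
        else:
            continue  # single stray packets stay out of the condensed report
        report.append((src, e["hits"], sorted(e["ports"]), reason,
                       min(e["times"]), max(e["times"])))
    report.sort(key=lambda r: (-r[1], r[0]))
    return report, skipped

if __name__ == "__main__":
    rows, skipped = condense(SAMPLE_LOG)
    for src, hits, ports, reason, first, last in rows:
        print(f"{src:15} {hits:3} hits  ports {ports}  {reason}  {first} .. {last}")
    print(f"{skipped} unparsed line(s)")
```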

    #7
    Thanks to the both of you for your help.