
Separate server or current hardware?


marc92

IS-IT--Management
Nov 3, 2003
5
Small company my brother has needs to distribute large pdf files to their clients. The files are too large to email so the thought was to post them to a dedicated server in their office and simply email the link to the clients.

The question is, do they need a completely dedicated box or can this be done through their Win2003 Server they already have? My concern is security issues with their current server. Ideally, the emailed link would allow them access to that one particular pdf and nothing else.

Is this a project their desktop repair guy can handle (he'd have to learn how to set up the server, so that's his website creation experience)?
 
Some small box will do just fine, the biggest thing that needs to be addressed is where to put that box... IT NEEDS TO BE ON A DMZ. The box, ftp or web server software is easy; but the box itself will be open to the public network with people coming in using clear text usernames and passwords (more on that in a sec.)

Best practice would be to establish a DMZ, you might have a firewall (you do have a firewall, don't you?) that has an unused port that you can define as a DMZ network that is more secure than the public WAN port, but not as secure as the internal LAN port. So by default your traffic originating on the inside of your network has access out to both the DMZ and the WAN; on the flip side, traffic originating on your WAN, by default cannot access anything on your DMZ or LAN... you create a hole to allow http, ftp, etc... traffic through to your DMZ. So even if something/someone gains access to your box, it's on the DMZ and doesn't have access to your LAN.

"people coming in using clear text usernames and passwords"...purchase a certificate; this will provide your webserver the ability to provide an SSL connection to secure areas on your web-site, meaning when someone comes in to your web-site and they go to a page for them, you make this a secure page (https) and from then on, information passed between web-site and user is encrypted and not clear text for the "snooping eyes" out there on the web.

Now, if you trust these people beyond reproach to have potential access to your LAN, I STILL WOULDN'T DO IT. You could implement an SSL VPN appliance that would give them access to that box and that box only and would encrypt their information across the Internet, but this is usually done for employees/partners, not customers.

Hope that helps.
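
The zone rules described in the post above (the LAN can reach the DMZ and the WAN, the WAN reaches the DMZ only through deliberate holes, and nothing from the DMZ reaches the LAN), as an added example that is not part of the original thread: a small Python audit of a firewall rule list. The numeric trust levels, the `Rule` format, the `PUBLISHED` service list and the sample rules are assumptions constructed for illustration and do not come from any particular firewall.

```python
from dataclasses import dataclass

# Assumed trust levels: LAN most trusted, DMZ in between, WAN least trusted.
LEVEL = {"LAN": 100, "DMZ": 50, "WAN": 0}

# Services deliberately exposed on the DMZ host (assumption: http, https, ftp).
PUBLISHED = {("tcp", 80), ("tcp", 443), ("tcp", 21)}

@dataclass(frozen=True)
class Rule:
    src: str      # zone where the connection originates
    dst: str      # zone where it terminates
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 means any
    action: str   # "permit" or "deny"

def default_action(src, dst):
    """Implicit behaviour: a zone may open connections only to less trusted zones."""
    return "permit" if LEVEL[src] > LEVEL[dst] else "deny"

def decide(rules, src, dst, proto, port):
    """First matching rule wins; otherwise fall back to the zone default."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.proto in (proto, "any") and r.port in (port, 0):
            return r.action
    return default_action(src, dst)

def audit(rules):
    """Return findings for permit rules that break the DMZ isolation."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.dst == "LAN" and r.src in ("WAN", "DMZ"):
            findings.append(f"{r.src}->LAN permit ({r.proto}/{r.port}) defeats the DMZ")
        elif (r.src, r.dst) == ("WAN", "DMZ") and (r.proto, r.port) not in PUBLISHED:
            findings.append(f"WAN->DMZ {r.proto}/{r.port} is not a published service")
    return findings

# Constructed sample rule set: two intended holes and two mistakes.
RULES = [
    Rule("WAN", "DMZ", "tcp", 443, "permit"),   # https to the file server
    Rule("WAN", "DMZ", "tcp", 21, "permit"),    # ftp to the file server
    Rule("WAN", "DMZ", "tcp", 3389, "permit"),  # remote desktop left open to the Internet
    Rule("DMZ", "LAN", "tcp", 445, "permit"),   # file-share shortcut back into the LAN
]
```

Running `audit(RULES)` flags the last two rules; the DMZ-to-LAN permit is the one that undoes the isolation the post relies on if the public box is compromised.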
 
I simply FTP with my Windows XP box at home, but then again I have a Cisco router (2620XM) that does a decent firewall config, like deep packet inspection. This prevents hackers from even trying to guess my username/password (you'll see kids trying "admin", "administrator", etc with a slew of different passwords---called a dictionary attack or brute force). I also have a Windows 2003 Server doing FTP at work, and I have set up a PIX Firewall. This goes across a T1, and nobody has tried to hack into it in the past 3 months that it has been up.
Anyway, I would say that the service you want is FTP, and when you put a .pdf in the FTP directory, you can point a link to the customer with a registered DNS name. If this is DSL, you can go to dyndns.org and register up to 5 for free, so the link could look something like
ftp://brothersplace.gotdns.com/snoopy.pdf

Burt
 
Burt,
How do you like that pix 520? I am about to buy an ASA-5505 for the CCNA Security cert and would appreciate any advice there.

Marc92,
The method that Burt mentioned is both effective and secure. The setup is not that difficult either although it can be somewhat time consuming initially.

I guess the real question is what kind of setup do you have now? Network-wise.. LANs, WANs etc. and what is being hosted via that 2003 server? Sometimes it is best to either virtualize or separate entirely for security reasons.

B Haines
CCNA R&S, ETA FOI
 
I like the PIX520. The highest OS that can go on them is 6.3...Ask around about the Local Director---if they're the same as the PIX (I have heard this), or at least do the same as the PIX, then I have 1 I can give you---just pay for the shipping. I'll even throw in a 4-port NIC for it for an extra $50.

Burt
 
What model is that Local Director Burt?

B Haines
CCNA R&S, ETA FOI
 
430---they're both junk, actually---just tested them...sorry.
One gets a checksum failure (could be memory parity errors---will try different memory, already tried different flash), and the other just outputs weird ASCII characters all day, no matter what term emulator I use, stop bits or no stop bits, Xon/Xoff, hardware or no flow control, any BAUD rate, and 7 or 8 stop bits. Tried both flash mods in this, too.

Burt
 
Oh well.. Thanks anyway... I am feeling pretty good about the ASA-5505.. It happens every time... whenever I am close to buying a 3550 something gets in the way.. LoL

B Haines
CCNA R&S, ETA FOI
 