is that a good offer for a server installation?

 
 
Giuseppe
 
      06-30-2005
A person I know needs to receive large files (about 500 Mb) from his
customers to be downloaded and then worked.
Each customer should have his own protected area.
He has contacted a computer company (moreover distant more than 100 km from
his office) that has proposed this solution:
1. buying a server to maintain in his office
2. OS linux based upon kernel 2.6xx
3. web server&php. apache
4. firewall
5. installation of cwfm (a software that manages files, at first I believed
that should be created by them, but then I found out to be free on the net
http://cwfm.sourceforge.net) upload and download are managed via http

The economic offer was:
- installation OS linux: configuration linux, apache, php, dns, iptables and
cwfm --->3000 euro (about 3600 dollars)
- maintenance ---> first year free, from the second on 1000 euro (about 1200
dollars)
purchasing of the server is apart

I'm very doubtful about this, but the person who should buy everything is
even enthusiastic about the honesty and knowledge of these people.

They insisted above all on the issue of security, as if hackers ordinarily
waste their time to manage to keep wedding albums sent via the internet, and
they told him that ftp is not secure for this and their program is based
upon http. "It could be seriously risky for his customer privacy" !!!

questions:
1) do you really think that http is more secure than ftp?
2) do you think http is the right solution for uploading so large files?
3) what do you think about the economic offer? Consider that I'm writing from
Italy and here everything is cheaper compared to, for example USA or
northern europe. So you have to consider higher the sum he has to pay.

Has somebody some link to correlated topics? As it seems that I have no
authority with this person, which instead should have a site with articles
written by knowledgeable people. I've made a search on the internet but I was not
able to find anything useful.


bye and thank you to those who will express an opinion



Giuseppe




 
Michael J. Pelletier
 
      06-30-2005
Giuseppe wrote:

> A person I know needs to receive large files (about 500 Mb) from his
> customers to be downloaded and then worked.
> Each customer should have his own protected area.
> He has contacted a computer company (moreover distant more than 100 km
> from his office) that has proposed this solution:
> 1. buying a server to maintain in his office
> 2. OS linux based upon kernel 2.6xx
> 3. web server&php. apache
> 4. firewall
> 5. installation of cwfm (a software that manages files, at first I
> believed that should be created by them, but then I found out to be free
> on the net http://cwfm.sourceforge.net) upload and download are managed
> via http
>
> The economic offer was:
> - installation OS linux: configuration linux, apache, php, dns, iptables
> and cwfm --->3000 euro (about 3600 dollars)
> - maintenance ---> first year free, from the second on 1000 euro (about
> 1200 dollars)
> purchasing of the server is apart
>
> I'm very doubtful about this, but the person who should buy everything is
> even enthusiastic about the honesty and knowledge of these people.
>
> They insisted above all on the issue of security, as if hackers ordinarily
> waste their time to manage to keep wedding albums sent via the internet,
> and they told him that ftp is not secure for this and their program is
> based upon http. "It could be seriously risky for his customer privacy"
> !!!
>
> questions:
> 1) do you really think that http is more secure than ftp?


HTTPS, yes. Remember ftp sends in clear text!

> 2) do you think http is the right solution for uploading so large files?


I do it. I use a program called Horde that has a file system interface
(written in php), and it works quite well.

> 3) what do you think about the economic offer? Consider that I'm writing
> from Italy and here everything is cheaper compared to, for example USA or
> northern europe. So you have to consider higher the sum he has to pay.


I do think it is a little expensive...

> Has somebody some link to correlated topics? As it seems that I have no
> authority with this person, which instead should have a site with articles
> written by knowledgeable people. I've made a search on the internet but I was
> not able to find anything useful.


I do not have any problems with the applications. Just the price seems a
little high. You get a year of maintenance? What does it include?

Michael

>
> bye and thank you to those who will express an opinion
>
>
>
> Giuseppe


 
Giuseppe
 
      06-30-2005
"Michael J. Pelletier" wrote in message
> > questions:
> > 1) do you really think that http is more secure than ftp?

>
> HTTPS, yes. Remember ftp sends in clear text!


does the software they are going to install work under https?

> > 2) do you think http is the right solution for uploading so large files?

>
> I do it. I use a program called Horde that has a file system interface
> (written in php). and it works quite well.


I thought that ftp was a better solution for uploading so large files


> I do not have any problems with the applications. Just the price seems a
> little high. You get a year of maintenance? What does it include?
>
> Michael


thank you for your opinion


 
Giuseppe
 
      06-30-2005
here is a link:

http://cwfm.sourceforge.net/index.php


 
Michael J. Pelletier
 
      06-30-2005
Giuseppe wrote:

> "Michael J. Pelletier" wrote in message
>> > questions:
>> > 1) do you really think that http is more secure than ftp?

>>
>> HTTPS, yes. Remember ftp sends in clear text!

>
> does the software they are going to install work under https?


Well technically you can always "wrap" the web application in a directory
that forces the web server to use https. So, yes, it should work.

>> > 2) do you think http is the right solution for uploading so large
>> > files?

>>
>> I do it. I use a program called Horde that has a file system interface
>> (written in php). and it works quite well.

>
> I thought that ftp was a better solution for uploading so large files


Actually the solution I like the best for this is sftp (really ssh). There
are many windows applications that will allow you to use this to speak to a
linux/BSD box running it. Linux/BSD can do it "out of the box".

>> I do not have any problems with the applications. Just the price seems a
>> little high. You get a year of maintenance? What does it include?
>>
>> Michael

>
> thank you for your opinion


 
Leythos
 
      06-30-2005
In article <4ESwe.29182$(E-Mail Removed)>, (E-Mail Removed)
says...
> A person I know needs to receive large files (about 500 Mb) from his
> customers to be downloaded and then worked.
> Each customer should have his own protected area.
> He has contacted a computer company (moreover distant more than 100 km from
> his office) that has proposed this solution:
> 1. buying a server to maintain in his office
> 2. OS linux based upon kernel 2.6xx
> 3. web server&php. apache
> 4. firewall
> 5. installation of cwfm (a software that manages files, at first I believed
> that should be created by them, but then I found out to be free on the net
> http://cwfm.sourceforge.net) upload and download are managed via http
>
> The economic offer was:
> - installation OS linux: configuration linux, apache, php, dns, iptables and
> cwfm --->3000 euro (about 3600 dollars)
> - maintenance ---> first year free, from the second on 1000 euro (about 1200
> dollars)
> purchasing of the server is apart
>
> I'm very doubtful about this, but the person who should buy everything is
> even enthusiastic about the honesty and knowledge of these people.
>
> They insisted above all on the issue of security, as if hackers ordinarily
> waste their time to manage to keep wedding albums sent via the internet, and
> they told him that ftp is not secure for this and their program is based
> upon http. "It could be seriously risky for his customer privacy" !!!
>
> questions:
> 1) do you really think that http is more secure than ftp?
> 2) do you think http is the right solution for uploading so large files?
> 3) what do you think about the economic offer? Consider that I'm writing from
> Italy and here everything is cheaper compared to, for example USA or
> northern europe. So you have to consider higher the sum he has to pay.
>
> Has somebody some link to correlated topics? As it seems that I have no
> authority with this person, which instead should have a site with articles
> written by knowledgeable people. I've made a search on the internet but I was not
> able to find anything useful.
>
>
> bye and thank you to those who will express an opinion


While FTP is clear, it's also a very good standard and fully supported.
Many FTP programs allow the computer admin to set up User/Password/Folder
without it being part of the OS Security, so you can also restrict via
the application without giving an OS level account. FileZilla Server is
a great FTP Server and runs on many platforms.



--
--
(E-Mail Removed)
(Remove 999 to reply to me)
 
Moe Trin
 
      07-01-2005
In the Usenet newsgroup alt.computer.security, in article
<4ESwe.29182$(E-Mail Removed)>, Giuseppe wrote:

>He has contacted a computer company (moreover distant more than 100 km
>from his office) that has proposed this solution:


OK - hopefully that also includes a UPS (Uninterruptible Power System) to
allow time to safely shut down the system in the event of a power failure.

>The economic offer was:
>- installation OS linux: configuration linux, apache, php, dns, iptables
>and cwfm --->3000 euro (about 3600 dollars)
>- maintenance ---> first year free, from the second on 1000 euro (about
>1200 dollars)
>purchasing of the server is apart


As the software cost is minimal (under 100 euro for a boxed set), the main
costs will be "labor".

>I'm very doubtful about this, but the person who should buy everything is
>even enthusiastic about the honesty and knowledge of these people.


http://tldp.org/guides.html

The "Linux Consultants Guide" lists 102 vendors in Italy.

>They insisted above all on the issue of security, as if hackers ordinarily
>waste their time to manage to keep wedding albums sent via the internet


Script kiddiez and wankers may not be interested in the wedding albums,
but they ARE interested in having access to the server - especially if
it's large and on a fast network connection.

>and they told him that ftp is not secure for this and their program is
>based upon http. "It could be seriously risky for his customer privacy" !!!


FTP is not a secure protocol (everything is sent un-encoded), but neither
is 'http' unless you say 'https' - notice the 's' for secure on the end.

>1) do you really think that http is more secure than ftp?


No - but the secure version is.

>2) do you think http is the right solution for uploading so large files?


500 Megs? Wouldn't be the way I'd do it, but you also have to think of the
other end of the connection - those customers. Do they know how to use
anything other than Microsoft Outlook Express? If the customers are the
common click and drool idiots, https is the correct solution. If they are
skilled, AND they have the right computer program, then there are other
alternatives - scp and sftp being only a few of many.

>3) what do you think about the economic offer? Consider that I'm writing
>from Italy and here everything is cheaper compared to, for example USA or
>northern europe. So you have to consider higher the sum he has to pay.


3000 euro for install/setup? How much does a computer smart person make
per hour? 10 euro (don't forget, this has to include taxes, and the cost
of doing business)? That 3000 euros (less the cost of software, and
shipping and travel costs) might buy a month of one person, and it
includes the first year of maintenance.

1000 euro for maintenance for a year? Is that "on-site" or telephone and
over the net? Again, look at the cost of travel if that is involved, and
the cost of the person you will get to service the box. Is the service
'24/7', or just "normal business hours"?

>Has somebody some link to correlated topics?


Look at the 'Linux Consultants Guide' and see that you have multiple bids
(we require three), and make the choice from those.

Old guy
 
Joachim Schipper
 
      07-02-2005
Moe Trin <(E-Mail Removed)> wrote:
> In the Usenet newsgroup alt.computer.security, in article
> <4ESwe.29182$(E-Mail Removed)>, Giuseppe wrote:


>>and they told him that ftp is not secure for this and their program is
>>based upon http. "It could be seriously risky for his customer privacy" !!!

>
> FTP is not a secure protocol (everything is sent un-encoded), but neither
> is 'http' unless you say 'https' - notice the 's' for secure on the end.
>
>>1) do you really think that http is more secure than ftp?

>
> No - but the secure version is.
>
>>2) do you think http is the right solution for uploading so large files?

>
> 500 Megs? Wouldn't be the way I'd do it, but you also have to think of the
> other end of the connection - those customers. Do they know how to use
> anything other than Microsoft Outlook Express? If the customers are the
> common click and drool idiots, https is the correct solution. If they are
> skilled, AND they have the right computer program, then there are other
> alternatives - scp and sftp being only a few of many.


There are a lot of 'secured FTP' (very different from SFTP, confusingly;
we're talking FTP with SSL/TLS support here) implementations out there.
Finding something compatible may be non-trivial, though. (Hint:
vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for
Windows and *nix clients; the first offers a free 'light' version, and
the second is open source.)

The proposed security does not sound impressive - MD5 isn't that secure,
especially if you have customers who are likely to choose the most
bloody obvious passwords - and the actual contents are sent in the
clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the
command stream, and a good one will encrypt the data stream as well.
[Though you may wish to consider efficiency vs. security for the data
stream.]
In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured'
(i.e., over SSL/TLS) HTTP or FTP is good.

If we are talking this size of file, you'll want to have support for
resuming uploads. FTP has this; I've never seen it work over HTTP,
mostly because it requires quite a bit of client-side logic. HTTP would
require all sorts of weird, non-portable ActiveX or Javascript mess; any
decent FTP client has this built-in.

Additionally, Apache is less secure than one would like. It's not
insecure by any stretch, but a good FTP daemon like vsftpd is very
difficult to crack.

OTOH, vsftpd does not have all the options you might wish for, many
other major FTP daemons are comparable to Apache in security, and
FTP-over-SSL is a headache (i.e., impossible) to properly firewall.

So, there are valid reasons for not using FTP - but there are valid
reasons to use one as well.

But if we are talking the common 'click and drool idiots', I agree that
being easy may be more important than actually working well. In this
case, go with some ugly web app. Be sure to triple-audit it first.

I've never rendered or received commercial installation services, but
the price seems quite high to me. Shopping around is a good idea.

Joachim
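
Added example, not part of the thread: a small Python audit of a vsftpd.conf that checks the points raised in the post above (TLS on the command stream, TLS on the data stream, and a fixed passive port range so FTP-over-SSL can be firewalled). The option names and defaults are taken from the vsftpd.conf man page; both sample configurations are constructed.

```python
# Added example, not from the thread. Option names and defaults follow the
# vsftpd.conf man page; the two sample configurations are constructed.
DEFAULTS = {
    "ssl_enable": "NO", "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES", "anonymous_enable": "YES",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "pasv_min_port": "0", "pasv_max_port": "0",
}

WEAK_CONF = """\
# constructed sample: TLS is on, but file contents may still travel in clear
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_data_ssl=NO
"""

HARDENED_CONF = """\
# constructed sample
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_min_port=50000
pasv_max_port=50100
"""


def parse_vsftpd_conf(text):
    """Return effective settings; vsftpd lines are option=value, '#' starts a comment."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return a list of (code, message) findings for one configuration."""
    s = parse_vsftpd_conf(text)
    on = lambda key: s[key].upper() == "YES"
    if not on("ssl_enable"):
        return [("CLEAR_ALL", "ssl_enable is off: passwords and files are sent in clear text")]
    findings = []
    if not on("force_local_logins_ssl"):
        findings.append(("CLEAR_LOGIN", "clients may send the password without TLS"))
    if not on("force_local_data_ssl"):
        findings.append(("CLEAR_DATA", "command stream is encrypted but file contents may not be"))
    if on("anonymous_enable"):
        findings.append(("ANON", "anonymous sessions are not covered by the force_local_* options"))
    if on("ssl_sslv2") or on("ssl_sslv3"):
        findings.append(("OLD_SSL", "obsolete SSLv2/SSLv3 protocol versions are enabled"))
    if "0" in (s["pasv_min_port"], s["pasv_max_port"]):
        findings.append(("PASV_RANGE", "no fixed passive port range: a firewall cannot read "
                         "data ports from the encrypted command stream"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, [code for code, _ in audit(conf)])
```
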
 
speeder
 
      07-02-2005
On 02 Jul 2005 13:37:21 GMT, Joachim Schipper
<(E-Mail Removed)> wrote:

>There are a lot of 'secured FTP' (very different from SFTP, confusingly;
>we're talking FTP with SSL/TLS support here) implementations out there.
>Finding something compatible may be non-trivial, though. (Hint:
>vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for
>Windows and *nix clients; the first offers a free 'light' version, and
>the second is open source.)
>
>The proposed security does not sound impressive - MD5 isn't that secure,
>especially if you have customers who are likely to choose the most
>bloody obvious passwords - and the actual contents are sent in the
>clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the
>command stream, and a good one will encrypt the data stream as well.
>[Though you may wish to consider efficiency vs. security for the data
>stream.]
>In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured'
>(i.e., over SSL/TLS) HTTP or FTP is good.
>
>If we are talking this size of file, you'll want to have support for
>resuming uploads. FTP has this; I've never seen it work over HTTP,
>mostly because it requires quite a bit of client-side logic. HTTP would
>require all sorts of weird, non-portable ActiveX or Javascript mess; any
>decent FTP client has this built-in.
>
>Additionally, Apache is less secure than one would like. It's not
>insecure by any stretch, but a good FTP daemon like vsftpd is very
>difficult to crack.
>
>OTOH, vsftpd does not have all the options you might wish for, many
>other major FTP daemons are comparable to Apache in security, and
>FTP-over-SSL is a headache (i.e., impossible) to properly firewall.
>
>So, there are valid reasons for not using FTP - but there are valid
>reasons to use one as well.
>
>But if we are talking the common 'click and drool idiots', I agree that
>being easy may be more important than actually working well. In this
>case, go with some ugly web app. Be sure to triple-audit it first.
>
>I've never rendered or received commercial installation services, but
>the price seems quite high to me. Shopping around is a good idea.
>
> Joachim


Perfect! I couldn't agree more. Nice answer Joachim.

FTP was *made* to do what you want to do. And it can be done quite
securely.

Internet Explorer or Firefox make easy to use GUI but there are dozens
of FTP clients available out there. I'm sure you can find one which is
both idiot proof and compatible.
 
Joachim Schipper
 
      07-03-2005
In article <(E-Mail Removed)> you wrote:
> FTP was *made* to do what you want to do. And it can be done quite
> securely.
>
> Internet Explorer or Firefox make easy to use GUI but there are dozens
> of FTP clients available out there. I'm sure you can find one which is
> both idiot proof and compatible.


<plug>
For Windows, I've found CoreFTP to be pretty effective. It supports
SSL/TLS for both command and data stream (though especially the latter
is not enabled by default), and offers all the goods one would expect
from an FTP client. It does require installation and doesn't look too
pretty, but it's very functional.
There's a free 'light' version, which offers pretty much all required
features (the Pro version should be nicer, but I've never tried it).
</plug>

(No, I'm not in any way affiliated with CoreFTP.)

LeechFTP and FileZilla do not encrypt the data stream. Windows' stock
FTP client is laughable.

As to *nix, people tend to be more capable. I've found lftp to be a very
good client; ncftp is lacking, as it does - like many other packages -
not support encrypting the data stream. The stock ftp command is
quite outdated. I have not investigated graphical clients for *nix, as I
have no interest in using them myself.

Browsers tend towards rather bad FTP implementations, especially where
authentication and encryption is concerned. Neither IE nor Firefox is a
pleasure to work with, and IIRC neither will properly encrypt command
and data streams.

Joachim
 