is that a good offer for a server installation?

Discussion in 'Computer Security' started by Giuseppe, Jun 30, 2005.

  1. Giuseppe

    Giuseppe Guest

    A person I know needs to receive large files (about 500 Mb) from his
    customers, to be downloaded and then worked on.
    Each customer should have his own protected area.
    He has contacted a computer company (moreover, more than 100 km away from
    his office) that has proposed this solution:
    1. buying a server to maintain in his office
    2. Linux OS based on kernel 2.6.xx
    3. web server & PHP: Apache
    4. firewall
    5. installation of cwfm (a program that manages files; at first I believed
    it would be created by them, but then I found out it is free on the net:
    http://cwfm.sourceforge.net); upload and download are managed via HTTP

    The economic offer was:
    - installation of Linux OS: configuration of Linux, Apache, PHP, DNS, iptables and
    cwfm ---> 3000 euro (about 3600 dollars)
    - maintenance ---> first year free, from the second on 1000 euro (about 1200
    dollars)
    the purchase of the server is separate

    I'm very doubtful about this, but the person who should buy everything is
    even enthusiastic about the honesty and knowledge of these people.

    They insisted above all on the issue of security, as if hackers ordinarily
    waste their time trying to get hold of wedding albums sent via the internet, and
    they told him that FTP is not secure for this and their program is based
    on HTTP. "It could be seriously risky for his customers' privacy" !!!

    questions:
    1) do you really think that HTTP is more secure than FTP?
    2) do you think HTTP is the right solution for uploading such large files?
    3) what do you think about the economic offer? Consider that I'm writing from
    Italy and here everything is cheaper compared to, for example, the USA or
    northern Europe. So you have to consider the sum he has to pay as higher.

    Does somebody have some links to related topics? It seems that I have no
    authority with this person, who should instead have a site with articles
    written by knowledgeable people. I've searched the internet but I was not
    able to find anything useful.


    bye and thank you to those who will express an opinion



    Giuseppe
    Giuseppe, Jun 30, 2005
    #1

  2. Giuseppe wrote:

    > A person I know needs to receive large files (about 500 Mb) from his
    > customers, to be downloaded and then worked on.
    > Each customer should have his own protected area.
    > He has contacted a computer company (moreover, more than 100 km away
    > from his office) that has proposed this solution:
    > 1. buying a server to maintain in his office
    > 2. Linux OS based on kernel 2.6.xx
    > 3. web server & PHP: Apache
    > 4. firewall
    > 5. installation of cwfm (a program that manages files; at first I
    > believed it would be created by them, but then I found out it is free
    > on the net: http://cwfm.sourceforge.net); upload and download are managed
    > via HTTP
    >
    > The economic offer was:
    > - installation of Linux OS: configuration of Linux, Apache, PHP, DNS, iptables
    > and
    > cwfm ---> 3000 euro (about 3600 dollars)
    > - maintenance ---> first year free, from the second on 1000 euro (about
    > 1200 dollars)
    > the purchase of the server is separate
    >
    > I'm very doubtful about this, but the person who should buy everything is
    > even enthusiastic about the honesty and knowledge of these people.
    >
    > They insisted above all on the issue of security, as if hackers ordinarily
    > waste their time trying to get hold of wedding albums sent via the internet,
    > and they told him that FTP is not secure for this and their program is
    > based on HTTP. "It could be seriously risky for his customers' privacy"
    > !!!
    >
    > questions:
    > 1) do you really think that HTTP is more secure than FTP?


    HTTPS, yes. Remember ftp sends in clear text!

    > 2) do you think HTTP is the right solution for uploading such large files?


    I do it. I use a program called Horde that has a file system interface
    (written in PHP), and it works quite well.

    > 3) what do you think about the economic offer? Consider that I'm writing
    > from Italy and here everything is cheaper compared to, for example, the USA or
    > northern Europe. So you have to consider the sum he has to pay as higher.


    I do think it is a little expensive...

    > Does somebody have some links to related topics? It seems that I have no
    > authority with this person, who should instead have a site with articles
    > written by knowledgeable people. I've searched the internet but I was
    > not able to find anything useful.


    I do not have any problems with the applications. Just the price seems a
    little high. You get a year of maintenance? What does it include?

    Michael

    >
    > bye and thank you to those who will express an opinion
    >
    >
    >
    > Giuseppe
    Michael J. Pelletier, Jun 30, 2005
    #2

  3. Giuseppe

    Giuseppe Guest

    "Michael J. Pelletier" wrote in message
    > > questions:
    > > 1) do you really think that HTTP is more secure than FTP?

    >
    > HTTPS, yes. Remember ftp sends in clear text!


    does the software they are going to install work under https?

    > > 2) do you think HTTP is the right solution for uploading such large files?

    >
    > I do it. I use a program called Horde that has a file system interface
    > (written in php). and it works quite well.


    I thought that ftp was a better solution for uploading such large files


    > I do not have any problems with the applications. Just the price seems a
    > little high. You get a year of maintenance? What does it include?
    >
    > Michael


    thank you for your opinion
    Giuseppe, Jun 30, 2005
    #3
  4. Giuseppe

    Giuseppe Guest

    Giuseppe, Jun 30, 2005
    #4
  5. Giuseppe wrote:

    > "Michael J. Pelletier" wrote in message
    >> > questions:
    >> > 1) do you really think that HTTP is more secure than FTP?

    >>
    >> HTTPS, yes. Remember ftp sends in clear text!

    >
    > does the software they are going to install work under https?


    Well technically you can always "wrap" the web application in a directory
    that forces the web server to use https. So, yes, it should work.

    >> > 2) do you think HTTP is the right solution for uploading such large
    >> > files?

    >>
    >> I do it. I use a program called Horde that has a file system interface
    >> (written in php). and it works quite well.

    >
    > I thought that ftp was a better solution for uploading such large files


    Actually the solution I like the best for this is sftp (really ssh). There
    are many Windows applications that will allow you to use this to speak to a
    Linux/BSD box running it. Linux/BSD can do it "out of the box".

    >> I do not have any problems with the applications. Just the price seems a
    >> little high. You get a year of maintenance? What does it include?
    >>
    >> Michael

    >
    > thank you for your opinion
    Michael J. Pelletier, Jun 30, 2005
    #5
  6. Giuseppe

    Leythos Guest

    In article <4ESwe.29182$>,
    says...
    > A person I know needs to receive large files (about 500 Mb) from his
    > customers, to be downloaded and then worked on.
    > Each customer should have his own protected area.
    > He has contacted a computer company (moreover, more than 100 km away from
    > his office) that has proposed this solution:
    > 1. buying a server to maintain in his office
    > 2. Linux OS based on kernel 2.6.xx
    > 3. web server & PHP: Apache
    > 4. firewall
    > 5. installation of cwfm (a program that manages files; at first I believed
    > it would be created by them, but then I found out it is free on the net:
    > http://cwfm.sourceforge.net); upload and download are managed via HTTP
    >
    > The economic offer was:
    > - installation of Linux OS: configuration of Linux, Apache, PHP, DNS, iptables and
    > cwfm ---> 3000 euro (about 3600 dollars)
    > - maintenance ---> first year free, from the second on 1000 euro (about 1200
    > dollars)
    > the purchase of the server is separate
    >
    > I'm very doubtful about this, but the person who should buy everything is
    > even enthusiastic about the honesty and knowledge of these people.
    >
    > They insisted above all on the issue of security, as if hackers ordinarily
    > waste their time trying to get hold of wedding albums sent via the internet, and
    > they told him that FTP is not secure for this and their program is based
    > on HTTP. "It could be seriously risky for his customers' privacy" !!!
    >
    > questions:
    > 1) do you really think that HTTP is more secure than FTP?
    > 2) do you think HTTP is the right solution for uploading such large files?
    > 3) what do you think about the economic offer? Consider that I'm writing from
    > Italy and here everything is cheaper compared to, for example, the USA or
    > northern Europe. So you have to consider the sum he has to pay as higher.
    >
    > Does somebody have some links to related topics? It seems that I have no
    > authority with this person, who should instead have a site with articles
    > written by knowledgeable people. I've searched the internet but I was not
    > able to find anything useful.
    >
    >
    > bye and thank you to those who will express an opinion


    While FTP is clear, it's also a very good standard and fully supported.
    Many FTP programs allow the computer admin to set up User/Password/Folder
    without it being part of the OS security, so you can also restrict via
    the application without giving an OS-level account. FileZilla Server is
    a great FTP server and runs on many platforms.



    --
    --

    (Remove 999 to reply to me)
    Leythos, Jun 30, 2005
    #6
  7. Giuseppe

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <4ESwe.29182$>, Giuseppe wrote:

    >He has contacted a computer company (moreover, more than 100 km away
    >from his office) that has proposed this solution:


    OK - hopefully that also includes a UPS (Uninterruptible Power Supply) to
    allow time to safely shut down the system in the event of a power failure.

    >The economic offer was:
    >- installation of Linux OS: configuration of Linux, Apache, PHP, DNS, iptables
    >and cwfm ---> 3000 euro (about 3600 dollars)
    >- maintenance ---> first year free, from the second on 1000 euro (about
    >1200 dollars)
    >the purchase of the server is separate


    As the software cost is minimal (under 100 euro for a boxed set), the main
    costs will be "labor".

    >I'm very doubtful about this, but the person who should buy everything is
    >even enthusiastic about the honesty and knowledge of these people.


    http://tldp.org/guides.html

    The "Linux Consultants Guide" lists 102 vendors in Italy.

    >They insisted above all on the issue of security, as if hackers ordinarily
    >waste their time trying to get hold of wedding albums sent via the internet


    Script kiddiez and wankers may not be interested in the wedding albums,
    but they ARE interested in having access to the server - especially if
    it's large and on a fast network connection.

    >and they told him that FTP is not secure for this and their program is
    >based on HTTP. "It could be seriously risky for his customers' privacy" !!!


    FTP is not a secure protocol (everything is sent un-encoded), but neither
    is 'http' unless you say 'https' - notice the 's' for secure on the end.

    >1) do you really think that HTTP is more secure than FTP?


    No - but the secure version is.

    >2) do you think HTTP is the right solution for uploading such large files?


    500 Megs? Wouldn't be the way I'd do it, but you also have to think of the
    other end of the connection - those customers. Do they know how to use
    anything other than Microsoft Outlook Express? If the customers are the
    common click and drool idiots, https is the correct solution. If they are
    skilled, AND they have the right computer program, then there are other
    alternatives - scp and sftp being only a few of many.

    >3) what do you think about the economic offer? Consider that I'm writing
    >from Italy and here everything is cheaper compared to, for example, the USA or
    >northern Europe. So you have to consider the sum he has to pay as higher.


    3000 euro for install/setup? How much does a computer-smart person make
    per hour? 10 euro (don't forget, this has to include taxes, and the cost
    of doing business)? That 3000 euros (less the cost of software, and
    shipping and travel costs) might buy a month of one person, and it
    includes the first year of maintenance.

    1000 euro for maintenance for a year? Is that "on-site" or telephone and
    over the net? Again, look at the cost of travel if that is involved, and
    the cost of the person you will get to service the box. Is the service
    '24/7', or just "normal business hours"?

    >Does somebody have some links to related topics?


    Look at the 'Linux Consultants Guide' and see that you have multiple bids
    (we require three), and make the choice from those.

    Old guy
    Moe Trin, Jul 1, 2005
    #7
  8. Moe Trin <> wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <4ESwe.29182$>, Giuseppe wrote:


    >>and they told him that FTP is not secure for this and their program is
    >>based on HTTP. "It could be seriously risky for his customers' privacy" !!!

    >
    > FTP is not a secure protocol (everything is sent un-encoded), but neither
    > is 'http' unless you say 'https' - notice the 's' for secure on the end.
    >
    >>1) do you really think that HTTP is more secure than FTP?

    >
    > No - but the secure version is.
    >
    >>2) do you think HTTP is the right solution for uploading such large files?

    >
    > 500 Megs? Wouldn't be the way I'd do it, but you also have to think of the
    > other end of the connection - those customers. Do they know how to use
    > anything other than Microsoft Outlook Express? If the customers are the
    > common click and drool idiots, https is the correct solution. If they are
    > skilled, AND they have the right computer program, then there are other
    > alternatives - scp and sftp being only a few of many.


    There are a lot of 'secured FTP' (very different from SFTP, confusingly;
    we're talking FTP with SSL/TLS support here) implementations out there.
    Finding something compatible may be non-trivial, though. (Hint:
    vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for
    Windows and *nix clients; the first offers a free 'light' version, and
    the second is open source.)

    The proposed security does not sound impressive - MD5 isn't that secure,
    especially if you have customers who are likely to choose the most
    bloody obvious passwords - and the actual contents are sent in the
    clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the
    command stream, and a good one will encrypt the data stream as well.
    [Though you may wish to consider efficiency vs. security for the data
    stream.]
    In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured'
    (i.e., over SSL/TLS) HTTP or FTP is good.

    If we are talking this size of file, you'll want to have support for
    resuming uploads. FTP has this; I've never seen it work over HTTP,
    mostly because it requires quite a bit of client-side logic. HTTP would
    require all sorts of weird, non-portable ActiveX or Javascript mess; any
    decent FTP client has this built-in.

    Additionally, Apache is less secure than one would like. It's not
    insecure by any stretch, but a good FTP daemon like vsftpd is very
    difficult to crack.

    OTOH, vsftpd does not have all the options you might wish for, many
    other major FTP daemons are comparable to Apache in security, and
    FTP-over-SSL is a headache (i.e., impossible) to properly firewall.

    So, there are valid reasons for not using FTP - but there are valid
    reasons to use one as well.

    But if we are talking the common 'click and drool idiots', I agree that
    being easy may be more important than actually working well. In this
    case, go with some ugly web app. Be sure to triple-audit it first.

    I've never rendered or received commercial installation services, but
    the price seems quite high to me. Shopping around is a good idea.

    Joachim
    Joachim Schipper, Jul 2, 2005
    #8
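    Joachim's remark above that "MD5 isn't that secure, especially if you have
    customers who are likely to choose the most bloody obvious passwords" is
    about how the credential store holds up once someone obtains it. The
    following is an added example, not code from the thread or from cwfm (whose
    actual storage format the thread does not show; that it keeps MD5 password
    digests is an assumption drawn from Joachim's remark). It puts the weak
    scheme beside a salted, iterated one and adds the obvious-password check
    Joachim implies; the denylist is a constructed stub.

```python
"""Unsalted MD5 versus a salted, iterated password hash (added example)."""
import hashlib
import hmac
import os


def md5_unsalted(password):
    # The weak scheme: identical passwords give identical digests, there is no
    # salt, and MD5 is fast, so a stolen table falls to precomputed guesses.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The salt makes identical passwords hash differently; the iteration
    count makes each guess expensive, which is what protects the obvious
    passwords Joachim expects customers to choose.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute from the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not stop at the first differing byte, so the
    # comparison time does not reveal how much of the digest matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed stub; a real deployment would load a proper breached-password list.
OBVIOUS_PASSWORDS = frozenset({"password", "123456", "qwerty", "wedding"})


def is_acceptable_password(password, min_length=10):
    """Reject trivially guessable choices before they are ever hashed."""
    return len(password) >= min_length and password.lower() not in OBVIOUS_PASSWORDS


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print("verify ok:", verify_password("correct horse battery", stored))
    print("md5 of 'password':", md5_unsalted("password"))
```

    Hashing the same password twice with `hash_password` yields two different
    strings because each call draws a fresh salt; `verify_password` reads the
    salt and iteration count back out of the stored string, so the parameters
    can be raised later without invalidating existing records.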
  9. Giuseppe

    speeder Guest

    On 02 Jul 2005 13:37:21 GMT, Joachim Schipper
    <> wrote:

    >There are a lot of 'secured FTP' (very different from SFTP, confusingly;
    >we're talking FTP with SSL/TLS support here) implementations out there.
    >Finding something compatible may be non-trivial, though. (Hint:
    >vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for
    >Windows and *nix clients; the first offers a free 'light' version, and
    >the second is open source.)
    >
    >The proposed security does not sound impressive - MD5 isn't that secure,
    >especially if you have customers who are likely to choose the most
    >bloody obvious passwords - and the actual contents are sent in the
    >clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the
    >command stream, and a good one will encrypt the data stream as well.
    >[Though you may wish to consider efficiency vs. security for the data
    >stream.]
    >In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured'
    >(i.e., over SSL/TLS) HTTP or FTP is good.
    >
    >If we are talking this size of file, you'll want to have support for
    >resuming uploads. FTP has this; I've never seen it work over HTTP,
    >mostly because it requires quite a bit of client-side logic. HTTP would
    >require all sorts of weird, non-portable ActiveX or Javascript mess; any
    >decent FTP client has this built-in.
    >
    >Additionally, Apache is less secure than one would like. It's not
    >insecure by any stretch, but a good FTP daemon like vsftpd is very
    >difficult to crack.
    >
    >OTOH, vsftpd does not have all the options you might wish for, many
    >other major FTP daemons are comparable to Apache in security, and
    >FTP-over-SSL is a headache (i.e., impossible) to properly firewall.
    >
    >So, there are valid reasons for not using FTP - but there are valid
    >reasons to use one as well.
    >
    >But if we are talking the common 'click and drool idiots', I agree that
    >being easy may be more important than actually working well. In this
    >case, go with some ugly web app. Be sure to triple-audit it first.
    >
    >I've never rendered or received commercial installation services, but
    >the price seems quite high to me. Shopping around is a good idea.
    >
    > Joachim


    Perfect! I couldn't agree more. Nice answer Joachim.

    FTP was *made* to do what you want to do. And it can be done quite
    securely.

    Internet Explorer or Firefox make an easy-to-use GUI, but there are dozens
    of FTP clients available out there. I'm sure you can find one which is
    both idiot-proof and compatible.
    speeder, Jul 2, 2005
    #9
  10. In article <> you wrote:
    > FTP was *made* to do what you want to do. And it can be done quite
    > securely.
    >
    > Internet Explorer or Firefox make an easy-to-use GUI, but there are dozens
    > of FTP clients available out there. I'm sure you can find one which is
    > both idiot-proof and compatible.


    <plug>
    For Windows, I've found CoreFTP to be pretty effective. It supports
    SSL/TLS for both command and data stream (though especially the latter
    is not enabled by default), and offers all the goods one would expect
    from an FTP client. It does require installation and doesn't look too
    pretty, but it's very functional.
    There's a free 'light' version, which offers pretty much all required
    features (the Pro version should be nicer, but I've never tried it).
    </plug>

    (No, I'm not in any way affiliated with CoreFTP.)

    LeechFTP and FileZilla do not encrypt the data stream. Windows' stock
    FTP client is laughable.

    As to *nix, people tend to be more capable. I've found lftp to be a very
    good client; ncftp is lacking, as it does - like many other packages -
    not support encrypting the data stream. The stock ftp command is
    quite outdated. I have not investigated graphical clients for *nix, as I
    have no interest in using them myself.

    Browsers tend towards rather bad FTP implementations, especially where
    authentication and encryption is concerned. Neither IE nor Firefox is a
    pleasure to work with, and IIRC neither will properly encrypt command
    and data streams.

    Joachim
    Joachim Schipper, Jul 3, 2005
    #10
  11. Giuseppe

    Leythos Guest

    In article <42c85539$0$8339$>,
    says...
    > LeechFTP and FileZilla do not encrypt the data stream.


    There was nothing in the requirement for encryption or other than plain
    text for passwords.

    The management tool provided for the FileZilla service is painless and
    allows for throttling users and doesn't require NT accounts for the
    configured users, which makes it an ideal replacement for Win's FTP.

    --
    --

    (Remove 999 to reply to me)
    Leythos, Jul 4, 2005
    #11
  12. Leythos <> wrote:
    > In article <42c85539$0$8339$>,
    > says...
    >> LeechFTP and FileZilla do not encrypt the data stream.

    >
    > There was nothing in the requirement for encryption or other than plain
    > text for passwords.
    >
    > The management tool provided for the FileZilla service is painless and
    > allows for throttling users and doesn't require NT accounts for the
    > configured users, which makes it an ideal replacement for Win's FTP.


    Mind, I'm talking about FTP clients here. Service sounds like Winspeak
    for daemon to me... ;-) Though the same stuff about encryption applies.

    If you want to have 'secure FTP', you're going to need to encrypt all
    data and all commands. There are valid reasons for not encrypting stuff
    (non-confidential data on a public server, or the data and the server
    aren't very dear to anyone's heart). There are valid reasons for not
    encrypting the data stream (non-confidential data, but you want to keep
    accounts secure). In both cases, the argument is that encryption is bad
    for performance while not granting anything worthwhile.

    If, on the other hand, you want to have 'secure FTP', you should encrypt
    both data and command stream.

    Joachim
    Joachim Schipper, Jul 5, 2005
    #12
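    Two of Joachim's points above are easy to lose in a client's defaults: in
    post #8, that a decent secured-FTP setup encrypts the command stream and a
    good one encrypts the data stream too, and that a 500 Mb transfer wants
    resumable uploads; and in post #12, that 'secure FTP' means encrypting
    both data and command streams. The script below is an added example (not
    from any poster, and not cwfm or CoreFTP code) showing the client side of
    exactly that with Python's standard-library `ftplib`: AUTH TLS upgrades the
    control connection, PROT P forces TLS on every data connection, the TLS
    context verifies the server's certificate, and a partial upload is resumed
    with the FTP REST offset. The host name, account and file name in the
    `__main__` block are hypothetical placeholders.

```python
"""Encrypted command and data streams plus resumable uploads over FTP-over-TLS
(added example using only the Python standard library)."""
import os
import ssl
from ftplib import FTP_TLS, error_perm


def make_tls_context(ca_file=None):
    # Verify the server certificate and host name; refuse anything below TLS 1.2.
    # ca_file is optional: point it at the server's CA bundle for a private CA.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def resume_offset(local_size, remote_size):
    """Byte offset at which to resume an upload.

    remote_size is None when the server has no such file yet. A remote file
    larger than the local one cannot be a partial copy of it, so the upload
    restarts from zero; an equal size means nothing is left to send.
    """
    if remote_size is None or remote_size > local_size:
        return 0
    return remote_size


def open_secure_session(host, user, password, port=21, ctx=None):
    """Connect, protect the control channel, log in, then protect data channels."""
    ftps = FTP_TLS(context=ctx or make_tls_context())
    ftps.connect(host, port, timeout=30)
    ftps.auth()                  # AUTH TLS: the command stream is encrypted from here on
    ftps.login(user, password)   # so the credentials never cross the wire in clear
    ftps.prot_p()                # PROT P: file contents and listings are encrypted too
    ftps.voidcmd("TYPE I")       # binary mode; also what SIZE and REST expect
    return ftps


def upload_with_resume(ftps, local_path, remote_name):
    """Upload local_path as remote_name, resuming a partial copy if one exists.

    Returns the number of bytes sent in this call.
    """
    local_size = os.path.getsize(local_path)
    try:
        remote_size = ftps.size(remote_name)
    except error_perm:           # typically 550: no such file on the server yet
        remote_size = None
    offset = resume_offset(local_size, remote_size)
    if offset == local_size:
        return 0                 # already complete on the server
    with open(local_path, "rb") as fh:
        fh.seek(offset)
        # rest=offset makes ftplib send REST before STOR, so the server
        # continues the file from that point instead of overwriting it.
        ftps.storbinary(f"STOR {remote_name}", fh, rest=offset)
    return local_size - offset


if __name__ == "__main__":
    # Hypothetical server, account and file; replace with real values.
    session = open_secure_session("ftp.example.invalid", "customer1", "s3cret")
    try:
        sent = upload_with_resume(session, "wedding_album.zip", "wedding_album.zip")
        print(f"sent {sent} bytes")
    finally:
        session.quit()
```

    `ftplib` uses passive mode by default, which is the variant that has any
    chance of passing the firewall Joachim mentions, since the server picks the
    data port; whether the firewall can still track those ports once the
    control channel is encrypted is the headache he describes, and this script
    does not solve it. `resume_offset` is the piece worth unit-testing on its
    own: resuming from a server-side size that is larger than the local file
    would silently append to the wrong file.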
