Maybe I am nuts or excessive when it comes to security, but I've been noticing that no one else leaves traps and alarms when dealing with user input from the client. What I mean by traps is the below:
...
...
The first thing I check before validating input is this debugOn variable... if it's anything else besides "off", all of the input is serialized and logged with the offending client IP to a suspect log which is then checked every 10 minutes by a cron job. If the suspectLogger cron job counts more than 3 events against an IP, that address is blocked or redirected to a static HTML page.
Another good one is when I am passing ID via get/post from one page to the next. If on the next validation the record ID doesn't match the stored IP address and their domain isn't aol.com or doesn't have the word proxy in it somewhere, a suspect event is logged and they're redirected back to the originating form with a message saying there is a mismatch between their IP address and record number.
So far every idea I've come up with that I thought was original, someone thought of five years ago or has been unfeasible, so I wonder why no one else does this. It was pretty easy to set up.
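The trap check and the cron-side count described in the post above, as an added example that is not the poster's code. The `debugOn` field and its `"off"` value come from the post; the choice of Python, the function names, the JSON-lines log format, the in-memory list standing in for the suspect log file, and the sample addresses are assumptions made here.

```python
import json
from collections import Counter
from datetime import datetime, timezone

TRAP_FIELD = "debugOn"   # hidden form field named in the post
TRAP_EXPECTED = "off"    # the only value an untampered client sends back
THRESHOLD = 3            # block when an IP has MORE than 3 events


def check_trap(form, client_ip, log, now=None):
    """Return True if the trap is intact; otherwise log the whole submission."""
    if form.get(TRAP_FIELD) == TRAP_EXPECTED:
        return True
    now = now or datetime.now(timezone.utc)
    # json.dumps escapes newlines, so hostile input cannot forge extra log lines.
    log.append(json.dumps(
        {"ts": now.isoformat(), "ip": client_ip, "input": form}, sort_keys=True))
    return False


def ips_to_block(log_lines, threshold=THRESHOLD):
    """Cron-side pass: count events per IP, return those over the threshold."""
    counts = Counter()
    for line in log_lines:
        try:
            counts[json.loads(line)["ip"]] += 1
        except (ValueError, KeyError, TypeError):
            continue  # skip corrupt lines instead of aborting the whole run
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    suspect_log = []  # assumption: stands in for the suspect log file
    # Constructed sample traffic using documentation-range addresses.
    check_trap({"debugOn": "off", "name": "alice"}, "192.0.2.10", suspect_log)
    for i in range(4):  # trap field flipped four times by one client
        check_trap({"debugOn": "on", "id": str(i)}, "198.51.100.7", suspect_log)
    for i in range(3):  # trap field stripped, only three times
        check_trap({"name": "x\nforged line"}, "203.0.113.5", suspect_log)
    print(ips_to_block(suspect_log))
```

A missing trap field counts as an event here, because the post treats anything other than "off" as tampering.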
Commentary--Reactivity's Joelle Gropper Kaufman says one of the most critical stages of network security is the final connection of applications to the enterprise's application infrastructure.
So... I am trying to help a (very) small school actually get some IT going. Could I get some opinions on how to build a low-cost file and print server for a place with about 50 computers?
Right now, they're running a mix of MacOS X and Windows XP Home / Win98. They have NO server to speak of (not even an IT guy), and teachers print by connecting to some other workstation's shared printer or they figure it out on their own. They have no backups whatsoever, and many computers don't print because they don't have the right drivers installed, etc. I think they should have some solution that costs very little in recurring maintenance, and I'm torn between the options at this point.
I was thinking of 3 ways to go about this, but I'd love to see what others may recommend...
1) Buy Windows 2000 Server (because it's cheaper) and get 50 CALs.
Perceived pros:
- Any IT guy should know how to help them administer a Windows server.
- File sharing and print services are built into the OS, no additional tweaking required.
- Domain controller could help them manage group policy, push software updates out, etc.
- Other software (antivirus management, etc.) can run straight on the DC.
Perceived cons:
- I still think that'll run over $500 for the software licenses, right? Then upgrades, of course.
- System maintenance will be essential if the server's to be kept virus-free. Will maintenance cost more?

2) Build a Linux server that has Samba / CUPS services
Perceived pros:
- Very cheap (free) to set up
- Many features can be added to the server
- Not very susceptible to viruses or other security holes (provided auto updates are in place)
Perceived cons:
- Unfamiliar interface for the non-technical administrator
- Services will have to be set up manually, perhaps tweaks will have to be made to be compatible with newer OSes.
- Can 3rd party software run on this? (i.e. antivirus management)
- Not any IT guy will know how to fix the server?

3) Buy an appliance built for the job, like the PowerElf II (http://greencomputer.com/solutions/school.shtml)
Perceived pros:
- Quickest setup (possibly)
- Many services provided out of the box (including ones they probably will never need, like email hosting)
- Automated maintenance and backup is part of the system.
Perceived cons:
- Initial cost is $2000 at least, possibly more for hardware maintenance
- Vendor lock-in is possible
- Incompatibilities with 3rd party software??