  1. #1
    Join Date
    Aug 2001

    Security Implementations....your opinions

    I'm looking for your thoughts and opinions on this. Note: By reading this, you agree that you are not holding anyone that posts responsible for what they say or suggest. By posting, you will not be held responsible for any outcomes that occur from the use of your information.

    I think the best way to do this is to provide 2 scenarios: 1) a very large budget and 2) a minimal budget. What security measures and features would you put up to make sure that your clients' information and CC numbers are stored on your servers in the MOST SECURE way? What SSL cert would you get? What O/S would you use? What software would/wouldn't you have installed? What type of database would you store it in? What kind of server setup would you use if there was more than 1 server involved?

    Please post your answers to the above 2 scenarios. I've seen posts where people say that security measures need to be put in place but they never really suggest what to do. If you had to store the information on servers for software use, how would you do it?

    Last edited by WebmastTroy; 07-09-2002 at 02:11 AM.
    "Last year, some resourceful software enthusiasts cracked Sony Music's proprietary technology simply by scribbling around the edges of the disc with a Magic Marker pen, thus enabling playback on any device." -

  2. #2
    Join Date
    May 2001
    Dayton, Ohio
    For the cheap, I'd have the CCs encrypted on the server via PGP or GPG... Then emailed to my private email box..

    The unencrypted email would be stored on a computer that's not even hooked up to the web, and all CC processing would be done by hand via SSL...

    All SSL certs are about the same, it's the same kinda encryption... Hell, a self-signed works just fine....

    An expensive solution... Hmmm....

    A secured colocated box, running FreeBSD, with an encrypted partition for the credit cards... I would then have another secure box that would take the information from the user...

    The two secure boxes would have a small network between them; the box with the CCs would not have a direct internet connection...

    I haven't had to set up a system like that before, but that's about what I'd do... And of course, I'm half asleep right now so I'm prolly missing something...
    -Mat Sumpter
    Director, Product Engagement
    Penton Media

  3. #3
    Join Date
    Aug 2001
    Your suggestion is a lot like what I was thinking.

    Server 'A' would serve the entire web site and would have an SSL cert installed. 'A' would take the information over the SSL connection and encrypt it. 'A' would connect to MySQL on an internal network server that doesn't have a real IP (Server B) and store it as an encrypted field. 'B' would then store the data until it was needed for use by 'A'.

    I don't know the best software and O/S to use for this; that's kind of why I wanted to find out what you feel is the best O/S to use for a secure "solution". It makes me feel better that the design that I thought of is someone else's, also.

    How much more secure could that setup above be? Of course, you could get into security guards around the server, but we'll just consider that the datacenter it's at has things like that in place (armed guards, key entry, cameras, etc.)

    Anyone else?
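    The 'A'/'B' split described in posts #2 and #3, as an added Go example that is not code from any poster: the web-facing server 'A' holds only the public half of an RSA key, so it can seal a card number into the encrypted field that goes to MySQL on 'B' but can never read it back; decryption is possible only where the private key lives (the offline box of post #2). The `StoredCard` layout, the OAEP label and the test card number are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// oaepLabel ties a ciphertext to this field so a blob copied from elsewhere will not decrypt as a card.
var oaepLabel = []byte("card-number-v1")
// StoredCard is the only form that reaches the MySQL row on server 'B' (assumed layout).
type StoredCard struct {
	Last4      string // kept in the clear for display; never enough to charge a card
	Ciphertext string // base64 RSA-OAEP blob under the offline processing key
}
// SealCard runs on the web-facing server 'A', which holds only the PUBLIC key:
// it can encrypt a card but can never read one back.
func SealCard(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, fmt.Errorf("PAN length %d out of range", len(pan))
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Last4: pan[len(pan)-4:], Ciphertext: base64.StdEncoding.EncodeToString(ct)}, nil
}
// OpenCard runs only on the isolated machine that holds the PRIVATE key.
func OpenCard(priv *rsa.PrivateKey, sc StoredCard) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(sc.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated once, offline; in-process here only for the demo
	sc, _ := SealCard(&priv.PublicKey, "4111111111111111") // constructed test PAN, not a real card
	fmt.Printf("row for 'B': last4=%s cipher=%.24s...\n", sc.Last4, sc.Ciphertext)
	pan, _ := OpenCard(priv, sc) // possible only where the private key lives
	fmt.Println("recovered offline:", pan)
}
```

    A compromise of 'A' yields the public key and ciphertext only; a different key, a tampered blob or a copied ciphertext with another label all fail to decrypt.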

  4. #4
    Join Date
    Jun 2001
    San Diego, CA

    The most secure OS....

    The most secure OS is the one you are most comfortable with.

    Be it GNU/Linux, *BSD, WinNT or whatever...

    I personally wouldn't ever use WinNT based on track record but then there's people like the hired guns at who can make a WinNT machine cry for mercy.

    On that same token, a GNU/Linux box can be just as insecure or error prone as a WinNT box especially with the recent Apache vulnerabilities.

    Bottom line, use your tools, don't try the "most secure" just use what you know is secure.

    ...or hire a trusted admin (and get them finger printed, seriously)

    EveryDNS.NET :: FreeDNS and more.

  5. #5

    If high budget...

    Network Infrastructure:

    Switches vs. hubs
    Servers have dedicated ethernet connection
    Server connections only to core router

    Server Infrastructure:

    Hardened Operating System
    Enterprise version of server software

    Security Infrastructure:

    Managed firewall
    Managed Intrusion Detection System (IDS)
    No telnet
    Only necessary services and ports
    Cannot ssh directly into root

    Client server database:

    Data is encrypted

    Any highly sensitive data like CC information should not be stored on a server for any long period of time.

    Any computer on a network can be hacked given time and resources.
    Peter M. Abraham
