web based solution

fernandodonster

I have a company with a lot of branches all over world. I would like to computerize all branches with linux/apache/mysql/php web solution(web site).
already all branches are internet connected.
What i want is all branch users can login and public internet user will not be available my site.Could u suggest a solution?

scrupul0us

sounds to me like you need to setup one website and have the users go there

if your organization is running active directory you could authenticate them over LDAP...

if LDAP doesnt suit your fancy for security purposes over the open web, if you are running OWA with exchange you could also authenticate using webdav

if none of the above applies then all you need is a simple sessions based protected website

fernandodonster

thanks scrupul0us.
i like a simple sessions based protected website with php
but i have doubt that Is it safe from public internet users??
any suggestion??

scrupul0us

well if its on the internet then anyone can see it unless you use IP based security... it sounds to me like you want an intranet that only your employees can access from within the organization?

fernandodonster

thanks.
But i would like know more about IP based security.
any site's name to get more details???

wren9

If i'm not mistaken is he refering? the INTRANET?

internet is public.
intranet is private?

wren9

i guess he can still use the internet.
since the system will have User Authentication.
Anything will be private within system.

scrupul0us

@fern: does your company have a private network shared by all the satellite sites?

example:
-Exchange server(s)
-Active directory server(s)
-Shared network folders all sites can see/use?

If you have a private network, setting up an intranet is as easy as installing IIS on one of the networked servers and either:

a) creating a rule in the proxy
b) creating a record in all your users hosts file

fernandodonster

@.
No network.
we transfer date by email.
all branch are internet connected.
currently we have we site having only CMS developed with php/mysql.
we would like to share data via this website.
Is it safe this way?
i would like to give a login name and password to each branches.
any suggestion?? or good solution??
thanks inadvance

wren9

There are many ways you can make your business secure in the internet.

SSL is one of those.

If you want it really secure you should run your own WEB SERVER in your company.

But this is costly.

Two factors you need to consider Hardware and Software.

The best way is consult a Network Engineer or Electronics Communication Engineer.

They are expert in securing communication using the internet.

wren9

Secure Socket Layer (SSL) is the solution you need.

fernandodonster

@.
i want to buy a server(linux) with good configuration.
i like LAMP to develop a site.
what are the security measures i have to be taken when i set up web server.
any suggestion?
thanks inadvance.

wren9

http://www.tuxmachines.org/node/8677

http://www.securityfocus.com/infocus/1694

my friend google.com can always help you.

scrupul0us

First of all, its not expensive at all to run an internal webserver in a company... I have 3 web servers in my house and it cost me less than $500 between them for ram and HDD upgrades (I'm using Optiplex GX270 series dells that i picked up real cheap)

the only thing you need a is a dedicated IP at one of the branch locations to host it and then you can put on it whatever you want and secure it however you want

also, an ssl only "secures" communications between the browser and the server and there's evidence that proxies and other intermediary devices can be exploited to make that transmission insecure (but thats for another discussion)

fernandodonster

thanks scrupul0us
@.
I would like to do security with user name and password to each user by LAMP.
Already my site having CMS only and intend to set user name and password in the home page to each user..
my companies branch having internet connection with static IP.
Can i use ".htaccess" security(user name and password).
Is there any need of IP based security???

wren9

as far as i know .htaccess user authentication is not so secure and not so robust programming technique.

how about a good class for user authentication.

once you have found/created a good USER AUTHENTICATION and integrated a nice SSL

then i guess that's enough.

Yes it is true there is really no 100% secure in the internet, just like in the real bank.

It can be rob any time even though there is security personnel guarding the bank.

You can minimize and make for bad guys hard for them to crack your site but no one is really safe or 100% secure in the internet.

If you are using JOOMLA i believe there are already build modules ready for ducking in your site.

What is your CMS ? drupal? joomla?

scrupul0us

"as far as i know .htaccess user authentication is not so secure and not so robust programming technique."

htaccess is plenty secure for basic security models... it does send clear text information but with an SSL, it's an easily implemented, simple, secure choice

that being said it's an aweful choice if you don't want to constantly fool with htpass or create an interface to work with htpass and htaccess, you are much better off using a database to store your users and their hashed passwords

that being said if you read that he already has a CMS setup and wants a user/login on the home page this is moot as it wont serve the purpose...

From the sounds of this he wants the entire presence to be absent from anyone except his employees...

Heres what I would do and have done... create a simple login interface (think windows 2000 login screen)... have your website display that so that any public visitors will HAVE to authenticate before they see anything... as this is going to be the public face of your site be sure to add some lockout features for those trying to brute force their way in, but at the same time provide a method of feedback for legit users to get help if they lock themselves out (think 'forgot password' options)

Once the user is authenticated, set a session/cookie (that your CMS checks for) and then all is good