[Dshield] My graphics guy sent me the following message this morning...I'd love to hear comments/thoughts/advice:

Al Reust areust at comcast.net
Wed Feb 4 06:40:53 GMT 2004


It is fairly simple if you are familiar with Win2K, though you did not 
mention the details of the file format (MAC was mentioned, which has its own 
"file" characteristics).

You can set a locked down win2k pro box with a TLS/SSL ftp server and web 
to get the graphics outside the Firewall. The box is cheap as it only has 
one purpose, FTP files (incoming) and then grab them from inside the 
firewall. It does not have to be powerful, just meet the need.

I created such a box in a DMZ that does Auto updates to Micro$oft and has a 
secure FTP server.. The web interfaces are locked down so that it has a 
basic default page and no other information.. The person that retrieves the 
files has the exact URL to view.. From inside the Firewall it would be via 
IP address, unless you want DNS issues.  Because the incoming file format 
is FTP there are no cross OS format issues.. You have installed a Virus 
scanner that checks as it lands. The virus scanner is set to auto update 
"daily." Yes directory browsing is acceptable in the correct 
(un-advertised) directory.. and you can also limit/require authentication. 
If you want to pay the cost of the SSL certificate you can make it SSL.

The Basics:
A PII-350 with 128 meg of RAM will be fine.. yes a cheap box.
* Win 2K Pro with IIS 5.0. Lockdown tool and URLScan.. Tell it to check 
daily for Micro$oft updates.
* Anti Virus that Auto updates.
* Secure FTP (Cheap) with TLS/SSL
* Zone Alarm Firewall to take care of the rest of the crap. You lock out 
the MS ports.. and other favorite ports that you do not desire.

So yes, this all depends on the OS that you are familiar with.. It sounds 
like you are catering to a MAC Graphics Shop. This does not depend on 
getting stuff through an MTA. They are required to realize and acknowledge 
the Risk. They/You create specific accounts that allow the FTP Access.. 
They tell whomever over the phone that this "username and password will be 
allowed." All others are disallowed. In some cases the specific 
FTP Client for the user end (recommendations) would have to be identified..

Other than that I am not sure how to mitigate the "risks" without seeing them.


At 03:00 PM 2/3/2004 -0500, you wrote:
>Thanks all re: the replies, including the laughs.
>Yes...Steganography...that was a good one.  The reason for .jpg blocking has
>to do more with some of the crap that people inside/outside of the office
>pass around more than anything related to virii...but I digress.
>As many of you suggested and as I'd been contemplating same, I'll probably
>drop a ftp box outside of our firewall and let my graphics guy 'own' it (for
>the most part).  I'm not a UNIX guy, but this might be as good a place to
>jump in as anyplace.  Along these lines, what flavor would be the easiest
>for me to get in place AND be secure out of the box; also, any ftp recs.
>along same lines.
>I could also build a Windows box, lock it down except for base services and
>then install a 3rd party ftp server like Bulletproof.  Any other thoughts
>re: going this route?  Any recs re: other 3rd party ftp servers to consider?
>Thanks again.
>-----Original Message-----
>From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
>Behalf Of Lauro, John
>Sent: Tuesday, February 03, 2004 2:23 PM
>To: General DShield Discussion List
>Subject: RE: [Dshield] My graphics guy sent me the following message
>thismorning...I'd love to hear comments/thoughts/advice:
> > -----Original Message-----
> > This is also better than email attachments from a bandwidth
> > point of view. Remember, base64-encoding a file causes it to
> > expand in size by about 40%.
> >
>It is better in terms of NET bandwidth.  However, not in terms of
>bandwidth that each end user needs to see, and thus a loss in
>terms of productivity.  If it's e-mail the transfer over the slower
>link between sites happens in the background.  If FTP, then one has to
>go and poll the FTP server to see if something is there, instead of
>getting it in an e-mail as soon as it's transferred.  Plus either the
>sender or receiver must wait for the transfer (granted, other windows
>could be open), but it boils down to being less productive.
>Here is another option...
>Have the user get a yahoo account.  It's free, and he can attach .jpg
>files.  Of course this makes the bandwidth issue like FTP, but still
>has the convenience of e-mail.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see:
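One way to implement the "virus scanner that checks as it lands" step on the drop box described above, as an added example that is not from the poster or the list: a sweep that verifies each landed file's header matches its graphics extension, hashes it for an audit trail, and moves it to a pickup or quarantine directory. The directory names, the graphics-only allow list and the sample files are assumptions constructed for this example.

```python
import hashlib
import os
import shutil
import tempfile
# Header signatures for the graphics formats the drop box is meant to receive
# (the format list is an assumption for this example, not from the post).
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".tif": (b"II*\x00", b"MM\x00*"), ".tiff": (b"II*\x00", b"MM\x00*"),
}

def classify(path):
    """'accept' if the file's header matches its extension, else 'reject'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    magics = SIGNATURES.get(ext, ())
    return "accept" if any(head.startswith(m) for m in magics) else "reject"

def sweep(incoming, pickup, quarantine):
    """Move each landed file to pickup or quarantine; return {name: (verdict, sha256)}."""
    results = {}
    for name in sorted(os.listdir(incoming)):
        src = os.path.join(incoming, name)
        if not os.path.isfile(src):
            continue
        verdict = classify(src)
        with open(src, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()  # audit trail of what landed
        dest = pickup if verdict == "accept" else quarantine
        shutil.move(src, os.path.join(dest, name))
        results[name] = (verdict, digest)
    return results

def demo():
    """Constructed sample drop: a JPEG header, a PNG, and an executable renamed .jpg."""
    root = tempfile.mkdtemp()
    dirs = {d: os.path.join(root, d) for d in ("incoming", "pickup", "quarantine")}
    for d in dirs.values():
        os.mkdir(d)
    samples = {"logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
               "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "invoice.jpg": b"MZ\x90\x00" + b"\x00" * 16}
    for name, data in samples.items():
        with open(os.path.join(dirs["incoming"], name), "wb") as f:
            f.write(data)
    return sweep(dirs["incoming"], dirs["pickup"], dirs["quarantine"])
```

The header check complements rather than replaces the AV scan: it catches mislabelled content the way the poster's "un-advertised directory" and account restrictions catch casual access.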
