Security for a digital sales server-hardware firewall?

[johnspack]

I'm looking for industrial strength hardware protection for a server that will have digital downloads. If software methods could be employed, I'd be interested as well, but I'm sure I need hardware protection. The method of sales are being dealt with by other parties, my job is to recommend security for this T3 server, which is based on the east coast of the states, and I'm mainly responsible for running. I need to make a recommendation to the owner as soon as possible. I've looked at many hardware firewall solutions, the best of course being much too expensive. This has to be something easy to employ, as I'm a continent away, and can't be there to install it. The owner at this time does not have a lot of funds for this. Any ideas for this anyone? Go easy on me, I'm more hardware tech than IS guy, so some of this is a bit new, but I have to learn it....

[Hybrid_theory]

You're doing sales, you need someone with knowledge to install it and configure it, you honestly cant get a good solution that a newbie can install.

The server itself needs to be hardened. If its running IIS or apache, make sure to follow guides for hardening those solutions, there are also several for windows server 2003/2008 and variants of Linux on how to harden them. You'll want to configure software firewalls properly, allow as little as you need to for the server to run. Install some anti virus, whether Linux or Windows. Linux has clam AV, for windows go with something commercial.

For a firewall, really depends what kind of traffic you're to expect. The Cisco ASA's for example can handle a lot of traffic in the higher models, like ISP amounts. So you could look at one of the lower models maybe, see if they're in price range. If not, DLink sells commercial firewalls for a reasonable price. As does Barracuda.

If this is a web server, you may want to place it in a DMZ on the firewall. But if it just interfaces with one, put it behind the firewall and your web server on the DMZ, and just allow communications between the two that are needed.

[IggSter]

Have a look at Juniper for a firewall solution. They tend to be just as good as Cisco, a good bit cheaper and mostly managed and configured via a GUI.

[W1zzard]

are you looking for protection against intrusion? DOS? or simply to protect the downloads from unauthorized download ? how are you distributing the files? http? ftp?
do you need to protect a whole network or just a single machine?

[johnspack]

Ug, I think I need to talk to the team more about this. Probably http download link with ssl enabled verisign link or similar. There's even talk about linking through GoDaddy. I don't know much about this yet, so I don't know what to recommend yet. I believe the server itself is on linux, and on some kind of secure rack, possibly with a linux firewall in front of it. It may get shifted to the windows server I manage however, and that worries me. I think intrusion is the least of my worries, but still a concern, I'm worried more about secure transactions of the product. I would only need to protect a single server for this. This may be a bit above our heads yet, but they insist on going ahead. So, any tips, yes please!

[Hybrid_theory]

If it is indeed a webserver, IIS is actually more secure than apache. There's little configuration needed out of the box with it. And since it is used less than Apache, it is attacked less.
If you're worried about transactions across the web, ssl enabled verisign is a good way to go.

[Easy Rhino]

secure transactions, aye? a lot of it depends on what billing company (if any) your organization goes through. a lot of times going with a third party billing company saves money and is more secure. transactions are done over SSL and on THEIR servers. you simply provide a link or some sort of form to make the transaction. i don't know of any specific software as these will be web based purchases i am guessing. after purchase, you can allow http or ftp downloads. personally, ftp is the way to go. every purchase should generate a unique ID and KEY that can be used to authorize the download. if you are worried about somebody being able to intrude on your network and download data without authorization make sure you have strict security settings. have at least 1 firewall in front of the host server. are you guys co-locating your servers? that would be the best bet if security is an issue. they tend to handle all of that and provide their clients with a best practice guide so you can understand how they operate and ways to keep all of your downloads secure.