Consulting Job for Employment Agency, questions and such.

A good friend of mine contacted me last night. He has been developing web applications for one of his friend's businesses. Pretty much his friend started up an Employment Agency locally and needed help with development.

This agency wanted to keep the web server, amongst other things, in-house, instead of having it hosted. Contrary to better judgement they went to a local Computer Store for services of setting up a server and router to the Internet. My good friend told them not to go with this computer store for the services they needed. Of course this store, hell I will just say who it is, ARCC Technology of Bakersfield, enticed the agency with an introductory offer. At the end of which they would charge full price for whatever services were needed. Needless to say the agency was not satisfied with the services provided by ARCC. My friend saying "Told you so" of course.

Since my friend is a developer and not really into consulting for the networking and setting up of equipment, he called me up to see if he could pass off these duties to me. I told him sure, why not?

A little background about me. I'm currently working for IBM doing deskside support for AT&T, contracting of course. I have a Bachelor's degree in Business Admin with a concentration in MIS. Currently I'm studying for the ICND2 exam so I can complete my CCNA. I have never consulted beyond what I'm doing now; though the work is not beyond me.

From what I understand the agency has a server and router at their office. Don't know what OS the server is running on. Against my friend's advice they really wanted to keep everything in-house as stated previously. Though a better solution would be to keep the web server end of things hosted by a reputable hosting service. The primary concern is they keep confidential information such as Social Security numbers, et al., located on their server. So the server needs to be secured against attacks. I don't know what security they are running network wise.

My primary concern is, of course, Security and second disaster contingency/recovery. Also running just one webserver without failover makes me worry about uptime in the case of a server crash.

Operating system is a concern also in that they were talking to my friend about running IIS in which case it would cost mucho money. I figure, as does he, that running Linux open source would save a lot of money.

Knowing what I know so far I would suggest the following.

Server wise, two servers each with two network cards and two power supplies for failures. Both plugged into separate UPSs.

Network wise, a current Cisco or Juniper router with some sort of Adaptive Security Appliance. I don't know if an ISR would be a wise choice, just to keep both in the same box? Also what about throughput, would a single T1 be sufficient to feed the server load?

Operating Systems, is it really worth footing the bill on a Microsoft Server or save the money and go Linux with the potential to save thousands of dollars each year on the license?

Going the Hosting route instead of in-house. What type of argument can I make to convince the agency to get their website hosted instead? To me and my friend it makes more sense. Especially when dealing with the headaches of keeping everything up and running all the time with the security they require. Especially when keeping confidential data; could go with hosting that specializes in such things like HIPAA requirements. But then again their argument is since they are keeping confidential data that they want to keep everything in-house. Go Figure!

Finally what should I ask for compensation for my work? As far as I see it I will work in a consulting role as more or less a Project Manager since I lack the expertise to really set up the security side of things if they do want to foot the bill for an ASA. I figure we will contract out most of the specific work configuration.

Any suggestions and insight would be greatly appreciated in this matter.

Comments

  • dynamik Banned Posts: 12,312
    What does your friend know about programming secure applications? Will an SQL injection attack **** all the SSNs?

    What are the benefits of keeping it in house? How well is it protected against theft or damage from things such as fires and floods?

    Linux and Windows can both be secure and reliable if you know what you're doing, and vice versa. How well do you or they know Linux? Will saving money on licenses be worth a potentially less secure server since you don't know how to properly secure it?

    How much traffic is the web server getting? You'll need to know that before you can know if a T1 will be enough or if you should get a second server. How much will downtime cost you? Does it justify the cost of another server? What about off-site backups in case of damage or theft? Will you have a hot, warm, or cold site in place?

    How much redundancy is necessary? If you have two NICs, are you going to have two switches, routers, and internet connections as well? Hosting providers will have all this in place. Does it still make sense to do this in house?

    How much do you know about routers, firewalls, ASAs, etc? You could buy the best hardware in the world, but unless you know how to properly configure everything, it won't do you any good.

    You seem to think hosting will be inherently more secure as far as the data is concerned. If the application isn't programmed in a secure manner, it's not going to matter who hosts it. How are the SSNs stored? Plain-text? Obfuscated? Encrypted?
  • mikej412 Member Posts: 10,086
    LBC90805 wrote:
    The primary concern is they keep confidential information such as Social Security numbers, et al., located on their server. So the server needs to be secured against attacks.
    Q: What does a hacker call a computer accessible from the Internet?
    A: Mine!!

    Q: What does a hacker call a social security number or credit card number stored on a computer accessible from the Internet?
    A: Mine!!
    LBC90805 wrote:
    Especially when keeping confidential data; could go with hosting that specializes in such things like HIPAA requirements. But then again their argument is since they are keeping confidential data that they want to keep everything in-house.
    That's fine if you can find and know how to evaluate a good hosting service. But there are hosting services that will lie to "make the sale."

    Keeping it in house is fine as long as they realize they're keeping 100% of the liability.

    For non-critical web apps that deal with non-sensitive information we still use proxy web app servers in a DMZ to send the web requests through a firewall and IPS to the real web app servers. For anything slightly more important, we go redundant and security increases exponentially.

    As long as your friend isn't doing placement for experienced networking people, network security people, or experienced web programmers, he probably can get away with it.....
    Cisco Certifications -- Collect the Entire Set!
  • LBC90805 Member Posts: 247
    My friend has a Bachelor's in Computer Science from a real school, a CSU; California State University. He also works full time programming for a Health Insurance company here in town, so he is very familiar with security and securing applications for HIPAA requirements.
    How much do you know about routers, firewalls, ASAs, etc? You could buy the best hardware in the world, but unless you know how to properly configure everything, it won't do you any good.

    I've been studying for the CCNA for the past year off and on. I know how to configure a router but have no expertise in programming firewalls and ASA or other IPS, IDS. As I stated before I would much rather prefer to contract out the configuration of such devices and services.

    I do see the point about providers saying they keep their servers and stuff secure, that is a very good point. Will have to do some research about providers.
    For non-critical web apps that deal with non-sensitive information we still use proxy web app servers in a DMZ to send the web requests through a firewall and IPS to the real web app servers. For anything slightly more important, we go redundant and security increases exponentially.

    Good point about running a DMZ to keep the sensitive data secured.

    Say we run two servers, one for the web and the other for sensitive data. Could we just put both servers behind one router on separate VLANs and run a router on a stick with the webserver in the DMZ and the secure server on a VLAN that is running IPS? Would an ISR provide the same security as a standalone ASA or maybe even a Check Point firewall?

    Also compensation. My friend quoted the Agency between $5k and $10k for his services. Though they only pay him on a Per Diem basis he has only made $1200 from all the work he has done to date. Which isn't much! But remember that the fellow who is running the Agency is a friend and bandmate he has known for three decades.

    Thanks for all your input so far.