Re: [Zope] Re: [ZCommerce] Secure storage of credit card info

2000-06-08 Thread Derek Simkowiak

-> I'd like to also have a one-box solution, though.

Ooh, that's bad JuJu.  Keeping CC#s on the same box as your
webserver?

a)  Pray there are no overflows/misconfigurations/etc. on the webserver
daemon.

b)  Turn off EVERY other service on that box (even ssh has had a buffer
overflow).  This means no remote system management (i.e. buy another
keyboard and monitor).

c)  [After the Fact]: Wonder why you didn't choose to spend another mere
$1200 for a separate (Linux Oracle) server

In short, if you're worried enough to encrypt the database files
on disk, you're worried enough to have a separate database server.


--Derek


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Re: [ZCommerce] Secure storage of credit card info

2000-06-08 Thread Derek Simkowiak

-> > You have a ZCommerce site.  You accept credit cards, and securely
-> > communicate with a CC processor to verify the transaction.  Now,

Besides Bill's suggestion, keep all your servers behind a good
firewall.  One option is to use Linux IP Masquerading, having your
webserver *and* database server use 192.168.0.??? IP Addresses.  Then,
turn on port forwarding on your Masq server, so that all incoming requests
on port 80 go to (something like) port 8080 on your webserver, which then
responds to the request.

You could just use an encrypted filesystem on the database server,
although that may be too slow (and possibly overkill?).  At that point
--assuming your firewall is secured-- you'd more or less need physical
access to your internal network to see those CC#s.  The only real danger
left is a misconfiguration (or bad code) in your webserver software.
(read: don't use IIS :)


--Derek
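The firewall layout described in the post above (web server and database server on private 192.168.0.x addresses, the gateway forwarding inbound port 80 to port 8080 on the web server, and the database reachable only from the web server) written out as an nftables ruleset. This is an added example, not a configuration from the post or the Zope project; nftables is the modern Linux successor to the IP Masquerading the post refers to. The interface names (eth0 external, lan0 internal), the host addresses 192.168.0.10 (web) and 192.168.0.20 (database), and the Oracle listener port 1521 are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for the gateway/masquerading host described above.
# Assumed layout (not from the original post):
#   eth0  = interface facing the Internet
#   lan0  = interface on the private 192.168.0.0/24 network
#   192.168.0.10 = web server (listens on 8080)
#   192.168.0.20 = database server (Oracle listener assumed on 1521)

flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Inbound HTTP on the public side is redirected to the web server's
        # high port; the web server itself never has a public address.
        iifname "eth0" tcp dport 80 dnat to 192.168.0.10:8080
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade outbound traffic from the private network (e.g. the
        # web server talking to the card processor) behind the gateway.
        oifname "eth0" ip saddr 192.168.0.0/24 masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed below.
        ct state established,related accept
        ct state invalid drop

        # Only the DNAT'd web traffic may cross from the Internet to the
        # private network, and only to the web server's service port.
        iifname "eth0" oifname "lan0" ip daddr 192.168.0.10 tcp dport 8080 ct state new accept

        # The database accepts connections from the web server only.
        # Nothing arriving on eth0 can reach 192.168.0.20 at all.
        iifname "lan0" oifname "lan0" ip saddr 192.168.0.10 ip daddr 192.168.0.20 tcp dport 1521 ct state new accept

        # Everything else is logged and dropped by the chain policy.
        log prefix "fw-forward-drop: " drop
    }
}
```

Because DNAT happens in the prerouting hook, the forward chain already sees the rewritten destination (192.168.0.10:8080), which is why the accept rule matches on the internal address rather than on port 80. The database rule is the part that enforces the post's point: a compromise of the web server still leaves an attacker one hop away from the card data, whereas a single-box setup gives it away in one step.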

