Firewall Wizards mailing list archives

Re: ADP payroll


From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Fri, 10 May 2002 10:44:20 -0500

At 07:44 PM 5/9/2002, Roger Marquis wrote:

> I'm looking for people with experience using a particular ADP
> payroll software package.  This software runs under MS Windows and
> connects to ADP's servers over the Internet.  ADP support has been
> unable to provide the information necessary to do a risk analysis.

A fundamental part of risk analysis is to look at who is liable if trouble occurs. You want to focus on shielding your 
own company from liability and not spend money to protect outsiders from themselves. 

In this case, you probably want to talk to your corporate counsel about the agreement with ADP and what it might imply 
about liability. IANAL, but it seems unlikely that ADP could duck liability for damage caused by their products, 
especially if one of their employees embedded malicious software in it.

Assuming your company isn't liable for attacks on ADP that involve your traffic, then it sounds as if they've provided 
you with the sort of information you can use to protect your site: they've told you what you need in order to limit 
firewall access to their servers over their ports.

Beyond that, you could establish a separate subnet for the payroll and accounting functions (if you haven't already, 
you should really consider it) and then you can provide separate firewall controls to allow the ADP traffic into that 
subnet. If you're worried about hacking attacks originating from ADP, then you can do logging to keep track of ADP 
accesses so you can at least track them down after the fact.
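One concrete form of the control described above (a dedicated payroll subnet, firewall rules that admit only the ADP traffic, and logging of every ADP access), as an added example that is not from the original thread: a shell function that emits an nftables ruleset. The payroll subnet, the ADP server addresses and the service port are placeholders, since this message does not state them; substitute the values from your own ADP agreement before loading.

```shell
#!/bin/sh
# Emit an nftables ruleset for a separately firewalled payroll subnet.
# All addresses and ports are placeholders constructed for this example
# (TEST-NET addresses); replace them with the values ADP actually gave you.
PAYROLL_NET="${PAYROLL_NET:-10.20.30.0/24}"        # placeholder payroll/accounting subnet
ADP_HOSTS="${ADP_HOSTS:-192.0.2.10, 192.0.2.11}"   # placeholder ADP server addresses
ADP_PORTS="${ADP_PORTS:-443}"                       # placeholder ADP service port(s)

gen_ruleset() {
    cat <<EOF
table inet payroll {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to sessions already admitted below.
        ct state established,related accept

        # Payroll subnet may reach the ADP servers, only on the agreed ports.
        # Logged so every outbound ADP session leaves a record.
        ip saddr $PAYROLL_NET ip daddr { $ADP_HOSTS } tcp dport { $ADP_PORTS } log prefix "payroll-to-adp: " accept

        # ADP servers may reach the payroll subnet, only on the agreed ports.
        # The log line is what lets you track an ADP access after the fact.
        ip saddr { $ADP_HOSTS } ip daddr $PAYROLL_NET tcp dport { $ADP_PORTS } log prefix "adp-to-payroll: " accept

        # Anything else entering or leaving the payroll subnet is logged and dropped.
        ip saddr $PAYROLL_NET log prefix "payroll-egress-refused: " drop
        ip daddr $PAYROLL_NET log prefix "payroll-ingress-refused: " drop
    }
}
EOF
}

# Print the ruleset; once the placeholders are replaced, load it with: nft -f <file>
gen_ruleset
```

The ruleset assumes the payroll subnet sits behind this host as a routed segment (forward hook); if the firewall itself is the payroll host, the same rules belong in the input and output chains instead.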

> Each of these requirements is unusual for an Internet-based
> client-server software package.  When considered together they
> raise a very large red warning flag.  Security by obscurity is not
> normally taken to such extremes, especially by an Internet Financial
> Service Provider.  No Corporate Security Officer or Network Security
> Consultant would normally allow an outside company to set up a server
> inside their client's network without complete disclosure and
> guarantees regarding what that internal server will be used for.
> Clients have no way of assuring that ADP's software will not be a
> source of viruses, trojans, or abused as a base for economic
> espionage or other local network probes.

In many cases, the "assurance" comes from the reputation of the company offering the product and/or service. This is 
the argument by which many software products, notably operating systems, find themselves at the heart of corporate 
operations. As we all know, the fact that some versions of Windows NT have earned government security ratings doesn't 
prevent NT from hosting viruses, trojans, and worms, and the odd back door has even found its way out of Redmond.


Rick.
smith () securecomputing com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
