Firewall Wizards mailing list archives
Re: ADP payroll
From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Fri, 10 May 2002 10:44:20 -0500
At 07:44 PM 5/9/2002, Roger Marquis wrote:
> I'm looking for people with experience using a particular ADP payroll software package. This software runs under MS Windows and connects to ADP's servers over the Internet. ADP support has been unable to provide the information necessary to do a risk analysis.
A fundamental part of risk analysis is to look at who is liable if trouble occurs. You want to focus on shielding your own company from liability and not spend money to protect outsiders from themselves. In this case, you probably want to talk to your corporate counsel about the agreement with ADP and what it might imply about liability. IANAL, but it seems unlikely that ADP could duck liability for damage caused by their products, especially if one of their employees embedded malicious software in it. Assuming your company isn't liable for attacks on ADP that involve your traffic, then it sounds as if they've provided you with the sort of information you can use to protect your site: they've told you what you need in order to limit firewall access to their servers over their ports. Beyond that, you could establish a separate subnet for the payroll and accounting functions (if you haven't already, you should really consider it) and then you can provide separate firewall controls to allow the ADP traffic into that subnet. If you're worried about hacking attacks originating from ADP, then you can do logging to keep track of ADP accesses so you can at least track them down after the fact.
> Each of these requirements is unusual for an Internet-based client-server software package. When considered together they raise a very large red warning flag. Security by obscurity is not normally taken to such extremes, especially by an Internet Financial Service Provider. No Corporate Security Officer or Network Security Consultant would normally allow an outside company to set up a server inside their client's network without complete disclosure and guarantees regarding what that internal server will be used for. Clients have no way of assuring that ADP's software will not be a source of viruses, trojans, or abused as a base for economic espionage or other local network probes.
In many cases, the "assurance" comes from the reputation of the company offering the product and/or service. This is the argument by which many software products, notably operating systems, find themselves at the heart of corporate operations. As we all know, the fact that some versions of Windows NT have earned government security ratings doesn't prevent NT from hosting viruses, trojans, and worms, and the odd back door has even found its way out of Redmond.

Rick.
smith () securecomputing com
roseville, minnesota
"Authentication" in bookstores
http://www.visi.com/crypto/
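As an added illustration, and not code from this thread or from ADP or Secure Computing: a small policy-as-code model in Python of the three controls Rick describes for the payroll subnet (restrict access to the vendor's servers on the vendor's documented ports, keep payroll on its own subnet with nothing else allowed in or out, and log every vendor access so it can be traced after the fact). The subnet, the vendor server addresses, the port and the sample flows are all constructed placeholders; the real values would come from the vendor's connectivity requirements and your own addressing plan.

```python
"""Policy-as-code sketch of the payroll-subnet controls (constructed example)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed addresses: RFC 1918 space for the internal payroll subnet and
# TEST-NET-1 (RFC 5737) placeholders standing in for the vendor's servers.
PAYROLL_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ADP_SERVERS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
ADP_PORTS = {443}  # placeholder for whatever port(s) the vendor documents


@dataclass(frozen=True)
class Flow:
    """One new connection attempt as the firewall sees it."""
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def decide(flow):
    """Classify a new connection attempt.

    Returns (verdict, reason). 'accept' and 'drop' are final for traffic that
    touches the payroll subnet; 'pass' means the flow is out of scope for this
    chain and falls through to the site's general policy.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in PAYROLL_SUBNET:
        if flow.proto == "tcp" and dst in ADP_SERVERS and flow.dport in ADP_PORTS:
            return "accept", "payroll -> ADP allow-list"
        return "drop", "payroll subnet may only reach ADP on documented ports"
    if dst in PAYROLL_SUBNET:
        # Return traffic for connections the payroll hosts opened is assumed to
        # be handled by connection tracking; new inbound connections are not.
        return "drop", "no new inbound connections into payroll subnet"
    return "pass", "not payroll traffic"


def apply_policy(flows):
    """Evaluate flows and return firewall log lines for every in-scope decision.

    Accepts and drops involving the payroll subnet are all logged, so vendor
    accesses (and anything the vendor software tried that was not agreed)
    can be reconstructed later.
    """
    lines = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "pass":
            continue
        touches_adp = (ipaddress.ip_address(f.src) in ADP_SERVERS
                       or ipaddress.ip_address(f.dst) in ADP_SERVERS)
        tag = "ADP" if touches_adp else "PAYROLL"
        lines.append(f"{f.ts} {verdict.upper()} {tag} {f.proto} "
                     f"{f.src}:{f.sport} -> {f.dst}:{f.dport} ({reason})")
    return lines


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) (?P<tag>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def adp_access_report(log_lines):
    """Summarise which internal hosts reached ADP and whose attempts were refused."""
    report = {"accepted_by_host": Counter(), "dropped_by_src": Counter()}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["verdict"] == "ACCEPT" and m["tag"] == "ADP":
            report["accepted_by_host"][m["src"]] += 1
        elif m["verdict"] == "DROP":
            report["dropped_by_src"][m["src"]] += 1
    return report


# Constructed sample traffic: two legitimate vendor sessions, a payroll host
# trying a non-documented port, a payroll host reaching a non-vendor address,
# an inbound connection from a vendor address, and unrelated traffic.
SAMPLE_FLOWS = [
    Flow("2002-05-10T10:44:20", "10.20.30.15", 51234, "192.0.2.10", 443),
    Flow("2002-05-10T10:44:21", "10.20.30.15", 51235, "192.0.2.10", 22),
    Flow("2002-05-10T10:45:02", "10.20.30.20", 40001, "198.51.100.7", 443),
    Flow("2002-05-10T10:46:10", "192.0.2.11", 3389, "10.20.30.15", 445),
    Flow("2002-05-10T10:47:00", "10.20.30.15", 51240, "192.0.2.11", 443),
    Flow("2002-05-10T10:48:00", "10.50.0.9", 33000, "198.51.100.7", 80),
]

if __name__ == "__main__":
    log = apply_policy(SAMPLE_FLOWS)
    print("\n".join(log))
    print(adp_access_report(log))
```

The verdicts map directly onto a real ruleset (a per-subnet chain with an allow-list for the vendor's servers and ports, a log action on every decision, and a default drop); the report function is the after-the-fact tracking step, run over the firewall's own log rather than the constructed lines here.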