Firewall Wizards mailing list archives

RE: A little paranoia for the weekend...


From: Joseph Steinberg <Joseph () whale-com com>
Date: Wed, 6 Aug 2003 16:31:13 -0400


Sorry for any excess "vendorism" - points taken.

I agree that when you access sensitive data from a physically insecure
location, there is always some risk. The risk is more than just the presence
of a keystroke logger - there could also be someone watching (and
potentially holding a video-camera), etc. This is true whether we are
talking about SSL VPN (and web access) or IPSEC VPN - the access technology
and device are not the issue; it is the *location* from which access takes
place. If an inappropriate party sees the screen of a user typing an email
about a planned corporate merger, or views the keyboard of a user entering
his social security number into an HR application, private information may
be leaked. 

So... the real issue is to have the remote-access technology DIFFERENTIATE
between different kinds of locations as best as possible -- "physically
safe" locations (e.g., your home or office) and "insecure locations"
(essentially everywhere else) and be able to restrict your access
accordingly. Based on your own corporate policies you should be able to
allow access to some systems and data from insecure locations, but allow
other functions (for example reconfiguring corporate firewalls, accessing a
system used for planning corporate mergers, etc.) to be accessible only from
a safe place (e.g., home or office computer).

In addition to restricting access based on the location, it is important to
implement a "virtual shredder" to erase any residue from a public computer
after a user's session is over.

Joseph Steinberg


-----Original Message-----
From: Ben Nagy [mailto:ben () iagu net]
Sent: Wed, July 30, 2003 5:54 AM
To: 'Joseph Steinberg'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] A little paranoia for the weekend...


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Joseph Steinberg
[...]

Web-based remote access (SSL VPN etc.) can be secure if implemented
properly.

Not on an unsecured public terminal they can't. This is just an illustration
of the classic motif - If bad people have unrestricted physical access to a
PC then you can't trust it anymore. End of story. Even with pixie dust.
.
.
.