Firewall Wizards mailing list archives
RE: A little paranoia for the weekend...
From: Joseph Steinberg <Joseph () whale-com com>
Date: Wed, 6 Aug 2003 16:31:13 -0400
Sorry for any excess "vendorism" - points taken. I agree that when you access sensitive data from a physically insecure location, there is always some risk. The risk is more than just the presence of a keystroke logger - there could also be someone watching (and potentially holding a video-camera), etc. This is true whether we are talking about SSL VPN (and web access) or IPSEC VPN - the access technology and device is not the issue, it is the *location* from which access takes place. If an inappropriate party sees the screen of a user typing an email about a planned corporate merger, or views the keyboard of a user entering his social security number into an HR application, private information may be leaked.

So... the real issue is to have the remote-access technology DIFFERENTIATE between different kinds of locations as best as possible -- "physically safe" locations (e.g., your home or office) and "insecure locations" (essentially everywhere else) and be able to restrict your access accordingly. Based on your own corporate policies you should be able to allow access to some systems and data from insecure locations, but, allow other functions (for example reconfiguring corporate firewalls, accessing a system used for planning corporate mergers, etc.) to be accessible only from a safe place (e.g., home or office computer).

In addition to restricting access based on the location, it is important to implement a "virtual shredder" to erase any residue from a public computer after a user's session is over.

Joseph Steinberg

-----Original Message-----
From: Ben Nagy [mailto:ben () iagu net]
Sent: Wed, July 30, 2003 5:54 AM
To: 'Joseph Steinberg'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] A little paranoia for the weekend...
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joseph Steinberg
[...]
Web-based remote access (SSL VPN etc.) can be secure if implemented properly.
Not on an unsecured public terminal they can't. This is just an illustration of the classic motif - If bad people have unrestricted physical access to a PC then you can't trust it anymore. End of story. Even with pixie dust.

. . .

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards