Firewall Wizards mailing list archives

Dialing out problem


From: "Ellis Luk" <e_luk () hotmail com>
Date: Thu, 20 May 1999 09:05:49 PDT

At my workplace, some staff need to use a modem to connect to a
subscription service and download information. Previously, these were
serial connections (using kermit ... etc), not network connections.
So the security risk was low.

But recently, in the name of Y2K compliance and being e-commerce
enabled, they changed the application to use TCP/IP.
When we told them that we have a security concern because this
application effectively cross-connects our network with their server,
their reply was basically "well, trust me, and by the way,
you should take care of your own security."

I remembered that a few years ago when I did some security analysis
work for a financial institution, they planned to offer a subscription
service to their customers. But their offer was using a VPN through
the Internet. However, as you can see, such an offer virtually
cross-connects 2 different clients together through the VPN product
(which did not provide any access control). Eventually, they
understood the implication and cancelled the offer (it was
changed to Web based.)
Now, I am at the receiving end. Obviously, my company should not
trust the information provider, but securing individual user's
workstation is difficult if not impossible. Using standalone PCs
may solve this security issue but it is not practical.

I wonder if other people have encountered similar situations, and how
they would handle it.

--
Ellis

