Firewall Wizards mailing list archives

Re: Link from DMZ to Internal Apps


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Mon, 18 Feb 2002 09:48:52 -0500


> Due to departure of more experienced security minds in
> our healthcare organization, I am faced with making
> inexperienced decisions on demands for external access
> to internal applications.

One thing to get familiar with is HIPAA - it's a government
guideline/standard "protecting the confidentiality and integrity of
'individually identifiable health information,' past, present or future."
You should make sure that whatever access you're providing
is OK under HIPAA...

> Our Web
> dev team just released a "portal" for these users that
> aggregates some of the info they need and we have this
> available on the outside via our DMZ environment, but,
> of course, they want more.

Presumably the "portal" is using some kind of security, yes?
Maybe SSL on the links at a minimum? ..?

> As more of our legacy
> internal apps move to Web, these users want us to
> simply "link" them to these internal apps from the
> externally available portal.  This to me would appear
> to simply bring external users directly to the inside
> defeating the purpose of the separate web environment
> in the DMZ.

Actually the fact that your organization is set up so that
some bunch of Web Developers can just build and deploy
a "portal" (whatever that is...) without having to interface
with your security practitioners indicates to me that you're
probably already in trouble, security-wise...

Normally, I wouldn't recommend a strategy like this, but
since it sounds like a plate of spaghetti has dropped in your
lap, I'd recommend you pursue a vigorous offensive of butt-covering
while you get spun up on healthcare security and computer
security. You can use the "I am getting spun up on this stuff..."
as a dodge to delay whatever insecure deployments you can
until you learn enough so you can judge the wisdom or non-wisdom
of any security-related deployments yourself. You've got what
sounds to me like a potentially nasty situation. Any organization
where the end users feel empowered to just deploy stuff and/or
apply that kind of pressure on the security organization without
any administrative checks and balances is almost guaranteed to
have serious security failures.

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

