Firewall Wizards mailing list archives
Re: Link from DMZ to Internal Apps
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 19 Feb 2002 01:05:16 -0500 (EST)
It seems to me that there might well be an area here that is still ignored. Even with strict access and authentication mechanisms in place, in an environment where there is this lax concept of data security, and considering that much of this data is personal for those people it is maintained upon, but impersonal to those that use the data in the course of their work, the risk remains that once the data has been scarfed up by one for their job, and especially by those folks working from home or in partnership relations via VPNs, how secure does that data then remain? An encrypted VPN tunnel only protects that data in transit, not once the data is parsed down to a user's laptop or home machine; once it leaves the perimeter, how secure remains the confidentiality of that data? Thus the mention by many about policies. Those policies, and HIPAA regulations, are required to deal with data leakage once the data has been 'securely' transmitted as well.

Thanks,

Ron DuFresne

On Mon, 18 Feb 2002, Marcus J. Ranum wrote:
> > Due to departure of more experienced security minds in our healthcare organization, I am faced with making inexperienced decisions on demands for external access to internal applications.
>
> One thing to get familiar with is HIPAA - it's a government guideline/standard "protecting the confidentiality and integrity of 'individually identifiable health information,' past, present or future." You should make sure that whatever access you're providing is OK under HIPAA...
>
> > Our Web dev team just released a "portal" for these users that aggregates some of the info they need and we have this available on the outside via our DMZ environment, but, of course, they want more.
>
> Presumably the "portal" is using some kind of security, yes? Maybe SSL on the links at a minimum? ..?
>
> > As more of our legacy internal apps move to Web, these users want us to simply "link" them to these internal apps from the externally available portal. This to me would appear to simply bring external users directly to the inside, defeating the purpose of the separate web environment in the DMZ.
>
> Actually the fact that your organization is set up so that some bunch of Web Developers can just build and deploy a "portal" (whatever that is...) without having to interface with your security practitioners indicates to me that you're probably already in trouble, security-wise... Normally, I wouldn't recommend a strategy like this, but since it sounds like a plate of spaghetti has dropped in your lap, I'd recommend you pursue a vigorous offensive of butt-covering while you get spun up on healthcare security and computer security. You can use the "I am getting spun up on this stuff..." as a dodge to delay whatever insecure deployments you can until you learn enough so you can judge the wisdom or non-wisdom of any security-related deployments yourself. You've got what sounds to me like a potentially nasty situation.
>
> Any organization where the end users feel empowered to just deploy stuff and/or apply that kind of pressure on the security organization without any administrative checks and balances is almost guaranteed to have serious security failures.
>
> mjr.
> ---
> Marcus J. Ranum
> Chief Technology Officer, NFR Security, Inc.
> Work: http://www.nfr.com
> Personal: http://www.ranum.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!