Firewall Wizards mailing list archives

Re: Link from DMZ to Internal Apps

From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 19 Feb 2002 01:05:16 -0500 (EST)


It seems to me that there might well be an area here that is still
ignored.  Even with strict access and authentication mechinisms in place,
in an environment whence there is this lax concept of data security, and
considering that much of this data is personal for those people it is
maintained upon, but, impersonal to those that use the data in the course
of their work, the risk remains, that once the data has been scarfed up by
one for their job, and especially those folks working from home, or in
partnership relations via VPN's, how secure does that data then remain?
An encrypted VPN tunnel only protects that data in transit, not once the
data is parsed down to a users laptop or home machine, once it leaves the
perimiter how secure remains the confidentiality of that data?  Thus the
mention by many about policies.  Those policies, and HIPPA regulations,
are required to deal with data leakage once the data has been 'securely'
transmitted as well.

Thanks,


Ron DuFresne

On Mon, 18 Feb 2002, Marcus J. Ranum wrote:

Due to departure of more experienced security minds in
our healthcare organization, I am faced with making
inexperienced decisions on demands for external access
to internal applications.


One thing to get familiar with is HIPAA - it's a government
guideline/standard "protecting the confidentiality and integrity of
'individually identifiable health information,' past, present or future."
You should make sure that whatever access you're providing
is OK under HIPAA...

Our Web
dev team just released a "portal" for these users that
aggregates some of the info they need and we have this
available on the outside via our DMZ environment, but,
of course, they want more.


Presumably the "portal" is using some kind of security, yes?
Maybe SSL on the links at a minimum? ..?

 As more of our legacy
internal apps move to Web, these users want us to
simply "link" them to these internal apps from the
externally available portal.  This to me would appear
to simply bring external users directly to the inside
defeating the purpose of the separate web environment
in the DMZ.


Actually the fact that your organization is set up so that
some bunch of Web Developers can just build and deploy
a "portal" (whatever that is...) without having to interface
with your security practitioners indicates to me that you're
probably already in trouble, security-wise...

Normally, I wouldn't recommend a strategy like this, but
since it sounds like a plate of spaghetti has dropped in your
lap. I'd recommend you pursue a vigorous offensive of butt-covering
while you get spun up on healthcare security and computer
security. You can use the "I am getting spun up on this stuff..."
as a dodge to delay whatever insecure deployments you can
until you learn enough so you can judge the wisdom or non-wisdom
of any security-related deployments yourself. You've got what
sounds to me like a potentially nasty situation. Any organization
where the end users feel empowered to just deploy stuff and/or
apply that kind of pressure on the security organization without
any administrative checks and balances is almost guaranteed to
have serious security failures.

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Link from DMZ to Internal Apps Guess Who (Feb 18)
- Re: Link from DMZ to Internal Apps Marcus J. Ranum (Feb 18)
  - Re: Link from DMZ to Internal Apps R. DuFresne (Feb 19)
- Re: Link from DMZ to Internal Apps Rick Smith at Secure Computing (Feb 21)
- <Possible follow-ups>
- RE: Link from DMZ to Internal Apps Carl Friedberg (Feb 18)
- Re: Link from DMZ to Internal Apps Joseph Steinberg (Feb 19)
- Re: Re: Link from DMZ to Internal Apps Uri Lichtenfeld (Feb 19)
  - RE: Re: Link from DMZ to Internal Apps Benjamin P. Grubin (Feb 20)
- RE: Re: Link from DMZ to Internal Apps Ames, Neil (Feb 21)