Firewall Wizards mailing list archives

RE: Re: Link from DMZ to Internal Apps


From: "Ames, Neil" <NAmes () anteon com>
Date: Thu, 21 Feb 2002 08:45:14 -0500

Dear Uri,
        I don't want to read a marketing pitch for every question that comes
up on the list, though I would appreciate a personal e-mail if you have a
solution that applies to something that I post.  The "urging" in the list
policy is, "Commercial postings are discouraged unless they are of high
technical content. I.e.: it is OK to post a description of a product or how
a product could help solve a problem. It is NOT OK to follow up to postings
saying "buy our thing! it does that!"  I have too much to read, and Whale
Communications has been pitching a lot lately, so I would appreciate some
mercy.


Thank you,

Fritz Ames

-----Original Message-----
From: Uri Lichtenfeld [mailto:UriL () whale-com com]
Sent: Tuesday, February 19, 2002 11:38 AM
To: 'firewall-wizards () nfr com'
Subject: Re: Re: [fw-wiz] Link from DMZ to Internal Apps


Dear Guess Who,

The first thing to realize is that there is no one panacea solution that will
end all your woes and solve all your problems. I think you should consider
looking at a product called e-Gap e-Business by Whale Communications. It
attempts to address the very same issues you raised of publishing web
applications from unknown or "not 100% reliable" sources securely and
without the requirement of VPN tools. Again, this product is a good quick
solution to help solve most of the issues, but it's no replacement for a
complete plan with policies, planning and education in place.

The idea of the product is that it provides full protection from all aspects
of web hacking. Everything from protection of the network layer to the
application layer (while including authentication and encryption). There's
still more to add to this, however... What forms of authentication are you
using!? How open are you to "arming" your user with tokens, for instance?
Etc. etc.

Uri Lichtenfeld - www.whalecommunications.com

-----Original Message-----
From: Marcus J. Ranum
To: Guess Who; firewall-wizards () nfr com
Sent: 18/02/02 09:48
Subject: Re: [fw-wiz] Link from DMZ to Internal Apps


Due to departure of more experienced security minds in
our healthcare organization, I am faced with making inexperienced 
decisions on demands for external access to internal applications.

One thing to get familiar with is HIPAA - it's a government
guideline/standard "protecting the confidentiality and integrity of
'individually identifiable health information,' past, present or future."
You should make sure that whatever access you're providing is OK under
HIPAA...

Our Web
dev team just released a "portal" for these users that aggregates some 
of the info they need and we have this available on the outside via our 
DMZ environment, but, of course, they want more.

Presumably the "portal" is using some kind of security, yes? Maybe SSL on
the links at a minimum? ..?

As more of our legacy
internal apps move to Web, these users want us to
simply "link" them to these internal apps from the
externally available portal.  This to me would appear
to simply bring external users directly to the inside defeating the
purpose of the separate web environment in the DMZ.

Actually the fact that your organization is set up so that
some bunch of Web Developers can just build and deploy
a "portal" (whatever that is...) without having to interface with your
security practitioners indicates to me that you're probably already in
trouble, security-wise...

Normally, I wouldn't recommend a strategy like this, but
since it sounds like a plate of spaghetti has dropped in your lap, I'd
recommend you pursue a vigorous offensive of butt-covering while you get
spun up on healthcare security and computer security. You can use the "I am
getting spun up on this stuff..." as a dodge to delay whatever insecure
deployments you can until you learn enough so you can judge the wisdom or
non-wisdom of any security-related deployments yourself. You've got what
sounds to me like a potentially nasty situation. Any organization where the
end users feel empowered to just deploy stuff and/or apply that kind of
pressure on the security organization without any administrative checks and
balances is almost guaranteed to have serious security failures.

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards