Firewall Wizards mailing list archives
Re: Link from DMZ to Internal Apps
From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Thu, 21 Feb 2002 10:16:17 -0600
This has been a terrific thread. I strongly agree with Carl Friedberg on the policy issue: you can't say "No" to a powerful user unless you have a policy in place about how sensitive information must be protected and how it can be used. Given that you're in the health care business, this must be coordinated with HIPAA requirements or some folks will find themselves in deep trouble someday. Simply conjure up the image of what happens to people who make accounting mistakes in Medicare (potential jail time) and you'll get people's attention. It's not clear to me what (if any) sanctions apply to HIPAA violations, but most senior staff members will appreciate how inflexible and humorless the Government is about rule breaking by health care organizations. Moreover, a good data leak that violates federal guidelines could leave them open for civil suits, and health care companies hate those.

Ron DuFresne brings up an important, related point when he points out that the organization loses control of data when it gets downloaded to a household PC or laptop. You probably want to limit risks by providing "thin client" access to the data via a Web page (process everything on the host and only deliver the results to the end user). Of course, even that approach will leave bits of sensitive data at the endpoint. However, this might be deemed an acceptable risk.

Having flogged the application proxy horse myself for many years, I also agree with Benjamin Grubin on the subject of Whale, et al. Technically I can agree with my colleagues at Whale, but I've found that in practice very few sites are willing or able to develop and maintain an effective proxy that really reflects the details of their application. The more detailed (harder to create and maintain) the proxy is, the more attacks it can intercept and prevent. The less detailed (easier to create and maintain) it is, the more attacks will slip through, regardless of what type of strong platform you use.
(insert plug for Sidewinder's application proxies, type enforcement, etc. here).

Rick.
smith () securecomputing com
roseville, minnesota
"Authentication" in bookstores
http://www.visi.com/crypto/
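The trade-off the post describes between a detailed and a less detailed application proxy can be made concrete with a small filter. The following is an added example written for this archive page; it is not code from the original post, from Secure Computing, Whale or any product mentioned. It contrasts a "detailed" policy that models a hypothetical patient-records web application (known endpoints, expected parameter names, value formats, deny by default) with a "generic" policy that only rejects a handful of suspicious characters. All endpoints, parameter names and request lines are constructed for illustration.

```python
"""Added example (not part of the original post): a toy application-layer
request filter that contrasts a detailed, application-specific proxy policy
with a generic character-blocklist policy. Endpoints, parameter names and
the sample request lines below are constructed for illustration only."""
import re
from urllib.parse import urlsplit, parse_qsl

# Detailed policy: per-endpoint allow-list of parameter names and value
# formats, modelled on a hypothetical patient-records web application.
# Anything not described here is denied.
DETAILED_POLICY = {
    ("GET", "/records/view"): {"patient_id": re.compile(r"^\d{1,8}$")},
    ("GET", "/records/search"): {"lastname": re.compile(r"^[-A-Za-z' ]{1,40}$")},
}

# Generic policy: accept any request that contains none of these characters.
GENERIC_BLOCKLIST = re.compile(r"[<>'\";]")


def parse_request_line(line):
    """Split an HTTP request line into (method, path, {param: value})."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return method, parts.path, params


def detailed_allows(line):
    """Detailed proxy: endpoint, parameter set and every value must match."""
    method, path, params = parse_request_line(line)
    allowed = DETAILED_POLICY.get((method, path))
    if allowed is None:
        return False  # unknown endpoint: deny by default
    if set(params) != set(allowed):
        return False  # missing or unexpected parameters
    return all(allowed[name].match(value) for name, value in params.items())


def generic_allows(line):
    """Generic proxy: pass anything without an 'obviously bad' character."""
    return GENERIC_BLOCKLIST.search(line) is None


# Constructed sample traffic: two legitimate requests and three that the
# application model does not describe but the blocklist cannot see.
SAMPLE_REQUESTS = [
    "GET /records/view?patient_id=12345 HTTP/1.1",          # legitimate
    "GET /records/search?lastname=O'Brien HTTP/1.1",        # legitimate, apostrophe
    "GET /records/view?patient_id=12345&debug=1 HTTP/1.1",  # unexpected parameter
    "GET /admin/export?all=true HTTP/1.1",                  # endpoint not in the model
    "GET /records/view?patient_id=abc HTTP/1.1",            # malformed value
]


def evaluate(lines):
    """Return {request_line: (detailed_verdict, generic_verdict)}."""
    return {line: (detailed_allows(line), generic_allows(line)) for line in lines}


if __name__ == "__main__":
    for line, (detailed, generic) in evaluate(SAMPLE_REQUESTS).items():
        print(f"detailed={detailed!s:5} generic={generic!s:5}  {line}")
```

Running it shows both halves of the post's point: the generic policy lets the three requests the application never issues straight through, while it blocks the legitimate search for "O'Brien" because of the apostrophe. The detailed policy gets all five right, but only because someone wrote down, and must keep current, exactly which endpoints and parameters the application uses.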