Home page logo
/

basics logo Security Basics mailing list archives

RE: Re: Secure Intranet?
From: ONEILL David J <David.J.Oneill () state or us>
Date: 06 Nov 2002 07:24:31 -0800

The only problem I see with your solution is that you are assuming that the
partner on the other side of the VPN is keeping to the same level of security
as your own system (at least as secure as your own.)  What if the partner
organization is an easy target?  The VPN will allow an intruder to tunnel
right past your security by piggy backing on the compromised VPN connection.


David J. O'Neill
NEDSS - IS7
Parkway Bldg., 2nd Floor
Phone: (503) 378-2101 ext. 364
FAX:     (503) 378-2102

sims () interex org 11/05/02 10:02AM >>>
If someone has the time, resources, knowlege and ability to break into your
systems, then nothing is going to be secure enough. Basically any time you
make confidential data available outside your organization or even inside for
that matter, you have to weigh the risks with the benefits. If the benefits
out-weigh the risks then you make it as difficult as possible for anyone to
get to the data you want to restrict.

HTTPS could be used for this although with information as sensative as medical
records, I would try something different. You can use VPN access with one time
passwords and a high encryption level depending on how many need access and
how much access they need. Then on your server you have to make sure that is
something is compromised, you have minimized the damage that can be done.
Example, you give only read access to users that don't need to write files.
Etc etc.

For info on one-time-passwords you can check out this site (I am not saying to
go with this one, but it has information that explains its use)
http://www.securecomputing.com/index.cfm?skey=643 

have fun.

*********** REPLY SEPARATOR  ***********

On 11/1/2002 at 4:58 PM Surmit Walia wrote:

If HTTPS is not secure enough, than why do banks use them?  Just
wondering... 

---------------
---> Using a https server don't seem to me secure enough, but it's the
cheapest solution..

I hope it helps

Arnaud M.

On Thu, 31 Oct 2002 19:44:57 -0800 (PST)
Alan Cooper <imalcooper () yahoo com> wrote:

I have client that would like to have its confidential
data (medical records) available to traveling
executives.  

What is the most secure way to set this up?  Secure
web site using private certificates?  Go with VPN's? 
Tell the client forget the idea because there is no
good way to secure confidential data exposed to the
Internet?  

Suggestions...

Thanks for your help.

Al Cooper


__________________________________________________
Do you Yahoo!?
HotJobs - Search new jobs daily now
http://hotjobs.yahoo.com/ 




                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
                                                                              
   


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault