Home page logo

basics logo Security Basics mailing list archives

RE: Re: Secure Intranet?
From: Seth Knox <seth.knox () sygate com>
Date: Wed, 6 Nov 2002 16:25:54 -0800

I concur with David's point that the systems that connect to your network
need to have a minimum level of security that is in line with your policies.
It is critical to verify the security of the end user's system before they
connect to your network through VPN. Otherwise, any compromise of the
end-user's system will quickly spread to your network. Executive are
notorious for doing dangerous things like connecting wireless LANs in
airports, installing insecure applications (IM and P2P), cancelling
anti-virus updates, and sharing their hard drive. When you are dealing with
information such as medical or financial records, if you don't protect the
information the company may be liable for damages related to the improper
disclosure of the information under HIPAA. The only way provide secure
remote access is to use strong authentication (two-factor preferable),
strong encryption, and enforce that the appropriate security measures are
present on the system (host firewall, anti-virus, patches, host IDS).
Anything less and your client is taking a serious risk. 

Sygate has a product that does security policy enforcement for VPN called
Sygate Secure Enterprise. It gives you that ability to verify that the
system at the end of the VPN tunnel is running updated anti-virus, host
firewall, host IDS, patches or any combination of security policies you want
in place. Many of the analyst like Garnter and Meta Group consider it a
necessity to have policy enforcement before deploying VPN or other types of
remote access. Also, many of the major VPN vendors are integrating with
Sygate to offer a secure remote access solutions (See PR links below). Hope
this helps. Please let me know if you have any questions.

Sygate Secure Enterprise Data Sheet

Sygate VPN Partner Press Releases

-----Original Message-----
From: ONEILL David J [mailto:David.J.Oneill () state or us]
Sent: Wednesday, November 06, 2002 7:25 AM
To: security-basics () security-focus com; sims () interex org
Subject: RE: Re: Secure Intranet?

The only problem I see with your solution is that you are assuming that the
partner on the other side of the VPN is keeping to the same level of
as your own system (at least as secure as your own.)  What if the partner
organization is an easy target?  The VPN will allow an intruder to tunnel
right past your security by piggy backing on the compromised VPN connection.

David J. O'Neill
Parkway Bldg., 2nd Floor
Phone: (503) 378-2101 ext. 364
FAX:     (503) 378-2102

sims () interex org 11/05/02 10:02AM >>>
If someone has the time, resources, knowlege and ability to break into your
systems, then nothing is going to be secure enough. Basically any time you
make confidential data available outside your organization or even inside
that matter, you have to weigh the risks with the benefits. If the benefits
out-weigh the risks then you make it as difficult as possible for anyone to
get to the data you want to restrict.

HTTPS could be used for this although with information as sensative as
records, I would try something different. You can use VPN access with one
passwords and a high encryption level depending on how many need access and
how much access they need. Then on your server you have to make sure that is
something is compromised, you have minimized the damage that can be done.
Example, you give only read access to users that don't need to write files.
Etc etc.

For info on one-time-passwords you can check out this site (I am not saying
go with this one, but it has information that explains its use)

have fun.

*********** REPLY SEPARATOR  ***********

On 11/1/2002 at 4:58 PM Surmit Walia wrote:

If HTTPS is not secure enough, than why do banks use them?  Just

---> Using a https server don't seem to me secure enough, but it's the
cheapest solution..

I hope it helps

Arnaud M.

On Thu, 31 Oct 2002 19:44:57 -0800 (PST)
Alan Cooper <imalcooper () yahoo com> wrote:

I have client that would like to have its confidential
data (medical records) available to traveling

What is the most secure way to set this up?  Secure
web site using private certificates?  Go with VPN's? 
Tell the client forget the idea because there is no
good way to secure confidential data exposed to the


Thanks for your help.

Al Cooper

Do you Yahoo!?
HotJobs - Search new jobs daily now




































  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]