[PEN-TEST] Your opinions are solicited ...

From: Jim Miller <MillerJ_at_FABSSB.COM>
Date: Mon, 30 Oct 2000 17:53:21 -0600

.. on the configuration of security for an Internet application to be deployed. The bank that I work for is planning to deploy a cash mgt application on the internet. They propose to secure the application and its face on the Net with SSL and MS Certificate Server.

The sessions will be protected from Net snooping by SSL's 132 bit encryption, "as strong as IP tunnelling".

Access will be controlled by installing a certificate on each remote client. The installation is done via download from the Certificate Server, but is a manual process: the remote will request the certificate and the server will download only after a process is started by support.

The IT staff is unsure where the certificate resides on the client. They suppose it to be both file based and in the Registry. They have tried the "certificate export" process in IE and found that it will not export, so they are satisfied that it provides the level of security required to secure a cash mgt application. They note that the HTML page presented to IE without the certificate is an error page. There is no way to get at the certificate on the Net site.

The cash mgt application has its own security, but I note that it is application level security, and that using only logonid / password authentication across the Net is generally held to be a mistake.

I have recommended using VPN, now readily available in Win2000, but have been rejected. "A support nightmare." was the reason given.

What do you think of the security schema planned?
What schema would you use?
What do you think of the reason given for not using VPN?

I hope your conclusions will be the same as mine. To make my point, I will most likely have a URL for testing later in the week. If you are interested in hitting against it, please let me know directly. Any questions I can answer to clarify, please let me know.

Thanks.

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj_at_fabssb.com
Received on Nov 01 2000
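The post above leaves open where the client certificate and its private key actually live on the Windows workstation, and whether "IE will not export it" means anything stronger than a flag on the key. The following is an added check, not code from the original post or from the bank's deployment: it walks the current user's personal certificate store and reports, for each certificate, whether a private key is present and whether that key is marked exportable. It assumes Windows PowerShell 5.1 or later on the client; the `Cert:` provider and the .NET X509Certificate2 properties it reads are standard Windows/.NET, but the output column names are this example's own.

```powershell
# Added example (not part of the original post): list client certificates in the
# per-user personal store and report whether each private key is flagged exportable.
# Assumes Windows PowerShell 5.1+ ; run as the end user who received the certificate.

# IE / Schannel selects client certificates from the current user's "My" store.
$StorePath = 'Cert:\CurrentUser\My'

function Get-ClientCertKeyStatus {
    param([string]$Path = $StorePath)

    Get-ChildItem -Path $Path | ForEach-Object {
        $cert = $_
        $exportable = 'n/a'

        if ($cert.HasPrivateKey) {
            try {
                # Legacy CSP (RSACryptoServiceProvider) keys expose CspKeyContainerInfo.
                # CNG keys or an inaccessible key container will land in the catch block.
                $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
            } catch {
                $exportable = 'unknown (CNG key or access denied)'
            }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Get-ClientCertKeyStatus | Format-Table -AutoSize

# Cross-check with the built-in tool, which also names the key container and provider:
# certutil -user -store My
```

`Exportable = False` only means the cryptographic provider will refuse an ordinary export request; it is a software-enforced attribute of a key that still sits, as a file, in the user's profile (under `%APPDATA%\Microsoft\Crypto`), with the certificate itself recorded in the per-user `SystemCertificates` registry hive. It is not equivalent to a key held on a smart card or other hardware token, which is the comparison to keep in mind when judging whether "it will not export" is a sufficient control for the application described.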
