RE: [fw-wiz] A little paranoia for the weekend...
From: Joseph Steinberg (Joseph_at_whale-com.com)
Date: 08/06/03
To: Ben Nagy <ben@iagu.net>, firewall-wizards@honor.icsalabs.com
Date: Wed, 6 Aug 2003 16:31:13 -0400
Sorry for any excess "vendorism" - points taken.
I agree that when you access sensitive data from a physically insecure
location, there is always some risk. The risk is more than just the presence
of a keystroke logger - there could also be someone watching (and
potentially holding a video-camera), etc. This is true whether we are
talking about SSL VPN (and web access) or IPSEC VPN - the access technology
and device is not the issue, it is the *location* from which access takes
place. If an inappropriate party sees the screen of a user typing an email
about a planned corporate merger, or views the keyboard of a user entering
his social security number into an HR application, private information may
be leaked.
So... the real issue is to have the remote-access technology DIFFERENTIATE
between different kinds of locations as best as possible -- "physically
safe" locations (e.g., your home or office) and "insecure locations"
(essentially everywhere else) and be able to restrict your access
accordingly. Based on your own corporate policies you should be able to
allow access to some systems and data from insecure locations, but, allow
other functions (for example reconfiguring corporate firewalls, accessing a
system used for planning corporate mergers, etc.) to be accessible only from
a safe place (e.g., home or office computer).
In addition to restricting access based on the location, it is important to
implement a "virtual shredder" to erase any residue from a public computer
after a user's session is over.
Joseph Steinberg
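As an added illustration of the location-differentiated access control described above (example code, not from the original thread or any product), here is a small gateway policy check. It assumes a constructed application catalogue, constructed corporate address ranges, and that the only signal distinguishing a home/office computer from a public kiosk is a company-issued device certificate; all names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample catalogue: the location class each application requires.
#   "any"    - usable from any location once the user has authenticated
#   "safe"   - only from a company-managed computer (home or office)
#   "office" - only from a managed computer on a corporate network
APP_REQUIREMENT = {
    "webmail": "any",
    "timesheets": "any",
    "hr-portal": "safe",
    "merger-planning": "safe",
    "firewall-admin": "office",
}

# Constructed: corporate address space the gateway treats as "office".
OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.10.0/24")]

# Ordering used to compare what a session has against what an app needs.
RANK = {"any": 0, "safe": 1, "office": 2}

@dataclass
class Session:
    user: str
    source_ip: str
    managed_device: bool   # client authenticated with a company-issued device certificate
    app: str

def classify_location(session: Session) -> str:
    """Derive the location class from signals the gateway can verify: a
    managed-device certificate marks a home/office computer as "safe"; a public
    kiosk presents none and stays "any". "office" additionally requires a
    corporate source address. The address alone never upgrades a session,
    because an unmanaged kiosk could be plugged into the office LAN."""
    if not session.managed_device:
        return "any"
    addr = ipaddress.ip_address(session.source_ip)
    if any(addr in net for net in OFFICE_NETWORKS):
        return "office"
    return "safe"

def authorize(session: Session) -> tuple[bool, str]:
    """Deny by default: unknown apps and an insufficient location class both fail."""
    needed = APP_REQUIREMENT.get(session.app)
    if needed is None:
        return False, f"unknown application {session.app!r}"
    have = classify_location(session)
    if RANK[have] < RANK[needed]:
        return False, f"{session.app} requires {needed!r} location, session is {have!r}"
    return True, f"{session.app} allowed from {have!r} location"
```

With this shape, a kiosk session can still read webmail but is refused the HR portal, and a managed laptop at home reaches the HR portal yet cannot administer firewalls until it is on the corporate network.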
-----Original Message-----
From: Ben Nagy [mailto:ben@iagu.net]
Sent: Wed, July 30, 2003 5:54 AM
To: 'Joseph Steinberg'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] A little paranoia for the weekend...
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Joseph Steinberg
[...]
>
> Web-based remote access (SSL VPN etc.) can be secure if implemented
> properly.
Not on an unsecured public terminal they can't. This is just an illustration
of the classic motif - If bad people have unrestricted physical access to a
PC then you can't trust it anymore. End of story. Even with pixie dust.
[...]
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards