RE: Personal Firewalls

From: Mark L. Jackson (codewizard@lvcm.com)
Date: 07/15/02


From: "Mark L. Jackson" <codewizard@lvcm.com>
To: "Nicole Tutt" <NicoleT@meddata.com>, <security-basics@securityfocus.com>
Date: Mon, 15 Jul 2002 02:17:51 -0700


// My company has a VERY distributed user base with many people
// working from small satellite sites and/or from home. I would
// love suggestions for a PC level firewall that would protect

Why only a PC level firewall?

// from intrusions and also whether hardware v. software solutions
// would be best. We deal with medical records so privacy of the
// data is imperative.

Then the HIPAA regs will force you to do more than just get a PC firewall.

//
// The basic case scenario is a user working from home and
// connecting to the internet via cable/dsl/dial-up via an ISP to
// access mail (webaccess) and upload or download data(via SSL to
// our public web server) that may contain patient information.

While a PC firewall is a good idea, it will not satisfy HIPAA. You have a
couple of options as to what you can do about this. I am very concerned
about the uploading/downloading from a public web server to a home system.
Very scary.

The first (and I recommend this) is a router to router VPN connection. You
could also do this with a Win2K RRAS box on the server end and a router on
the other end. In an emergency you could use a VPN connection from a system
(say a laptop) instead of a router. I would discourage this, though. Make
sure that the router can be restricted as far as who admins it. Users should
not be able to change anything on the router.

The second option would be to set up a Citrix server and have only
connections through the Citrix secure client. You could also move your
office to thin clients making security even tighter. The only drawback to
this is that it is expensive. It is the superior solution. Tarantella might
work, but I have never worked with it, so I can not say for certain.

You also need to trash all of your insecure operating systems. Any system
that does not require a login is not acceptable (a real login; Win95/98/ME
are not real logins). One of the nice things about Citrix is that it does
not matter what system it is on: security is handled at the server and data
is handled the same way on all clients. Data can be viewed but is not saved
on the local system.

I would suggest immediately moving to encrypted email for all interoffice
email, and any external email that deals with patients. At the very least
use a secure email setup. I would also not allow access to Exchange via
Outlook Web Access. Use the VPN and have them log into the domain. I would
also archive ALL email that goes through Exchange. You might consider
automatic carbon of all email to an Exchange mail box that is controlled by
the CEO or CIO (if you have one).

You also need to examine your procedures in the office. Who is allowed to
look at files, do you have logging enabled, who now has access, who should
not have it that does, etc.

Are you using Microfour's Practice Studio? If you are, then you have some
gaping security holes. Microfour feels the need to share out the C: drive
without any password and no restrictions. I have battled these jokers about
this on several occasions. I have had to actually go behind them and
unshare the drive, only to find they dialed in, the doctor/recep/nurse (or
whoever) gave them the admin password, and they reshared it. After speaking to
them about this and explaining the issues this caused, I was told: "That
computer is for our use. It does not matter what you want to do. We will do
with it what we want. You should not be putting anything else on this
system."

PC firewall suggestions (please remember that this will only stop attacks on
a system, and there should not be any information stored there anyway):

1) BlackIce - best for Novices, and reliable. Can eventually be integrated
into a larger system later (if you go with the Real Secure version).

2) Tiny Personal Firewall - can be very confusing and mistake prone if not
managed by a knowledgeable person. Remote admin with an admin only option.

3) Sygate personal firewall - have not used it personally, but have heard
good things.

4) Zone Alarm - alarm is right. Until Steve Gibson stops flogging this
product I will never recommend it. Every person I know who has used it has
had problems. I have a major problem with this product in that it appears to
try to be all things to all people which never works.

5) Norton personal firewall - well, it is a Symantec product. I don't like
them and will not use them. I don't need software on my system to download
products, especially without my permission. They think otherwise. Again,
have seen many problems with this product. Support is a joke.

6) McAfee - well they had a good line of e-e-ppliances, but as per SOP they
ruined the business. They can never seem to get their act together. Support
is worse than a joke. If you have a good idea and want it to fail, sell it
to McAfee.
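The post's two concrete complaints (a whole C: drive shared out with no password or restrictions, and nobody knowing who currently has access) are the kind of thing an admin can check for rather than discover after the fact. The script below is an added example written for this page, not code from the original post or from any product mentioned in it. It assumes a Windows host with the SmbShare PowerShell module (Windows 8 / Server 2012 or later, so it would not run on the Win95/98/ME or Win2K systems discussed in the thread) and an elevated session; the list of "broad" principals it flags is the example's own choice.

```powershell
# Added example (not from the original post): audit local SMB shares for the
# two problems described in the thread -- a drive root shared out, and shares
# that grant access to broad or anonymous principals. Assumes Get-SmbShare and
# Get-SmbShareAccess are available (SmbShare module) and the session is elevated.

# Principals whose presence on a share ACL means "anyone on the network";
# this list is the example's own assumption, extend it to match local policy.
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests')

function Get-ShareFindings {
    $findings = @()
    foreach ($share in Get-SmbShare) {
        # Skip the built-in administrative shares (C$, ADMIN$, IPC$): they
        # require administrator rights and are not the "shared C: with no
        # restrictions" case the post describes.
        if ($share.Special -or -not $share.Path) { continue }

        # A path like "C:\" or "D:" means the whole drive is exposed.
        $isDriveRoot = $share.Path -match '^[A-Za-z]:\\?$'

        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            # AccountName may be "Everyone" or "DOMAIN\name"; compare the last part.
            $principal = ($ace.AccountName -split '\\')[-1]
            $isBroad = ($ace.AccessControlType -eq 'Allow') -and
                       ($broadPrincipals -contains $principal)

            if ($isDriveRoot -or $isBroad) {
                $reason = if ($isDriveRoot -and $isBroad) { 'drive root shared to broad principal' }
                          elseif ($isDriveRoot)           { 'drive root shared' }
                          else                            { 'broad principal granted access' }
                $findings += [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight
                    Reason    = $reason
                }
            }
        }
    }
    return $findings
}

# Usage: run on each workstation and keep the output as the "who has access"
# record the post says the office needs; an empty result is the desired state.
$findings = Get-ShareFindings
if (-not $findings -or $findings.Count -eq 0) {
    Write-Output 'No drive-root or broadly accessible shares found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Finding a drive-root share that also lists Everyone is exactly the Microfour situation the post describes; the remediation is the one the post took (remove the share, or restrict it to a named group with Revoke-SmbShareAccess / Grant-SmbShareAccess), and re-running the script after the vendor's next dial-in tells you whether it came back.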
