This may be a bit off-topic from firewalls, but I'd like to hear other
people's opinion. We (information security) are having a minor holy war
with our internal audit folks concerning the requirement for employees using
remote access to also use encryption. We understand that there are cases
where encryption may be required. But we feel it's a matter of performing
an analysis of the risk. Wiretapping of public telephone services by
someone intent on reading your email is a possibility, but a mile-wide
asteroid might hit the planet today too. Of greater importance for the
occasional remote access user is the use of strong authentication of both
parties and specific access authorization. Now it may be a different matter
for the telecommuter, say a transcriptionist. Their exposure is greater
because they're connected longer and the data may be more sensitive. In
this case, maybe encryption is warranted.
I've done a bit of searching for instances of wiretapping on the Web and
have come up empty-handed. I've seen a lot of news stories concerning
wiretapping laws, misuse by law enforcement or government entities, and
Linda Tripp taping Monica. But I have not found an instance of someone
tapping into an established modem-connected session, then exploiting this
connection to steal data in transmission. I also see a lot of talk from
"consultants" and vendors about what a widespread issue this is. Has anyone
out there had first-hand experience with an incident?