To all concerned:
I guess this issue has been beaten pretty well in this forum, but I'll throw
in my $.02.
1. A hardware solution is almost always preferred. It eliminates
overhead on the host PC and provides some physical isolation.
2. A combination of devices decreases the potential for compromise
since the potential attack would have to use at least two exploits.
3. A dedicated client PC with no unneeded applications loaded would
allow the administrator maximum control over the security environment of the
users.
4. Although the individual client connections can be relatively secure,
the risk and potential for compromise of confidential data is greatest where
that data is greatest, the server.
If it were me, I would concentrate first on what John said. Are you HIPAA
compliant? I would not host the data on a web server unless absolutely
required. If the quantity of data transmitted is such that a modem will do
then I would set up a modem bank and store the data on a dedicated server
isolated from your web servers and use a secure method of transmission over
phone circuits. If cable or DSL bandwidth is required then a VPN
server/client would be preferred. There are tons of variations and ways to
isolate your central office network. The point is that you would probably get
much more bang for your buck concerning yourself with a solution on the
server end. If you have at least 25 client connections then the money you
would spend dedicating a server to the task would probably be well spent.
If you want to try and really secure the individual clients then this is
what it might look like. (oh yeah, as always we must ask how much $ do you
have?) If the host PCs are used by the individuals as their own home
computer to do web browsing, personal email, IRC, AOL Instant Messenger,
and any other gaping security hole application, a quick easy and relatively
inexpensive solution could be the installation of removable hard drives.
This would allow the user to continue whatever personal stuff on their own
hard drive and when they needed to conduct company business they would
install the 'company' drive and go about business only. I would do this no
matter what. You should be able to implement that for around $100 a station
(drive bays are $20 and I think a $80 hard drive would do unless you deal
with huge amounts of data.) For the cable and DSL folks, a router would
certainly be the order of the day. Most cable/DSL routers provide some level
of firewall-like control. I haven't priced them lately but I think around
$75 and up. Another hardware solution is to take some of those old clunkers
and put a couple of NICs or a NIC and a modem in it and load up something
like smoothwall or ipcop. Again this is around $100 if you can scrounge
some old 233's or whatnot.
I have talked to several folks who use Linksys cable routers, and
universally they say that it practically eliminates intrusion attempts. Some
of them had run Norton, McAfee or ZoneAlarm software and noted no hits.
You could possibly set up a cable router feeding the smoothwall/ipcop pc and
then the client PC. I have seen this setup and it does work and will pass
the ssl traffic.
jim
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED] ("Nicole Tutt"),
>[EMAIL PROTECTED]
>Subject: Re: Personal Firewalls
>Date: Fri, 12 Jul 2002 14:22:01 -0400
>
>Nicole -
>
>Although this is probably obvious, since you are dealing with medical
>patient info, whatever solution you go with you should have someone make
>sure that your solution and your resulting architecture are
>HIPAA-compliant.
>
>John
>
>
>In a message dated Fri, 12 Jul 2002 12:13:52 PM Eastern Standard Time,
>"Nicole Tutt" <[EMAIL PROTECTED]> writes:
>
> >My company has a VERY distributed user base with many people working from
>small satellite sites and/or from home. I would love suggestions for a PC
>level firewall that would protect from intrusions and also whether hardware
>v. software solutions would be best. We deal with medical records so
>privacy of the data is imperative.
> >
> >The basic case scenario is a user working from home and connecting to the
>internet via cable/dsl/dial-up via an ISP to access mail (webaccess) and
>upload or download data(via SSL to our public web server) that may contain
>patient information.
> >
> >Thanks
> >Nicole
> >
> >