To all concerned: I guess this issue has been beat pretty well in this forum, but I'll throw in my $.02.
1. A hardware solution is almost always preferred. It eliminates overhead on the host PC and provides some physical isolation.
2. A combination of devices decreases the potential for compromise since the potential attack would have to use at least two exploits.
3. A dedicated client PC with no unneeded applications loaded would allow the administrator maximum control over the security environment of the users.
4. Although the individual client connections can be relatively secure, the risk and potential for compromise of confidential data is greatest where that data is greatest: the server.

If it were me, I would concentrate first on what John said. Are you HIPAA compliant? I would not host the data on a web server unless absolutely required. If the quantity of data transmitted is such that a modem will do, then I would set up a modem bank, store the data on a dedicated server isolated from your web servers, and use a secure method of transmission over phone circuits. If cable or DSL bandwidth is required, then a VPN server/client would be preferred. There are tons of variations and ways to isolate your central office network. The point is that you would probably get much more bang for your buck concerning yourself with a solution on the server end. If you have at least 25 client connections, then the money you would spend dedicating a server to the task would probably be well spent.

If you want to try and really secure the individual clients, then this is what it might look like. (Oh yeah, as always we must ask: how much $ do you have?) If the host PCs are used by the individuals as their own home computer to do web browsing, personal email, IRC, AOL Instant Messenger, and any other gaping-security-hole application, a quick, easy and relatively inexpensive solution could be the installation of removable hard drives. This would allow the user to continue whatever personal stuff on their own hard drive, and when they needed to conduct company business they would install the 'company' drive and go about business only. I would do this no matter what. You should be able to implement that for around $100 a station (drive bays are $20 and I think an $80 hard drive would do unless you deal with huge amounts of data).

For the cable and DSL folks, a router would certainly be the order of the day. Most cable/DSL routers provide some level of firewall-like control. I haven't priced them lately but I think around $75 and up. Another hardware solution is to take some of those old clunkers and put a couple of NICs or a NIC and a modem in it and load up something like Smoothwall or IPCop. Again this is around $100 if you can scrounge some old 233's or whatnot. I have talked to several folks who use Linksys cable routers, and universally they say that it practically eliminates intrusion attempts. Some of them had run Norton, McAfee or ZoneAlarm software and noted no hits. You could possibly set up a cable router feeding the Smoothwall/IPCop PC and then the client PC. I have seen this setup and it does work and will pass the SSL traffic.

jim

>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED] ("Nicole Tutt"),
>[EMAIL PROTECTED]
>Subject: Re: Personal Firewalls
>Date: Fri, 12 Jul 2002 14:22:01 -0400
>
>Nicole -
>
>Although this is probably obvious, since you are dealing with medical
>patient info, whatever solution you go with you should have someone make
>sure that your solution and your resulting architecture are
>HIPAA-compliant.
>
>John
>
>
>In a message dated Fri, 12 Jul 2002 12:13:52 PM Eastern Standard Time,
>"Nicole Tutt" <[EMAIL PROTECTED]> writes:
>
>
>My company has a VERY distributed user base with many people working from
>small satellite sites and/or from home. I would love suggestions for a PC
>level firewall that would protect from intrusions and also whether hardware
>v. software solutions would be best. We deal with medical records so
>privacy of the data is imperative.
>
>The basic case scenario is a user working from home and connecting to the
>internet via cable/dsl/dial-up via an ISP to access mail (webaccess) and
>upload or download data (via SSL to our public web server) that may contain
>patient information.
>
>Thanks
>
>Nicole