Hi there, I will agree with James and his points of view. He has very concisely written out the options many companies have to face when trying to implement secure operations from remote areas.
1. I like the idea of VPNs connecting users; it's always been a good thing to do to secure data. VPNs are used mostly with people who have broadband routers implementing FreeBSD or Linux. I'm not so sure if some stand-alone firewalls like Linksys will allow VPN connections, however.

2. Keeping critical data, like patient data for instance, is very crucial, so you should put most of your money where you think vulnerable spots are.

3. I do think that when James said removable hard drives he meant that they would be separate implementations of an operating system, complete with the files required for work, and with encryption installed on disk. (NTFS for Win2k/XP anyone?) If you would want to implement this, then I think the best idea would be to check them out to users, and lock them in rackmount rooms, with restricted access. Drives should also be checked for changed checksums (*NIX) or changed files since last use. Any unauthorized changes should be taken caution of.

4. You should have a policy/contract with the employee on usage habits and what is expected of security (in terms of), etc. etc.

5. Firewalls (whatever you choose should be checked and automatically combed for any suspicious activity) are something like FreeBSD's PF. Good stuff.

6. I would recommend the things below, but I wanted to just add to James' ideas, which are excellent.

$0.02 change.

David

>From: "James Lee Gromoll" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: Re: Personal Firewalls
>Date: Sat, 13 Jul 2002 12:07:35 -0700
>
>To all concerned:
>
> I guess this issue has been beat pretty well in this forum, but I'll throw in my $.02.
>
> 1. A hardware solution is almost always preferred. It eliminates overhead on the host PC and provides some physical isolation.
> 2. A combination of devices decreases the potential for compromise since the potential attack would have to use at least two exploits.
> 3. A dedicated client PC with no unneeded applications loaded would allow the administrator maximum control over the security environment of the users.
> 4. Although the individual client connections can be relatively secure, the risk and potential for compromise of confidential data is greatest where that data is greatest, the server.
>
>If it were me, I would concentrate first on what John said. Are you HIPAA compliant? I would not host the data on a web server unless absolutely required. If the quantity of data transmitted is such that a modem will do then I would set up a modem bank and store the data on a dedicated server isolated from your web servers and use a secure method of transmission over phone circuits. If cable or DSL bandwidth is required then a VPN server/client would be preferred. There are tons of variations and ways to isolate your central office network. The point is that you would probably get much more bang for your buck concerning yourself with a solution on the server end. If you have at least 25 client connections then the money you would spend dedicating a server to the task would probably be well spent.
>
>If you want to try and really secure the individual clients then this is what it might look like. (Oh yeah, as always we must ask how much $ do you have?) If the host PCs are used by the individuals as their own home computer to do web browsing, personal email, IRC, AOL Instant Messenger, and any other gaping security hole application, a quick, easy and relatively inexpensive solution could be the installation of removable hard drives. This would allow the user to continue whatever personal stuff on their own hard drive and when they needed to conduct company business they would install the 'company' drive and go about business only. I would do this no matter what. You should be able to implement that for around $100 a station (drive bays are $20 and I think an $80 hard drive would do unless you deal with huge amounts of data.) For the cable and DSL folks, a router would certainly be the order of the day. Most cable/DSL routers provide some level of firewall-like control. I haven't priced them lately but I think around $75 and up. Another hardware solution is to take some of those old clunkers and put a couple of NICs or a NIC and a modem in it and load up something like smoothwall or ipcop. Again this is around $100 if you can scrounge some old 233's or whatnot.
> I have talked to several folks who use Linksys cable routers, and universally they say that it practically eliminates intrusion attempts. Some of them had run Norton, McAfee or ZoneAlarm software and noted no hits. You could possibly set up a cable router feeding the smoothwall/ipcop PC and then the client PC. I have seen this setup and it does work and will pass the SSL traffic.
>
>jim
>
>
>>From: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED] ("Nicole Tutt"), [EMAIL PROTECTED]
>>Subject: Re: Personal Firewalls
>>Date: Fri, 12 Jul 2002 14:22:01 -0400
>>
>>Nicole -
>>
>>Although this is probably obvious, since you are dealing with medical patient info, whatever solution you go with you should have someone make sure that your solution and your resulting architecture are HIPAA-compliant.
>>
>>John
>>
>>
>>In a message dated Fri, 12 Jul 2002 12:13:52 PM Eastern Standard Time, "Nicole Tutt" <[EMAIL PROTECTED]> writes:
>>
>> >My company has a VERY distributed user base with many people working from small satellite sites and/or from home. I would love suggestions for a PC level firewall that would protect from intrusions and also whether hardware v. software solutions would be best. We deal with medical records so privacy of the data is imperative.
>> >
>> >The basic case scenario is a user working from home and connecting to the internet via cable/dsl/dial-up via an ISP to access mail (webaccess) and upload or download data (via SSL to our public web server) that may contain patient information.
>> >
>> >Thanks
>> >Nicole
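Added example, not part of any post in this thread: a baseline-and-compare integrity check of the kind David's point 3 describes for the checked-out "company" drives, hashing every file on the mounted drive at check-out and reporting files added, removed or changed at check-in. The drive contents, the admin-side baseline location and the file names are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file; chunked reads keep memory flat on large drives."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links that may point off the drive
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(old, new):
    """Return sorted (added, removed, changed) relative paths between baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline at check-out, user edits one file and adds
    one, compare at check-in. The baseline is kept off the drive (admin box)."""
    with tempfile.TemporaryDirectory() as drive, tempfile.TemporaryDirectory() as admin:
        (Path(drive) / "work").mkdir()
        (Path(drive) / "work" / "report.txt").write_bytes(b"v1")
        (Path(drive) / "work" / "notes.txt").write_bytes(b"n")
        store = Path(admin) / "baseline.json"
        store.write_text(json.dumps(build_baseline(drive)))      # at check-out
        (Path(drive) / "work" / "report.txt").write_bytes(b"v2")  # user edited
        (Path(drive) / "extra.exe").write_bytes(b"?")             # user added
        return compare(json.loads(store.read_text()), build_baseline(drive))
```

Keeping the baseline on the admin side matters: a baseline stored on the drive itself could be rewritten along with the files it is meant to vouch for.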
