I concur with David's point that the systems that connect to your network need to have a minimum level of security that is in line with your policies. It is critical to verify the security of the end user's system before they connect to your network through VPN. Otherwise, any compromise of the end-user's system will quickly spread to your network. Executive are notorious for doing dangerous things like connecting wireless LANs in airports, installing insecure applications (IM and P2P), cancelling anti-virus updates, and sharing their hard drive. When you are dealing with information such as medical or financial records, if you don't protect the information the company may be liable for damages related to the improper disclosure of the information under HIPAA. The only way provide secure remote access is to use strong authentication (two-factor preferable), strong encryption, and enforce that the appropriate security measures are present on the system (host firewall, anti-virus, patches, host IDS). Anything less and your client is taking a serious risk.
Sygate has a product that does security policy enforcement for VPN called Sygate Secure Enterprise. It gives you that ability to verify that the system at the end of the VPN tunnel is running updated anti-virus, host firewall, host IDS, patches or any combination of security policies you want in place. Many of the analyst like Garnter and Meta Group consider it a necessity to have policy enforcement before deploying VPN or other types of remote access. Also, many of the major VPN vendors are integrating with Sygate to offer a secure remote access solutions (See PR links below). Hope this helps. Please let me know if you have any questions. Sygate Secure Enterprise Data Sheet http://www.sygate.com/solutions/datasheets/Sygate_Secure_Enterprise_Datashee t.pdf Sygate VPN Partner Press Releases http://www.sygate.com/news/netscreen_sygate_pr.htm http://www.sygate.com/news/nortel_spfse_rls.htm http://www.sygate.com/news/enterasys_pr032602.htm http://www.sygate.com/news/alcatel_syg_rls.htm http://www.sygate.com/news/sygate_cisco_avvid_rls.htm -----Original Message----- From: ONEILL David J [mailto:David.J.Oneill@;state.or.us] Sent: Wednesday, November 06, 2002 7:25 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Re: Secure Intranet? The only problem I see with your solution is that you are assuming that the partner on the other side of the VPN is keeping to the same level of security as your own system (at least as secure as your own.) What if the partner organization is an easy target? The VPN will allow an intruder to tunnel right past your security by piggy backing on the compromised VPN connection. David J. O'Neill NEDSS - IS7 Parkway Bldg., 2nd Floor Phone: (503) 378-2101 ext. 364 FAX: (503) 378-2102 >>> [EMAIL PROTECTED] 11/05/02 10:02AM >>> If someone has the time, resources, knowlege and ability to break into your systems, then nothing is going to be secure enough. Basically any time you make confidential data available outside your organization or even inside for that matter, you have to weigh the risks with the benefits. If the benefits out-weigh the risks then you make it as difficult as possible for anyone to get to the data you want to restrict. HTTPS could be used for this although with information as sensative as medical records, I would try something different. You can use VPN access with one time passwords and a high encryption level depending on how many need access and how much access they need. Then on your server you have to make sure that is something is compromised, you have minimized the damage that can be done. Example, you give only read access to users that don't need to write files. Etc etc. For info on one-time-passwords you can check out this site (I am not saying to go with this one, but it has information that explains its use) http://www.securecomputing.com/index.cfm?skey=643 have fun. *********** REPLY SEPARATOR *********** On 11/1/2002 at 4:58 PM Surmit Walia wrote: >If HTTPS is not secure enough, than why do banks use them? Just >wondering... > >--------------- >---> Using a https server don't seem to me secure enough, but it's the >cheapest solution.. > >I hope it helps > >Arnaud M. > >On Thu, 31 Oct 2002 19:44:57 -0800 (PST) >Alan Cooper <[EMAIL PROTECTED]> wrote: > >> I have client that would like to have its confidential >> data (medical records) available to traveling >> executives. >> >> What is the most secure way to set this up? Secure >> web site using private certificates? Go with VPN's? >> Tell the client forget the idea because there is no >> good way to secure confidential data exposed to the >> Internet? >> >> Suggestions... >> >> Thanks for your help. >> >> Al Cooper >> >> >> __________________________________________________ >> Do you Yahoo!? >> HotJobs - Search new jobs daily now >> http://hotjobs.yahoo.com/