Re: CRIME secure mail programs/internet

From: Jere Retzer (retzerj@private)
Date: Mon Dec 03 2001 - 08:58:51 PST


    This might be a good application for Windows Terminal Server or Citrix. As you suggest, keep all the data on the corporate server. You still may have the potential for the user copying and saving data or printing confidential information, but you could at least have a policy that says this is not allowed.
    
    Not strong enough in my opinion but maybe legally sufficient. John Christiansen, what do you say concerning the legal sufficiency of a policy to that effect?
    
    >>> John E Jewkes-AAA0OR <aar0mi@private> 11/30/01 08:10PM >>>
    OR, as we did at ThrustMaster (now CenterSpan Communications) when I was there, we set up two separate dial-in accounts for those folks who did work from home. One which allowed them ONLY access to the Intranet for at-home work, and one that allowed ONLY access to the Internet. All their secure information was kept on a Server at work, not in the home PC, and 'Auto-Login' was NOT allowed. For example, when dialing up for the Intranet, all their secure data was on Network Drive 'I:', but the dial-in access automatically redirected their data to Drive U:. Anyone attempting to log in using a direct link to Drive I: was assumed to be a hacker, and was locked out. It took a request via person to the IT manager, Paul, to get the connect authority reset.

    When dialing up for the Internet, all login was redirected by script to Drive W:; again, anyone trying to go directly to Drive X: would be blocked. Pretty good set-up in my opinion. (IMO)... ;-)

    Hope this info gives someone a thought.
    
    73 de John Jewkes W6HNC/AAA0OR 
    US Army MARS State Director, Oregon
    
    On Fri, 30 Nov 2001 18:33:48 -0800 jradke@private writes:
    Heidi,
     
    Strictly my opinion but take into consideration:
     
    Users VPN to corporate via the Internet so what should they be able to
    access? You want them to follow the same security policy that you have to
    protect your users at work! FREQUENTLY users connect to the Internet,
    start up their VPN tunnel to work and leave it up all day (while they also
    surf the net), all the while their home PC has a very tasty connection to
    corporate's network! What's easier to hack? A home PC running 98, ME, or
    your corporate firewall?
     
    Enforce the security policy by preventing the users from accessing the
    Internet through their local ISP connection. Most VPN solutions can set up
    the user profile to use the secured tunnel as the default gateway, not the
    Internet. This means if the user wants to access the Internet they must
    do so through the tunnel using the rules set up on your firewall. You can
    also disallow the user from accessing the Internet through the tunnel at
    all! Understand that the purpose of the tunnel is to gain access to
    network resources securely, remotely and for work purposes. If the user
    needs to access the net then they need to do it when not connected to
    corporate.
     
    In brief, do not allow users access to the Internet except through the
    corporate firewall, if at all.
     
    -JGR
    -----Original Message-----
    From: Heidi [mailto:mcps@private] 
    Sent: Friday, November 30, 2001 2:56 PM
    To: CRIME
    Subject: Re: CRIME secure mail programs/internet
    
    
    Thank you to all who have responded to my questions.  All your
    suggestions are very much appreciated and will help me greatly with
    trying to point out these security/confidentiality issues to this
    organization.  I am always open to more suggestions and recommendations. 
    Thank you. Heidi
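
The default-gateway point in jradke's message can be audited on the client. The following is an added example, not part of the original thread: it reads a routing table and reports which Internet destinations would leave outside the tunnel. The `ip -4 route show` text format, the interface names `eth0`/`tun0`, the sample tables and the probe addresses are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: split tunnel, only 10.0.0.0/8 goes through the VPN.
SPLIT = """
default via 192.168.1.1 dev eth0 metric 100
192.168.1.0/24 dev eth0 scope link
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
"""

# Constructed sample: tunnel is the effective default gateway via two /1
# routes; the /32 to the VPN server itself must stay on the local link.
FULL = """
default via 192.168.1.1 dev eth0 metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 scope link
10.8.0.0/24 dev tun0 scope link
"""

PROBES = ("8.8.8.8", "198.51.100.7")  # one address in each half of IPv4 space

def parse_routes(text):
    """Parse `ip -4 route show` style lines into (network, device, metric)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((ipaddress.ip_network(dest, strict=False), dev, metric))
    return routes

def egress(routes, dst):
    """Longest-prefix match, lowest metric breaks ties; device or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def bypasses_tunnel(routes, tunnel_dev, probes=PROBES):
    """Probe addresses that would leave by a non-tunnel interface."""
    return [p for p in probes if egress(routes, p) not in (tunnel_dev, None)]
```

An empty result from `bypasses_tunnel` means every probed Internet destination is forced through the tunnel; the probes are a sample, not an exhaustive proof.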
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:36 PDT