Re: CRIME secure mail programs/internet

From: Alan (alan@private)
Date: Mon Dec 03 2001 - 11:52:27 PST


    On Monday 03 December 2001 08:58, Jere Retzer wrote:
    > This might be a good application for Windows Terminal Server or Citrix. As
    > you suggest, keep all the data on the corporate server. You still may have
    > the potential for the user copying and saving data or printing
    > confidential information but you could at least have a policy that says
    > this is not allowed.
    
    Terminal Server and Citrix have their own problems.  (One of which is that 
    the connections are very slow if you are on a dial-up connection. You are 
    also limited to 256 colors, unless they have changed the protocols.)
    
    This also brings up another common security problem.  Incorrectly secured 
    modem banks that bypass any and all firewalls.  What good is a firewall if 
    the script kiddie can just war-dial the block of phones and find which ones 
    answer as modems.  (Programs that do this have existed for at least 15 years, 
    if not longer.) Some places spend huge amounts of money making the firewall 
    secure, but forget about the bank of dialup lines.  56k backdoor anyone?
    
    Also, how much of that information remains in temporary files and swap when 
    the user disconnects?  Interesting to find out how much confidential tidbits 
    are left on the client after you disconnect from the host.
    
    > Not strong enough in my opinion but maybe legally sufficient. John
    > Christiansen, what do you say concerning the legal sufficiency of a policy
    > to that effect?
    >
    > >>> John E Jewkes-AAA0OR <aar0mi@private> 11/30/01 08:10PM >>>
    >
    > OR, as we did at ThrustMaster (Now CenterSpan Communications) when I
    > was there, we set up two separate dial-in accounts for those folks who
    > did work from home. One which allowed them ONLY access to the Intranet for
    > at-home work, and one that allowed ONLY access to the Internet. All their
    > secure information was kept on a Server at work, not in the home PC, and
    > 'Auto-Login' was NOT allowed. For example, when dialing up for the
    > Intranet, all their secure data was on Network Drive 'I:', but the dial-in
    > access automatically redirected their data to Drive U:. Anyone attempting
    > to log in using a direct link to Drive I: was assumed to be a hacker, and
    > was locked out. It took a request in person to the IT manager, Paul, to
    > get the connect authority reset.
    >         When dialing up for the Internet, all login was redirected by
    > script to Drive W:; again, anyone trying to go directly to Drive X: would
    > be blocked. Pretty good set-up in my opinion. (IMO)... ;-)
    > hope this info gives someone a thought.
    >
    > 73 de John Jewkes W6HNC/AAA0OR
    > US Army MARS State Director, Oregon
    >
    > On Fri, 30 Nov 2001 18:33:48 -0800 jradke@private writes:
    > Heidi,
    >
    > Strictly my opinion but take into consideration:
    >
    > Users VPN to corporate via the Internet so what should they be able to
    > access? You want them to follow the same security policy that you have to
    > protect your users at work! FREQUENTLY users connect to the Internet,
    > startup their VPN tunnel to work and leave it up all day (while they also
    > surf the net) all the while their home PC has a very tasty connection to
    > corporate's network! What's easier to hack? A home PC running 98, ME, or
    > your corporate firewall?
    >
    > Enforce the security policy by preventing the users from accessing the
    > Internet through their local ISP connection. Most VPN solutions can set up
    > the user profile to use the secured tunnel as the default gateway, not the
    > Internet. This means if the user wants to access the Internet they must
    > do so through the tunnel using the rules set up on your firewall. You can
    > also disallow the user from accessing the Internet through the tunnel at
    > all! Understand that the purpose of the tunnel is to gain access to
    > network resources securely, remotely and for work purposes. If the user
    > needs to access the net then they need to do it when not connected to
    > corporate.
    >
    > In brief, do not allow users access to the Internet except through the
    > corporate firewall, if at all.
    >
    > -JGR
    > -----Original Message-----
    > From: Heidi [mailto:mcps@private]
    > Sent: Friday, November 30, 2001 2:56 PM
    > To: CRIME
    > Subject: Re: CRIME secure mail programs/internet
    >
    >
    > Thank you to all who have responded to my questions.  All your
    > suggestions are very much appreciated and will help me greatly with
    > trying to point out these security/confidentiality issues to this
    > organization.  I am always open to more suggestions and recommendations.
    > Thank you. Heidi
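
The quoted advice about making the tunnel the default gateway can be checked on the client side by looking at where a route to an arbitrary Internet address actually exits. The script below is an added example, not code from anyone on this list. It assumes `ip route`-style routing-table text and a tunnel interface named `tun0`; the three routing tables are constructed samples, including the two-halves (`0.0.0.0/1` and `128.0.0.0/1`) override that some VPN clients install instead of replacing the default route, which a naive "is the default route on tun0" check would misclassify.

```python
"""Classify a client's routing table as full-tunnel or split-tunnel.

Added example for the split-tunnelling discussion; the routing-table text is
constructed, not captured from a real host. Format assumed: `ip route` output.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[str]
    iface: str
    metric: int


# Constructed sample: default route still points at the home router (eth0),
# only the corporate 10/8 range goes through the tunnel -> split tunnel.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0 metric 50
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 scope link
"""

# Constructed sample: default route replaced by the tunnel; only the host
# route to the (constructed) VPN server endpoint 203.0.113.10 leaves via eth0.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 metric 50
203.0.113.10 via 192.168.1.1 dev eth0 metric 100
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 scope link
"""

# Constructed sample: original default route kept, but two /1 routes via the
# tunnel are more specific and therefore win longest-prefix matching.
DEF1_TUNNEL = """\
default via 192.168.1.1 dev eth0 metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 scope link
"""


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route`-style lines into Route records (unparseable lines skipped)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        gateway, iface, metric = None, None, 0
        for i, tok in enumerate(parts):
            if tok == "via":
                gateway = parts[i + 1]
            elif tok == "dev":
                iface = parts[i + 1]
            elif tok == "metric":
                metric = int(parts[i + 1])
        if iface is None:
            continue
        routes.append(Route(net, gateway, iface, metric))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric breaking ties, like the kernel does."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.dest]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


def tunnel_mode(route_text: str, tunnel_iface: str, probe: str = "198.51.100.7") -> str:
    """Return 'full' if Internet traffic exits via the tunnel, 'split' if it
    leaves via a local interface, 'none' if there is no route at all.
    The probe is a documentation-range address standing in for 'the Internet'."""
    route = lookup(parse_routes(route_text), probe)
    if route is None:
        return "none"
    return "full" if route.iface == tunnel_iface else "split"


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL), ("def1", DEF1_TUNNEL)):
        print(f"{name:>5}: {tunnel_mode(table, 'tun0')}")
```

Run on a real client, the routing table would come from `ip route` (or the platform equivalent) instead of the constructed strings; a `split` result is the condition the quoted message warns about, where the home PC is simultaneously on the Internet and inside the corporate network.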
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:36 PDT