Firewall Wizards mailing list archives

Re: Link from DMZ to Internal Apps


From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Thu, 21 Feb 2002 10:16:17 -0600

This has been a terrific thread.

I strongly agree with Carl Friedberg on the policy issue: you can't say "No" to a powerful user unless you have a
policy in place about how sensitive information must be protected and how it can be used.

Given that you're in the health care business, this must be coordinated with HIPAA requirements or some folks will find 
themselves in deep trouble someday. Simply conjure up the image of what happens to people who make accounting mistakes 
in Medicare (potential jail time) and you'll get people's attention. It's not clear to me what (if any) sanctions apply 
to HIPAA violations, but most senior staff members will appreciate how inflexible and humorless the Government is about 
rule breaking by health care organizations. Moreover, a good data leak that violates federal guidelines could leave 
them open for civil suits, and health care companies hate those.

Ron DuFresne brings up an important, related point when he points out that the organization loses control of data when 
it gets downloaded to a household PC or laptop. You probably want to limit risks by providing "thin client" access to 
the data via a Web page (process everything on the host and only deliver the results to the end user). Of course, even
that approach will leave bits of sensitive data at the endpoint. However, this might be deemed an acceptable risk.

Having flogged the application proxy horse myself for many years, I also agree with Benjamin Grubin on the subject of 
Whale, et al. Technically I can agree with my colleagues at Whale, but I've found that in practice very few sites are 
willing or able to develop and maintain an effective proxy that really reflects the details of their application. The 
more detailed (harder to create and maintain) the proxy is, the more attacks it can intercept and prevent. The less
detailed (easier to create and maintain) it is, the more attacks will slip through, regardless of what type of
strong platform you use. (Insert plug for Sidewinder's application proxies, type enforcement, etc. here.)


Rick.
smith () securecomputing com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards