Great Circle Associates Firewalls
(September 1995)
 


Subject: Re: Internet access guidelines
From: "Christopher L. Werner" <cwerner @ fh . us . bosch . com>
Date: Tue, 19 Sep 1995 12:39:48 -0400
To: "Kenneth W. Betcher" <kbetcher @ City . Winnipeg . MB . CA>
Cc: firewalls @ GreatCircle . com

At 08:42 AM 9/19/95 -0600, Kenneth W. Betcher wrote:
>My superiors and I understand the need for a good Security Policy and
>Firewall.  My question concerns Internet access by employees from
>outside the Firewall protected corporate network.  I'd like to add an
>extension to the Security Policy that recommends minimum security
>guidelines for these instances.
>
>Example:
>An employee takes home a laptop or portable PC.  The PC's disk drive
>contains corporate data not necessarily confidential but corporate data
>nonetheless.  From home the employee connects to the Internet via a
>modem through an Internet Service provider he personally subscribes to.
>
>What should we include in the guidelines as minimum security
>recommendations?


1) If you're not running Windows 95, which supports multitasking, physical
attacks to the PC without authentication are not a problem (single task - PC
to Net).

2) If your user is only communicating to sources other than the company,
only the transfer of virus plagued software via ftp need be a concern. But
you already have virus protection on all your systems :-)

3) If your user needs to telnet to the corporate firewall two things would
be advisable: (1) One-time passwords - s/key, OPIE, SecurID, etc. (2) Secure
telnet encryption - Raptor remote and others. First you *never* want the
user to use that password again - assume someone else has obtained it, and
second - once connected you really don't want someone to spoof the
connection and read all the data without you knowing it (especially if it's
a corporate database).

4) If your user needs to read his e-mail you should use APOP or another
authentication method which allows one-time passwords to authenticate to the
POP server (or firewall as with Pine).

In summary - Protect the data on the PC, protect the access to the firewall
(pw), and protect the data being passed between. 

I'm happy you begin by stating that the user is using a company PC, how
often have the users wondered if their *personal private* PC could get at
the corporate data! Have fun! :-)

--------------------------------------------------------------------
     Opinions expressed are mine and not those of my employer.
--------------------------------------------------------------------
Christopher L. Werner                Robert Bosch Corporation
System Engineer                      38000 Hills Tech Dr.
(810)553-1389                        Farmington Hills, MI 48331-3417
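
Added example, not part of the original message: a sketch of the hash-chain one-time password scheme behind S/Key and OPIE, showing why a password captured on the wire is rejected when it is presented a second time. The names otp, Verifier and demo, the sample secret and seed, and the use of SHA-256 in place of the hash the real systems use are assumptions made for illustration.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash used by real S/Key and OPIE.
    return hashlib.sha256(data).digest()


def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Client side: apply the hash n times to seed || secret."""
    value = seed + secret
    for _ in range(n):
        value = _h(value)
    return value


class Verifier:
    """Server side: keeps only the last accepted value, never the secret."""

    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        # The client must answer with chain value number count - 1.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # chain used up, the user has to re-initialise
        # Hashing the response once must give the value accepted last time.
        if not hmac.compare_digest(_h(response), self.last):
            return False
        self.last = response  # this response can never be accepted again
        self.count -= 1
        return True


def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"  # constructed samples
    server = Verifier(seed, 100, otp(secret, seed, 100))
    n1, s1 = server.challenge()
    captured = otp(secret, s1, n1)     # what crosses an unencrypted session
    first = server.verify(captured)    # legitimate login
    replay = server.verify(captured)   # same value presented again
    n2, s2 = server.challenge()
    second = server.verify(otp(secret, s2, n2))  # next legitimate login
    return first, replay, second, n1, n2
```

The one-time password only protects the login; the data sent after it is still readable on an unencrypted session, which is the reason for the second recommendation in item 3.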


