Great Circle Associates Firewalls
(November 1995)
 


Subject: Re: Web server / SecurID
From: frankw @ in . net (Frank Willoughby)
Date: Sat, 11 Nov 95 08:57:10 -0500
To: firewalls @ GreatCircle . com

>
>I was asked if it's possible to use SecurID to control access
>to a web server ... i.e. to provide very limited access to
>the information presented on a server.
>

Yes it is possible.  Will the Web Server have access to the Internet?
(Some companies use a Web Server as a means of distributing internal
information).

The Internet poses a particularly high security risk.  Relying on
authentication tools (only) for protection is asking for trouble.

The use of SecurID, Skey, etc. for dialup lines may be OK in some 
situations, but I wouldn't recommend it for access from the Internet 
as they can be pretty easily bypassed.

If you are going to use this to restrict internal users (only)
from using the web server (which has no Internet access) to
provide regular info updates to the users, then this might be 
deemed an acceptable risk.  

Of course, the above also depends on the type and value of the 
info you are trying to protect.


>In a way I think this doesn't make sense because by its very nature
>a web server isn't secure anyway.  It'd be like putting a deadbolt on
>the front door but leaving the windows unlocked.
>
>On the other hand, if the server is behind a firewall which provides
>very limited access, .... maybe it would be useful..

Putting the server behind your firewall (ie - on your internal network) 
would put your lan/wan at risk.  I would recommend putting the server 
in front between the router (on the Internet side) and the firewall  

                         or

(preferably) ensure that the firewall is an applications gateway and
has the ability to subnet and then put the server on the subnet.


>
>What do you think?  And what do you think about the actual implementation?
>Is it doable?

Doable, sure.  Whether you want to or not really depends on the problem 
you are trying to solve & the type, value & sensitivity of the info you 
are trying to protect.


>
>Thanks in advance,
>Bill
>
>
>-- 
> Bill Heiser   heiser @ world . std . com
>
>
>
>

Best Regards,


Frank
http://www.fortified.com/fortified

