Here is an answer supplied by Frederic Dahm of Lotus, who helps us out from
time to time. I hope your family and friends are all OK.
Chuck Connell
I read this, and the comment that I can make is that whether something
affords enough security or not is entirely predicated on the Security
Policy.
Simply put, the Security Policy outlines two basic things. First, a
statement of sensitivity that will outline the sensitivity of the
information processed by the information systems (which would point out which
information requires protection), including the costs of
disclosure/corruption/destruction of this information. Second, a threat and
risk assessment that will outline in what manner this information could
potentially be compromised and the possible attacks. The security policy is
something that should be supported and signed off by upper management.
This said, to convince their managers, they only have to provide them with
the company's security policy.
Specifically to the questions asked:
1) Depending on the security policy, I think that SSL is secure enough.
SSL's security varies depending on whether you are implementing client certificates or not. If
client certificates are not used, then its security is lessened, because
only the server's identity is really accounted for and not the user's. SSL
with client certificate is only slightly less secure than server-side SSL
with a SecurID token (used in conjunction with RSA Security's ACE/Server
for Domino). The extra gain in security comes from the fact that with the
SecurID token you are engaging in multifactor authentication, which is
basically the need to provide two sets of credentials: user ID/password and
the SecurID passcode. This makes it more secure, since it is based on a
time-critical shared secret between the client and the server.
Case in point: Royal Bank believes that SSL plus a special ID and password
are enough to secure the access to my financial information from the
Internet. I would tend to agree with that, since all that one can do is
transfer money from one account to another and check balances. So the risk
is not high (the main risk here is the disclosure of financial information)
and consequently, the security is in proportion. Credit Suisse, however,
permits me to do more and thus, they have sent me (free of charge) a
SecurID token to use when logging on to their systems. I can perform
transfers to other bank accounts (at Credit Suisse or not) while logged
in and thus, since the risk is greater, so are the defenses.
2) Authentication will not prevent viruses from being sent inbound to the
organization. What is being done is better authentication coupled with
session encryption. Given the nature of a mail virus, it can bypass both.
3) I don't have much in terms of details regarding their firewall
infrastructure. It seems to me, off the cuff like this, that a good
implementation would be to let WebMail traffic through the outside boundary
firewall to a Reverse Proxy server in the DMZ (this would protect the
Reverse Proxy Server to a certain degree). The WebMail server would then be
inside the corporate network. Aside from that, I would refer to the Security
Policy to better define what security services to apply in this new
configuration.
There are also other solutions, such as VPNs and a passthru server for Notes
clients. Again, this is determined by the Security Policy and the services
they want to provide to their user population needing access to data
outside the corporate network.
Cheers,
Frederic.
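The risk-tiered authentication Frederic describes in point 1 (password-only access for low-risk actions, password plus a time-critical passcode for external transfers), as an added example that is not part of the original exchange. SecurID's own algorithm is proprietary, so the token here is modelled with a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits); the action names, assurance levels, user name, policy table and test secret are assumptions made for the illustration.

```python
# Added example (not from the original post): password + time-based-token
# step-up gate in the spirit of the Royal Bank / Credit Suisse comparison.
# SecurID's algorithm is proprietary, so the token is a standard RFC 6238
# TOTP. Action names, assurance levels and the secret are assumptions.
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# Assurance levels: what the session has proven so far.
LEVEL_PASSWORD = 1          # user ID/password over SSL
LEVEL_PASSWORD_TOKEN = 2    # password plus a fresh time-based passcode

# Hypothetical policy table: read-only and in-house transfers need only a
# password; transfers that leave the bank need the second factor.
REQUIRED_LEVEL = {
    "view_balance": LEVEL_PASSWORD,
    "transfer_between_own_accounts": LEVEL_PASSWORD,
    "transfer_external": LEVEL_PASSWORD_TOKEN,
}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (clock drift). Constant-time comparison avoids leaking a prefix match."""
    counter = int(unix_time) // STEP_SECONDS
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return ok


class Session:
    """A logged-in session; starts at password-only assurance."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.level = LEVEL_PASSWORD
        self.used_codes: set = set()   # a passcode may be spent only once

    def step_up(self, token_secret: bytes, code: str, unix_time: int) -> bool:
        """Raise assurance to password+token if the passcode is valid and unused."""
        if code in self.used_codes or not verify_totp(token_secret, code, unix_time):
            return False
        self.used_codes.add(code)
        self.level = LEVEL_PASSWORD_TOKEN
        return True

    def authorize(self, action: str) -> bool:
        """Allow `action` only if the session's assurance meets the policy;
        actions not in the policy table are denied (default deny)."""
        required = REQUIRED_LEVEL.get(action)
        if required is None:
            return False
        return self.level >= required


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; at unix time 59 the
    # 6-digit code is 287082.
    secret = b"12345678901234567890"
    s = Session("alice")
    print("balance:", s.authorize("view_balance"))                  # True
    print("external transfer:", s.authorize("transfer_external"))   # False
    print("step-up:", s.step_up(secret, totp(secret, 59), 59))      # True
    print("external transfer:", s.authorize("transfer_external"))   # True
```

The point of the table is the one Frederic makes: the assurance a session must reach is a function of what the action can do, so a balance enquiry proceeds on the password alone while an external transfer is refused until a fresh passcode has been presented, and a passcode already spent is refused again.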