


My comments in line preceded with +

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





"Jones, John (US)" <John.Jones@xxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
12/16/2004 09:49 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc

Subject
RE: Security Products - Firewall






Comments inline.

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787  F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx] 
Sent: Thursday, December 16, 2004 8:01 AM
To: Midrange Systems Technical Discussion
Subject: Re: Security Products - Firewall

1 - We don't use Outlook.  We use Notes and Domino.

If done properly, Outlook & Exchange can be secured "well enough".

2 - We use Cisco routers and firewalls and have sent our technicians off
to extensive training on them.

We use both PIX & Checkpoint; one at either side of the DMZ.

3 - We have an exit point package, but have written some of our own
also.

Don't have yet.

4 - We are looking at SSO

We do this for some apps and are consolidating others into it.  I think
you should be cautious about what gets an SSO implementation and also,
more importantly, what requires a re-authentication and what takes the
existing authentication; i.e. once I'm logged on your PC, can I just hit
the browser and go straight to my HR data or do I have to authenticate
again?

5 - We have exhaustive documentation on how we believe users should be
set up in Windows, Notes and the iSeries.

We have roles and all accounts are assigned to the appropriate role for
the user.

6 - We have a formal Domino based workflow database for approval of new
user requests, request for access to certain areas, etc.

Do you have the same for when employees leave?  How about temporary IDs
for temps, consultants, etc.?  We have a single email box that a manager
sends a message to.  That single message will trigger the appropriate
action on all IT systems from HR to LAN/Active Directory to midrange,
etc.

+ The payroll files are synced with a Notes database via LEI.  Changes 
such as terminations are flagged to our security officer.  She determines 
appropriate actions.  Commonly this may entail disabling some accounts. 
After x number of days they are deleted.  This gives us some time to clone 
the old user to the replacement.

7 - We have made extensive use of Authorization lists, etc. to secure
each division's data.  However we have not adopted "Application Only
Access".

We're using the business unit security within JDE.  Ditto on the app
only access although I would like to get there in 2005.

8 - We have formal documentation of how employees should treat data
processing resources.

Do employees sign off on this?  We make ours sign off at hire and every
year.  We also do a monthly communication focusing on some task of IT
usage like password policies, etc.  It's also on our intranet.

+ Working on changing our intranet to WAS Portal.  But that's a good idea 
for the announcement section.  Don't recall periodic sign-offs.  But I 
seem to recall an initial sign-off.

9 - We have our email scanned by Sprint's Messaging Labs.  And also use
Trend Micro's Scan Mail for Lotus Notes.

I forget the vendors beyond BrightMail (now part of Symantec) but we're
doing 5 layers of email filtering to trap spyware & viruses.  We also
block certain attachments.

+ Defense in depth is not a bad idea.  Had some this week (Merry 
Christmas) get by Message Labs but stopped by Trend.  And that was greater 
than 24 hours.

10 - All PCs have virus protection.

How are sigs kept current?

+ Pattern files are controlled via multiple updates per day.  I am 
thinking of changing our Notes from x times per day to one program 
document executed every 60 minutes.  Pattern files really update often. 
We've received multiple updates per day.  Only fools update once a week or 
less.  Daily is even too slow.

11 - We use a pass card on the computer room.

Is the authorization list reviewed periodically?  Not only for who can
access but for who has?

+ Possible security hole.  The history of who accesses is a dot matrix 
printer in the computer room.  Once you access, you could rip the report 
off.  Not sure if there is a way to print off the stored history - if any. 
Not sure how often the security officer reviews the list of who has 
access.  Limited to systems department and the department isn't that huge.

12 - We make use of several of the system values to restrict passwords. 
Must balance that one with tempting users to write it on a Post-it note
stuck to their computer.

Ditto.

13 - We have contracted with IBM to perform benevolent hacking and they
are in that process now.
and the list goes on.

We use FoundStone.  As a service provider, we also allow our clients to
conduct non-destructive pen tests against the systems & WAN segments
their data is on.


Do you have a security incident reporting mechanism and an incident
response team?

+ No.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
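The deprovisioning flow Rob describes under point 6 (payroll changes flagged as terminations, accounts disabled, then deleted after x days) and John's question under point 11 (reviewing not just who can access but who does) both come down to reconciling an authoritative list against the accounts that actually exist. The script below is an added example, not code from either poster or from Group Dekko; the CSV payroll extract, the employee ids and the system labels ("AD", "iSeries", "Notes") are constructed, the LEI-to-Notes sync is replaced by a plain CSV read, and the retention window is a parameter rather than the unstated "x" from the thread.

```python
"""Payroll-driven account lifecycle: terminate -> disable -> delete after retention.

Added example for the MIDRANGE-L thread above; all data below is constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed stand-in for the payroll extract (the real one arrived via LEI).
PAYROLL_FEED = """employee_id,name,status,status_date
1001,A. Example,ACTIVE,2004-01-05
1002,B. Example,TERMINATED,2004-12-10
1003,C. Example,TERMINATED,2004-11-01
"""


@dataclass
class Account:
    employee_id: str
    system: str                       # constructed labels: "AD", "iSeries", "Notes"
    state: str = "active"             # active -> disabled -> deleted
    disabled_on: Optional[date] = None


def parse_feed(text: str) -> dict:
    """Index the payroll extract by employee id."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(feed: dict, accounts: list, today: date, retention_days: int) -> list:
    """Apply the lifecycle rules to every account and return the audit actions taken.

    - payroll says TERMINATED and the account is still active -> disable it
      (data stays available so the replacement can be cloned from it)
    - disabled for at least retention_days                    -> delete it
    - no payroll record at all                                -> flag for review
      (an account nobody in HR vouches for is exactly what a periodic
      "who has access" review should surface)
    """
    actions = []
    for acct in accounts:
        if acct.state == "deleted":
            continue
        row = feed.get(acct.employee_id)
        if row is None:
            actions.append(("review_orphan", acct.employee_id, acct.system))
            continue
        if row["status"] == "TERMINATED" and acct.state == "active":
            acct.state = "disabled"
            # Retention clock starts at the termination date recorded in payroll.
            acct.disabled_on = date.fromisoformat(row["status_date"])
            actions.append(("disable", acct.employee_id, acct.system))
        if (acct.state == "disabled" and acct.disabled_on is not None
                and today - acct.disabled_on >= timedelta(days=retention_days)):
            acct.state = "deleted"
            actions.append(("delete", acct.employee_id, acct.system))
    return actions


def run_demo(today: date = date(2004, 12, 16), retention_days: int = 30) -> list:
    """Run one reconciliation pass over a constructed account inventory."""
    accounts = [
        Account("1001", "AD"),
        Account("1002", "AD"),
        Account("1003", "iSeries"),
        Account("1004", "Notes"),   # no payroll row at all: an orphan to review
    ]
    return reconcile(parse_feed(PAYROLL_FEED), accounts, today, retention_days)


if __name__ == "__main__":
    for action in run_demo():
        print(*action)
```

With a 30-day window and a run date of 2004-12-16, employee 1002 is disabled but kept, employee 1003 (terminated 45 days earlier) is disabled and then deleted in the same pass, and the Notes account with no payroll record is flagged rather than touched automatically, since a missing HR row is as likely to be a feed problem as a real orphan.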


