Thanks for this handy guide. Some of this we’re
already doing (the VNC stuff, the antivirus, keeping
automatically updated with Microsoft patches), some
seem like a no-brainer (I’m going to look into
limiting to outbound access with the firewall), but I
have a couple of questions.
First, the email server. Seems like an excellent idea,
and I can see how it is more secure than what we’re
setting up, but what do you think is the realistic
security threat to a small medical practice if we are
using Exchange in our main server with the McAfee spam
filtering and email mal-ware/virus protection? The
idea of the second box for mail is very appealing, and
it’s not the hardware expense I’m worried about but
rather the IT setup/maintenance expense.
Second, and I’ll show my total cluelessness here,
what’s so bad about using internet based mail? I was
under the (apparently mistaken) impression that
leaving all that mail on an internet server rather
than my local network, and being extremely careful to
only download attachments from 100% known sources, was
Third. I know you’re not satisfied with our solutions,
but I was curious what you thought about the way Greg
and I and I’m sure others are handling our wireless
network security? In other words, changing the default
network naming and password to keep out the 30 second
hacks, but sticking with 128 bit WEP as our main
security. This is in a single location small office.
If it would take about a week’s worth of traffic to
break that encryption, aren’t we worlds safer than we
were with paper charts, where a crowbar and 60 seconds
have always been all that’s required to hack the
security in the past?
Thanks for your participation. It’s amazing what a
variety of useful stuff I’ve gotten from this list.
--- “Robinson, Eric” <firstname.lastname@example.org> wrote:
> Hi Group,
> For several years I was the chief network analyst
> for the State of
> Nevada Dept. of Transportation. I was responsible
> for various aspects of
> network and server security for our 1000-node
> statewide WAN, but mostly
> for issues related to our perimeter (firewall and
> DMZs), VPN, and
> intrusion detection.
> It is possible to have tight, smart security without
> great expense or
> burdensome infrastructure. Here at PSM, we now have
> eCW securely
> deployed to 9 geographically diverse sites in
> Northern Nevada. eCW has
> inherent security vulnerabilities, but they can be
> mitigated by a strong
> perimeter and wise practices.
> It is not necessary to open ANY inbound ports in
> your firewall or
> perimeter router.
> 1. When you install VNC, make sure to install ONLY
> the server portion,
> not the viewer or documentation. Do NOT allow it
> to register as a system
> service or load at startup.
> 2. Select “Launch VNC Server.” On the initial setup
> screen, give it a
> strong password and uncheck the option to listen for
> socket connections.
> 3. Configure your firewall to allow only HTTP and
> HTTPS outbound for all
> users to any address, and FTP for only certain
> critical users. This may
> annoy gamers, chatters, and video watchers. If you
> have the authority to
> do so, tell them it is a HIPAA requirement. (It is,
> if you kind of
> squint.) Allow outbound TCP ports 6000-9999 from any
> inside address to
> each of the five Class C subnets that eCW
> technicians use. They are:
> 4. When an eCW technician needs into your computer,
> select Launch VNC
> Server. This puts the VNC icon in your system tray.
> Right-click the icon
> and say “Add New Client.” Enter the IP address the
> technician gives you.
> Voila! Now they are controlling the machine, but you
> initiated the
> connection. There is no vulnerability or “listening
> port” that people
> can see from the outside.
> 5. When the session is over, the technician will end
> the VNC session.
> Since the machine does not have a socket listening,
> nobody else can
> connect to the machine, even if you forget to exit
> 6. Do NOT use VNC for your own remote control
> purposes within your
> organization. Use the DameWare Mini Remote Control
> tool, which is more
> secure, easier to use, and ever-so-slightly more
> expensive than free.
> (You don’t have to license it for all of your
> computers. Buy one copy
> for about $100.00 and you can use it to support an
> unlimited number of
> desktops.) This point goes to ease of administration
> and support, not
> strictly to security. I often use a DameWare remote
> control session to
> start VNC and give eCW access. DameWare e-mails me
> whenever someone
> attempts to control a PC. Very cool.
> 7. The above steps will secure your perimeter pretty
> well. However, the
> ABSOLUTE BEST STEP YOU CAN TAKE TO SECURE YOUR
> NETWORK after correctly
> configuring your firewall is to:
> A. Install your own e-mail server in a
> DMZ, and install a
> malware scanner on that server. A malware scanner
> strips such things as
> worms and other dangerous file attachments from
> e-mail messages. A
> tech-savvy person can set up an adequate linux
> server running postfix,
> spamassassin, and anomy sanitizer for under $150.00.
> Our DMZ mail server
> is a Dell 450MHz Optiplex purchased on eBay for
> $95.00. (We have a
> dual-processor Dell running Microsoft Exchange
> server inside the
> firewall, but such is not strictly necessary.) If
> you’re not a linux
> fan, you can still do the same thing with a Windows
> server for under
> B. Block access to web-based e-mail
> services such as Yahoo
> Mail, Hotmail, Juno, etc.
> 8. Make sure any Windows NT, 2000, or XP machines
> are set to
> automatically download and apply security patches
> from Microsoft.com.
> 9. Make everybody store their shared files on an
> actual file server.
> Turn off file shares on all other machines.
> 10. And of course, keep your antivirus scanner
> updated on all machines.
> Follow these 10 simple steps and you will be almost
> 100% safe from the
> sort of hackers who scan the Internet looking for
> targets of
> opportunity. (In 6 years of operation, we have not
> had a single
> intrusion incident or virus outbreak.) The remaining
> issues with regard
> to weak eCW passwords and unencrypted data are much
> less worrisome, and
> will be addressed in due time.
> Eric Robinson
> Director of Information Technology
> Physician Select Management
=== message truncated ===
C R A I G B R A D L E Y , M D
f a m i l y m e d i c i n e , i n c l u d i n g o b s t e t r i c s
w e b l o g : http://www.drbradley.com/blog
p a t i e n t s i t e : http://www.drbradley.com
N A C O G D O C H E S
T E X A S
+ > i < j o h n 3 : 3 0
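The egress policy Eric describes in step 3 (HTTP and HTTPS outbound for everyone, FTP for a few designated hosts, TCP 6000-9999 only toward the eCW support subnets, nothing inbound) is easy to get subtly wrong when it is typed into a firewall by hand. Below is an added example, not code from the original thread, that models that policy as a small checker and renders the same rules as iptables commands for a Linux gateway. The quoted post omits the five eCW support subnets, so the ones below are placeholders from the RFC 5737 documentation ranges; the LAN range and the FTP-privileged host are likewise assumptions for illustration.

```python
"""Egress-policy model for the firewall rules described in step 3.

Added example, not part of the original post. The eCW support subnets,
the LAN range and the FTP-privileged host are placeholders (assumptions)
and must be replaced with the real values before use.
"""
import ipaddress
from dataclasses import dataclass

# Assumptions: internal LAN and the hosts allowed to use FTP.
LAN = ipaddress.ip_network("10.0.0.0/24")
FTP_ALLOWED_HOSTS = {ipaddress.ip_address("10.0.0.10")}

# Placeholder eCW support subnets (RFC 5737 documentation ranges), since the
# quoted post does not list the real ones.
ECW_SUPPORT_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass(frozen=True)
class Flow:
    """One new outbound connection attempt seen at the perimeter."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def egress_allowed(flow: Flow) -> bool:
    """Return True if the new outbound flow matches an allow rule.

    Everything not explicitly allowed is denied, which is what makes
    'no listening port' and 'no direct SMTP from workstations' hold.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in LAN or flow.proto != "tcp":
        return False
    # Rule 1: HTTP/HTTPS from any inside host to any address.
    if flow.dport in (80, 443):
        return True
    # Rule 2: FTP control channel only from designated critical hosts.
    if flow.dport == 21 and src in FTP_ALLOWED_HOSTS:
        return True
    # Rule 3: VNC reverse-connection range, only toward eCW support subnets.
    if 6000 <= flow.dport <= 9999 and any(dst in net for net in ECW_SUPPORT_SUBNETS):
        return True
    return False


def render_iptables() -> list[str]:
    """Render the same policy as iptables FORWARD-chain rules for a Linux gateway."""
    rules = [
        "iptables -P FORWARD DROP",
        # Reply traffic for connections the inside initiated (this is what lets
        # the technician's VNC viewer talk back over the outbound session).
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {LAN} -p tcp -m multiport --dports 80,443 -j ACCEPT",
    ]
    for host in sorted(FTP_ALLOWED_HOSTS):
        rules.append(f"iptables -A FORWARD -s {host} -p tcp --dport 21 -j ACCEPT")
    for net in ECW_SUPPORT_SUBNETS:
        rules.append(
            f"iptables -A FORWARD -s {LAN} -d {net} -p tcp --dport 6000:9999 -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample flows: web browsing, a VNC reverse connection to
    # support, and a workstation trying to send mail directly.
    for f in (Flow("10.0.0.5", "198.51.100.7", "tcp", 443),
              Flow("10.0.0.5", "192.0.2.40", "tcp", 7000),
              Flow("10.0.0.5", "198.51.100.7", "tcp", 25)):
        print(f, "ALLOW" if egress_allowed(f) else "DENY")
    print("\n".join(render_iptables()))
```

The checker is only a model of the rules, not a firewall; its value is that the same policy can be reviewed and unit-tested before it is applied. Note that the eCW range is allowed only to the support subnets, so a workstation cannot be talked into connecting to an arbitrary outside VNC viewer, and that FTP in active mode still depends on the gateway tracking the related data channel.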