[WEB4LIB] Re: Does Your Library Use SSL to Protect Patron Data?

Chris Deweese chrisd at lcls.org
Tue Apr 10 10:12:54 EDT 2001


Server security isn't the only issue; you can have the most secure server you want.  But if your workstations aren't secure or if you have attachment-happy employees who will open anything from NetBus to Back Orifice, then guess what?  So much for secure servers.  While servers are the target, most hackers won't bother attacking a network's server if they can find a weak workstation to put a trojan on, and then they can compromise the server by sniffing passwords on the workstation or just using the workstation's mapped network shares or finding password files.  Also, if someone is sniffing a network they have to be doing it from that network's "side." For instance, I can't go home and sniff my library system's network from my cable modem.  I need a router or a workstation or a server that I compromised on the system's network to do the sniffing.  So if someone is sniffing, they are sniffing from inside your network and it's being transmitted to them.
Internet security is very broad and in its most strict depths requires more work than just making sure you have service packs and patches installed.
SSL and encrypted telnet (SSH) are great tools to use to protect information.  They are only as good as the password used to decrypt and also that the private key is hidden from anyone.  While SSH can be found in free forms under the GNU public license, SSL is definitely on the expensive side.
But I believe the points presented are that it takes more than just SSL to keep things more secure than they would be without it.

Chris Deweese
Webmaster
Lewis & Clark Library System
(http://www.lcls.lib.il.us/)


