[log in to unmask],Net wrote at 14:57 on 29/11/98
about "RE: Info please, ISDN ensures strong authentication?":
-----------------------------
>> It is just my ignorance showing,
I thought it probably was...
>The PSTN dial up uses the SecurID card and can be done from anywhere.
And if one takes a laptop into another surgery, as I did last week
on LMC business, and connects from their ISDN line... does it use
the card, or ...
>The ISDN connection uses two levels of security, CLI (caller line
>identification) and CHAPS, Challenge Handshake Authentication
>Protocol.
OK, CLI is available on PSTN as well.
CHAPS is used by my ISP, on a modem connection over PSTN.
>CLI firstly checks the ID of the calling line, the phone number it is
>coming from just as the boxes you can get at home do.
What happens if one is using a surgery line with the CLI withheld?
Presumably the security trips out.
One of the interesting features of ISDN is the ability to use say 6
lines as variably ISDN1 64k data + ISDN5 voice, up to ISDN6 data
(enough to run System 6000 over, reportedly)
Now, most surgeries I understand run with CLI withheld on voice out
lines, so that patients will only call in on the main line...
Are we about to lose that bit of operational convenience if we use
our lines for voice and data in an integrated and flexible fashion?
_Not_ a massive problem, but one to think about.
>CHAPS then goes through a handshaking procedure with an exchange of
>identification like fax machines do (the number called
>appears on your fax), which can involve an exchange of passwords. This
>is a standard protocol and could be made even more secure by a
>dial back procedure. There is no reason why you could not use this
>with PSTN as long as you were calling from the same phone all
>the time.
So, what I get from this so far, is that the assumption is made that
whoever is calling from a known line is the Right Person, whereas if
you want to roam you need a roaming security device (seems fair to
me, except that I would have thought it sensible to have a variant
as software suitable to run on laptops, cheaper and less loseable
than the cards.)
But also, that there is nothing at all in this to stop connections
to GP Net by GPs at home, merely by making their home number one of
the accepted phone numbers for their password - assuming the
administration of GPNet is up to the possibility of a GP having
several lines and I don't see why it shouldn't be.
So, since GPs will be connecting from home, and the HA office of the
Chairman of the Board, and so on, we do need to ensure the security
and provision arrangements include all those with a need for
internet access and who are domiciled with GPs.
The questions of girl/boyfriends and visiting students from
overseas are left as teasers for the observers.
--- OffRoad 1.9r registered to Adrian Midgley
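
Added example, not part of the original message: a sketch of the two checks discussed in this thread, a per-user list of accepted calling lines (allowing several lines per GP, with withheld CLI rejected) followed by a CHAP challenge-response as defined in RFC 1994 with MD5. The user name, secret, phone numbers and the `admit` function are constructed for illustration and do not describe how GPNet is actually configured.

```python
import hashlib
import hmac
import os

# Constructed sample data: user name, secret and phone numbers are made up.
USERS = {
    "dr_example": {
        "secret": b"constructed-shared-secret",
        # Several accepted lines for one user, e.g. surgery and home.
        "lines": {"01632960001", "01632960002"},
    },
}


def new_challenge():
    """Server side: fresh one-octet identifier and random challenge per attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5 over identifier octet, shared secret, challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def admit(user, cli, identifier, challenge, response):
    """Apply the line check first, then CHAP. cli is None when CLI is withheld."""
    account = USERS.get(user)
    if account is None:
        return "reject: unknown user"
    if cli is None:
        return "reject: CLI withheld"
    if cli not in account["lines"]:
        return "reject: line not registered"
    expected = chap_response(identifier, account["secret"], challenge)
    # Constant-time comparison of the expected and received hash.
    if not hmac.compare_digest(expected, response):
        return "reject: CHAP failed"
    return "accept"


if __name__ == "__main__":
    ident, chal = new_challenge()
    resp = chap_response(ident, USERS["dr_example"]["secret"], chal)
    print(admit("dr_example", "01632960002", ident, chal, resp))
    print(admit("dr_example", None, ident, chal, resp))
```

The line check only establishes which line is calling; anyone with access to a registered line and the shared secret passes both checks, which is the assumption the message above points out.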