Computerworld - One of my duties as the information security manager is to approve firewall change requests. With 17 firewalls throughout the world, reviewing such requests can take a lot of my time. I don't mind that, though, since that process makes me aware of some of the business functions within the company. For example, it was through the change-request process that I was made aware that we are required to report to the U.S. Customs Service information about the shipment of goods.
As I've mentioned, we manufacture hardware used in the manufacturing of semiconductors. We're required to notify the government just about every time we ship equipment to a foreign country.
We use SAP software to process our sales orders. It includes a U.S. Customs Management module to facilitate the printing of the required documents, and a more automated procedure, the Automated Export System (AES), for sending transit declarations electronically. We use AES, and that's the reason for this most recent change request.
Currently, we are using a dial-up connection to a U.S. Customs server hosted by a third party, since the Customs Service doesn't have the resources to host this reporting infrastructure. I learned about all of this when one day I reviewed a change request to open up our firewall to allow one of our SAP servers to establish a virtual private network (VPN) connection to an external server; the SAP server is located on our internal, protected network. I asked why one of our critical servers needed to make an outbound connection, and the engineer making the request explained that the Customs Service is discontinuing support of the dial- up method for transferring shipping information. Instead, we will need to use a VPN tunnel to transfer the required information.
After several rounds of e-mail messages with the engineer, I called a short meeting so that I could fully understand the requirement. (I do this often, whenever the e-mail thread for a particular topic amounts to a small novel.) I was thinking that if the only purpose of the VPN is to transfer information regarding shipments, then why couldn't we make a connection just once per day? I also wanted to know a little more about this VPN client.
I got my answers, and they made me uncomfortable. As it turns out, we will need to make a connection every half hour for 15 minutes. In addition, there is return traffic from the U.S. Customs server, which transmits acknowledgment reports back to us.
Troubling Implications
I didn't like the
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
