Mason,

> This method will also have to meet HIPAA (Health
> Insurance Portability and Accountability Act) security and encryption
> regulations. I would prefer this method to be e-mail based but we
> could live with FTP.

While encrypting either plaintext e-mail or FTP traffic may bring you in compliance with the "letter" of HIPAA regulations, it likely doesn't bring you in compliance with the intent of HIPAA. The fact of the matter is that regular old e-mail and FTP are insecure. Plain text e-mail has no authentication for either the sender or receiver, offers no integrity, and no confidentiality. FTP offers no authentication for the receiver, (essentially) no authentication for the sender, no integrity, and no confidentiality. Wrapping either e-mail or FTP in a VPN doesn't guarantee that the messages themselves are genuine, intact, and private from end-to-end.

If you plan to use an e-mail-based solution, I suggest encrypting all messages using either S/MIME or PGP. This will give you strong, mutual authentication/identification, message integrity, and confidentiality. No VPN is required in this case, but it can certainly be used as an additional layer of security if you like.

If you want to use an FTP-based solution, I suggest you NOT use FTP and instead use SCP (Secure Copy Protocol, part of the Secure Shell package). SCP can be configured to support strong, mutual authentication using RSA or DSA public keys, and offers confidentiality and integrity of the transmitted data. SCP is, essentially, a point-to-point VPN for copying files.

Given that I'm a paid security paranoid, I'd probably be inclined to encrypt the data using PGP first, and then use SCP to move the data to its destination. In this way, the data is protected while sitting on the servers, in transit, and the servers themselves are protected (if appropriately configured) from unauthorized users accessing the encrypted files remotely.

That said...

> I currently have GB Pro and am considering moving up to GB-Flash
> for the VPN capability. However, I could also use NT's PPTP VPN with
> encryption which I believe uses 128-bit encryption. My questions are:

I believe that the GB Pro does support manually-keyed IPSec VPNs. If manual keying is acceptable, then you don't need to upgrade.

> 1) Which do all of you prefer and why?

My recommendations are above. If you must use a VPN, avoid PPTP at all costs. Use IPSec with at least 3DES (not DES -- single DES is not secure) or stronger encryption and strong, random keys that make full use of the ASCII character set.

> 2) Do you trust MS PPTP (is it really secure)?

No, I don't trust PPTP and it is not as secure as IPSec. If you must use PPTP, be sure to use PPTPv2 as the original version had significant security issues. See http://www.counterpane.com/pptp-paper.html and http://www.counterpane.com/pptpv2-paper.html for additional information on the flaws in PPTP.

> 3) What encryption level does GnatBox use for VPN?

There are multiple choices of encryption algorithms, including none and single DES, neither of which should be used. Regardless of the algorithm chosen, be sure to use a strong key. Weak, guessable keys will undermine even the strongest encryption.

> 4) Will either of these methods meet HIPAA requirements?
>
> 5) For those of you at the mercy of HIPAA, how are you meeting these
> requirements when secure transfer of data is concerned?

I don't have the answers to these questions, but some of the HIPAA gurus at my company probably do have the answers. Feel free to contact me offline if you're looking for consulting help.

Hope this helps,

-Bill
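The "PGP first, then SCP" pattern Bill recommends, as an added example that is not part of the original thread: GnuPG encrypts and signs the file for one recipient, the receiving side decrypts and refuses anything without a good signature, and scp moves only ciphertext over public-key authentication. It assumes GnuPG 2.1+ is installed as `gpg`; the host, user, key ids and identity file are placeholders, and the demo keys are constructed, passphrase-less keys in a throwaway keyring.

```shell
#!/bin/sh
# Added example (not from the original thread): "PGP first, then SCP". GnuPG
# encrypts and signs the file for one recipient, the receiver decrypts and
# insists on a good signature, and scp carries only ciphertext. Assumptions:
# GnuPG 2.1+ as `gpg`; host, user, key ids and identity file are placeholders.
set -eu

# Encrypt PLAIN to RECIPIENT's public key and sign it with SIGNER's private key.
# Non-zero exit if gpg rejects either key, so the caller never ships plaintext.
encrypt_and_sign() {
  plain="$1"; recipient="$2"; signer="$3"; out="$4"
  gpg --batch --yes --quiet --trust-model always \
      --recipient "$recipient" --local-user "$signer" \
      --sign --encrypt --output "$out" "$plain"
}

# Decrypt CIPHER to OUT and require a GOODSIG line in gpg's machine-readable status.
# Decrypting alone is not enough: an unsigned or tampered blob must be rejected.
decrypt_and_verify() {
  cipher="$1"; out="$2"; status="$2.status"
  gpg --batch --yes --quiet --status-file "$status" --output "$out" --decrypt "$cipher" &&
  grep -q '^\[GNUPG:\] GOODSIG ' "$status"
}

# Carry the ciphertext with scp: key-based auth only, no prompts, and the server's
# host key must already be in known_hosts (this is what authenticates the receiver).
transfer() {
  scp -i "$3" -o BatchMode=yes -o StrictHostKeyChecking=yes \
      -o PasswordAuthentication=no "$1" "$2"   # $1 file, $2 user@host:path, $3 key
}
gen_key() {   # constructed, passphrase-less demo key; real keys get a passphrase
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never 2>/dev/null
}

# Offline round trip in a throwaway keyring (both parties share it here only so
# the demo needs no second host). Returns 0 when the plaintext is recovered and
# a tampered ciphertext is rejected.
demo_roundtrip() {
  home="$(mktemp -d)"; export GNUPGHOME="$home"
  gen_key sender@example.test && gen_key receiver@example.test &&
  printf 'patient_id,visit_date\n1234,2001-03-02\n' > "$home/phi.csv" &&   # constructed sample
  encrypt_and_sign "$home/phi.csv" receiver@example.test sender@example.test "$home/phi.csv.gpg" &&
  decrypt_and_verify "$home/phi.csv.gpg" "$home/phi.out" &&
  cmp -s "$home/phi.csv" "$home/phi.out" &&
  printf 'TAMPERED' | dd of="$home/phi.csv.gpg" bs=1 seek=40 conv=notrunc 2>/dev/null &&
  ! decrypt_and_verify "$home/phi.csv.gpg" "$home/phi.bad" 2>/dev/null
}
demo_roundtrip && echo "round trip OK and tampered ciphertext rejected"
```

In production, sender and receiver hold separate keyrings and `transfer` is called on `phi.csv.gpg`, never on the plaintext.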
