Ask the Expert

How should we distribute our unique firewall password to our clients?

My company needs to securely distribute a unique firewall password to its supply chain partners for a network-based firewall application. The alternatives we're considering are sending it via email, snail mail or posting it to a customer Web portal. My firm is resisting encrypting the email and our portal is still single-factor authentication. Is snail mail a viable and safe option? Is there a more optimal solution?


As primitive as it sounds, given the circumstances you mention, your best option is snail mail. No matter how you post the password online, whether by posting it on your Web portal or sending via email, it's exposed to any number of online vulnerabilities.

Sending it by encrypted email provides a mitigating control, but since there's resistance in your organization, that's not an option. And, for the same reason, using another encryption scheme, like public key infrastructure (PKI), to store the password might be overkill, especially if the vendor who needs the password or the project itself is small. The expense and time in implementing PKI could cause further resistance in your organization.

As for posting it on your Web portal, even if such a portal were hardened, secured and password protected with multifactor authentication, there's always a risk that the Web site could be breached and the password exposed.

With snail mail, however, the only way someone could steal the passwords would be if they had physical access to the corporate mailroom. Though mailroom security may vary from company to company, it's still relatively more secure than anything online.

The other question to ask is whether you're issuing the same password to all of your vendors that need this firewall access. Each vendor should have their own unique password. Depending on the firewall, you should be able to configure it to allow access for multiple accounts. Otherwise, if the same single password is stolen from one vendor, this represents a single point of failure from an information security perspective, since all your vendors have then been breached.

This was first published in September 2006
