Firewall and Web form info protection
florida
09-05-2007, 04:48 PM
I have an Intranet web site that has a form where user enters social security number and other sensitive information.
The Web server that processes the info is behind a Firewall.
I want to register an SSL certificate on the Web Server to protect the transmission of information from the Web Form to the Server. Please advise if this is necessary since the Web Form is an Intranet Site and the web server is behind a Firewall?
I assume I need SSL to protect the Web Form information from the Client workstation until it gets to the Firewall and then web server or how does this process work with protecting the information??
TJ111
09-05-2007, 04:54 PM
SSL uses an encryption key to encrypt the data sent via HTTP. So when the client's SS number goes through the series of tubes that make up the internet, it gets encrypted first, making it much more difficult to intercept. I'd say that anything involving personal information should use SSL, regardless of where or how. Firewalls help, but in today's world, you need all the failsafes you can get.
florida
09-05-2007, 06:57 PM
"So when the client's SS number goes through the series of tubes that make up the internet"
Thanks, this is the Intranet and the client is probably already behind the Firewall. But I just want to make sure I have a valid point with my Server Admins that I still need an SSL Cert on the Web Server to protect my Intranet info that is coming from the Client Browser?
tracknut
09-05-2007, 07:10 PM
If this is a debate between you and your server admins, I would change the discussion immediately. If you pass the SSNs in clear text *and they get compromised*, your company may be required to report the compromise publicly (i.e., stock ramifications), and manage identity theft issues for everyone in your database (i.e., huge costs). I think it's Gramm-Leach-Bliley that will require this, you can read up on it.
This is not a debate that a developer and a system admin should be having, frankly. Your security/compliance department should have policy in place to address these kinds of things.
Bottom line, do the SSL thing. Theft of a bunch of encrypted SSNs does not require reporting.
Dave
* I am not your legal counsel, I'm just a dude on the internet :)
ray326
09-05-2007, 10:12 PM
Are you jumping through these hoops to protect your form data posted by company employees from other company employees with network sniffers?
florida
09-06-2007, 06:31 PM
"Are you jumping through these hoops to protect your form data posted by company employees from other company employees with network sniffers?"
Basically all workstations and the Server are inside the same Firewall and this is on Intranet. I don't know what a network sniffer is and also want to make sure I have the best protection software for transferring SSN and other sensitive info from the workstation to the server.
The Form on the Workstation will be used by Company people only who are only inside the firewall. The Company people will input all information they get from oral communication with outside People who are entering the building. The Outside people will never enter the data, only the Company people will be allowed to touch the workstation and enter the data.
TJ111
09-06-2007, 06:38 PM
I can't imagine doing what you described and NOT using SSL. Intranet or Internet, firewall or not, there's always back doors and ways for people to get protected information. Recently a lot of big corporations have come under scrutiny for allowing people's personal data to be stolen from their servers, even the entire State of Ohio (my state btw) had a good portion of its populace's information stolen.
My recommendation, use SSL or use paper and filing cabinets.
ray326
09-06-2007, 11:34 PM
If this whole operation is inside the company firewall and there is no one but (relatively ignorant from an IT perspective) company employees using only company owned PCs connected to the company's intranet then SSL is a total waste of time. If the PCs are on the Internet then SSL has some meaning but not nearly as much as a lot of people think.
ray326
09-06-2007, 11:39 PM
"I can't imagine doing what you described and NOT using SSL. Intranet or Internet, firewall or not, there's always back doors and ways for people to get protected information. Recently a lot of big corporations have come under scrutiny for allowing people's personal data to be stolen from their servers, even the entire State of Ohio (my state btw) had a good portion of its populace's information stolen.
My recommendation, use SSL or use paper and filing cabinets."
Not one single instance of the type you describe had anything to do with or would have been prevented in any way by the use of SSL. Here's what a guy who knows encryption has to say about it.
"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." -- Gene Spafford
tracknut
09-06-2007, 11:56 PM
Sorry Ray, I will have to disagree on this one. The OP is asking about encryption, not the management of the SSNs on the end points. Absolutely he needs to deal with securing the storage and use of the data too.
I've never heard a security person claim that you could trust all the employees in a company before. The fact that this application resides within an intranet is interesting, but in no way removes the security requirement.
What has the corporate security officer or compliance officer said about this? That's where the policy needs to come from.
Dave
ray326
09-07-2007, 02:52 PM
"I want to register an SSL certificate on the Web Server to protect the transmission of information from the Web Form to the Server."
Maybe we're reading different posts, Dave, but everything he's said so far has sounded like he's talking about encrypting the network traffic.
"The OP is asking about encryption, not the management of the SSN's on the end points."
That's my point. SSL is absolutely the least effective thing you can do to protect the data. It is least vulnerable on the wire and most vulnerable on the servers.
tracknut
09-07-2007, 03:08 PM
Could be I've made an assumption here. Since he wasn't asking about how to manage the SSNs on the server, I assumed that wasn't in question, i.e. he'd already addressed it correctly. I thought this question came from some debate between him and the system administrator on whether it was necessary *in addition* to everything else, to do SSL.
But I certainly agree with your point, if the SSNs are stored and floating around in the clear within the intranet already, there are much bigger problems right now than looking at SSL.
Dave
TJ111
09-07-2007, 03:18 PM
I'm in the same boat as tracknut. I (perhaps incorrectly?) assumed that this system is already in place in some form, and already well protected. That should be priority #1, but you must admit that using SSL can't hurt anything, especially in the med industry. Medical records are worth a ton on the black market, they are used to get other people's prescription drugs/health benefits, etc. Throwing in some sniffers on an unencrypted network to catch stuff as it goes by is all too easy in today's world.
ray326
09-07-2007, 05:24 PM
Certainly adding SSL or any other security precaution should not hurt, i.e. it should provide some added security and it should always be a part of Internet-related security. On a company backbone (intranet), though, it has a rather high cost/benefit compared to things you can do to address the proven threats since almost none of them involve grabbing something off the wire. The most successful attacks involve stealing the hardware containing the data or simply copying the data off the server where it's stored. That's what Spafford's analogy addresses.
Sniffer software for PCs is readily available but it's been rendered much less useful with the advent of twisted pair and switches. Of course if you're still running hubs or coax or token rings then a sniffer can be really handy. :)