SSL or SSL VPN

I have a web site that will connect to our HR system for employees to view benefit info, pay stubs, w2's etc from outside the office at home. Which is a better way to secure access to this server, just use an ssl certificate or should I use an ssl vpn? The web server can sit either inside the network or in a DMZ. Either way I hope to use two factor authentication such as RSA tokens to add a layer of protection.

It is really hard to give you sound advice since we don't have enough information here (e.g. all functionality requirements for the website), but if this is a more or less standard HR webpage then SSL should be more than enough...

--
Mike
Microsoft MVP - Windows Security

<brianhessel***@gmail.com> wrote in message news:1146663380.508549.243820@v46g2000cwv.googlegroups.com...
> I have a web site that will connect to our HR system for employees to
> view benefit info, pay stubs, w2's etc from outside the office at home.
> Which is a better way to secure access to this server, just use an ssl
> certificate or should I use an ssl vpn? The web server can sit either
> inside the network or in a DMZ. Either way I hope to use two factor
> authentication such as RSA tokens to add a layer of protection.

brianhessel***@gmail.com wrote:
> I have a web site that will connect to our HR system for employees to
> view benefit info, pay stubs, w2's etc from outside the office at home.
> Which is a better way to secure access to this server, just use an ssl
> certificate or should I use an ssl vpn? The web server can sit either
> inside the network or in a DMZ. Either way I hope to use two factor
> authentication such as RSA tokens to add a layer of protection.

It sounds like this is personal, non-public information. That may be covered by HIPAA, GLB, or some other regulation, so I would be careful. Perhaps a talk with corporate counsel would be smart.

You may get better security with an SSL-based VPN since some come with tools that check the client for security such as the age of the virus database, etc. You will also get increased cost, since you should be able to roll your own certs.

I would look at the functionality of the SSL-VPNs and see if they would help you sleep better at night ;). They should all talk Radius, which will allow you to integrate 2 factor authentication.

HTH,

nick

--
Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
http://www.wikidsystems.com
https://sourceforge.net/projects/wikid-twofactor/