MT setup- FW setup due to GDPR - Hotspot - General Security Issue(s)

Hi,

I have several clients who are using MT as a FW. They also have Hotspot functionality within their site. Is there any ‘specific’ FW setup in order to comply with GDPR law?

Did anyone ‘have’ this issue… resp. need to ‘correct’ their config on the FW?

Tx for any tip, help and insight :)

korg

GDPR is about personal identification. As long as you don’t log data which could identify a person, you’re fine. So is that applicable in the case you specified?

Yes and no…

So, if I… for example enable logging in with Facebook or some other social media… do I not need any ‘extra’ config within the customer’s FW? I am also thinking about…

Do I need extra security, for example… to connect to the server only through VPN and not the RDP port… ‘must’ I disable the RDP port… and so on?

So, here I am not only considering ‘logging’ personal data… but also… IT/FW/MT ‘security’ measures so that no one can access the local network and gain access to some… let’s say… list of customers…

Is GDPR also auditing FW security measures resp. setup?

korg

GDPR is not specific about what measures should be taken, but requires “appropriate ones” to ensure customers’ privacy, based on “industry standards”. It also expects inherent security within the systems; it’s called “security / privacy by default / design”:
default: safe settings out of the box
design: safe system architecture

Are those clients “companies”? Then GDPR doesn’t apply (directly to you, but maybe as data processor, depending on the agreement with the data controller).
Or (private) individuals / persons? Then it does.

About logging in with Facebook, isn’t that through a secure connection? You don’t have access to the actual credentials / user data, do you? Then a token is received to confirm their identity, right?
Can that token/data be used to identify the user (name, address, email, …)? I’m guessing no?

See https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/

I’ve found one of the GDPR parts of securing MTs… in this case it’s talking about SOHO NAS security…

Port knocking is the subject… they are using it in order to secure access for the Winbox service…

https://mum.mikrotik.com/presentations/BU19/presentation_6879_1560110235.pdf

So, apart from the question ‘is the port knocking feature important for the security of my company’… MY question is… is the port knocking feature… one of the possibilities resp. ‘conditions’ for each and every company to comply with one of the GDPR requests?

tx

korg

GDPR doesn’t specify any specific measures, so it’s up for interpretation.

Personally I would prefer a certificate-based VPN over port knocking.
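As an added illustration (not from this thread or the linked MUM presentation), this is how the port-knocking idea discussed above is usually expressed as RouterOS firewall rules in front of Winbox (TCP 8291). The knock ports 3344/1122/5566, the timeouts and the 192.168.88.0/24 management subnet are assumed placeholders.

```routeros
# Added example: port knocking in front of Winbox (TCP 8291) on RouterOS.
# Knock ports, timeouts and the LAN subnet are placeholders, not values from the thread.
# These rules must sit ABOVE any generic "drop input" rule, otherwise they never match.
/ip firewall filter
# Management from the trusted LAN stays open regardless of knocking.
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.88.0/24 comment="winbox from LAN"
# Stage 1: a SYN to the first knock port puts the source in a short-lived list.
# The knock sequence is deliberately non-ascending (3344 -> 1122 -> 5566) so that a
# plain sequential port scan does not walk through the stages in the right order.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=3344 \
    address-list=knock-1 address-list-timeout=15s comment="knock stage 1"
# Stage 2: only sources already in knock-1 may advance.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=1122 \
    src-address-list=knock-1 address-list=knock-2 address-list-timeout=15s \
    comment="knock stage 2"
# Stage 3: completes the sequence and grants Winbox access for 10 minutes.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=5566 \
    src-address-list=knock-2 address-list=winbox-allowed \
    address-list-timeout=10m comment="knock stage 3: unlock winbox"
# Winbox is accepted only for sources that completed the sequence...
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=winbox-allowed comment="winbox after knock"
# ...every other attempt on 8291 is logged (for detection) and dropped.
add chain=input action=log protocol=tcp dst-port=8291 \
    log-prefix="winbox-blocked" comment="log unauthorised winbox attempts"
add chain=input action=drop protocol=tcp dst-port=8291 comment="drop winbox"
# add-src-to-address-list is a pass-through action, so the knock packets continue
# down the chain; dropping them here keeps the knock ports looking closed.
add chain=input action=drop protocol=tcp dst-port=3344,1122,5566 \
    comment="drop knock packets"
```

Note that the knock sequence itself travels in clear text and only hides the management port rather than authenticating who is behind it, which is the reason the last reply prefers a certificate-based VPN.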