Security Basics mailing list archives

Re: terminal server security vs vpn


From: <nobledark () hushmail com>
Date: Tue, 14 Aug 2007 16:35:57 -0400

Something else to take into consideration when making your decision 
is whether or not there is the potential for traffic other than 
Terminal Services. In this case it might make more sense to use a 
VPN tunnel instead of the encrypted RDP / ICA connection so you can 
have fewer ports on the firewall exposed to the Internet. 

For example, if you end up needing POP3 or IMAP, you can certainly 
protect those protocols with certificates and then open the related 
ports on your firewall to expose those services in addition to the 
RDP/ICA port. Web-based services aren't the greatest over RDP but 
you could open port 443, cert your web app, and then make that 
available as well.

The down-side of this is that you now have multiple firewall ports 
open to the Internet. You also have the potential for anyone who is 
sniffing at a downstream router to get a better idea of what 
services you are offering through your firewall (even if they can't 
read the data, they can tell what port it's running over). However, 
if you are using a VPN to tunnel all of your traffic, you have 
fewer Internet-facing ports open and less information on what 
services (other than a VPN) you are publishing.

My 2 cents....

On Tue, 14 Aug 2007 14:54:37 -0400 Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
> On 2007-08-14 Brent Kern wrote:
>> We went through this at our government agency and the remote desktop
>> client is 128bit encrypted.
>
> Without knowing the encryption algorithm that doesn't mean anything. At
> all.
>
> Regards
> Ansgar Wiechers
> -- 
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
