Security Basics mailing list archives
RE: Remote Desktop, DMZ
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 1 May 2007 12:40:01 -0700
Security often involves trade-offs. For many kinds of situations, one can talk about "best practices" for addressing security concerns, but individual circumstances may require some adjustment to fit.

There is, of course, no reason LAN users cannot access services hosted in their own enterprise's DMZ, but I believe you've intuited correctly that DMZ services are intended to be accessible from the whole Internet, whereas you just want to provide remote access to a tiny handful of users.

I believe the technology you really need to look at is *VPN*, which allows you to bring in authenticated users over an encrypted connection into your network. You place the server side of the VPN host in the DMZ (so Internet users can reach it), and its internal side where only a dedicated firewall/monitor tap separates decrypted sessions from the internal resources you need them to be able to reach. (Many networks just dump the internal side of the VPN directly onto the internal network, but I don't think that's a great idea.)

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Edmund
Sent: Tuesday, April 24, 2007 4:16 AM
To: security-basics () securityfocus com
Subject: Remote Desktop, DMZ

Dear All,

A Remote-Desktop system should be placed within the DMZ, am I correct? If that is the case, what if the Remote Desktop system requires access to an application server; but, this application server cannot be placed in the DMZ because LAN users also need access to it?

I've been mulling it over and haven't quite figured out how or where to put this remote desktop system. In the DMZ, it will have a hard time being part of the domain (is this actually necessary?) or even access an application server (which is also part of the domain). If I put the Remote desktop system in the internal LAN, the risks are not particularly appealing should the RD system get compromised.

Can someone out there give me some hints/pointers as to how I might go about putting a remote desktop system in an existing network setting?

Thanks
Ed
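
The layout described in the reply above, with a dedicated firewall between the VPN host's decrypted side and the internal network, could be expressed as the following nftables forward policy. This is an added example, not part of either message; the interface names, the VPN address pool, the remote desktop host address and the choice of RDP on TCP 3389 as the only permitted service are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Forward policy for a dedicated firewall sitting between the VPN host's
# internal (decrypted) side and the internal LAN.
# Every name and address below is a constructed placeholder.

define VPN_IF   = "eth0"          # toward the VPN host's internal side (assumed name)
define LAN_IF   = "eth1"          # toward the internal network (assumed name)
define VPN_POOL = 10.99.0.0/24    # addresses handed to VPN clients (constructed)
define RD_HOST  = 10.10.20.15     # internal remote desktop system (constructed)

table inet vpn_gate {
    chain forward {
        # Default deny: anything not explicitly allowed never reaches the LAN.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions this firewall already permitted.
        ct state established,related accept
        ct state invalid drop

        # Decrypted traffic must carry a source address from the VPN pool.
        iifname $VPN_IF ip saddr != $VPN_POOL log prefix "vpn-gate spoof: " drop

        # The one permitted flow: VPN clients to the remote desktop host.
        # New sessions are logged so the monitoring side has a record.
        iifname $VPN_IF oifname $LAN_IF ip saddr $VPN_POOL ip daddr $RD_HOST \
            tcp dport 3389 ct state new log prefix "vpn-gate rdp: " accept

        # Everything else arriving from the VPN side is logged and dropped,
        # including IPv6, which none of the IPv4 rules above match.
        iifname $VPN_IF log prefix "vpn-gate deny: " drop

        # No rule accepts new sessions from the LAN toward the VPN side,
        # so the default drop policy covers that direction.
    }
}
```

The "vpn-gate deny:" log entries are the ones worth alerting on, since an authenticated VPN user probing beyond the remote desktop host shows up there first.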