Security Basics mailing list archives

RE: Remote Desktop, DMZ


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 1 May 2007 12:40:01 -0700

Security often involves trade-offs. For many kinds of situations, one can talk about "best practices" for addressing security concerns, but individual circumstances may require some adjustment to fit.

There is, of course, no reason LAN users cannot access services hosted in their own enterprise's DMZ, but I believe you've intuited correctly that DMZ services are intended to be accessible from the whole Internet, whereas you just want to provide remote access to a tiny handful of users.

I believe the technology you really need to look at is *VPN*, which allows you to bring in authenticated users over an encrypted connection into your network. You place the server side of the VPN host in the DMZ (so Internet users can reach it), and its internal side where only a dedicated firewall/monitor tap separates decrypted sessions from the internal resources you need them to be able to reach.

(Many networks just dump the internal side of the VPN directly onto the internal network, but I don't think that's a great idea.)

David Gillett
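A ruleset for the dedicated firewall David describes between the VPN's internal side and the LAN, as an added example that is not part of the original post: decrypted VPN sessions may reach only the Remote Desktop host on RDP (TCP 3389 by default), and every other attempt toward the LAN is logged and dropped. The interface names vpn0/eth1, the 10.8.0.0/24 VPN client pool and the 192.168.10.20 Remote Desktop host address are assumed, constructed values.

```nft
#!/usr/sbin/nft -f
# Dedicated firewall between the VPN server's internal side (vpn0)
# and the internal LAN (eth1). All addresses/interfaces are assumed.
flush ruleset

define VPN_IF   = "vpn0"           # receives decrypted VPN traffic
define LAN_IF   = "eth1"           # faces the internal network
define VPN_POOL = 10.8.0.0/24      # addresses handed to VPN clients
define RD_HOST  = 192.168.10.20    # the Remote Desktop system on the LAN

table inet vpn_edge {
    chain forward {
        # Default-deny: the "dump it on the LAN" design is the
        # equivalent of 'policy accept' with no rules below.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions we already allowed; junk state is dropped.
        ct state established,related accept
        ct state invalid drop

        # The only thing a remote user may open: RDP to the RD host.
        # The RD host, not the VPN client, then talks to the application
        # server on the LAN, so VPN clients never reach it directly.
        iifname $VPN_IF oifname $LAN_IF ip saddr $VPN_POOL \
            ip daddr $RD_HOST tcp dport 3389 ct state new accept

        # Anything else from the VPN side toward the LAN is evidence
        # worth keeping: log with a searchable prefix, count, drop.
        iifname $VPN_IF oifname $LAN_IF \
            log prefix "vpn-to-lan-denied: " counter drop
    }
}
```

If the Remote Desktop host itself is compromised, this still confines the attacker's next hop to what that one host is allowed to reach, which is the point of not placing the VPN's internal side directly on the LAN.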



-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Edmund
Sent: Tuesday, April 24, 2007 4:16 AM
To: security-basics () securityfocus com
Subject: Remote Desktop, DMZ

Dear All,

A Remote-Desktop system should be placed within the DMZ, am I correct?

If that is the case, what if the Remote Desktop system requires access to an application server, but this application server cannot be placed in the DMZ because LAN users also need access to it?

I've been mulling it over and haven't quite figured out how or where to put this remote desktop system. In the DMZ, it will have a hard time being part of the domain (is this actually necessary?) or even accessing an application server (which is also part of the domain). If I put the Remote Desktop system in the internal LAN, the risks are not particularly appealing should the RD system get compromised.

Can someone out there give me some hints/pointers as to how I might go about putting a remote desktop system into an existing network setting?

Thanks

Ed
