Re: VPN & Terminal Server was: VPN for *DSL/CableModem Users

["daN." <dan () nesmail com>]

Well, that depends :) If you where using NT Dumb terminals then there 
really wouldn't be much of an issue here (other than you are still 
excepting connections into your corporate LAN over the Internet)...but by 
using emulation software it's still possible for someone to break into 
their machine via some other software on their PC and launch the secure 
remote client on the users desktop, it is then quite easy to retrieve NT 
sign on data used in the SecurRemote client with a simple keyboard logger 
on the compromised PC...

mutated.


At 06:10 PM 8/23/00 -0700, Adrian Brinton wrote:
> We are looking at using NT Terminal Server as a solution to this. Users
> connect via DSL/Cable/Dialup or whatever, using the SecurRemote client,
> and only have access to a terminal server in a DMZ. They can get to the
> office resources they need, but not directly from home. This way, if a
> home machine were compromised, there would be no direct path to the
> corporate network.
>
> Can anyone comment on downsides to this (security-wise, not Terminal
> Server limitations)?
>
>
> Adrian Brinton
> Network Engineer
>
> -----Original Message-----
> From: Michael C. Ibarra [mailto:ibarra () hawk com]
> Sent: Thursday, August 17, 2000 2:15 PM
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] VPN for *DSL/CableModem Users
>
>
> Hello:
>
>  I've been asked to perform the horrible task of allowing
>  in remote/home internet connections into a corporate LAN.
>  The firewall/s in question are a FW-1 and IPFilter (separate
>  machines) combo. The pipe decided upon was either DSL or
>  cable modems, based of course on availibilty. The present
>  method is an isdn/SecureID/dialback method. The present
>  corporate policy allows no inbound traffic from the inter-
>  net and allows a limited outbound connections, mainly http.
>  My feeling is that users, unable to reach their AOL/Napster/
>  whatever type of services could place a modem into these home
>  PC's, corporate owned but that doesn't matter, making that
>  box an insecure gateway or transfer point for a virus to the
>  corporate network. VPN's IMO would do little to protect a
>  machine which has a greater chance of becoming compromised,
>  besides breaking corporate security policy since all non-VPN
>  connections would probably allow those same services not
>  normally allowed in the office. My question, and thank you
>  for reading this far, is what VPN software and/or hardware
>  is recommended and what can be done to enforce the present
>  corporate policy (aside from asking users to sign an agreement).
>
> Thank you all,
>
> -mike
>
>
>
>           The information contained in this message
>            is not necessarily the opinion of Hawk
>                    Technologies, Inc.
>
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards