Firewall Wizards mailing list archives
Re: terminal services
From: Don Kendrick <don () netspys com>
Date: Tue, 28 Jan 2003 15:26:16 -0500
Open from where? The world? Yikes!!! What's that address :)

Seriously, I come from the school that one never ever opens ports from the world directly into the internal network. A DMZ, maybe. Never inside. Doesn't matter if it's WTS or mail or web, not to the internal net. By allowing it all the way in you are throwing away "defense in depth" and any notion of a layered architecture.

If you can get it on the DMZ, would I do it? Open to the world? No. A specific IP? Maybe, depends what I give that WTS host access to. If I don't know source IP and therefore have to open to the world (i.e. traveling DHCP user out in the world somewhere), I'd be looking at VPN using Strong Authentication and only open it to VPN clients.

Don

On Tuesday, January 28, 2003, at 03:00 PM, natfirewall () netscape net wrote:

Greetings,

I am being asked to open port 3389 on our Corporate firewall and direct incoming traffic on that port to a specific IP on our internal network. Being the paranoid that I am, I do not want to do this but I need better reasons/ammunition other than saying "it would be bad". I am looking for pointers to information hopefully in support of my fear of M$ security. Also, the more recent the information the better.

Not being close minded, I would also be interested in seeing any information which would make me feel warm and fuzzy about opening the port.

TIA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards