Firewall Wizards mailing list archives

Re: Secure access to LAN resources (WAS: terminal services)


From: "Paul D. Robertson" <proberts () patriot net>
Date: Tue, 28 Jan 2003 17:18:25 -0500 (EST)

On Tue, 28 Jan 2003, Behm, Jeffrey L. wrote:

> Hi Paul,
>
> On Tue, 28 Jan 2003 proberts () patriot net wrote:
>
> > On Tue, 28 Jan 2003 natfirewall () netscape net wrote:
> >
> > > Greetings,
> > >
> > > I am being asked to open port 3389 on our Corporate firewall and
> > > direct incoming traffic on that port to a specific IP on our internal
> > > network.  Being the paranoid that I am, I do not want to do this but I
> >
> > I wouldn't do that for any money.
>
> I thought everyone had a "price."  ;-)

I'd hope that there are still people around who can't be bought- if not,
we're in bad, bad shape!  When you work with great stalwarts of behaviour
and ethics like Bill Murray, you're constantly reminded of what nice
people don't do ;)

> Wouldn't having a VPN simply _move_ the DoS to another machine/system, not
> protect against it? My understanding is that VPN protects the data via
> encrypted tunnel. Just because the data is encrypted doesn't imply it is
> _desirable._ I suppose if you limit who can talk in the tunnel, then that
> would help...is that what you are getting at?

Yes, VPN devices are designed to do strong authentication.  What I left
unsaid (but was covered by another poster) is that you must couple it with
strong authentication.  Also, VPN devices are designed to be placed
outside firewalls; Terminal Server really isn't.  While that's no
guarantee it'll be safe, it sure helps.  Finally, you can pick a VPN
server based on security- other than possibly going to Citrix, you're
pretty much stuck with a single-vendor solution with TS.

> While on this subject, but down a different and more general tangent...
> Any opinions/gotcha's/don't do's/do do's <-yuck/etc. on using
> products/appliances such as Aventail or Neoteris as a _secure_ way to allow
> employees and/or external clients/partners into resources on your LAN? These
> devices supposedly create a VPN tunnel using SSL for encryption, which is
> allowed out through most companies' firewalls and allows the outsider to
> connect to this DMZ appliance which, in turn, allows/denies access to LAN
> resources based on authenticated users and the rulesets configured by the
> admin.

The more you can limit who connects, the less likely you'll get a bad
connection.  The stronger your authentication, the less likely someone
will be able to compromise an ID and password (I'd almost always want
hard physical token-based authentication.)

> (Aside: This may help lessen the support calls but opens up other issues,
> such as "Does the other company know their computers are being connected to
> your company's LAN?" I.e., what are the legal and/or ethical ramifications?)

If you're tunneling it via HTTPS, then there certainly are ethical
ramifications, and most likely legal ones if their usage policies are
well-written.

> Is there such a thing as _secure_ access to LAN resources over the Internet?

Nuke "over the Internet..."

It's always a trade-off between risk and protection.  The real question
*shouldn't* be "Is it secure" because that gets us into religious stuff
too quickly, it's "can I mitigate the risk well enough to make it
worthwhile."  It's difficult for us security geeks to find that line (as
an aside, I chose my title just to keep reminding me of the fact that it's
a risk decision, not a security decision.)

For most of us, the risk of opening a port to a device on the internal
network without some sort of arbitration is too large; we can mitigate
that risk by adding some sort of gateway that takes care of some of the
issues.

Your questions on the ethics and legality are very good ones.  How many
places even make visitors adhere to usage policies?  How many cover
tunneling?  How many educate their users to ask if it's ok?

Certainly, that's a discussion I'm willing to have on the list- I think
it's important that people think about these things.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
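The two positions in the message above (forward port 3389 straight to an internal host versus putting a gateway in front and only letting authenticated tunnel traffic reach it) can be written down as firewall policy so the difference is concrete. The following is an added example and is not code from the original thread, from Paul, or from any product named in it; it is written in nftables syntax, and the interface names, addresses, tunnel subnet and the gateway's listening port (TCP 443 for an SSL-style VPN) are assumptions chosen for illustration. The two tables are alternatives: load one or the other, not both.

```nft
# Added example (not from the original thread). Addresses, interfaces and the
# VPN port are assumptions for illustration:
#   eth0 = Internet side, eth1 = DMZ, eth2 = internal LAN
#   10.0.1.25     = internal Terminal Server the poster was asked to expose
#   192.0.2.10    = VPN gateway in the DMZ, listening on TCP 443
#   10.99.0.0/24  = addresses the gateway assigns to authenticated tunnel users

# ---- Policy A: what the poster was asked to do. Every host on the Internet
# ---- can reach the Terminal Server's RDP listener; the firewall arbitrates
# ---- nothing beyond the port number.
table ip weak {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward inbound 3389 straight to the internal host
        iifname "eth0" tcp dport 3389 dnat to 10.0.1.25
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Any source on the Internet is allowed through to 10.0.1.25:3389
        iifname "eth0" oifname "eth2" ip daddr 10.0.1.25 tcp dport 3389 accept
    }
}

# ---- Policy B: a gateway in front. Only the VPN gateway (a device built to
# ---- sit outside the firewall) is reachable from the Internet, and RDP is
# ---- accepted only from addresses the gateway hands to users it has already
# ---- authenticated. There is no DNAT and no forward rule for 3389 from eth0,
# ---- so nothing on the Internet can talk to 10.0.1.25 directly.
table ip gateway {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Internet -> DMZ: only the gateway's VPN listener
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 443 accept
        # DMZ -> LAN: only tunnel clients, only to the one host, only RDP
        iifname "eth1" oifname "eth2" ip saddr 10.99.0.0/24 \
            ip daddr 10.0.1.25 tcp dport 3389 accept
        # Everything else, including any attempt from eth0 to reach 10.0.1.25,
        # falls through to the chain's drop policy
    }
}
```

Policy B narrows the exposed surface to one DMZ device and one protocol, and limits which internal host and port tunnel users can reach; it does not by itself provide the strong (ideally token-based) authentication the message insists on, since that is done on the gateway. The firewall only guarantees that the Terminal Server is never reachable except through whatever the gateway has already admitted, and the `10.99.0.0/24` source restriction is only as good as the gateway's control over which addresses it issues.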

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards