Firewall Wizards mailing list archives
Re: Too Paranoid?
From: Mark Tinberg <mtinberg () securepipe com>
Date: Wed, 2 Oct 2002 02:38:40 -0500 (CDT)
On Sun, 29 Sep 2002, Paul D. Robertson wrote:
> Even if they tunneled well, I'd still want the thing cordoned off from my internal network and forced to talk nicely with the specific desktop clients.
I agree, stick the W2K server in its own network with no access to the internal network and limited access to just the machines on the Internet required for the service to function.

I would also say that as ActiveX is against your policy, and you are worried about the integrity of your users' workstations, that you think about installing the client component on a terminal server of some kind. This could be MS Terminal Services, Citrix, VNC or more UNIX-centric software like Win4Lin, VMware or WINE/X. The "client" machine (terminal server) can have its configuration heavily controlled and also needs no access into the protected network. The security risk to your internal machines then comes only through the terminal client software itself, which is more under your control.

I think that this is a good way to keep all that "special" client software and its associated problems off of your working desktop machines where security and configuration control are already hard enough.

--
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Remember: Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1 38A4 CF52 5FE0 7470 E5F7