Firewall Wizards mailing list archives

Re: Too Paranoid?


From: Mark Tinberg <mtinberg () securepipe com>
Date: Wed, 2 Oct 2002 02:38:40 -0500 (CDT)

On Sun, 29 Sep 2002, Paul D. Robertson wrote:

> Even if they tunneled well, I'd still want the thing cordoned off from my 
> internal network and forced to talk nicely with the specific desktop 
> clients.  


I agree, stick the W2K server in its own network with no access to the 
internal network and limited access to just the machines on the Internet 
required for the service to function.  I would also say that as ActiveX is 
against your policy, and you are worried about the integrity of your users' 
workstations, that you think about installing the client component on a 
terminal server of some kind.  This could be MS Terminal Services, Citrix, 
VNC or more UNIX-centric software like Win4Lin, VMWare or WINE/X.

The "client" machine (terminal server) can have its configuration heavily
controlled and also needs no access into the protected network.  The
security risk to your internal machines then comes only through the
terminal client software itself which is more under your control.  I think
that this is a good way to keep all that "special" client software and its
associated problems off of your working desktop machines where security
and configuration control are already hard enough.

-- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Remember:  Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7

        Your daily fortune . . . 

With a gentleman I try to be a gentleman and a half, and with a fraud I
try to be a fraud and a half.
                -- Otto von Bismarck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
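The two pieces of advice in the reply above (put the W2K server on its own segment with no path into the internal network and reachability only to the specific Internet hosts the service needs, and host the ActiveX client on a terminal server that likewise has no access into the protected network) can be written down as a small first-match policy and checked before anyone touches a firewall. The model below is an added example, not code from the original post or from any of the products it names; the addresses, the service port (8443) and the peer hosts are constructed placeholders, and the only real port is 3389 for MS Terminal Services. `decide()` evaluates a new connection against the policy, and `render_iptables()` turns the same policy into iptables FORWARD rules so the model and the ruleset cannot drift apart.

```python
"""Segmentation policy for an isolated server segment plus a terminal-server
segment, modelled after the Firewall Wizards reply (added example).
"""
import ipaddress

# Constructed addresses (assumption, not from the post; RFC 5737 documentation ranges).
ZONES = {
    "internal":   ipaddress.ip_network("10.0.0.0/16"),    # protected desktops
    "server_dmz": ipaddress.ip_network("192.0.2.0/28"),   # W2K server segment
    "ts_dmz":     ipaddress.ip_network("192.0.2.16/28"),  # terminal server segment
}
W2K_SERVER = ipaddress.ip_address("192.0.2.2")
TERMINAL_SERVER = ipaddress.ip_address("192.0.2.18")
# The specific Internet hosts the service needs (constructed placeholders).
SERVICE_PEERS = frozenset({
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("198.51.100.11"),
})
SERVICE_PORT = 8443  # hypothetical port the client component uses to reach the server
RDP_PORT = 3389      # MS Terminal Services / RDP

# First-match policy; anything not matched is dropped.
# A selector is a zone name, a single address, a set of addresses, or "any".
POLICY = [
    ("internal",      TERMINAL_SERVER, "tcp", RDP_PORT,     "ACCEPT"),  # desktops -> terminal server only
    (TERMINAL_SERVER, W2K_SERVER,      "tcp", SERVICE_PORT, "ACCEPT"),  # client component -> server
    (W2K_SERVER,      SERVICE_PEERS,   "tcp", 443,          "ACCEPT"),  # server -> required peers only
    ("any",           "internal",      "any", None,         "DROP"),    # nothing initiates into the protected net
]


def _matches(selector, addr) -> bool:
    """True if the address falls under the selector."""
    if selector == "any":
        return True
    if isinstance(selector, str):
        return addr in ZONES[selector]
    if isinstance(selector, (set, frozenset)):
        return addr in selector
    return addr == selector


def decide(src: str, dst: str, proto: str, port: int) -> str:
    """Verdict for a NEW connection src -> dst:port; replies are covered by state tracking."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in POLICY:
        if (_matches(r_src, s) and _matches(r_dst, d)
                and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action
    return "DROP"  # default deny


def _expand(selector):
    """Selector -> list of CIDR/address strings (None means 'no match clause')."""
    if selector == "any":
        return [None]
    if isinstance(selector, str):
        return [str(ZONES[selector])]
    if isinstance(selector, (set, frozenset)):
        return sorted(str(a) for a in selector)
    return [str(selector)]


def render_iptables() -> list:
    """Render POLICY as iptables FORWARD rules with a default-drop policy."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r_src, r_dst, proto, port, action in POLICY:
        for s in _expand(r_src):
            for d in _expand(r_dst):
                rule = "iptables -A FORWARD"
                if s:
                    rule += f" -s {s}"
                if d:
                    rule += f" -d {d}"
                if proto != "any":
                    rule += f" -p {proto} --dport {port}"
                rule += f" -j {action}"
                lines.append(rule)
    return lines


if __name__ == "__main__":
    for flow in [("10.0.1.5", "192.0.2.18", "tcp", RDP_PORT),
                 ("10.0.1.5", "192.0.2.2", "tcp", SERVICE_PORT),
                 ("192.0.2.2", "10.0.1.5", "tcp", 445),
                 ("192.0.2.18", "10.0.1.5", "tcp", 445)]:
        print(flow, "->", decide(*flow))
    print("\n".join(render_iptables()))
```

The explicit "any -> internal DROP" rule is redundant with the default-drop policy but is kept on purpose: it documents the property the post cares about (neither the server segment nor the terminal server can open connections into the protected network), and it survives someone later appending an over-broad ACCEPT below it. Desktops reach only the terminal server on 3389, so a compromised client component can at most affect the terminal server, which is the containment the reply describes.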
