Firewall Wizards mailing list archives

Re: Defense in Depth to the Desktop


From: David Lang <david.lang () digitalinsight com>
Date: Sat, 25 Dec 2004 03:01:59 -0800 (PST)

On Thu, 2 Dec 2004, Chris Pugrud wrote:


Consider the following example of a simplified network.  The network is divided
into two subnets; one subnet contains all of the client systems, while the
second subnet contains all of the servers.  The client subnet and the server
subnet are separated by a session based, stateful, packet filtering firewall.
The firewall is unidirectional; it only permits traffic that is initiated from
a client to a server.  Servers are allowed to reply to clients, but they can
not initiate communication, TCP or UDP, to a client.

Surprisingly, this example does not break Microsoft or most application [*1]
protocols.  The result is counterintuitive, but analysis and testing support
this assertion.
<SNIP>
Questions? (aka, what have I missed?)

One thing that will be a problem with this is the new trend for Windows sysadmins to use RDP to administer the desktops. You can set up additional firewall rules to do this, but each exception to the policy complicates things as well as making them less secure.

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no 
deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
 -- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
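The unidirectional policy quoted above, and the RDP exception the reply raises, as an added example that is not part of the original thread: a small Python model of a stateful, client-to-server-only filter, with the admin RDP exception added as a second, narrowly scoped rule. The subnets, the admin host and the packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CLIENTS = ip_network("10.0.1.0/24")  # constructed client subnet
SERVERS = ip_network("10.0.2.0/24")  # constructed server subnet
ADMIN = ip_network("10.0.2.10/32")   # constructed admin host on the server side

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a connection

@dataclass
class StatefulFilter:
    """Client -> server may open connections; servers may only reply."""
    # Extra 'may open a connection' rules: (src_net, dst_net, dport).
    exceptions: list = field(default_factory=list)
    flows: set = field(default_factory=set)  # state table of accepted flows

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or rev in self.flows:
            return True  # either direction of a flow that was opened legitimately
        if not p.syn:
            return False  # no state and not a connection opener: drop
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in CLIENTS and dst in SERVERS:
            self.flows.add(key)
            return True
        for src_net, dst_net, dport in self.exceptions:  # each one widens exposure
            if src in src_net and dst in dst_net and p.dport == dport:
                self.flows.add(key)
                return True
        return False

def demo() -> dict:
    base = StatefulFilter()
    rdp = StatefulFilter(exceptions=[(ADMIN, CLIENTS, 3389)])
    return {
        "client_opens_http": base.allow(Packet("10.0.1.5", 40000, "10.0.2.20", 80, syn=True)),
        "server_replies": base.allow(Packet("10.0.2.20", 80, "10.0.1.5", 40000)),
        "server_opens_smb": base.allow(Packet("10.0.2.20", 50000, "10.0.1.5", 445, syn=True)),
        "admin_rdp_to_desktop": rdp.allow(Packet("10.0.2.10", 50001, "10.0.1.5", 3389, syn=True)),
        "other_server_rdp": rdp.allow(Packet("10.0.2.20", 50002, "10.0.1.5", 3389, syn=True)),
    }
```

Scoping the exception to one admin host and one port keeps the rest of the server subnet unable to reach desktops, which is the discipline each added exception needs to preserve.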

