Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: David Lang <david.lang () digitalinsight com>
Date: Sat, 25 Dec 2004 03:01:59 -0800 (PST)
On Thu, 2 Dec 2004, Chris Pugrud wrote:
Consider the following example of a simplified network. The network is divided into two subnets; one subnet contains all of the client systems, while the second subnet contains all of the servers. The client subnet and the server subnet are separated by a session based, stateful, packet filtering firewall. The firewall is unidirectional; it only permits traffic that is initiated from a client to a server. Servers are allowed to reply to clients, but they can not initiate communication, TCP or UDP, to a client. Surprisingly, this example does not break Microsoft or most application [*1] protocols. The result is counterintuitive, but analysis and testing support this assertion.
<SNIP>
Questions? (aka, what have I missed?)
One thing that will be a problem with this is the new trend for Windows sysadmins to use RDP to administer the desktops. You can set up additional firewall rules to do this, but each exception to the policy complicates things as well as making them less secure.
David Lang

-- There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
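The two-subnet, unidirectional stateful policy quoted above, and the RDP exception the reply warns about, can be modelled in a few dozen lines. The following is an added illustration, not code from either poster: a toy session-tracking filter in Python. The subnets, hosts, ports and packets are constructed sample values, and the `exceptions` parameter is a hypothetical way of expressing the "server may initiate to client on this port" holes that administrative RDP would require.

```python
"""Toy model of a unidirectional, session-based packet filter between a
client subnet and a server subnet (added example; all values constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT_NET = ip_network("10.1.0.0/24")   # constructed: all workstations
SERVER_NET = ip_network("10.2.0.0/24")   # constructed: all servers


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for a TCP segment that opens a connection


class StatefulFirewall:
    """Permits client -> server initiation only; servers may only reply."""

    def __init__(self, exceptions=None):
        # Sessions recorded as the 5-tuple of the packet that opened them.
        self.table = set()
        # Hypothetical exceptions: (proto, dport) pairs a server may open
        # towards a client. Every entry is a directional hole in the policy.
        self.exceptions = set(exceptions or [])

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        # 1. Replies belonging to a recorded session pass in either direction.
        if self._reverse_key(p) in self.table:
            return "ACCEPT"
        # 2. Further packets from the initiator of a recorded session pass.
        if self._key(p) in self.table:
            return "ACCEPT"
        # 3. A TCP segment that is neither in-session nor a SYN is out of
        #    state: the "session based" part of the policy drops it.
        if p.proto == "tcp" and not p.syn:
            return "DROP"
        # 4. Client-initiated traffic to a server is allowed and recorded.
        if src in CLIENT_NET and dst in SERVER_NET:
            self.table.add(self._key(p))
            return "ACCEPT"
        # 5. Server-initiated traffic to a client passes only via an exception.
        if src in SERVER_NET and dst in CLIENT_NET:
            if (p.proto, p.dport) in self.exceptions:
                self.table.add(self._key(p))
                return "ACCEPT"
            return "DROP"
        return "DROP"


def run_scenario(exceptions=None):
    """Replay a constructed traffic sample; returns {description: verdict}."""
    fw = StatefulFirewall(exceptions)
    sample = [
        ("client opens SMB to server",
         Packet("10.1.0.5", 40000, "10.2.0.10", 445, "tcp", syn=True)),
        ("server replies on that SMB session",
         Packet("10.2.0.10", 445, "10.1.0.5", 40000, "tcp")),
        ("client DNS query to server",
         Packet("10.1.0.5", 53001, "10.2.0.10", 53, "udp")),
        ("server DNS answer",
         Packet("10.2.0.10", 53, "10.1.0.5", 53001, "udp")),
        ("unsolicited non-SYN from server",
         Packet("10.2.0.10", 445, "10.1.0.7", 40001, "tcp")),
        ("admin host on server subnet opens RDP to desktop",
         Packet("10.2.0.20", 50000, "10.1.0.5", 3389, "tcp", syn=True)),
        ("desktop replies on that RDP session",
         Packet("10.1.0.5", 3389, "10.2.0.20", 50000, "tcp")),
    ]
    return {desc: fw.filter(pkt) for desc, pkt in sample}


if __name__ == "__main__":
    for title, exc in (("base policy", None), ("with RDP exception", [("tcp", 3389)])):
        print(f"--- {title} ---")
        for desc, verdict in run_scenario(exc).items():
            print(f"{verdict:6} {desc}")
```

Under the base policy the RDP attempt and its would-be reply are both dropped; adding the single `("tcp", 3389)` exception admits them, which is exactly the trade-off the reply describes: the rule set still looks "unidirectional" but now contains a server-to-client hole that has to be reasoned about separately.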