RE: Worms, Air Gaps and Responsibility

["Mike McNutt" <mike.mcnutt () aqssys com>]

> -----Original Message-----
> From: Gwendolynn ferch Elydyr [mailto:gwen () reptiles org]
> Sent: Monday, May 10, 2004 2:48 PM
> To: Mason Schmitt

[...]

> On Mon, 10 May 2004, Mason Schmitt wrote:
> > A recent SANS webcast talked about using true thin client 
> hardware or
> > terminal server clients (and equivalents such as citrix, X, etc) for
> > providing remote users or risky users access to document stores, and
> > other LAN resources.  I think that using a thin client as a security
> > tool is a great idea.
>
> Heh. What do they say? "Everything old is new again"?
>
> For the terminal server hardware, I've got a bit less to say [but are
> you -sure- where that image came from?] - but in the case of the

Are you suggesting that someone/something can hijack a thin-client connection and provide 
[accurate-in-terms-of-user-interaction] *false* images of the remote system?  Wow.  Never actually thought of that, 
myself.  At first glimpse, the effort seems daunting (but I guess anything is possible).

> software thin clients, you're -still- running on a platform with
> unknown security, and reaching into the enterprise.  

Care to expand on: "running on a platform with unknown security"?   Are you talking about the thin-client "client 
application" itself?  

> Thin clients also
> don't address the question of having a box with a live connection to
> the Internet and your enterprise - it just moves it around.

What exactly is the "question" related to having a box on the Internet that you are referring to?  It sounds like you 
are poo-pooing remote users' use of the Internet for connectivity to the office because the office has to maintain a 
connection to the Internet...  Is that bad?  Or is it *potentially* bad?

> > The thin client gets around this headache nicely.
>
> ... and gets you back into a different set of headaches - provisioning
> servers and links that are sturdy enough to handle a pile of remote
> connections.

... Which puts the resolution back in the hands of the administrator, so he/she at least has a chance of 
addressing/rectifying the problem.  I'll take that headache any day over the headche of reviewing/patching/protecting 
my systems from the infected ones.  Not like there is actually a choice, though.

I don't understand what point you are trying to make here; thin clients like Citrix or TS (I can't speak to X) 
certainly have a productive role for remote users and currently offer some real advantages over security concerns of 
other approaches.  It's the functionality vs. security arguement; you must assess the risk before making your choice, 
and thin-clients provide an awful lot of functionality for the security risk.  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards