Firewall Wizards mailing list archives
Re: Worms, Air Gaps and Responsibility
From: Mason Schmitt <hr824 () sunwave net>
Date: Mon, 10 May 2004 13:36:24 -0700
On May 10, 2004 12:48 pm, Gwendolynn ferch Elydyr wrote:
> On Mon, 10 May 2004, Mason Schmitt wrote:
> > A recent SANS webcast talked about using true thin client hardware or terminal server clients (and equivalents such as Citrix, X, etc.) for providing remote users or risky users access to document stores and other LAN resources. I think that using a thin client as a security tool is a great idea.
>
> Heh. What do they say? "Everything old is new again"?
It's bizarre how we follow ourselves around in circles. It won't be long before everyone gets fed up with centralization and then begins to decentralize using P2P...
> For the terminal server hardware, I've got a bit less to say [but are you -sure- where that image came from?] - but in the case of the software thin clients, you're -still- running on a platform with unknown security, and reaching into the enterprise. Thin clients also don't address the question of having a box with a live connection to the Internet and your enterprise - it just moves it around.
Yes, but the imposition of another layer (the terminal server) in between the internal resource and the VPN client does give you extra separation and potentially more fine-grained control over who has access to what. So, rather than having a VPN tunneling the big bad world into your network, you only allow the VPN to talk to the terminal server. From the terminal server you should then be able to restrict access to only those resources that are necessary. I'm thinking of implementing this by putting a Linux box in a DMZ running X (listening to localhost only) and allowing ssh connections to the box and then tunneling an X session through the ssh connection. On the Linux box, I can use iptables to write rules based upon users and groups so that way I can control each user's or each group's access to a particular resource. Does this seem like a reasonable approach to the problem for a small number of users (5)? None of my users need to actually grab files from a LAN fileserver and take them elsewhere; they mostly need it to access in-house apps that are only accessible on the LAN.
> ... and gets you back into a different set of headaches - provisioning servers and links that are sturdy enough to handle a pile of remote connections.
For a small number of remote users, this need not be a big headache.

--
Mason Schmitt
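The DMZ jump-host design Mason describes (ssh in, X tunnelled over ssh, iptables rules keyed on the local user or group) can be sketched as a rule generator. The script below is an added example, not code from the thread or from any poster; the interface name eth1, the users alice and bob, the group ops, and the LAN addresses and ports are all constructed placeholders. It relies on two real mechanisms: the iptables `owner` match (`--uid-owner` / `--gid-owner`), which only applies to locally generated packets in the OUTPUT chain and therefore fits exactly this case, where the in-house apps run on the jump host inside the user's X session, and the sshd settings that keep X11 on the loopback interface and stop users from port-forwarding straight past the per-user rules. It prints the rules rather than applying them, so it can be reviewed before being piped to a shell as root.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables OUTPUT
# rules for a DMZ jump host so that each ssh/X user can reach only the LAN
# services they need. Everything below (eth1, users, group, addresses) is a
# constructed placeholder policy. The script only prints rules; review them,
# then pipe to `sh` as root to apply.

LAN_IF="eth1"

# Constructed policy, one entry per line:
#   "<user|group> <name> <dest_ip> <proto> <port>"
POLICY='
user alice 10.0.1.10 tcp 8080
user bob   10.0.1.20 tcp 1521
group ops  10.0.1.30 tcp 22
'

# Baseline: default-deny everything the jump host originates, keep loopback
# (where the X server listens) and replies to already-accepted connections.
gen_baseline() {
    printf 'iptables -P OUTPUT DROP\n'
    printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# One ACCEPT per policy line, keyed on the owner of the sending process.
# The owner match works only in OUTPUT (locally generated traffic), which is
# why the apps must actually run on this box rather than be forwarded through.
gen_policy_rules() {
    printf '%s\n' "$POLICY" | while read -r kind name dst proto port; do
        [ -z "$kind" ] && continue
        case "$kind" in
            user)  owner="--uid-owner $name" ;;
            group) owner="--gid-owner $name" ;;
            *)     echo "bad policy line: $kind" >&2; exit 1 ;;
        esac
        printf 'iptables -A OUTPUT -o %s -m owner %s -d %s -p %s --dport %s -j ACCEPT\n' \
            "$LAN_IF" "$owner" "$dst" "$proto" "$port"
    done
}

# Full rule set: baseline first, then the per-user/per-group exceptions.
gen_rules() {
    gen_baseline
    gen_policy_rules
}

# sshd_config fragment for the jump host: X11 stays on loopback, and users
# cannot open their own TCP forwards or tunnels that would bypass the
# per-user OUTPUT rules above.
gen_sshd_config() {
    cat <<'EOF'
X11Forwarding yes
X11UseLocalhost yes
AllowTcpForwarding no
PermitTunnel no
EOF
}

gen_rules
```

Run it as `sh jumphost-rules.sh | less` to review, and `gen_sshd_config` shows the matching sshd_config lines. The default-deny OUTPUT policy is the important part: without it the owner rules only add permissions, and a user whose process is not matched would still reach the whole LAN.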