Firewall Wizards mailing list archives
Re: Worms, Air Gaps and Responsibility
From: David Lang <david.lang () digitalinsight com>
Date: Mon, 10 May 2004 14:03:45 -0700 (PDT)
On Mon, 10 May 2004, Mason Schmitt wrote:
On May 10, 2004 12:48 pm, Gwendolynn ferch Elydyr wrote:On Mon, 10 May 2004, Mason Schmitt wrote:A recent SANS webcast talked about using true thin client hardware or terminal server clients (and equivalents such as citrix, X, etc) for providing remote users or risky users access to document stores, and other LAN resources. I think that using a thin client as a security tool is a great idea.Heh. What do they say? "Everything old is new again"?It's bizarre how we follow ourselves around in circles. It won't be long before everyone gets fed up with centralization and then begins to decentralize using P2P...For the terminal server hardware, I've got a bit less to say [but are you -sure- where that image came from?] - but in the case of the software thin clients, you're -still- running on a platform with unknown security, and reaching into the enterprise. Thin clients also don't address the question of having a box with a live connection to the Internet and your enterprise - it just moves it around.Yes, but the imposition of another layer (the terminal server) in between the internal resource and the VPN client does give you extra separation and potentially more fine grained control over who has access to what. So, rather than having a VPN tunneling the big bad world into your network, you only allow the VPN to talk to the terminal server. From the terminal server you should then be able to restrict access to only those resources that are necessary.
Also who said that the terminal server needs a full VPN connection? when you have a remote machine connected through a VPN useing current desktop software (i.e. microsoft) you end up needing to allow virtually everything in order for the remote machine to be able to function. if you are useing citrix you have two choices 1. trust the citrix encryption authentication and run it directly over the Internet (no VPN) 2. create a VPN and run citrix through that, and put in a firewall to allow only the one TCP port for citrix through to the internal citrix server. in either case you have reduced your security exposure from 'all ports from any software running on the client' to ' they have to hack the citrix server and launch their attack from there' it's far easier to instrament the one citrix server to catch someone hacking at it then it is to do the same thing to every remote machine. now if you allow citrix to access the disks on the remote machines you weaken this noticably, but it's still a matter of someone opening/running an infected binary rather then a memory resident program being able to attack you. David Lang _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re[2]: Worms, Air Gaps and Responsibility, (continued)
- Re[2]: Worms, Air Gaps and Responsibility Marcus J. Ranum (May 07)
- Re[2]: Worms, Air Gaps and Responsibility Eric Maiwald (May 07)
- Re: Worms, Air Gaps and Responsibility Vinicius Moreira Mello (May 10)
- Re: Worms, Air Gaps and Responsibility Bret Watson (May 10)
- Re: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 10)
- Re: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- Re: Worms, Air Gaps and Responsibility Mason Schmitt (May 10)
- Re: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- Re: Worms, Air Gaps and Responsibility Mason Schmitt (May 10)
- Re: Worms, Air Gaps and Responsibility David Lang (May 10)
- Re: Worms, Air Gaps and Responsibility George Capehart (May 07)
- RE: Worms, Air Gaps and Responsibility Marcus J. Ranum (May 06)
- Re: Worms, Air Gaps and Responsibility Crispin Cowan (May 07)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 07)
- Re: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 07)
- Re: Worms, Air Gaps and Responsibility Paul D. Robertson (May 07)
- Re: Worms, Air Gaps and Responsibility Bennett Todd (May 07)
- Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 07)