Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Claussen, Ken" <Ken () kccweb com>
Date: Wed, 12 May 2004 11:51:16 -0400

Is this really so hard to set up Thin Client access for mobile users? 
If your existing links are not "Sturdy" enough to handle some additional
Thin Client traffic you have bigger problems. In most cases this will
reduce the overall WAN/Internet traffic as opposed to Fat Clients (Full
Desktops).
We use the same Internet connection for access to our Citrix servers as
we do for general Internet Access. Since most of the access happens
after hours, it balances itself pretty well. In addition the Citrix
client uses minimal bandwidth when used with applications which are not
graphics intensive. This solution works very well for our Roaming
Laptops. They are put in a DMZ and then access all Corporate apps
through Citrix. The only open port to the inside for these folks is
Citrix. They do not have rights to the servers' drives so transfer of
Viruses is difficult if not impossible. In addition the same servers
used for the DMZ folks are also used for External users, we did not need
to provision extra servers to make this work. The DMZ also has access to
Windows Update (across the Internet) and our AV Vendors update site. 

We also use Windows IPSec Policy to block access to most ports
(135,137,139,445,1026,etc) for Inbound traffic and certain high Risk
(25,81,IRC,135,137,139,445,1026,etc) ports for Outbound traffic. This
works well since these laptops are not part of the domain and don't need
these ports open, plus it is free (with Windows). This also keeps them
from transmitting an infection to internal systems via Netbios/SMB if
they accidentally connect to the Internal Network.  They know they are
not supposed to, but it still happens.
Ken

-----Original Message-----
From: Gwendolynn ferch Elydyr [mailto:gwen () reptiles org] 
Sent: Monday, May 10, 2004 3:48 PM
To: Mason Schmitt
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility

<Snip>
...
<Snip/>
The thin client gets around this headache nicely.

... and gets you back into a different set of headaches - provisioning
servers and links that are sturdy enough to handle a pile of remote
connections.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and
profound desire for fish and an equally deep, passionate and profound
desire to avoid getting wet.  This is the defining metaphor of my life
right now."

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
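
The IPSec port blocking described in the message above for the roaming laptops could be built along these lines. This is an added example, not part of the original message. It assumes a Windows release that provides the "netsh ipsec static" context, blocks each listed port for both TCP and UDP, takes IRC to mean port 6667, and uses hypothetical policy and filter list names.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumptions: "netsh ipsec static" is available; TCP and UDP are both blocked
# for every port; IRC = 6667; all names below are hypothetical.
$policy   = 'RoamingLaptopLockdown'
$inbound  = 135, 137, 139, 445, 1026              # ports named in the post ("etc" not expanded)
$outbound = 25, 81, 6667, 135, 137, 139, 445, 1026

# One policy, one shared "block" action, one filter list per direction.
netsh ipsec static add policy name=$policy
netsh ipsec static add filteraction name=BlockTraffic action=block
netsh ipsec static add filterlist name=LaptopInbound
netsh ipsec static add filterlist name=LaptopOutbound

foreach ($proto in 'TCP', 'UDP') {
    foreach ($port in $inbound) {
        # Any host -> this laptop, destination port $port.
        # mirrored=no keeps the filter one-directional.
        netsh ipsec static add filter filterlist=LaptopInbound `
            srcaddr=any dstaddr=me protocol=$proto dstport=$port mirrored=no
    }
    foreach ($port in $outbound) {
        # This laptop -> any host, destination port $port.
        netsh ipsec static add filter filterlist=LaptopOutbound `
            srcaddr=me dstaddr=any protocol=$proto dstport=$port mirrored=no
    }
}

# Bind each filter list to the block action, then activate the policy.
netsh ipsec static add rule name=BlockInbound policy=$policy `
    filterlist=LaptopInbound filteraction=BlockTraffic
netsh ipsec static add rule name=BlockOutbound policy=$policy `
    filterlist=LaptopOutbound filteraction=BlockTraffic
netsh ipsec static set policy name=$policy assign=y

# Review what was applied.
netsh ipsec static show policy name=$policy level=verbose
```

These filters are stateless: a block on a low port such as 1026 also drops replies to any outbound connection that happens to use that port as its local source port.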

