Re: [fw-wiz] Worms, Air Gaps and Responsibility
From: David Lang (david.lang_at_digitalinsight.com)
To: Mason Schmitt <email@example.com> Date: Mon, 10 May 2004 14:03:45 -0700 (PDT)
On Mon, 10 May 2004, Mason Schmitt wrote:
> On May 10, 2004 12:48 pm, Gwendolynn ferch Elydyr wrote:
> > On Mon, 10 May 2004, Mason Schmitt wrote:
> > > A recent SANS webcast talked about using true thin client hardware or
> > > terminal server clients (and equivalents such as citrix, X, etc) for
> > > providing remote users or risky users access to document stores, and
> > > other LAN resources. I think that using a thin client as a security
> > > tool is a great idea.
> > Heh. What do they say? "Everything old is new again"?
> It's bizarre how we follow ourselves around in circles. It won't be long
> before everyone gets fed up with centralization and then begins to
> decentralize using P2P...
> > For the terminal server hardware, I've got a bit less to say [but are
> > you -sure- where that image came from?] - but in the case of the
> > software thin clients, you're -still- running on a platform with
> > unknown security, and reaching into the enterprise. Thin clients also
> > don't address the question of having a box with a live connection to
> > the Internet and your enterprise - it just moves it around.
> Yes, but the imposition of another layer (the terminal server) in between the
> internal resource and the VPN client does give you extra separation and
> potentially more fine grained control over who has access to what. So, rather
> than having a VPN tunneling the big bad world into your network, you only
> allow the VPN to talk to the terminal server. From the terminal server you
> should then be able to restrict access to only those resources that are
Also who said that the terminal server needs a full VPN connection? when
you have a remote machine connected through a VPN useing current desktop
software (i.e. microsoft) you end up needing to allow virtually everything
in order for the remote machine to be able to function.
if you are useing citrix you have two choices
1. trust the citrix encryption authentication and run it directly over the
Internet (no VPN)
2. create a VPN and run citrix through that, and put in a firewall to
allow only the one TCP port for citrix through to the internal citrix
in either case you have reduced your security exposure from 'all ports
from any software running on the client' to ' they have to hack the citrix
server and launch their attack from there'
it's far easier to instrament the one citrix server to catch someone
hacking at it then it is to do the same thing to every remote machine.
now if you allow citrix to access the disks on the remote machines you
weaken this noticably, but it's still a matter of someone opening/running
an infected binary rather then a memory resident program being able to
firewall-wizards mailing list