Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: David Lang
Date: 05/10/04

    To: Mason Schmitt
    Date: Mon, 10 May 2004 14:03:45 -0700 (PDT)

    On Mon, 10 May 2004, Mason Schmitt wrote:

    > On May 10, 2004 12:48 pm, Gwendolynn ferch Elydyr wrote:
    > > On Mon, 10 May 2004, Mason Schmitt wrote:
    > > > A recent SANS webcast talked about using true thin client hardware or
    > > > terminal server clients (and equivalents such as citrix, X, etc) for
    > > > providing remote users or risky users access to document stores, and
    > > > other LAN resources. I think that using a thin client as a security
    > > > tool is a great idea.
    > >
    > > Heh. What do they say? "Everything old is new again"?
    > >
    > It's bizarre how we follow ourselves around in circles. It won't be long
    > before everyone gets fed up with centralization and then begins to
    > decentralize using P2P...
    > > For the terminal server hardware, I've got a bit less to say [but are
    > > you -sure- where that image came from?] - but in the case of the
    > > software thin clients, you're -still- running on a platform with
    > > unknown security, and reaching into the enterprise. Thin clients also
    > > don't address the question of having a box with a live connection to
    > > the Internet and your enterprise - it just moves it around.
    > >
    > Yes, but the imposition of another layer (the terminal server) in between the
    > internal resource and the VPN client does give you extra separation and
    > potentially more fine grained control over who has access to what. So, rather
    > than having a VPN tunneling the big bad world into your network, you only
    > allow the VPN to talk to the terminal server. From the terminal server you
    > should then be able to restrict access to only those resources that are
    > necessary.

    Also who said that the terminal server needs a full VPN connection? when
    you have a remote machine connected through a VPN using current desktop
    software (i.e. microsoft) you end up needing to allow virtually everything
    in order for the remote machine to be able to function.

    if you are using citrix you have two choices

    1. trust the citrix encryption authentication and run it directly over the
    Internet (no VPN)

    2. create a VPN and run citrix through that, and put in a firewall to
    allow only the one TCP port for citrix through to the internal citrix

    in either case you have reduced your security exposure from 'all ports
    from any software running on the client' to ' they have to hack the citrix
    server and launch their attack from there'

    it's far easier to instrument the one citrix server to catch someone
    hacking at it than it is to do the same thing to every remote machine.

    now if you allow citrix to access the disks on the remote machines you
    weaken this noticeably, but it's still a matter of someone opening/running
    an infected binary rather than a memory resident program being able to
    attack you.

    David Lang
    firewall-wizards mailing list
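The choke-point design David describes in option 2 (VPN clients may reach only one TCP port on the Citrix server, everything else from the VPN is dropped and logged) can be written down as a small firewall policy. The script below is an added example, not code from the original post or from the firewall-wizards list; the VPN subnet and Citrix address are constructed placeholders, and the ICA listener on TCP 1494 is an assumption to adjust for your own deployment. It prints the iptables rules rather than applying them, so the policy can be reviewed before it is piped to a shell on the firewall, and `check_rules` verifies that the generated policy really does contain exactly one rule admitting new connections.

```shell
#!/bin/sh
# Added example (not from the original post): generate the iptables rules for a
# "VPN -> one TCP port -> Citrix server" choke point. Addresses are constructed
# placeholders; ICA on TCP 1494 is an assumption (use 2598 if you run CGP).
VPN_NET="${VPN_NET:-10.8.0.0/24}"          # constructed: addresses handed to VPN clients
CITRIX_HOST="${CITRIX_HOST:-192.0.2.10}"   # constructed: the internal Citrix server
ICA_PORT="${ICA_PORT:-1494}"               # assumption: ICA listener port

# Emit the rules instead of running them so they can be reviewed first.
gen_rules() {
    cat <<EOF
iptables -N VPN_TO_LAN
iptables -A FORWARD -s $VPN_NET -j VPN_TO_LAN
iptables -A VPN_TO_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_TO_LAN -p tcp -d $CITRIX_HOST --dport $ICA_PORT -m state --state NEW -j ACCEPT
iptables -A VPN_TO_LAN -m limit --limit 5/min -j LOG --log-prefix "VPN-DENY: "
iptables -A VPN_TO_LAN -j DROP
EOF
}

# Sanity-check the generated policy: exactly one rule admits NEW connections,
# that rule targets the Citrix port, and the chain ends in DROP.
check_rules() {
    rules=$(gen_rules)
    accepts=$(printf '%s\n' "$rules" | grep -c -- '--state NEW -j ACCEPT')
    [ "$accepts" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport $ICA_PORT" || return 1
    printf '%s\n' "$rules" | grep -q -- '-j DROP$' || return 1
    return 0
}

if [ "${1:-}" = "--check" ]; then
    check_rules && echo "policy ok"
else
    gen_rules
fi
```

The LOG rule before the final DROP is what makes the "instrument the one citrix server" point cheap to act on: every VPN client that tries to reach anything other than the ICA port shows up as a `VPN-DENY:` line in the firewall log, which is a far smaller stream to watch than the traffic of every remote desktop.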
