RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Claussen, Ken (Ken_at_kccweb.com)
Date: 05/12/04

    To: "Gwendolynn ferch Elydyr" <gwen@reptiles.org>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 12 May 2004 11:51:16 -0400
    
    

    Is this really so hard to set up Thin Client access for mobile users?
    If your existing links are not "Sturdy" enough to handle some additional
    Thin Client traffic you have bigger problems. In most cases this will
    reduce the overall WAN/Internet traffic as opposed to Fat Clients (Full
    Desktops).
    We use the same Internet connection for access to our Citrix servers as
    we do for general Internet Access. Since most of the access happens
    after hours, it balances itself pretty well. In addition the Citrix
    client uses minimal bandwidth when used with applications which are not
    graphics intensive. This solution works very well for our Roaming
    Laptops. They are put in a DMZ and then access all Corporate apps
    through Citrix. The only open port to the inside for these folks is
    Citrix. They do not have rights to the servers' drives so transfer of
    Viruses is difficult if not impossible. In addition the same servers
    used for the DMZ folks are also used for External users; we did not need
    to provision extra servers to make this work. The DMZ also has access to
    Windows Update (across the Internet) and our AV Vendor's update site.

    We also use Windows IPSec Policy to block access to most ports
    (135,137,139,445,1026,etc) for Inbound traffic and certain high Risk
    (25,81,IRC,135,137,139,445,1026,etc) ports for Outbound traffic. This
    works well since these laptops are not part of the domain and don't need
    these ports open, plus it is free (with Windows). This also keeps them
    from transmitting an infection to internal systems via NetBIOS/SMB if
    they accidentally connect to the Internal Network. They know they are
    not supposed to, but it still happens.
    Ken

    -----Original Message-----
    From: Gwendolynn ferch Elydyr [mailto:gwen@reptiles.org]
    Sent: Monday, May 10, 2004 3:48 PM
    To: Mason Schmitt
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility

    <Snip>
    ...
    <Snip/>
    > The thin client gets around this headache nicely.

    ... and gets you back into a different set of headaches - provisioning
    servers and links that are sturdy enough to handle a pile of remote
    connections.

    cheers!
    ==========================================================================
    "A cat spends her life conflicted between a deep, passionate and
    profound desire for fish and an equally deep, passionate and profound
    desire to avoid getting wet. This is the defining metaphor of my life
    right now."

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
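
The Windows IPSec port-blocking policy described in the message above, sketched with `netsh ipsec static` as an added example that is not part of the original post. The port numbers are the ones listed in the message; the policy, filter-list and action names are hypothetical, 6667 is an assumed stand-in for "IRC", blocking both TCP and UDP is an assumption because the message names no protocols, and a Windows version that provides the `netsh ipsec static` context is assumed.

```powershell
# Added example. Names below are hypothetical; run from an elevated prompt.
$policy        = 'RoamingLaptopPorts'
$inboundPorts  = 135, 137, 139, 445, 1026
$outboundPorts = 25, 81, 6667, 135, 137, 139, 445, 1026   # 6667 assumed for "IRC"

# One policy, one blocking action, and a filter list per direction.
netsh ipsec static add policy name=$policy
netsh ipsec static add filteraction name=BlockAction action=block
netsh ipsec static add filterlist name=InboundBlocked
netsh ipsec static add filterlist name=OutboundBlocked

foreach ($proto in 'TCP', 'UDP') {
    foreach ($port in $inboundPorts) {
        # Inbound: any host -> this laptop, matched on destination port.
        netsh ipsec static add filter filterlist=InboundBlocked `
            srcaddr=any dstaddr=me protocol=$proto srcport=0 dstport=$port mirrored=no
    }
    foreach ($port in $outboundPorts) {
        # Outbound: this laptop -> any host, matched on destination port.
        # mirrored=no keeps the rule one-directional, so replies to other
        # traffic that happen to use these source ports are not affected.
        netsh ipsec static add filter filterlist=OutboundBlocked `
            srcaddr=me dstaddr=any protocol=$proto srcport=0 dstport=$port mirrored=no
    }
}

# Bind each filter list to the block action, then assign the policy.
netsh ipsec static add rule name=BlockInbound  policy=$policy `
    filterlist=InboundBlocked  filteraction=BlockAction
netsh ipsec static add rule name=BlockOutbound policy=$policy `
    filterlist=OutboundBlocked filteraction=BlockAction
netsh ipsec static set policy name=$policy assign=y

# Review what was actually stored before relying on it.
netsh ipsec static show policy name=$policy level=verbose
```

Because the outbound list includes the NetBIOS/SMB ports, a laptop carrying this policy cannot reach file shares on any network it is plugged into, which is the behaviour the message relies on for machines that are not domain members.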

