RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Claussen, Ken
Date: 05/12/04

    To: "Gwendolynn ferch Elydyr" <>, <>
    Date: Wed, 12 May 2004 11:51:16 -0400

    Is it really so hard to set up Thin Client access for mobile users?
    If your existing links are not "Sturdy" enough to handle some additional
    Thin Client traffic you have bigger problems. In most cases this will
    reduce the overall WAN/Internet traffic as opposed to Fat Clients (Full
    We use the same Internet connection for access to our Citrix servers as
    we do for general Internet Access. Since most of the access happens
    after hours, it balances itself pretty well. In addition the Citrix
    client uses minimal bandwidth when used with applications which are not
    graphics intensive. This solution works very well for our Roaming
    Laptops. They are put in a DMZ and then access all Corporate apps
    through Citrix. The only open port to the inside for these folks is
    Citrix. They do not have rights to the servers' drives so transfer of
    Viruses is difficult if not impossible. In addition the same servers
    used for the DMZ folks are also used for External users, we did not need
    to provision extra servers to make this work. The DMZ also has access to
    Windows Update (across the Internet) and our AV Vendors update site.

    We also use Windows IPSec Policy to block access to most ports
    (135,137,139,445,1026,etc) for Inbound traffic and certain high Risk
    (25,81,IRC,135,137,139,445,1026,etc) ports for Outbound traffic. This
    works well since these laptops are not part of the domain and don't need
    these ports open, plus it is free (with Windows). This also keeps them
    from transmitting an infection to internal systems via NetBIOS/SMB if
    they accidentally connect to the Internal Network. They know they are
    not supposed to, but it still happens.

    -----Original Message-----
    From: Gwendolynn ferch Elydyr []
    Sent: Monday, May 10, 2004 3:48 PM
    To: Mason Schmitt
    Subject: Re: [fw-wiz] Worms, Air Gaps and Responsibility

    > The thin client gets around this headache nicely.

    ... and gets you back into a different set of headaches - provisioning
    servers and links that are sturdy enough to handle a pile of remote

    "A cat spends her life conflicted between a deep, passionate and
    profound desire for fish and an equally deep, passionate and profound
    desire to avoid getting wet. This is the defining metaphor of my life
    right now."

    firewall-wizards mailing list
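The port-blocking IPSec policy described in the message above could be built as follows. This is an added example, not part of the original post and not the poster's own configuration. It assumes a Windows version that provides the `netsh ipsec static` context; the policy, filter list and rule names are hypothetical, blocking both TCP and UDP is an assumption, and 6667 for IRC is an assumption because the post names only "IRC".

```bat
@echo off
rem Added example: block-only IPSec policy for non-domain roaming laptops.
rem All names below are hypothetical, chosen for this illustration.
setlocal
set POLICY=RoamingLaptopPortBlock
set IN_LIST=InboundBlockedPorts
set OUT_LIST=OutboundBlockedPorts
set ACTION=BlockTraffic

rem Create the policy unassigned so nothing takes effect until it is complete.
netsh ipsec static add policy name=%POLICY% description="Port blocks for roaming laptops" assign=no
netsh ipsec static add filteraction name=%ACTION% action=block
netsh ipsec static add filterlist name=%IN_LIST%
netsh ipsec static add filterlist name=%OUT_LIST%

rem Inbound: any host to this machine, ports listed in the post.
rem mirrored=no keeps each filter one-directional.
for %%P in (135 137 139 445 1026) do (
  for %%T in (TCP UDP) do (
    netsh ipsec static add filter filterlist=%IN_LIST% srcaddr=any dstaddr=me protocol=%%T srcport=0 dstport=%%P mirrored=no
  )
)

rem Outbound: this machine to any host, high-risk ports listed in the post.
rem 6667 stands in for "IRC" (assumption).
for %%P in (25 81 6667 135 137 139 445 1026) do (
  for %%T in (TCP UDP) do (
    netsh ipsec static add filter filterlist=%OUT_LIST% srcaddr=me dstaddr=any protocol=%%T srcport=0 dstport=%%P mirrored=no
  )
)

rem Bind each filter list to the block action, then activate the policy.
netsh ipsec static add rule name=BlockInbound policy=%POLICY% filterlist=%IN_LIST% filteraction=%ACTION%
netsh ipsec static add rule name=BlockOutbound policy=%POLICY% filterlist=%OUT_LIST% filteraction=%ACTION%
netsh ipsec static set policy name=%POLICY% assign=y

rem Verify what was applied.
netsh ipsec static show policy name=%POLICY% level=verbose
endlocal
```

Because these filters are static and stateless, they keep blocking the listed ports regardless of which network the laptop is plugged into, which is what covers the accidental internal connection the post mentions.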
