Re: [fw-wiz] Defense in Depth to the Desktop
From: David Lang (david.lang_at_digitalinsight.com)
Date: 12/25/04
- Previous message: David Lang: "Re: [fw-wiz] Security of HTTPS"
- In reply to: Chris Pugrud: "[fw-wiz] Defense in Depth to the Desktop"
To: Chris Pugrud <cpugrud@yahoo.com>
Date: Sat, 25 Dec 2004 03:01:59 -0800 (PST)
On Thu, 2 Dec 2004, Chris Pugrud wrote:
>
> Consider the following example of a simplified network. The network is divided
> into two subnets; one subnet contains all of the client systems, while the
> second subnet contains all of the servers. The client subnet and the server
> subnet are separated by a session based, stateful, packet filtering firewall.
> The firewall is unidirectional; it only permits traffic that is initiated from
> a client to a server. Servers are allowed to reply to clients, but they can
> not initiate communication, TCP or UDP, to a client.
>
> Surprisingly, this example does not break Microsoft or most application [*1]
> protocols. The result is counterintuitive, but analysis and testing support
> this assertion.
<SNIP>
> Questions? (aka, what have I missed?)
One thing that will be a problem with this is the new trend for Windows
sysadmins to use RDP to administer the desktops. You can set up additional
firewall rules to do this, but each exception to the policy complicates
things as well as making them less secure.
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
 -- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
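
The policy discussed in this thread, as an added example that is not part of the original messages: a minimal Python model of a stateful firewall that only permits client-initiated sessions, with the RDP exception scoped to a single administration host on TCP 3389. The subnets, the admin host address, the class and function names and every packet are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not taken from the thread).
CLIENTS = ipaddress.ip_network("10.0.1.0/24")
SERVERS = ipaddress.ip_network("10.0.2.0/24")
ADMIN_HOST = ipaddress.ip_address("10.0.2.10")  # hypothetical RDP admin station

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFirewall:
    def __init__(self, allow_admin_rdp=False):
        self.allow_admin_rdp = allow_admin_rdp
        self.sessions = set()  # flows whose first packet was permitted

    def _new_allowed(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src in CLIENTS and dst in SERVERS:
            return True  # base policy: clients may initiate to servers
        # The exception: one source host, one destination port, TCP only.
        return (self.allow_admin_rdp and src == ADMIN_HOST and dst in CLIENTS
                and p.proto == "tcp" and p.dport == 3389)

    def forward(self, p):
        """Return True if the packet is forwarded, False if dropped."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True  # belongs to an already-permitted session
        if self._new_allowed(p):
            self.sessions.add(fwd)
            return True
        return False

def demo():
    strict, with_rdp = StatefulFirewall(), StatefulFirewall(allow_admin_rdp=True)
    rdp = Packet("10.0.2.10", 50000, "10.0.1.25", 3389)
    return {
        "client_to_server": strict.forward(Packet("10.0.1.25", 40000, "10.0.2.5", 445)),
        "server_reply": strict.forward(Packet("10.0.2.5", 445, "10.0.1.25", 40000)),
        "rdp_without_exception": strict.forward(rdp),
        "rdp_with_exception": with_rdp.forward(rdp),
        "other_server_rdp": with_rdp.forward(Packet("10.0.2.5", 50000, "10.0.1.25", 3389)),
    }
```
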