Actually a simpler solution and also a way to keep costs down, is to colo
the Citrix box at any one of those major ISPs that provide the service.
Ensure the SLA is up to snuff, and let them be responsible if some hacks
at the box.
Insert a perimeter router with a specific rule set for that particular
application and deny everything else to the internal box. On the 2nd
interface on the internal box, enable IP filtering and a good ACL set.
If one wants to get fancy, install a Steel Belted RADIUS box somewhere
on the network, create a Citrix or application-specific admin group with
TTL rules etc.. and there you go.. no muss no fuss.. :)
##########################################################
'Turn on, Boot Up, Jack in'
#########################################################
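The "specific rule set for that particular application and deny everything else" advice above, modelled as a first-match perimeter ACL for the Win2K Terminal Server on TCP 3389 behind one-to-one NAT, with a few constructed flows walked through it. This is an added example, not code from the thread; all addresses are placeholder ranges.

```python
"""First-match ACL model for the perimeter router in front of the
Terminal Server: permit only RDP (TCP 3389) to the one NAT'd host, deny
everything else inbound. Addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
TS_INTERNAL = ipaddress.ip_network("10.0.5.10/32")  # TS, post-NAT (constructed)
INTERNAL_LAN = ipaddress.ip_network("10.0.0.0/8")   # the rest of the LAN (constructed)

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port

# Only the RDP service on the one host is reachable from outside; the
# explicit deny-all line closes the internal LAN to everything else.
PERIMETER_ACL = [
    Rule("permit", "tcp", ANY, TS_INTERNAL, 3389),
    Rule("deny", "any", ANY, INTERNAL_LAN),
]

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching rule wins; no match at all is an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in acl:
        if r.proto not in ("any", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

def audit(acl, flows):
    """Return the (proto, src, dst, dport, expected) flows whose verdict
    differs from what the policy intends; an empty list means no gaps."""
    return [f for f in flows if evaluate(acl, *f[:4]) != f[4]]

# Constructed flows an admin would check before opening the port.
FLOWS = [
    ("tcp", "203.0.113.7", "10.0.5.10", 3389, "permit"),  # RDP to the TS
    ("tcp", "203.0.113.7", "10.0.5.10", 445, "deny"),     # other service on the TS
    ("tcp", "203.0.113.7", "10.0.5.11", 3389, "deny"),    # RDP to a different host
    ("udp", "203.0.113.7", "10.0.1.1", 53, "deny"),       # anything else inside
]

if __name__ == "__main__":
    print("policy gaps:", audit(PERIMETER_ACL, FLOWS))
```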
On Wed, 5 Jul 2000 [EMAIL PROTECTED] wrote:
> Any system that is going to have "public" access should be placed in the
> DMZ but Terminal Server/Citrix servers present some special challenges
> because they are usually designed to permit outside access to internal
> systems. I can't speak to NT Terminal Server but the Citrix box I used
> did have an encrypted login procedure. This may make it possible to use
> domain authentication to login external users. Unfortunately it will be
> necessary to open some ports to get the server into the domain. My
> preference would be to establish local accounts on the server, run the
> application local and only grant access to the internal resources required
> by the application.
>
> This increases the admin factor slightly but provides better security. You
> might also consider establishing a separate domain for external users with
> associated "trust relationships" to the internal network. This is the
> approach that Microsoft uses.
>
> -- Bill Stackpole, CISSP
>
> "Bill Stewart" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 07/05/00 05:49 AM
> Please respond to bstewart
>
>
> To: <[EMAIL PROTECTED]>
> cc:
> Subject: Server placement
>
> Hi all,
>
> I am a new Network Admin and have a question about server placement behind
> a firewall. Is it better to place a publicly accessible server on the DMZ
> with a hardened OS or to place it behind the firewall with the appropriate
> ports open? I am using NAT so does this really add another level of
> security? More info: I'm getting a lot of pressure to have this box a
> member of our domain (rather than stand-alone, which I normally do). This
> is going to be a Win2K server running Terminal Services with the firewall
> opened up for RDP (TCP 3389) to the one machine (which is using one to one
> NAT). If the machine is only on the LAN and behind the firewall does the
> OS need to be hardened?
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]