On Fri, 5 Apr 2002, Mikael Olsson wrote:

> > [on L7 inspection]
> > There's an interesting counter-argument that entails giving up trying to
> > control what the lusers do. Give them AV, give them a desktop protection
> > product, and make them gateway into the corporate resources, or give them
> > "remote display" access only (Citrix, Terminal Server, Xwindows...)
>
> Interesting. I think I hate it, but, nevertheless, interesting.
>
> Doesn't this sort of break horribly as soon as someone lands a trojan
> on one of those desktops?

Well, you'd probably want the desktop protection thing to do some stopping
of that, and I suppose IDS, but a trojan on the desktop still only gets the
attacker the display of the luser in question, and no direct server
compromise.

> (I myself generally use remote display type stuff to tunnel OUT to
> less secure networks rather than the other way around so I haven't
> given too much thought to it.)

That's an additional mechanism.

> > It's not the admin that wants that stuff, it's the admin that has to
> > enable that stuff, and when it's a checkbox with no consistency of
> > inspection or tracking it doesn't matter which type of firewall you have.
> > There are enough bad examples on all sides.
>
> Sheesh, aren't you staying current? ;)
>
> The everyday admin these days isn't getting high blood pressure over
> users and management demanding new services. The everyday admin these
> days is the tech-savvy luser that wants to run kazaa to get movies and
> games, and then play said games, and that swears over firewall vendors
> being slow in supporting SIP and NAT traversal through UPnP [2].

*laf*

> [2] UPnP looks like a nice can of worms. I wonder who'll be first in
> convincing some internal application to bore inbound holes through
> UPnP-enabled firewalls for them.

I'm waiting for the first UPnP Linux-loading worm ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
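The footnote about internal applications boring inbound holes through UPnP-enabled firewalls is where an admin would want an inventory of what is actually being requested on the LAN side. The following is an added example, not code from the post or from the list: it parses the SOAP AddPortMapping requests that a UPnP client POSTs to an Internet Gateway Device control URL and reports what each one would expose. The service and argument names are those of the UPnP IGD WANIPConnection/WANPPPConnection services; the capture, client addresses, ports and descriptions are constructed.

```python
"""Inventory UPnP IGD AddPortMapping requests captured on the LAN side.
Added example, not code from the mailing-list post; the capture is constructed."""
import xml.etree.ElementTree as ET

# Service types whose AddPortMapping action opens an inbound hole on the gateway.
IGD_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANIPConnection:2",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")


def parse_port_mapping(soap_xml):
    """Arguments of an AddPortMapping action, or None for any other action
    (DeletePortMapping, GetExternalIPAddress, ...)."""
    root = ET.fromstring(soap_xml)
    for svc in IGD_SERVICES:
        action = root.find(f".//{{{svc}}}AddPortMapping")
        if action is not None:
            break
    else:
        return None

    def arg(name, default=""):
        el = action.find(name)          # argument elements carry no namespace
        val = (el.text or "").strip() if el is not None else ""
        return val or default

    return {"remote_host": arg("NewRemoteHost"),
            "external_port": int(arg("NewExternalPort", "0")),
            "protocol": arg("NewProtocol").upper(),
            "internal_port": int(arg("NewInternalPort", "0")),
            "internal_client": arg("NewInternalClient"),
            "enabled": arg("NewEnabled") == "1",
            "description": arg("NewPortMappingDescription"),
            "lease": int(arg("NewLeaseDuration", "0"))}


def assess(mapping):
    """Reasons a mapping deserves a look; empty when the mapping is disabled."""
    if not mapping["enabled"]:
        return []
    reasons = []
    if not mapping["remote_host"]:          # empty NewRemoteHost = any source
        reasons.append("accepts connections from any remote host")
    if mapping["lease"] == 0:               # 0 = no expiry
        reasons.append("permanent lease (outlives the application)")
    if mapping["external_port"] < 1024:
        reasons.append("privileged external port")
    return reasons


def scan_capture(capture):
    """capture: iterable of (lan_client_ip, soap_xml) taken from the POSTs to
    the gateway's control URL. One finding per AddPortMapping request."""
    findings = []
    for client_ip, body in capture:
        m = parse_port_mapping(body)
        if m is None:                       # some other IGD action
            continue
        findings.append({"requested_by": client_ip,
                         "exposes": f"{m['internal_client']}:{m['internal_port']}/{m['protocol']}",
                         "external_port": m["external_port"],
                         "description": m["description"],
                         "reasons": assess(m)})
    return findings


def _envelope(action, args):
    """Wrap action arguments in a SOAP envelope (builds the constructed sample)."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{action} xmlns:u="{IGD_SERVICES[0]}">{args}</u:{action}>'
            '</s:Body></s:Envelope>')


# Constructed capture: a file-sharing client opening a permanent hole, a
# disabled SIP mapping, and a DeletePortMapping that must not be reported.
SAMPLE_CAPTURE = [
    ("192.168.1.23", _envelope("AddPortMapping",
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>1214</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol><NewInternalPort>1214</NewInternalPort>"
        "<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>kazaa</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>")),
    ("192.168.1.40", _envelope("AddPortMapping",
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>5060</NewExternalPort>"
        "<NewProtocol>UDP</NewProtocol><NewInternalPort>5060</NewInternalPort>"
        "<NewInternalClient>192.168.1.40</NewInternalClient><NewEnabled>0</NewEnabled>"
        "<NewPortMappingDescription>sip</NewPortMappingDescription>"
        "<NewLeaseDuration>3600</NewLeaseDuration>")),
    ("192.168.1.23", _envelope("DeletePortMapping",
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>1214</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol>")),
]

if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_CAPTURE):
        print(finding)
```

Working from the SOAP body rather than the SOAPAction header means the same code runs over whatever a proxy or IDS logged of the POST. An empty NewRemoteHost and a NewLeaseDuration of 0 are the cases worth surfacing first: together they describe a hole open to any source that the gateway will keep after the application that asked for it is gone, which is exactly the "can of worms" the thread is worried about.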
