My apologies for not being more specific. The proposal is to allow Terminal Server access from a remote dialup DMZ to a server on the internal network.

My feelings are as you have expressed, but I wanted to make sure I wasn't being overly cautious.

The argument, by the way, has been "if you trust them at work, then why can't they be trusted at home?".

Kevin Lundy said:
What is the recommendation (best practice) to provide dial-in access? Would you provide dial-up with TCP/IP and still require SecureRemote? A little cumbersome, I think, but I sure wouldn't want to take chances.

This is probably my biggest concern. Our dial-in access uses SecurID, so I feel confident that the access is secure (I'm trusting the phone company, should I?), however, I don't know where they are dialing in from. If it's a standalone pc, great. If it's on a network (Cable, DSL, who knows what), I envision someone using the dialing user's pc as their launch pad into our network.

Terminal Server is just one possible solution for external access that is already being implemented on the internal network. Ultimately, what everyone really wants is access to everything that they can get to from work, from anywhere, using SecurID. Since I don't want data flying in the clear, there has to be some kind of "front end". Does Terminal Server have such a front end? Is there a product that uses SSL or HTTPS that can be utilized this way securely? Any and all ideas are welcome.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 8:40 PM
To: Tucker, Greg; [EMAIL PROTECTED]
Subject: RE: [FW1] Microsoft Terminal Server Concerns
Importance: High

I probably would have spent more time answering this question if the author had spent more time explaining the configuration, along with the proposed entry of Terminal Server into the environment. The obvious answer is, if the Terminal Server is on the DMZ, then why in the heck would you do it? You are opening a wide hole to segmented servers. If the terminal server is on the internal net, then you open every host not being protected by the fw.

Why not let the firewall do its job and do some sort of encryption?

Thomas Poole

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 07, 2000 5:16 PM
To: 'Fw-1-Mailinglist (E-mail)'
Subject: RE: [FW1] Microsoft Terminal Server Concerns

I hate to make assumptions, but can I assume that since no one responded to this, that nobody has any concerns???

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tucker, Greg
Sent: Wednesday, July 05, 2000 1:58 PM
To: 'Fw-1-Mailinglist (E-mail)'
Subject: [FW1] Microsoft Terminal Server Concerns

I've had a request to allow dial-up access to Microsoft Terminal Server.

Can anyone list concerns, or point me to a site that discusses what security issues to be concerned about when allowing this capability?

Thanks.
