Posted by rot-eron on October 16, 2005, 2:21 pm
Hi,
I recently came across a unique security architecture in an Insurance
Firm I am dealing with. They put a Citrix/TS farm in their DMZ, hosting
only IE and closed outbound port 80/443.
This way, internal users can *not* access the web, unless they use the
TS, which is easier to manage, easier to secure, and sits in the DMZ -
without access to the internal network. The additional benefit is that
the internal network is, in a way, separate/disconnected from the
Internet - with all the security benefits associated with that.
Has anyone seen this elsewhere?
What do you think of this approach to solving the browsing
security-related problems?
Rot
Posted by Duane Arnold on October 17, 2005, 12:00 am
@g44g2000cwa.googlegroups.com:
> Hi,
>
>
> I recently came across a unique security architecture in an Insurance
> Firm I am dealing with. They put a Citrix/TS farm in their DMZ, hosting
> only IE and closed outbound port 80/443.
>
> This way, internal users can *not* access the web, unless they use the
> TS, which is easier to manage, easier to secure, and sits in the DMZ -
> without access to the internal network. The additional benefit is that
> the internal network is, in a way, separate/disconnected from the
> Internet - with all the security benefits associated with that.
>
> Has anyone seen this elsewhere?
> What do you think of this approach to solving the browsing
> security-related problems?
>
No, and I have worked in a Citrix Terminal Server Farm situation. It
sounds kind of ridiculous.
Duane :)
Posted by on October 17, 2005, 8:07 am
If TS is only used for web browsing then yes, it's a good idea... I
wouldn't put critical apps on that TS though.
This pretty much fixes the spyware issue..
Posted by Volker Birk on October 17, 2005, 9:36 am
> I recently came across a unique security architecture in an Insurance
> Firm I am dealing with. They put a Citrix/TS farm in their DMZ, hosting
> only IE and closed outbound port 80/443.
It is very dumb to use the IE of all browsers.
> This way, internal users can *not* access the web, unless they use the
> TS, which is easier to manage, easier to secure, and sits in the DMZ -
> without access to the internal network. The additional benefit is that
> the internal network is, in a way, separate/disconnected from the
> Internet - with all the security benefits associated with that.
> Has anyone seen this elsewhere?
Yes. And it has many disadvantages. Just try to download a file.
> What do you think of this approach to solving the browsing
> security-related problems?
Nothing.
Yours,
VB.
--
"I am a free person and will now make use of my civil liberties - and
extensively so - of course only within the framework that Otto Schily
still leaves me."
Wolfgang Clement on 10.10.05, while still "super-minister"
Posted by Leythos on October 18, 2005, 1:05 am
rotero2@yahoo.com says...
> Hi,
>
>
> I recently came across a unique security architecture in an Insurance
> Firm I am dealing with. They put a Citrix/TS farm in their DMZ, hosting
> only IE and closed outbound port 80/443.
>
> This way, internal users can *not* access the web, unless they use the
> TS, which is easier to manage, easier to secure, and sits in the DMZ -
> without access to the internal network. The additional benefit is that
> the internal network is, in a way, separate/disconnected from the
> Internet - with all the security benefits associated with that.
>
> Has anyone seen this elsewhere?
> What do you think of this approach to solving the browsing
> security-related problems?
While it solves the problem of browsing the web, there is more to it
than just blocking outbound 80/443 from the client networks.
Putting a TS in the DMZ, and then allowing the TS box to access services
in the LAN, is the same as having the TS in the LAN for most purposes.
If the TS box is completely stand-alone, with no connection to the LAN
except through non-file/print/MS ports, allowing only things like SQL
data or some other service-based application connection, then it's a
good idea, since there is no means for a TS-authenticated user to
authenticate with any node on the LAN side.
If the TS is able to authenticate with the LAN nodes, then you have
compromised the security of the LAN-DMZ networks.
--
spam999free@rrohio.com
remove 999 in order to email me
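The design from the original post (internal clients may only reach the web through the DMZ terminal server farm) combined with Leythos's condition (the farm reaches the LAN only through a service port such as SQL, never file/print/MS ports), modelled as a first-match zone policy so the intended and unintended flows can be checked. This is an added example, not the insurance firm's or any poster's configuration; the addresses, port sets and rule order are assumptions.

```python
"""First-match firewall policy model for the DMZ terminal-server browsing design.
Addresses and ports are constructed for the example."""
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed): one LAN zone, one DMZ zone, everything else is INTERNET.
ZONES = {
    "LAN": ip_network("10.0.0.0/16"),
    "DMZ": ip_network("192.168.100.0/24"),
}
TS_FARM = ip_network("192.168.100.0/28")     # Citrix/TS hosts inside the DMZ
SQL_SERVER = ip_network("10.0.5.10/32")      # the only LAN service the farm may reach

def zone_of(ip):
    """Map an address to LAN, DMZ or INTERNET."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"

def _matches(spec, ip):
    """spec is either a zone name or an ip_network."""
    if isinstance(spec, str):
        return zone_of(ip) == spec
    return ip_address(ip) in spec

# (source, destination, TCP ports or None for any, action); first match wins, default deny.
POLICY = [
    ("LAN", TS_FARM, {3389, 1494, 2598}, "ALLOW"),   # RDP / ICA / CGP into the farm only
    (TS_FARM, "INTERNET", {80, 443}, "ALLOW"),       # only the farm may browse
    (TS_FARM, SQL_SERVER, {1433}, "ALLOW"),          # service-style access, per Leythos
    ("DMZ", "LAN", None, "DENY"),                    # no 445/139/135/88 etc. back into the LAN
    ("LAN", "INTERNET", None, "DENY"),               # outbound 80/443 closed for clients
]

def allowed(src, dst, port):
    """Evaluate a TCP flow src -> dst:port against POLICY."""
    for s, d, ports, action in POLICY:
        if _matches(s, src) and _matches(d, dst) and (ports is None or port in ports):
            return action == "ALLOW"
    return False  # implicit default deny

if __name__ == "__main__":
    flows = [("10.0.1.20", "203.0.113.5", 443),       # client browsing directly
             ("10.0.1.20", "192.168.100.3", 3389),    # client to the farm
             ("192.168.100.3", "203.0.113.5", 443),   # farm browsing
             ("192.168.100.3", "10.0.0.5", 445),      # farm to LAN SMB (must be denied)
             ("192.168.100.3", "10.0.5.10", 1433)]    # farm to SQL (allowed)
    for f in flows:
        print(f"{f[0]:>15} -> {f[1]:>15}:{f[2]:<5} {'ALLOW' if allowed(*f) else 'DENY'}")
```

The point to verify is the fourth flow: if a rule allowing the farm general access to LAN hosts were added above the DMZ-to-LAN deny, Leythos's concern would apply and the DMZ placement would buy little.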