Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility

From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Mon, 10 May 2004 16:51:49 -0400 (EDT)

On Mon, 10 May 2004, Mike McNutt wrote:

A recent SANS webcast talked about using true thin client

hardware or

terminal server clients (and equivalents such as citrix, X, etc) for
providing remote users or risky users access to document stores, and
other LAN resources.  I think that using a thin client as a security
tool is a great idea.


Heh. What do they say? "Everything old is new again"?

For the terminal server hardware, I've got a bit less to say [but are
you -sure- where that image came from?] - but in the case of the


Are you suggesting that someone/something can hijack a thin-client
connection and provide [accurate-in-terms-of-user-interaction] *false*
images of the remote system?  Wow.  Never actually thought of that,
myself.  At first glimpse, the effort seems daunting (but I guess
anything is possible).


Wow, no!  What I was talking about was thin client hardware. Most of it
gets an OS image from somewhere - and depending on where and how it
obtains that image, there's the standard problem of "how do I trust that
what this machine has been loaded with is appropriate".

software thin clients, you're -still- running on a platform with
unknown security, and reaching into the enterprise.


Care to expand on: "running on a platform with unknown security"?   Are
you talking about the thin-client "client application" itself?


If you have a user running a thin client on their home desktop, you have
a platform whose security is unknown to you.

Thin clients also
don't address the question of having a box with a live connection to
the Internet and your enterprise - it just moves it around.


What exactly is the "question" related to having a box on the Internet
that you are referring to?  It sounds like you are poo-pooing remote
users' use of the Internet for connectivity to the office because the
office has to maintain a connection to the Internet...  Is that bad?  Or
is it *potentially* bad?


Ah. Let me step through this ;>

You've got [for the sake of arguement] a home computer, connected to the
Internet via a cable modem.

The user starts up a thin client, which connects to their employer.

At this point in time, you've got a connection to the Internet, and a
connection to the employer.  There is no separation of priveledge here.
You have what is supposed to be a "secure" connection feeding data
from the employer co-existing with an "insecure" connection - the Internet.

This is, by definition, not a good thing.

... Which puts the resolution back in the hands of the administrator, so
he/she at least has a chance of addressing/rectifying the problem.  I'll
take that headache any day over the headche of reviewing/patching/protecting
my systems from the infected ones.  Not like there is actually a choice,
though.


It just swings back and forth *shrug* There are arguements to be made for
thin and thick clients [but not thick users ;>] - but I think you'd find
that it's all about shifting problems around, not solving them.

I don't understand what point you are trying to make here; thin clients
like Citrix or TS (I can't speak to X) certainly have a productive role
for remote users and currently offer some real advantages over security
concerns of other approaches.  It's the functionality vs. security
arguement; you must assess the risk before making your choice, and
thin-clients provide an awful lot of functionality for the security risk.


The point that I'm trying to make really boils down to "policy, not
technology".  The niftiest piece of tech in the world doesn't make a
bit of difference if it's set up poorly - or the local policy says
"allow everything".

Further, although there are uses for thin clients, they're not a
panacea for all woes.  I would be interested in seeing your particular
arguements in favour of thin clients, though ;>

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Worms, Air Gaps and Responsibility, (continued)
- - Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 07)
    - Re: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 07)
    - Re: Worms, Air Gaps and Responsibility Devdas Bhagat (May 07)
  - RE: Worms, Air Gaps and Responsibility R. DuFresne (May 07)
  - RE: Worms, Air Gaps and Responsibility R. DuFresne (May 07)
- RE: Worms, Air Gaps and Responsibility Melson, Paul (May 07)
  - Re: Worms, Air Gaps and Responsibility Adam Shostack (May 07)
  - Message not available
    - RE: Worms, Air Gaps and Responsibility Marcus J. Ranum (May 07)
- Re[2]: Worms, Air Gaps and Responsibility Jean-Denis Gorin (May 07)
- RE: Worms, Air Gaps and Responsibility Mike McNutt (May 10)
  - RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
    - RE: Worms, Air Gaps and Responsibility Victor Williams (May 11)
- RE: Worms, Air Gaps and Responsibility Claussen, Ken (May 12)
- RE: Worms, Air Gaps and Responsibility Claussen, Ken (May 12)
  - RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 12)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 13)
  - RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 13)
    - RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
    - RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 17)
    - RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
    - RE: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)

(Thread continues...)