RE: VPN & Security Question
- From: "Patrick Rouse" <PatrickRouse@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 12 Jun 2005 09:59:01 -0700
Just one port: TCP Port 3389
If you want a web client, then you need IIS to deliver it, which opens 80 or
443, but these are not required.
Citrix Presentation Server comes with their Secure Gateway which allows you
to run everything over 443 (HTTPS).
http://www.workthin.com/tshta.htm
I don't believe in using VPN to connect home/SOHO users because it's very
difficult to know the status of their end of the connection. In my opinion a
tunnel is only secure if you can control both ends, otherwise you don't know
what you're letting in.
VPNs for linking permanent office connections, i.e. router-to-router
connections using IPSec, are necessary for doing business when you need to
connect a remote office to the main data center. These are ideal because
users don't know they exist.
--
Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
"Cybersteve" wrote:
> Patrick -
>
> What ports would have to be opened to allow users to pass through a NAT
> enabled firewall to access TS on the inside network? I've always assumed a
> VPN was a critical piece of security best practices, but I'm open to new
> information. If you have a link, I’d love to read more on this.
>
> Thanks,
> --
> Endurance is more important than truth.
>
>
> "Patrick Rouse" wrote:
>
> > Even in an industry like banking I would never use VPN to increase security of
> > an RDP or ICA Connection. For increased security (if you're not satisfied
> > with the 128 bit encryption that RDP provides) look into secondary
> > authentication like Biometrics or SecureID/SafeWord.
> >
> > VPNs are great for connecting remote offices, but way too much
> > administrative burden to use for individual remote user connections.
> >
> > Brian Madden and I (along with the rest of the TS MVPs) had this same
> > conversation with the MSFT TS Product team who was not willing to say that TS
> > should be deployed over the Internet w/o VPN, but we told them that we do it
> > and recommend it all the time w/o any issues.
> >
> > Show me an exploited RDP Connection before deciding you need more security.
> > Make sure you have a good password policy and that your TS is behind a
> > firewall and you should be fine.
> >
> > --
> > Patrick Rouse
> > Microsoft MVP - Terminal Server
> > http://www.workthin.com
> >
> >
> > "mrussogfc" wrote:
> >
> > > Richard, what industry do you work in? If you work in banking or some other
> > > high risk area you may have to use VPN; otherwise why bother.
> > > --
> > > callwalker
> > >
> > >
> > > "Richard Brooks" wrote:
> > >
> > > > I hope this is not a stupid question but is a VPN really necessary for
> > > > secure terminal services? If you change the server's administrator name to
> > > > something encrypted and use 8 alphanumeric character strong passwords and
> > > > set the encryption to high, how would someone gain access to the server?
> > > > With brute force, you would not only have to try all passwords but all
> > > > usernames as well. And if the encryption is set to high, Man in the middle
> > > > attacks would not be very effective either. Also, you would set policy so
> > > > only an administrator can log in to the server, so social engineering would
> > > > not be an issue either. So, why add the extra VPN layer that only degrades
> > > > performance?
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > > >