[THIN] Re: A question from my security guys about exposure

  • From: "Martin F. Daly" <mdaly@xxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 09 Oct 2002 08:44:28 -0400

interesting question....
    seems to me that you still need to watch what's going on...we limit 
access even via our vpn connected users...but I see what you're saying. 
We take for granted that our greatest risk is from the outside, not the 
inside...remote vpn extends the "inside" to the "outside" to a degree...
will be watching this thread with some interest to see what input others 
have...
--- marty ---

Stansel, Paul wrote:

>Setup: MF XPe, Nfuse 1.7 with CSG, no SSL relay configured.  Most users only
>have access to published apps, though some have desktops.  We are using a
>mix of ICA web clients and full PN clients, though will be moving to 99% web
>clients.
>
>Scenario: We have an at-home worker who has a PC that is direct connected to
>the Internet through a cable-modem or DSL (take your pick).  The worker has
>a VPN connection to our network.  Their PC at home has been back-doored.
>Now when the worker connects through the VPN, they are opening a connection
>to our network for whoever back-doored them.
>
>Now change the scenario, such that instead of a VPN connection, the worker
>is connecting to us via a Citrix connection over the web.  Their PC still
>has the back-door on it.  What is the equivalent exposure under this
>scenario?  Can the person that controls the back-door hijack the Citrix
>session somehow or gain access to the resources on the network while the
>connection is active?  I am guessing the exposure is not as great since that
>workstation isn't truly a node on the network as it would be under a VPN
>solution, but I am curious as to what other risks may exist and how we can
>safeguard against them if they exist.
>
>Thanks,
>Paul
>**********************************************
>This weeks sponsor 99Point9.com
>99Point9 helps solve your unresolved technical
>server-based questions, issues and incidents.
>http://www.99point9.com
>***********************************************
>
>For Archives, to Unsubscribe, Subscribe or 
>set Digest or Vacation mode use the below link.
>
>http://thethin.net/citrixlist.cfm
>  
>

