01-05-2006, 07:15 AM
Jeff Pitsch
 
Posts: n/a
Default Re: TS over the internet - directly attach, or require a VPN?

Most companies do not host their webservers from their internal network.
This is not a hard concept to grasp. You're wanting to provide a direct line
to your internal network. Companies do not do that (typically). It is a
very bad security measure. Do you seriously not see the implications in
that? Do you not understand that there are things called DMZs where
webservers reside? Nothing is invulnerable but you're going out of your way
to make it easier for someone to get to your internal network. Why would
you do that? A solution even as simple as 2xLoadbalancer is still better
than what you're suggesting.

Jeff Pitsch
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"kiln" <kiln@brick-like.com> wrote in message
news:MPG.1e1472eaa5ca38f498999c@msnews.microsoft.com...
> Your comments confuse me, and they are in the vein of other comments
> here that don't make sense to me. I don't think any "connection,
> firewall/vpn or not", is completely safe from penetration. Maybe there
> are some websites etc that are completely and utterly invulnerable to
> attack but I doubt it, as new exploits are always coming to light. Yet
> the risk/benefit ratio must be acceptable, else half of the internet
> would go away.
>
> I don't understand why, as far as I can tell, you and others think TS on
> the internet would only be acceptable if it was invulnerable to
> penetration? What makes it different from any web server? That's why I
> brought up etrade and online banks etc. There must be something behind
> what you're saying but I can't figure it out. It sounds like you only
> recommend using TS on internal LANs, unless it presents only anonymous
> and uninteresting data?
>
> You also said "Why would you host a TS box at another location and not
> provide any services?" I don't understand that either. I think you are
> referring to my statement that the ts box I'm talking about would not be
> connected to an internal lan, it'd be at an external web host's site.
> That doesn't mean it does not provide any services? Right???
>
> In article <cgxqf.219831$tD4.37575@tornado.ohiordc.rr.com>,
> void@nowhere.lan says...
>> In article <MPG.1e13c30bad53402198999a@msnews.microsoft.com>,
>> kiln@brick-like.com says...
>> > I'm not a network person so I don't have a lot of exposure. What's
>> > interesting about this is that at the end of the day, a ts setup as
>> > you've outlined would seem to be more secure than most websites that
>> > deal with important matters (etrade, online banking etc), even if they
>> > use https etc. No public websites use vpn/ip addresses. So it makes me
>> > wonder, in my case, since there is no corporate lan at risk, is the vpn
>> > needed? The server would contain data that is less sensitive than an
>> > online bank.
>>
>> Ask yourself this - does your connection, firewall/vpn or not, have any
>> undisclosed or unknown holes that might allow the public to access some
>> part of the solution that you don't want them to access?
>>
>> If you can not answer the question with a NO and feel 100% sure that
>> it's true, then you need to look at your exposure risk - what if someone
>> gets into the system and has complete access?
>>
>> Why would you host a TS box at another location and not provide any
>> services?
>>
>>


