Re: terminal server security vs vpn
From: <nobledark () hushmail com>
Date: Tue, 14 Aug 2007 16:35:57 -0400

Something else to take into consideration when making your decision
is whether or not there is the potential for traffic other than
Terminal Services. In this case it might make more sense to use a
VPN tunnel instead of the encrypted RDP / ICA connection so you can
have fewer ports on the firewall exposed to the Internet.

For example, if you end up needing POP3 or IMAP, you can certainly
protect those protocols with certificates and then open the related
ports on your firewall to expose those services in addition to the
RDP/ICA port. Web-based services aren't the greatest over RDP but
you could open port 443, cert your web app, and then make that
available as well.

The downside of this is that you now have multiple firewall ports
open to the Internet. You also have the potential for anyone who is
sniffing at a downstream router to get a better idea of what
services you are offering through your firewall (even if they can't
read the data, they can tell what port it's running over). However,
if you are using a VPN to tunnel all of your traffic, you have
fewer Internet-facing ports open and less information on what
services (other than a VPN) you are publishing.

My 2 cents....

On Tue, 14 Aug 2007 14:54:37 -0400 Ansgar -59cobalt- Wiechers
<bugtraq () planetcobalt net> wrote:
> On 2007-08-14 Brent Kern wrote:
>> We went through this at our government agency and the remote
>> client is 128bit encrypted.
>
> Without knowing the encryption algorithm that doesn't mean
>
> "All vulnerabilities deserve a public fear period prior to patches
> --Jason Coombs on Bugtraq