From: Bryan Ponnwitz (bponnwitz@wwsport.com)
Date: Thu Mar 22 2007 - 16:39:54 CDT
If performance is an issue, Terminal Services or Citrix is the way to
go. You will NEVER be able to make an app working over a share mapped
over the Internet run as fast as it would through some sort of remote
connection.
In response to making this app "harder to support": if the remote sys
admin is not willing to put the necessary security safeguards in place,
then I would never open up my network to access by his system - period.
There has to be some sort of encryption (even if between the firewalls
to avoid application support problems) if you're using Windows shares
over the Internet.
And as far as "poorly configured VPNs": Isn't half-assing it the way
that most MS "admins" work? ;-P If you can't set up a proper VPN policy,
go back to school!
Does this application vendor have a web-based portal to the data? That
would eliminate all of these problems. Could you work with the vendor
to develop one?
Bryan Ponnwitz
-----Original Message-----
From: James (njan) Eaton-Lee [mailto:james.mailing@gmail.com]
Sent: Thursday, March 22, 2007 4:30 PM
To: Bryan Ponnwitz
Cc: aeheald@gmail.com; focus-ms@securityfocus.com
Subject: Re: Shared drives through a firewall
Bryan Ponnwitz wrote:
> If you're worried about connection security, just use a VPN. Or better
> yet, if the servers are both Win2K or better, use IPSec. IPSec is
> Microsoft's recommended solution for extending domain communications to
> another LAN across the Internet. I've read the KB article on it, but
> don't have time to look for it right now.
IPSec/VPN mitigates some of the security issues pertaining to this
scenario, but it doesn't solve all of the issues, and it raises some of
its own.
The OP mentioned performance issues - VPNs certainly don't resolve this
issue, and would almost certainly make it worse, especially on a
bad/latent connection. Depending upon who the users of this
infrastructure are and how it's implemented, there are the obvious VPN
NAT/reliability concerns too.
A badly implemented VPN, or one implemented with equipment not capable
of packet filtering on VPN traffic (as is common in environments in
which people consider such nasty things as opening SMB traffic up to the
internet), would allow clients - albeit authenticated clients - access to
the entire internal network. Again, depending upon the identity of the
users of this infrastructure, this might be highly undesirable.
A VPN or IPSec solution is also going to be harder to support, and
potentially make you very unpopular with whoever supports third party
clients when users don't have the rights necessary to configure a VPN,
install certificates, or set up IPSec (SMB/HTTP/FTP all work as a limited
user).
They're also very likely to be affected by outbound firewalling on third
party LANs, too...
In short: I'm not saying that VPNs can't help, you just need to use them
carefully; they're not a panacea, and they're far from ideal for a range
of scenarios!
- James
--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
"The universe is run by the complex interweaving of three
elements: Energy, matter, and enlightened self-interest." - G'Kar
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--
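The point James makes about a VPN gateway that cannot filter the tunnelled traffic comes down to the difference between the two rule sets below. This is an added example and not code from either poster: a small first-match policy evaluator in Python, with a constructed VPN client pool (10.99.0.0/24), a constructed file server (192.168.1.10) and constructed connection attempts. It shows that a flat "VPN pool may reach the LAN" policy lets an authenticated client at every internal host, while a rule set scoped to SMB (TCP 445) on the one file server the shared drive lives on does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt from a VPN client, as the gateway sees it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """A stateless filter rule applied to traffic leaving the VPN tunnel."""
    action: str                  # "allow" or "deny"
    src: str                     # CIDR the flow's source must fall in
    dst: str                     # CIDR the flow's destination must fall in
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    in_src = ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
    in_dst = ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
    proto_ok = rule.proto == "any" or rule.proto == flow.proto
    port_ok = rule.dport is None or rule.dport == flow.dport
    return in_src and in_dst and proto_ok and port_ok


def evaluate(policy: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; a flow no rule covers gets the default verdict."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default


# Constructed addresses; assumptions for this example, not from the thread.
VPN_POOL = "10.99.0.0/24"        # addresses handed to VPN clients
INTERNAL_LAN = "192.168.0.0/16"  # the whole office network
FILE_SERVER = "192.168.1.10/32"  # the host that exports the shared drive

# Weak: the gateway cannot filter inside the tunnel, so an authenticated
# client is effectively plugged into the LAN and can reach any host/port.
FLAT_POLICY = [Rule("allow", VPN_POOL, INTERNAL_LAN, "any")]

# Scoped: only SMB to the one file server; everything else is dropped.
RESTRICTED_POLICY = [
    Rule("allow", VPN_POOL, FILE_SERVER, "tcp", 445),
    Rule("deny", VPN_POOL, "0.0.0.0/0", "any"),
]

# Constructed sample traffic from one VPN client.
SAMPLE_FLOWS = [
    Flow("10.99.0.7", "192.168.1.10", "tcp", 445),   # SMB to the file server
    Flow("10.99.0.7", "192.168.1.10", "tcp", 3389),  # RDP to the file server
    Flow("10.99.0.7", "192.168.1.20", "tcp", 445),   # SMB to some other server
    Flow("10.99.0.7", "192.168.5.5", "tcp", 1433),   # SQL on a different subnet
]


def compare(flows: List[Flow]) -> Dict[Flow, Tuple[str, str]]:
    """Verdict of the flat policy and of the scoped policy for each flow."""
    return {f: (evaluate(FLAT_POLICY, f), evaluate(RESTRICTED_POLICY, f))
            for f in flows}


if __name__ == "__main__":
    for flow, (flat, scoped) in compare(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  "
              f"flat={flat:5}  scoped={scoped}")
```

Running the block lists each sample flow with both verdicts: the flat policy allows all four, the scoped one allows only SMB to the file server. The same shape applies to whatever the real gateway is; what matters is that the VPN client pool is treated as untrusted and filtered like any other source, rather than dropped onto the internal network because it authenticated.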