
Is one of these TS solutions any more/less secure than the other?

vi edit (Elite Member, Super Moderator, joined Oct 28, 1999)
I'm looking to put in a terminal server so the accountants have a machine to log into to access their accounting programs from home. The applications seem to run fine over TS, and my employers are really pushing to have this up and running.

I've got two ways I could do it that will allow it to work, but I wasn't sure if either one was a more preferable choice.

#1 would be to have the server have a WAN side and a LAN side. The WAN side would have a public IP and be dangled out on the DMZ side of the firewall. I'd lock down the firewall to only allow the TS port to shoot through it. The LAN side would have a private IP and would be used to access the accounting software on the network.

#2 would be to set up the server with a private IP on the LAN and then have the firewall do a one-to-one NAT with a public IP to fire it over to the private IP assigned to the box. Once again, only the TS ports would be opened.

First off, is there a better way to do it? Second, is one of these more preferable than the other?
 

FUBAR (Senior member, joined Oct 11, 1999)
So do you have a two-firewall setup? One outside the DMZ and one doing firewall/routing duty for the internal network?

If that's the case and you have other DMZ hosts, then #1 is less secure. The reason being that if another box in the DMZ gets hacked, it could then have unrestricted access to the TS box, which in turn has complete access to the internal side. You generally want to stay away from bridging your DMZ and the LAN that way.
 

gaidin123 (Senior member, joined May 5, 2000)
What about a VPN? This seems like a good application for one. Financial data has to be rather important to protect and, while TS is encrypted, I'd imagine it's possible to intercept?

I'd probably take #2 but allow that private IP to only talk with a VPN server. That way you don't expose the TS port to the net in general as in #1, and even in #2, if I understand it correctly, you are still exposing the accounting server somewhat indirectly to the net in general.

If you only allow a secondary NIC in the accounting server (or an IP alias) to talk to a VPN server in your DMZ, then that would help even more and probably would make management happy when they hear "VPN". :)

Gaidin
 

vi edit (Elite Member, Super Moderator, joined Oct 28, 1999)
I've dabbled a bit with the VPN access of my firewall (SonicWall Pro), but it seems to be horribly slow over dial-up. The accounting software is very simplistic and works well over dial-up using TS.

The other problem with VPN is that it doesn't allow them to access the software from PCs without the VPN client. And yes, I'm aware that I'm potentially risking a breach of the network with either possibility. I'm just not sure how to put in a solution that is a compromise between cost-effective and secure.
 

vi edit (Elite Member, Super Moderator, joined Oct 28, 1999)
I guess I need to clarify things better...

The TS box wouldn't actually have the accounting software/information on it. It would have the clients on it that the accountants would use to access the accounting information on another server. Don't know if that changes things or not. No actual sensitive information would be stored on the TS box, just the applications needed to access the information (which require yet another login after the TS login).
 

cmetz (Platinum Member, joined Nov 13, 2001)
vi_edit, this is a problem for which you really should use a VPN.

No matter how you approach allowing access to that terminal server, the fact is, once someone is in that box, they can get to your internal network. Now that box is a trusted component of your entire network's security perimeter, which is bad.

If your clients are running Win2K or WinXP, there's a built-in IPsec client. Earlier versions of Windows have PPTP, which is not secure but better than nothing. You can build a VPN concentrator out of a PC.
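The two points made above (FUBAR's: a dual-homed TS box lets a compromised DMZ neighbour pivot onto the LAN; cmetz's: in either design the TS box itself sits on the perimeter and reaches the internal network) can be checked with a small reachability model of the original poster's two designs. This is an added example, not code from the thread or from any product it mentions; the host names, the second DMZ host, and the port numbers (3389 is the standard Terminal Services/RDP port, which the thread only calls "the TS port") are assumptions for illustration.

```python
from collections import deque

# Assumed port numbers for the illustration.
RDP = 3389   # standard Terminal Services / RDP port
HTTP = 80    # some other service on a second DMZ host (assumed)

# Constructed model of the two designs from the thread.
# "hosts": which zones each host has an interface in.
# "rules": firewall rules (src, dst_host, port); src is a zone or a host name.
DESIGNS = {
    # #1: dual-homed TS box, public NIC in the DMZ, private NIC on the LAN.
    "dual_homed": {
        "hosts": {"ts": {"dmz", "lan"}, "web": {"dmz"}, "acct": {"lan"}},
        "rules": [("internet", "ts", RDP), ("internet", "web", HTTP)],
    },
    # #2: TS box on the LAN only, reached via a one-to-one NAT on the firewall.
    "nat_1to1": {
        "hosts": {"ts": {"lan"}, "web": {"dmz"}, "acct": {"lan"}},
        "rules": [("internet", "ts", RDP), ("internet", "web", HTTP)],
    },
}


def blast_radius(design, foothold):
    """Worst-case set of hosts an attacker holding `foothold` can reach.

    Assumptions: hosts that share a zone can talk freely (no firewall inside
    a segment), and any host that can be reached may in turn be compromised.
    `foothold` may be a host name or the pseudo-zone "internet".
    """
    hosts, rules = design["hosts"], design["rules"]
    owned = {foothold}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        zones = {"internet"} if cur == "internet" else hosts.get(cur, set())
        # Hosts reachable by an explicit firewall rule from this host or its zones.
        for src, dst, _port in rules:
            if (src == cur or src in zones) and dst not in owned:
                owned.add(dst)
                queue.append(dst)
        # Hosts sharing a segment with this host: nothing filters between them.
        for other, other_zones in hosts.items():
            if other not in owned and zones & other_zones:
                owned.add(other)
                queue.append(other)
    return owned - {"internet"}


def compare(footholds=("internet", "web", "ts")):
    """Blast radius of each foothold under each design, for a side-by-side report."""
    return {
        name: {f: sorted(blast_radius(d, f)) for f in footholds}
        for name, d in DESIGNS.items()
    }


if __name__ == "__main__":
    for name, per_foothold in compare().items():
        print(name)
        for foothold, reach in per_foothold.items():
            print(f"  from {foothold:8s} -> {reach}")
```

Running it shows that a compromised `web` host reaches `ts` and then `acct` only in the dual-homed design, while in the NAT design it stays confined to the DMZ; from the internet, and from the TS box itself, `acct` is reachable in both, which is exactly why the thread steers toward putting a VPN in front of the TS port rather than choosing between the two exposures.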
 

gaidin123 (Senior member, joined May 5, 2000)
VPNs are relatively slow in comparison to typical network/LAN speeds, and there's really no way around that unless your clients are on broadband connections.

It would be fairly simple to require that any employee who wishes to access this financial software from home be running Win2k at minimum, for the security features it has built in if nothing else. If broadband is an option in their areas, and it's considered a critical job function, perhaps the company can pitch in to pay for the broadband connections? If upper management is requiring that the financial software be accessible remotely, then they should be prepared to do it securely.

I'd set up a VPN server and have a few users on different internet connections give it a try. You just have them connect to the VPN, then connect to your terminal server, and run the application. That way the only data transferred over the pipe is encrypted, compressed TS sessions. If it's acceptable on dial-up, it will only be marginally slower on VPN (unless you have a really slow VPN server :)).

Gaidin
 

vi edit (Elite Member, Super Moderator, joined Oct 28, 1999)
Thanks for the posts guys :)

Would you recommend using the VPN support of my firewall, or would a PC-based VPN server be your suggestion? I've looked around a bit at VPN support under Win2k, and have some books on it as well.
 

gaidin123 (Senior member, joined May 5, 2000)
With the SonicWall, can you use the standard Win2k/XP VPN clients? If so, I'd go that route first. If it's too slow, try a standalone Win2k VPN box. If you need special client software, or you already know that the firewall isn't up to the task/load, I'd bring up a spare Win2k server box and run its VPN server.

The configuration either way shouldn't be much. I know the Win2k VPN setup should take you all of 1 minute once the OS is installed and patched. The SonicWall shouldn't be too difficult.

Gaidin
 

vi edit (Elite Member, Super Moderator, joined Oct 28, 1999)
In order to use the SonicWall, I had to 1) purchase a VPN license for each user, and 2) install client software on each machine that would use the VPN access. It wouldn't use the VPN client native to Win2k as far as I could tell :(