
| Subject: | RE: Shared drives through a firewall |
|---|---|
| Date: | Thu, 22 Mar 2007 17:39:54 -0400 |

If performance is an issue, Terminal Services or Citrix is the way to go. You will NEVER be able to make an app working over a share mapped over the Internet run as fast as it would through some sort of remote connection.

In response to making this app "harder to support", if the remote sys admin is not willing to put the necessary security safeguards in place, then I would never open up my network to access by his system - period. There has to be some sort of encryption (even if between the firewalls to avoid application support problems) if you're using Windows shares over the Internet.

And as far as "poorly configured VPNs": Isn't half-assing it the way that most MS "admins" work? ;-P If you can't set up a proper VPN policy, go back to school!

Does this application vendor have a web-based portal to the data? That would eliminate all of these problems. Could you work with the vendor to develop one?

Bryan Ponnwitz

-----Original Message-----
From: James (njan) Eaton-Lee [mailto:james.mailing@gmail.com]
Sent: Thursday, March 22, 2007 4:30 PM
To: Bryan Ponnwitz
Cc: aeheald@gmail.com; focus-ms@securityfocus.com
Subject: Re: Shared drives through a firewall

Bryan Ponnwitz wrote:
> If you're worried about connection security, just use a VPN. Or better
> yet, if the servers are both Win2K or better, use IPSec. IPSec is
> Microsoft's recommended solution for extending domain communications to
> another LAN across the Internet. I've read the KB article on it, but
> don't have time to look for it right now.

IPSec/VPN mitigates some of the security issues pertaining to this scenario, but it doesn't solve all of the issues, and it raises some of its own.

The OP mentioned performance issues - VPNs certainly don't resolve this issue, and would almost certainly make it worse, especially on a bad/latent connection. Depending upon who the users of this infrastructure are and how it's implemented, there are the obvious VPN NAT/reliability concerns too.

A badly implemented VPN, or one implemented with equipment not capable of packet filtering on VPN traffic (as is common in environments in which people consider such nasty things as opening SMB traffic up to the internet) would allow clients - albeit authenticated clients - access to the entire internal network. Again, depending upon who the users of this infrastructure are, this might be highly undesirable.

A VPN or IPSec solution is also going to be harder to support, and potentially make you very unpopular with whoever supports third party clients when users don't have the rights necessary to configure a VPN, install certificates, or set up IPSec (SMB/HTTP/FTP all work as a limited user). They're also very likely to be affected by outbound firewalling on third party LANs, too...

In short: I'm not saying that VPNs can't help, you just need to use them carefully; they're not a panacea, and they're far from ideal for a range of scenarios!

- James

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
"The universe is run by the complex interweaving of three elements: Energy, matter, and enlightened self-interest." - G'Kar
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--
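
The packet-filtering point raised in the reply above, as an added example that is not part of the original thread: a first-match rule evaluator that audits whether a VPN policy lets an authenticated client open anything beyond the file share. All addresses, rule sets, probe flows and function names are constructed for illustration.

```python
import ipaddress

# Constructed lab addressing (not from the thread).
VPN_CLIENT = "10.99.0.7"
FILE_SERVER = "192.168.10.20"
SMB = 445
# Constructed probe flows: the share itself plus other internal services.
PROBES = [
    (FILE_SERVER, SMB),        # the shared drive
    (FILE_SERVER, 3389),       # RDP on the same host
    ("192.168.10.5", 389),     # LDAP on a domain controller
    ("192.168.10.30", 1433),   # SQL Server
]
# Rules are (action, source net, destination net, port); first match wins.
FLAT_VPN = [("permit", "10.99.0.0/24", "192.168.10.0/24", "any")]
FILTERED_VPN = [
    ("permit", "10.99.0.0/24", "192.168.10.20/32", SMB),
    ("deny", "10.99.0.0/24", "0.0.0.0/0", "any"),
]

def first_match(rules, src, dst, port):
    """Return the action of the first rule matching the flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (s in ipaddress.ip_network(rsrc)
                and d in ipaddress.ip_network(rdst)
                and rport in ("any", port)):
            return action
    return "deny"

def excess_access(rules, client, probes, allowed):
    """Probed flows the client can open that are not in the allowed set."""
    return [flow for flow in probes
            if flow not in allowed
            and first_match(rules, client, *flow) == "permit"]

if __name__ == "__main__":
    allowed = {(FILE_SERVER, SMB)}
    for name, rules in (("flat", FLAT_VPN), ("filtered", FILTERED_VPN)):
        extra = excess_access(rules, VPN_CLIENT, PROBES, allowed)
        print(f"{name}: share={first_match(rules, VPN_CLIENT, FILE_SERVER, SMB)}"
              f" excess={extra}")
```

Both policies keep the share reachable; only the flat one also exposes the other probed services to every authenticated VPN client.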