I have thought about the myriad ways you can protect your core network from remote devices, and I think you might be surprised to hear that something as unglamorous as remote desktop clients could allow you to isolate your network from any device that is not totally under your control.
Publishing applications using web services allows you to restrict the access a client needs via the public internet to a single, controllable port number and a limited range of IP hosts. For example, iNotes allows people from outside the core network to work with Lotus Notes from a browser. Their route in is specific and defined, yet the email integration makes them feel a part of our internal network. You solve your security issue by giving only enough access to do just what they need, a fine principle.
Well, we all know how limited some web applications can be, so surely you couldn’t do that for all applications – I mean, if a staff member suddenly needed to be able to do ANY part of their day job, from absolutely any internet-connected PC, how could they? Well, what RDP gives you is browser-based access to a Terminal Server that you can load up with just those apps someone needs to be able to run. You treat it like a desktop client, but it’s available to anyone who is running IE, can connect from the internet to a server (farm) via port 3389 (or another port, if you want to hide it) and has the credentials. And the thing is that you get what looks and acts just like your Windows desktop, directly by logging in from the browser, and you don’t actually need much bandwidth to run it.
Remote Desktop Protocol is like a KVM switch that traverses the internet. You operate the mouse and keyboard, and see the responses on the screen in your browser, but all of the processing, all of the file access, everything you do is carried out on a single securely managed server in one of your datacentres, loaded up with just the applications you need to carry out a specific job and nothing more. You remove risk by granting the rights to do a very precise set of tasks with a certain set of tools, not some free-for-all client desktop you have limited control over.

I have enjoyed the pleasures of having remote desktop client access for a number of years in various companies. And I have been involved in successfully deploying most of those services for those customers. Once you see how simple using Terminal Servers is, as easy as smoke and mirrors, it becomes an obvious solution for so many current headaches in giving people outside your perimeter access to what’s inside it. To do only what you allow them to. To do it with only the tools you allow them to use. And you allow this only to the people you want to.
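To make the "specific and defined route" concrete, here is an added example (not from the original post) that locks a Windows Terminal Server down along the three axes described above: one listener port, a limited set of source hosts, and only the applications a job needs. It assumes the server has the RemoteDesktop PowerShell module (an RDS deployment); the address ranges, the collection name `ExtranetApps` and the Notes executable path are constructed placeholders.

```powershell
# Added example: restrict RDP to one port, a few source networks and published apps only.
$AllowedSources = @('203.0.113.0/24', '198.51.100.10')   # constructed example ranges
$RdpPort        = 3389                                     # use another value to "hide" it

# 1. Listener port. RDP reads its port from this registry value; the Remote Desktop
#    Services service must be restarted for a change to take effect.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $RdpPort -Type DWord

# 2. Replace the built-in "any remote address" RDP rules with one scoped to the
#    approved sources. Run this from a console session or an approved address,
#    otherwise the disable step drops your own connection.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from approved sources only' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# 3. Publish only the applications the role needs (RemoteApp) instead of a full
#    desktop. Collection name and executable path are assumptions for this example.
New-RDRemoteApp -CollectionName 'ExtranetApps' -DisplayName 'Lotus Notes' `
    -FilePath 'C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe' | Out-Null

# 4. Verify: every enabled inbound rule that opens the RDP port should carry the
#    restricted RemoteAddress scope, never 'Any'.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$RdpPort" } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($scope -join ', ') }
    }
```

The final query is the check worth keeping in a scheduled job: a rule on the RDP port whose RemoteAddress reads `Any` means someone has reopened the free-for-all route the post argues against.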
Security is about choosing when to allow a person to do something specific – it’s not about trying to prevent everyone else from doing the things you don’t want them to all of the time.