[THIN] Re: CSG - Hacking

  • From: Chris Coleman <Chris.Coleman@xxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 6 Sep 2002 13:19:44 +0930

Yes, I understand that. The MetaFrame server is protected from direct attack
and the data stream is well protected between the MetaFrame server and the
ICA Client. Securing the data stream is only half the story though if you're
trying to prevent your systems from being hacked. CSG doesn't stop someone
from accessing the MetaFrame server indirectly via the CSG, by trying
various usernames & passwords (either manually or with a program).

As I see it, CSG does a great job of ensuring that the ICA data is
tamper-proof and delivered securely between the MetaFrame server and the ICA
client. I.e., it provides added encryption and confidence that the data hasn't
been tampered with or otherwise accessed. It doesn't do anything to prevent
anyone from trying username/password combinations to get in to the server
though. If a hacker (really a cracker) gets lucky with a username &
password, they can be assured that the communication between them and the
MetaFrame server is secure though. :)

To be confident that a MetaFrame server can't be accessed by anyone on the
Internet other than authorised users requires SecurID or similar technology
to be used in conjunction with CSG.

...Chris


-----Original Message-----
From: Chris Lynch [mailto:lynch00@xxxxxxx] 
Sent: Friday, 6 September 2002 12:14 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG - Hacking


 

That adds additional security.  You are only talking about the CSG
part.  Without a ticket, you can't get in.  Period.  The ticket is
generated in the Nfuse site AFTER you have authenticated to the MF
farm, either with your AD/NT account or NDS account.  You can provide
ADDITIONAL security in the Nfuse site by using SecurID from RSA. 
That is how the CSG works.

Once you have authenticated to your Nfuse site (which must send your
user credentials to the MF Farm to get the list of applications for
you and also validates your user account), you click on the
application link.  This is where the ticket is created.  The Nfuse
server contacts the internal, protected Secure Ticket Authority (STA)
to generate a ticket.  Then the ICA file is generated and sent to the
client.  The ICA file is then opened with the ICA client, and it
parses the ICA file.  The ICA file contains the CSG FQDN, and
the STA identifier along with the ticket.  The ICA client uses this
information to contact the CSG.  The client passes the info about the
STA identifier along with the ticket, and the CSG must validate the
ticket before the final connection to the MF server has been
established.

If there is no ticket present in the communication from the client to
the CSG, the connection is terminated.  If the ticket has expired
(either because there is latency, or someone is attempting to hijack
the ticket), the connection is terminated.  Simple as that.  Also,
the ticket is never used the same time again; for security purposes. 
This also prevents hijacking of the ticket, and the possible
hijacking of the ICA session.

Hope that helps you further understand the CSG.

CHRIS LYNCH -  MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx  Tel 949.367.3406


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Chris Coleman
Sent: Thursday, September 05, 2002 6:34 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG - Hacking



Unless I'm missing something, even with a CSG in place, you can still
get hacked. CSG basically just encrypts the traffic by tunnelling ICA
traffic through SSL from the DMZ to the Internet, it does nothing on
the user authentication side of things. 

There's nothing (other than appropriate account lockout policies)
preventing someone trying to get in with random (or not-so-random)
usernames & passwords. With the stuff available from CDN, a low-life
could write an app to do it automatically.

One way (the only way?) to prevent this type of attack is to
integrate CSG with something like SecurID.

...Chris
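
[Added example, not part of the original e-mails and not Citrix code: a Python sketch of the two controls discussed in the messages above, the single-use, expiring ticket issued only after login, and the account lockout that bounds password guessing at that login step. Class names, the TTL parameter, the lockout threshold and the sample account are assumptions.]

```python
import secrets
import time

class TicketAuthority:
    """Toy stand-in for the STA role (hypothetical names, not Citrix's API)."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock = ttl_seconds, clock
        self._live = {}  # ticket -> (expiry time, target server)

    def issue(self, target):
        # Called by the web front end only after the user has authenticated.
        ticket = secrets.token_hex(16)
        self._live[ticket] = (self.clock() + self.ttl, target)
        return ticket

    def redeem(self, ticket):
        # Called by the gateway. pop() makes the ticket single-use:
        # a missing, guessed or replayed ticket is simply unknown.
        entry = self._live.pop(ticket, None)
        if entry is None:
            return None, "unknown-or-replayed"
        expiry, target = entry
        if self.clock() > expiry:
            return None, "expired"
        return target, "ok"

class LoginFrontEnd:
    """Password check with lockout; tickets are only issued past this point."""
    def __init__(self, sta, accounts, max_failures=3):
        # accounts: constructed plaintext store, for the demo only.
        self.sta, self.accounts, self.max_failures = sta, accounts, max_failures
        self.failures = {}

    def login(self, user, password, target):
        if self.failures.get(user, 0) >= self.max_failures:
            return None, "locked"
        expected = self.accounts.get(user)
        if expected is None or not secrets.compare_digest(
                expected.encode(), password.encode()):
            self.failures[user] = self.failures.get(user, 0) + 1
            return None, "denied"
        self.failures.pop(user, None)
        return self.sta.issue(target), "ok"
```

The ticket check only ever sees requests from users who already passed `login`, so the guessing resistance of the whole path is that of the login step: the lockout counter here, or a second factor in its place.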


-----Original Message-----
From: Chris Lynch [mailto:lynch00@xxxxxxx] 
Sent: Friday, 6 September 2002 9:42 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG - Hacking


 

Exactly.  The only thing anyone could even try to do is DoS the CSG
box.  You CANNOT hack into the system.  If you had the CSG in Relay
mode, then I would say yeah.  But this is not the mode you install
CSG in.  You have to manually specify in a command-line switch when
you execute the installation.  Also, with the 1.1 version, the ticket
is longer than the original release.  Much harder to "crack" or
guess.  Also, after the ticket has been generated, it will expire
after 100ms, which is the default.

Let me know if you have any further questions about this,

CHRIS LYNCH -  MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx  Tel 949.367.3406


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Stansel, Paul
Sent: Thursday, September 05, 2002 5:03 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG - Hacking



Heh...you're talking about a session encrypted with 128bit SSL. 
Unless they are remoting the client box, it ain't gonna happen.

-Paul

> ----------
> From:         Ray.Albert@xxxxxxxxxxxxxxx[SMTP:Ray.Albert@xxxxxxxxxxxxxxx]
> Reply To:     thin@xxxxxxxxxxxxx
> Sent:         Thursday, September 05, 2002 5:16 PM
> To:   thin@xxxxxxxxxxxxx
> Subject:      [THIN] CSG - Hacking
> 
> 
> 
> Can anyone let me know if there is a way for a user to hack a
> Citrix published session?
> 
> What we are looking at is giving some of our clients access to a
> published application through NFUSE Classic and use CSG.  This
> will be in the DMZ. The application will not be in the DMZ.
> 
> Our network and security have doubts about giving someone access to
> an internal application.
> 
> Anyone have any thoughts on this?
> 
> Please Help.
> 
> Ray Albert
> ChoicePoint Inc
> ray.albert@xxxxxxxxxxxxxxx
> 
> 
> 
> **********************************************
> This weeks sponsor 99Point9.com
> 99Point9 helps solve your unresolved technical
> server-based questions, issues and incidents.
> http://www.99point9.com
> ***********************************************
> 
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link.
> 
> http://thethin.net/citrixlist.cfm
> 



NOTICE !!!!!

This e-mail message is privileged and confidential and is intended
only for the use of the addressee. 
If you are not the intended recipient:

confidentiality and privilege is not waived; 
please contact us immediately to advise of receipt by you; and 
you are not to read, disseminate, copy or take any action in respect
to the contents of this e-mail. 

Any views or opinions presented are solely those of the author,
except where it is specifically stated by the sender to be views of
Connected Solutions Group.


This e-mail has been scanned, logged and cleared by Mail Marshal


