Yes, I understand that. The MetaFrame server is protected from direct attack and the data stream is well protected between the MetaFrame server and the ICA Client. Securing the data stream is only half the story though if you're trying to prevent your systems from being hacked.

CSG doesn't stop someone from accessing the MetaFrame server indirectly via the CSG, by trying various usernames & passwords (either manually or with a program).

As I see it, CSG does a great job of ensuring that the ICA data is tamper-proof and delivered securely between the MetaFrame server and the ICA client, i.e. it provides added encryption and confidence that the data hasn't been tampered with or otherwise accessed. It doesn't do anything to prevent anyone from trying username/password combinations to get in to the server though. If a hacker (really a cracker) gets lucky with a username & password, they can be assured that the communication between them and the MetaFrame server is secure though. :)

To be confident that a MetaFrame server can't be accessed by anyone on the Internet other than authorised users requires SecurID or similar technology to be used in conjunction with CSG.

...Chris

-----Original Message-----
From: Chris Lynch [mailto:lynch00@xxxxxxx]
Sent: Friday, 6 September 2002 12:14 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG - Hacking

That adds additional security. You are only talking about the CSG part. Without a ticket, you can't get in. Period. The ticket is generated in the NFuse site AFTER you have authenticated to the MF farm, either with your AD/NT account or NDS account. You can provide ADDITIONAL security in the NFuse site by using SecurID from RSA.

That is how the CSG works. Once you have authenticated to your NFuse site (which must send your user credentials to the MF farm to get the list of applications for you and also validates your user account), you click on the application link. This is where the ticket is created. The NFuse server contacts the internal, protected Secure Ticket Authority (STA) to generate a ticket. Then the ICA file is generated and sent to the client. The ICA file is then opened with the ICA client, which parses it. The ICA file contains the CSG FQDN and the STA identifier along with the ticket. The ICA client uses this information to contact the CSG. The client passes the STA identifier along with the ticket, and the CSG must validate the ticket before the final connection to the MF server is established. If there is no ticket present in the communication from the client to the CSG, the connection is terminated. If the ticket has expired (either because there is latency, or someone is attempting to hijack the ticket), the connection is terminated. Simple as that. Also, the ticket is never used a second time, for security purposes. This also prevents hijacking of the ticket, and the possible hijacking of the ICA session.

Hope that helps you further understand the CSG.

CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx
Tel 949.367.3406

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Coleman
Sent: Thursday, September 05, 2002 6:34 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG - Hacking

Unless I'm missing something, even with a CSG in place, you can still get hacked. CSG basically just encrypts the traffic by tunnelling ICA traffic through SSL from the DMZ to the Internet; it does nothing on the user authentication side of things. There's nothing (other than appropriate account lockout policies) preventing someone trying to get in with random (or not-so-random) usernames & passwords. With the stuff available from CDN, a low-life could write an app to do it automatically. One way (the only way?) to prevent this type of attack is to integrate CSG with something like SecurID.

...Chris

-----Original Message-----
From: Chris Lynch [mailto:lynch00@xxxxxxx]
Sent: Friday, 6 September 2002 9:42 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG - Hacking

Exactly. The only thing anyone could even try to do is DoS the CSG box. You CANNOT hack into the system. If you had the CSG in Relay mode, then I would say yeah. But this is not the mode you install CSG in. You have to manually specify it with a command-line switch when you execute the installation. Also, with the 1.1 version, the ticket is longer than in the original release. Much harder to "crack" or guess. Also, after the ticket has been generated, it will expire after 100ms, which is the default.

Let me know if you have any further questions about this,

CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx
Tel 949.367.3406

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Stansel, Paul
Sent: Thursday, September 05, 2002 5:03 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG - Hacking

Heh...you're talking about a session encrypted with 128-bit SSL. Unless they are remoting the client box, it ain't gonna happen.

-Paul

> ----------
> From: Ray.Albert@xxxxxxxxxxxxxxx [SMTP:Ray.Albert@xxxxxxxxxxxxxxx]
> Reply To: thin@xxxxxxxxxxxxx
> Sent: Thursday, September 05, 2002 5:16 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] CSG - Hacking
>
> Can anyone let me know if there is a way for a user to hack a
> Citrix published session?
>
> What we are looking at is giving some of our clients access to a
> published application through NFuse Classic and use CSG. This
> will be in the DMZ. The application will not be in the DMZ.
>
> Our network and security have doubts about giving someone access to
> an internal application.
>
> Anyone have any thoughts on this?
>
> Please Help.
>
> Ray Albert
> ChoicePoint Inc
> ray.albert@xxxxxxxxxxxxxxx
>
> **********************************************
> This week's sponsor 99Point9.com
> 99Point9 helps solve your unresolved technical
> server-based questions, issues and incidents.
> http://www.99point9.com
> ***********************************************
>
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link.
>
> http://thethin.net/citrixlist.cfm

NOTICE: This e-mail message is privileged and confidential and is intended only for the use of the addressee. If you are not the intended recipient: confidentiality and privilege is not waived; please contact us immediately to advise of receipt by you; and you are not to read, disseminate, copy or take any action in respect to the contents of this e-mail. Any views or opinions presented are solely those of the author, except where it is specifically stated by the sender to be views of Connected Solutions Group. This e-mail has been scanned, logged and cleared by Mail Marshal.
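Added example, not from the thread and not Citrix code: a small Python model of the NFuse / Secure Ticket Authority (STA) / Secure Gateway ticket flow Chris Lynch describes, written to show where each of the two arguments in the thread actually lands. Authentication happens at the NFuse step, before any ticket exists; the gateway only checks that a live, unused ticket from a known STA is present and otherwise drops the connection. Everything below is an assumption for illustration: the user list and published application are constructed, tickets live in memory, the ICA file is a plain INI-style text whose Address line carries ";40;<STA id>;<ticket>" (loosely modelled on the real layout, not a spec), the ticket lifetime is a parameter set here to 100 seconds, and time is passed in explicitly so expiry and replay can be exercised deterministically.

```python
"""Toy model of the NFuse -> STA -> Secure Gateway ticket flow (illustrative only)."""
import secrets

# Constructed sample data for the "NFuse" side; not a real directory.
USERS = {"alice": "correct horse", "bob": "hunter2"}
PUBLISHED_APPS = {"Notepad": "mf01.corp.internal:1494"}


class SecureTicketAuthority:
    """Internal, never Internet-facing: issues and redeems single-use tickets."""

    def __init__(self, sta_id, ttl_seconds=100.0):
        self.sta_id = sta_id
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket -> (target address, expiry time)

    def request_ticket(self, target, now):
        # 32 hex chars from the OS CSPRNG: unguessable, unrelated to the user's password.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (target, now + self.ttl)
        return ticket

    def redeem_ticket(self, ticket, now):
        """Return the target address for a live ticket, else None.
        The ticket is consumed on first use, so a replayed ticket is refused."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None  # never issued, or already used
        target, expiry = entry
        if now > expiry:
            return None  # expired (latency, or someone replaying an old ticket)
        return target


class NFuseSite:
    """Web front end: authenticates the user, then fetches a ticket on app launch."""

    def __init__(self, sta, gateway_fqdn):
        self.sta = sta
        self.gateway_fqdn = gateway_fqdn

    def login(self, user, password):
        # The username/password check happens HERE, not at the gateway.
        return USERS.get(user) == password

    def launch(self, user, password, app, now):
        if not self.login(user, password):
            return None  # no ticket, and therefore no ICA file, without valid credentials
        ticket = self.sta.request_ticket(PUBLISHED_APPS[app], now)
        return (
            "[WFClient]\n"
            f"SSLProxyHost={self.gateway_fqdn}:443\n"
            f"Address=;40;{self.sta.sta_id};{ticket}\n"
        )


class SecureGateway:
    """DMZ relay: forwards to MetaFrame only after the STA validates the ticket."""

    def __init__(self, stas):
        self.stas = {s.sta_id: s for s in stas}

    def connect(self, ica_file, now):
        address = None
        for line in ica_file.splitlines():
            if line.startswith("Address="):
                address = line.split("=", 1)[1]
        if address is None or not address.startswith(";40;"):
            return None  # no ticket in the client's connection: terminate
        parts = address.split(";")
        if len(parts) != 4:
            return None
        _, _, sta_id, ticket = parts
        sta = self.stas.get(sta_id)
        if sta is None:
            return None  # STA identifier the gateway does not trust
        return sta.redeem_ticket(ticket, now)


def demo():
    """Happy path plus the rejection cases; returns the outcome of each connect."""
    sta = SecureTicketAuthority("STA01", ttl_seconds=100.0)
    nfuse = NFuseSite(sta, "csg.example.com")
    csg = SecureGateway([sta])
    results = {}
    results["bad_password"] = nfuse.launch("alice", "wrong", "Notepad", now=0.0)
    ica = nfuse.launch("alice", "correct horse", "Notepad", now=0.0)
    results["first_use"] = csg.connect(ica, now=1.0)
    results["replay"] = csg.connect(ica, now=2.0)
    ica2 = nfuse.launch("bob", "hunter2", "Notepad", now=10.0)
    results["expired"] = csg.connect(ica2, now=10.0 + 100.0 + 1.0)
    ica3 = nfuse.launch("bob", "hunter2", "Notepad", now=20.0)
    results["wrong_sta"] = csg.connect(ica3.replace("STA01", "STA99"), now=21.0)
    results["no_ticket"] = csg.connect("[WFClient]\nAddress=mf01.corp.internal\n", now=0.0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The model makes the thread's point concrete: `SecureGateway.connect` never sees a username or password, so a brute-force attempt against the farm goes through `NFuseSite.login`, and only lockout policy or a second factor at that step slows it down. The ticket does what Chris Lynch describes (no ticket, an expired ticket, a replayed ticket, or an unknown STA all fail closed), but it is issued after authentication, not instead of it.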