[THIN] Re: speaking of security nazis

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 25 Aug 2009 17:52:12 +0100

A subset of the information, replicated read-only, is a possibility too...


Doesn't really stop data loss as such, but certainly slows it down and stops
things which are destructive.

2009/8/25 Hutchinson, Alan <Alan.Hutchinson@xxxxxxxxxxxxxxxxxx>

>  I'm still a little puzzled by the original post which says that 'Office
> and some business applications as well as file shares' are sitting on Citrix
> servers in the DMZ. If these are 'true' business applications then there
> must be 'holes' to access back-end systems. Either way I don't particularly
> like the idea of Citrix and file servers in a DMZ - or am (as usual) missing
> something?
>
> Regards,
>
> Alan.
>
>  ------------------------------
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Berny Stapleton
> Sent: 25 August 2009 17:36
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: speaking of security nazis
>
> The only problem is that they are wondering what you are tunneling through
> ICA; virtual channels can carry a lot of stuff...
>
> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>
>> That's kind of the cool thing about CAG/CSG. It only tunnels the ICA
>> protocol. If the client PC is infected with something, it's not going to
>> jump from there to your servers. If the client is infected with a keystroke
>> logger, then you have a different problem, but not different than you would
>> have if they were infected with one and using a traditional VPN.
>>
>>
>> On Tue, Aug 25, 2009 at 11:22 AM, Berny Stapleton <
>> berny@xxxxxxxxxxxxxxxxx> wrote:
>>
>>> CSG / CAG is SSL; they can't see into it with a packet sniffer. It is a
>>> tunneling protocol, so they are worried about what else might get tunneled
>>> over it.
>>>
>>> If they are that worried about it, give it to them for them to manage.
>>> That will allay a lot of their fears.
>>>
>>> For the price of AppSense, you might be able to do two factor auth, which
>>> apparently is one of their primary concerns. Also, have you looked at
>>> something like SMS passcode or something like that as a cheaper two factor
>>> auth?
>>>
>>> Berny
>>>
>>> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>>>
>>>> and Nazi mutants could overrun the walls and raze the whole place to the
>>>> ground.
>>>>
>>>> If they are happy with VPN, they should be happy with a CSG/CAG.
>>>> Happier, since with a CSG/CAG, the client device is not an active node on
>>>> the network like it is with a VPN.
>>>>
>>>> You can do a double hop DMZ with this if that will help them sleep
>>>> better at night.
>>>>
>>>>
>>>> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <
>>>> CMWilson@xxxxxxxxxxxxx> wrote:
>>>>
>>>>>  It seems to be more about their perimeter security philosophy than
>>>>> anything. Multi-hop DMZ, with three rings to get through before you are
>>>>> internal. They don’t like that it hops right by their perimeter rings.
>>>>> They also don’t like that it runs on Windows, so maybe the CAG would
>>>>> appease that.
>>>>>
>>>>> I’m not sure of the kind of attack, but the argument goes something like
>>>>> this. If we provide remote access to this Citrix server, someone could
>>>>> potentially hack it and get administrative access, and then what? It
>>>>> seems like an anti-Windows bias coming from a Unix-oriented team. In this
>>>>> argument, vague as it is, if the server is the vulnerability I thought I
>>>>> would attack it at the server level. (Obviously we already patch and run
>>>>> AV.) So I brought in AppSense. I thought they would dig the lock-down of
>>>>> processes on the server, and security policies that filter on client
>>>>> location. They weren’t impressed. They want something else that sits in
>>>>> the DMZ as a barrier.
>>>>>
>>>>> This team has apparently been pretty dogmatic about their policies, but
>>>>> I am hoping to find someone who will reason with me :). I appreciate
>>>>> you guys helping me make my case.
>>>>>
>>>>>
>>>>>  ------------------------------
>>>>> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr. -Info From Data Corp.
>>>>> Sent: Tuesday, August 25, 2009 10:04 AM
>>>>> To: thin@xxxxxxxxxxxxx
>>>>> Subject: [THIN] Re: speaking of security nazis
>>>>>
>>>>> > The security team believes Citrix Secure Gateway with single factor
>>>>> > authentication doesn’t provide enough protection from external attack
>>>>>
>>>>> What kind of attack are they trying to prevent?
>>>>>
>>>>> Both CSG and CAG use SSL... With the CAG you could limit the exposure
>>>>> of WI to the internet. I don't know CAG that well (yet), but other than
>>>>> that I don't know that it is more secure than CSG.
>>>>>
>>>>> - Bob Coffman
>>>>>
>>>>
>>>>
>>>
>>
>
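
The exchange above turns on two claims: Greg's, that behind a CSG/CAG the client is not an active node on the network the way a VPN client is, and Alan's, that a gateway fronting real business applications must still have "holes" to the back end. Both can be checked against a firewall policy rather than argued. The script below is an added example, not code from the THIN thread or from Citrix; the zone names, the double-hop layout and the port numbers (443 for SSL, 1494 and 2598 for ICA and session reliability, 80 for the XML broker) are assumptions constructed for illustration. It treats every zone an attacker reaches as compromised in turn and reports what that buys them, which is exactly the "and then what?" the security team was asking.

```python
"""Reachability check for a double-hop DMZ in front of Citrix, versus a VPN.

Added example, not code from the THIN list thread.  The zones, rules and
port numbers below are assumptions chosen to illustrate the argument in
the thread: a CSG/CAG that only proxies ICA over SSL gives the client one
reachable port, and anything further requires compromising a hop, while a
VPN client becomes a routable node behind the perimeter.
"""
from collections import deque

ANY = "*"

# A rule is (source zone, destination zone, destination TCP port or ANY).
# Constructed double-hop policy: CSG/CAG in the outer DMZ, Web Interface and
# STA in the inner DMZ, XenApp servers on the inside.
DOUBLE_HOP_RULES = [
    ("internet", "dmz_outer", 443),    # client -> CSG/CAG, SSL only
    ("dmz_outer", "dmz_inner", 443),   # CSG -> Web Interface / STA
    ("dmz_outer", "internal", 1494),   # CSG -> XenApp, ICA
    ("dmz_outer", "internal", 2598),   # CSG -> XenApp, session reliability (CGP)
    ("dmz_inner", "internal", 80),     # WI -> XML broker (assumed port)
]

# Constructed VPN policy: the client authenticates to the concentrator and
# then originates traffic from the VPN address pool, which the inner
# firewall trusts broadly.
VPN_RULES = [
    ("internet", "dmz_outer", 443),    # client -> VPN concentrator
    ("vpn_pool", "internal", ANY),     # authenticated client is a node inside
]


def direct_targets(rules, src):
    """(zone, port) pairs a host in `src` may open without compromising anything."""
    return {(dst, port) for s, dst, port in rules if s == src}


def crossings(rules, start):
    """Shortest number of firewall crossings from `start` to each zone.

    Breadth-first search over the zone graph.  Every zone reached is
    treated as compromised in turn (worst case), so the result answers the
    thread's "then what?": where an attacker who owns each hop can go.
    """
    dist = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _ in rules:
            if src == zone and dst not in dist:
                dist[dst] = dist[zone] + 1
                queue.append(dst)
    return dist


def compromises_needed(rules, start, target):
    """Number of intermediate hosts that must be compromised before traffic
    can originate towards `target`; None if `target` is unreachable."""
    dist = crossings(rules, start)
    if target not in dist:
        return None
    return max(dist[target] - 1, 0)


def exposed_internal_ports(rules, start):
    """Ports on the internal zone reachable by pivoting from `start`."""
    reached = crossings(rules, start)
    return {port for src, dst, port in rules if dst == "internal" and src in reached}


if __name__ == "__main__":
    print("double hop, client on the internet:")
    print("  direct targets:", direct_targets(DOUBLE_HOP_RULES, "internet"))
    print("  compromises before internal:",
          compromises_needed(DOUBLE_HOP_RULES, "internet", "internal"))
    print("  internal ports after pivoting:",
          exposed_internal_ports(DOUBLE_HOP_RULES, "internet"))
    print("vpn, client in the address pool:")
    print("  compromises before internal:",
          compromises_needed(VPN_RULES, "vpn_pool", "internal"))
    print("  internal ports:", exposed_internal_ports(VPN_RULES, "vpn_pool"))
```

Run as-is, the double-hop policy shows an internet client touching only port 443 on the outer DMZ, one compromise (the gateway) before anything internal is reachable, and a short list of back-end ports that the gateway legitimately needs; those are Alan's "holes", and they are what AppSense-style lock-down on the gateway and a second factor at the front door are defending. The VPN policy shows the authenticated client inside with no compromise at all, which is Greg's point. Swap in your own rule base and the two numbers worth arguing over with the security team fall out directly.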
