[THIN] Re: speaking of security nazis

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 Aug 2009 18:10:13 +0100

Two-factor authentication is not in the budget, so not an option... in all
fairness, if that's a statement that the business is pushing and you've
external access... they're only playing at being Security Nazis.

 

There'll be some sort of 'oo what if they get admin access' stuff going on
here as well I bet - in which case shell out on Environment and Application
Manager from Appsense - lock out applications and give reporting; lock out
application access and give reporting. Get an independent assessment of the
access by a 3rd party.

 

If you want something *else*... I've seen one product that suggests it does
protocol inspection on 1494 - but all *that's* going to do is see if you're
injecting anything naughty into the ICA stream. For the life of me I can't
find the company now.

 

What you're more than likely asking for is a product that will monitor a
session and then alert when someone opens a command prompt or the CMC... and
essentially that's locked out with Windows & Citrix security and policies,
and more locked down and reported on with Appsense. It's all a bit moot if
you've not bothered to secure your external access by only using a
username/password mind - or put your servers raw on to the internet.

 

It's amazing how many hits you'll get back looking for raw published Citrix
servers in Google, and scary how many you can connect to anonymously and
erm... apparently shocking on how many you can launch a command prompt on... so
I've been told.

 

You could obviously monitor sessions with session recording and playback -
there are 3rd party tools available now which means you don't need to be
running enterprise edition to allow this.

 

Ask them for a MoSCoW security policy statement and then provide an
assessment based on the available security with/without the likes of
Appsense.

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Wilson, Christopher
Sent: 25 August 2009 15:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] speaking of security nazis

 

The AppSense conversation reminds me of something else I want to bounce off
you guys.

 

I am working at a company now that places a high priority on security -
perhaps more than I'm used to.  I'm planning a consolidation of several
Citrix farms, one of which resides in a DMZ.  A small subset of business apps
are hosted here (Office and file shares really), because it was deemed too
great a risk to provide access to the whole internal Citrix environment.
The security team believes Citrix Secure Gateway with single factor
authentication doesn't provide enough protection from external attack and
thus won't point it at internal farms.  (This is foreign to me since I think
of this as a limited VPN, and they do have VPN access.)

 

So here's where I'm interested in your input.  Two-factor authentication is
not in the budget, so not an option.   Is CSG that much of a risk to merit
this kind of concern?  Is CAG sufficiently better to mitigate some of this
concern?  How are others doing it?  My own experience is that I've seen lots
of CSG, a little CAG, and two factor authentication primarily at larger
companies.   

 

I want to be able to roll this DMZ farm internal, and provide the benefits
of remote access for all apps they've been missing out on.  But I'll have to
get past the security guys first.
