[THIN] Re: speaking of security nazis

  • From: Kevin Stewart <kevin.g.stewart@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 25 Aug 2009 13:39:50 -0400

Putting Citrix servers in a DMZ is usually more difficult than it's worth.
Your best bet might be to secure the servers (ports, services, etc.),
include some kind of HBID software and a desktop security and management app
like Appsense. But most of all, assume no more trust on these servers than you'd
place on a mall kiosk. Do assume that users will break them and otherwise
find ways to "customize".

That said, I think the original question was more to do with the security of
CAG or CSG. In this case, think "ticketing". Using the CAG or CSG and the
Secure Ticket Authority, users get an ICA file containing a ticket that
expires very quickly. So even if a nefarious character can compromise a
user's ICA file, they'd literally have seconds to use it. Additionally, the
ICA file only contains half of the user's credentials (weakly encrypted),
vice all of it without the STA. In my experience, this single capability has
saved many Citrix environments from the IA axe.

Now if you're worried about the security of a Windows-based CSG, get a CAG,
but you'll pay more for concurrent user licenses. For the sake of
scalability though, CSGs work very well as virtual machines. A good security
solution for this approach is using an appliance-based load balancer in
front of your CGSs. We use F5 BigIPs which of course aren't Windows based,
only allow 443 SSL to the servers, and have some amazing load balancing and
health monitoring capabilities.

Kevin


On Tue, Aug 25, 2009 at 12:55 PM, Jeff Pitsch <jepitsch@xxxxxxxxx> wrote:

> I just got done with a contract with a bank that thought the exact same
> thing as Christopher security group.  If it's in the DMZ it's safer because
> they can "control" access to the resources in the protected network.  It
> doesn't make a ton of sense to me either but that's what they thought.  We
> had to have a couple of XenApp boxes in the DMZ and we punched like a
> million holes in the firewall just to make it all work with file shares and
> software that needed inside access.  It didn't matter that the firewall was
> swiss cheese though the security folks felt better about it.
>
>
> On Tue, Aug 25, 2009 at 12:49 PM, Hutchinson, Alan <
> Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:
>
>>  I'm still a little puzzled by the original post which says that 'Office
>> and some business applications as well as file shares' are sitting on Citrix
>> servers in the DMZ. If these are 'true' business applications then there
>> must be 'holes' to access back-end systems. Either way I don't particularly
>> like the idea of Citrix and file servers in a DMZ - or am (as usual) missing
>> something?
>>
>> Regards,
>>
>> Alan.
>>
>>  ------------------------------
>> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
>> Behalf Of *Berny Stapleton
>> *Sent:* 25 August 2009 17:36
>>
>> *To:* thin@xxxxxxxxxxxxx
>> *Subject:* [THIN] Re: speaking of security nazis
>>
>>   The only problem is that they are wondering what you are tunneling
>> through ICA, virtual channels can carry a lot of stuff...
>>
>> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>>
>>> that's kind of the cool thing about CAGS/CSG.  It only tunnels the ICA
>>> protocol.  if the client pc is infected with something, it's not going to
>>> jump from there to your servers.  If the client is infected with a keystroke
>>> logger, then you have a different problem, but not different than you would
>>> have if they were infected with one and using a traditional VPN.
>>>
>>>
>>> On Tue, Aug 25, 2009 at 11:22 AM, Berny Stapleton <
>>> berny@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a
>>>> tunneling protocol, so they are worried about what else might get tunneled
>>>> over it.
>>>>
>>>> If they are that worried about it, give it to them for them to manage.
>>>> That will allay a lot of their fears.
>>>>
>>>> For the price of AppSense, you might be able to do two factor auth,
>>>> which apparently is one of their primary concerns. Also, have you looked at
>>>> something like SMS passcode or something like that as a cheaper two factor
>>>> auth?
>>>>
>>>> Berny
>>>>
>>>> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>>>>
>>>>> and Nazi mutants could over run the walls and raze the whole place to
>>>>> the ground.
>>>>>
>>>>> If they are happy with VPN, they should be happy with a CSG/CAG.
>>>>> Happier, since with a CSG/CAG, the client device is not an active node on
>>>>> the network like it is with a VPN.
>>>>>
>>>>> You can do a double hop DMZ with this if that will help them sleep
>>>>> better at night.
>>>>>
>>>>>
>>>>> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <
>>>>> CMWilson@xxxxxxxxxxxxx> wrote:
>>>>>
>>>>>>  It seems to be more about their perimeter security philosophy than
>>>>>> anything.  Multi-hop DMZ, with three rings to get through before you are
>>>>>> internal.  They don’t like that it hops right by their perimeter rings.
>>>>>> They also don’t like that it runs on Windows, so maybe the CAG would
>>>>>> appease that.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I’m not sure the kind of attack, but the argument goes something like
>>>>>> this.  If we provide remote access to this Citrix server, someone could
>>>>>> potentially hack it and get administrative access, and then what?  It
>>>>>> seems like an anti-Windows bias coming from a Unix oriented team.  In this
>>>>>> argument, vague as it is, if the server is the vulnerability I thought I
>>>>>> would attack it at the server level.  (Obviously we already patch and run
>>>>>> AV).  So I brought in AppSense.  I thought they would dig the lock down
>>>>>> of processes on the server, and security policies that filter on client
>>>>>> location.  They weren’t impressed. They want something else that sits in
>>>>>> the DMZ as a barrier.
>>>>>>
>>>>>>
>>>>>>
>>>>>> This team has apparently been pretty dogmatic about their policies,
>>>>>> but I am hoping to find someone who will reason with me :).   I
>>>>>> appreciate you guys helping me make my case.
>>>>>>
>>>>>>
>>>>>>  ------------------------------
>>>>>>
>>>>>> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
>>>>>> *On Behalf Of *Robert K Coffman Jr. -Info From Data Corp.
>>>>>> *Sent:* Tuesday, August 25, 2009 10:04 AM
>>>>>> *To:* thin@xxxxxxxxxxxxx
>>>>>> *Subject:* [THIN] Re: speaking of security nazis
>>>>>>
>>>>>>
>>>>>>
>>>>>> >The security team believes Citrix Secure Gateway with single factor
>>>>>> authentication doesn’t provide enough protection from external attack
>>>>>>
>>>>>>
>>>>>> What kind of attack are they trying to prevent?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Both CSG and CAG use SSL...  With the CAG you could limit the exposure
>>>>>> of  WI to the internet.  I don't know CAG that well (yet), but other than
>>>>>> that I don't know that it is more secure than CSG.
>>>>>>
>>>>>>
>>>>>>
>>>>>> - Bob Coffman
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>


-- 
Kevin G. Stewart
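The ticketing flow Kevin describes (Web Interface asks the Secure Ticket Authority for a ticket, the ICA file carries only that ticket, the gateway redeems it against the STA before proxying to the internal server) can be modelled in a few dozen lines. The code below is an added example written for this archive, not Citrix code and not the real STA wire protocol: the ticket format, the 30-second lifetime, the field names in the ICA dictionary, the host names and the class and method names are all constructed for illustration. It shows why a stolen ICA file is of limited use: the ticket is opaque (it names no internal server), single-use, and dead within seconds.

```python
"""Toy model of STA-style ticketing (constructed example, not Citrix code).

Roles as described in the thread:
  - Web Interface authenticates the user and asks the ticket authority for
    a ticket naming the internal target server.
  - The ICA file sent to the client carries only the gateway address and
    the ticket, never the internal server address.
  - The gateway redeems the ticket with the authority, which returns the
    target only if the ticket is unexpired and has never been used.
The user's credentials are left out of this model entirely.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    target: str        # internal server the ticket resolves to
    expires_at: float  # epoch seconds after which the ticket is dead


class TicketAuthority:
    """Issues opaque, single-use, short-lived tickets and redeems them."""

    def __init__(self, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds          # assumed lifetime, not the product's default
        self._clock = clock              # injectable so expiry can be tested
        self._tickets: Dict[str, _Entry] = {}

    def issue(self, target: str) -> str:
        # The ticket is a bearer token, so it must be unguessable: 128 random
        # bits, and it encodes nothing about the target it maps to.
        ticket = secrets.token_urlsafe(16)
        self._tickets[ticket] = _Entry(target, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket: str) -> Optional[str]:
        """Return the target for a valid ticket and invalidate it, else None."""
        entry = self._tickets.pop(ticket, None)   # pop => a ticket works once
        if entry is None:
            return None                           # unknown, forged or replayed
        if self._clock() > entry.expires_at:
            return None                           # expired (and now discarded)
        return entry.target


def build_ica_file(gateway: str, ticket: str) -> Dict[str, str]:
    """What the client receives: gateway address and ticket only (constructed keys)."""
    return {"gateway": gateway, "ticket": ticket}


class Gateway:
    """Stands in for CSG/CAG: only a ticket accepted by the STA reaches a server."""

    def __init__(self, sta: TicketAuthority) -> None:
        self._sta = sta

    def connect(self, ica: Dict[str, str]) -> Optional[str]:
        # Real gateways would then proxy ICA to the returned address; here we
        # just report which internal server, if any, the ticket unlocked.
        return self._sta.redeem(ica["ticket"])


def demo() -> Dict[str, Optional[str]]:
    """Walk through first use, replay, expiry and a forged ticket."""
    now = [1000.0]                                  # fake clock, constructed
    sta = TicketAuthority(ttl_seconds=30.0, clock=lambda: now[0])
    gw = Gateway(sta)
    target = "xenapp01.internal.example"            # constructed host name

    ica = build_ica_file("gateway.example", sta.issue(target))
    first = gw.connect(ica)                         # fresh ticket: proxied
    replay = gw.connect(ica)                        # same ICA file again: refused

    stale = build_ica_file("gateway.example", sta.issue(target))
    now[0] += 31.0                                  # ticket outlives its window
    late = gw.connect(stale)                        # refused

    forged = gw.connect(build_ica_file("gateway.example", "not-a-real-ticket"))
    return {"first": first, "replay": replay, "late": late, "forged": forged}


if __name__ == "__main__":
    for outcome, server in demo().items():
        print(f"{outcome:>7}: {server or 'rejected'}")
```

Running the module prints one line per scenario: only the first connection resolves to the internal server; the replayed, expired and forged tickets are all rejected, and at no point did the ICA file itself contain the server's address.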

Other related posts: