[THIN] Re: speaking of security nazis

  • From: "Wilson, Christopher" <CMWilson@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 Aug 2009 13:15:56 -0500

Xactly.  Swiss-cheesing the firewall seems pointless.  I think that's
one reason they are only offering minimal apps.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Tuesday, August 25, 2009 11:55 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

I just got done with a contract with a bank that thought the exact same
thing as Christopher's security group.  If it's in the DMZ it's safer
because they can "control" access to the resources in the protected
network.  It doesn't make a ton of sense to me either but that's what
they thought.  We had to have a couple of XenApp boxes in the DMZ and we
punched like a million holes in the firewall just to make it all work
with file shares and software that needed inside access.  It didn't
matter that the firewall was swiss cheese though the security folks felt
better about it.

On Tue, Aug 25, 2009 at 12:49 PM, Hutchinson, Alan
<Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:

I'm still a little puzzled by the original post which says that 'Office
and some business applications as well as file shares' are sitting on
Citrix servers in the DMZ. If these are 'true' business applications
then there must be 'holes' to access back-end systems. Either way I
don't particularly like the idea of Citrix and file servers in a DMZ -
or am (as usual) missing something?

Regards,

Alan.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Berny Stapleton
Sent: 25 August 2009 17:36
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

The only problem is that they are wondering what you are tunneling
through ICA, virtual channels can carry a lot of stuff...

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

that's kind of the cool thing about CAGS/CSG.  It only tunnels the ICA
protocol.  If the client PC is infected with something, it's not going
to jump from there to your servers.  If the client is infected with a
keystroke logger, then you have a different problem, but not different
than you would have if they were infected with one and using a
traditional VPN.

On Tue, Aug 25, 2009 at 11:22 AM, Berny Stapleton
<berny@xxxxxxxxxxxxxxxxx> wrote:

CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a
tunneling protocol, so they are worried about what else might get
tunneled over it.

If they are that worried about it, give it to them for them to manage.
That will allay a lot of their fears.

For the price of AppSense, you might be able to do two factor auth,
which apparently is one of their primary concerns. Also, have you looked
at something like SMS passcode or something like that as a cheaper two
factor auth?

Berny

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

and Nazi mutants could overrun the walls and raze the whole place to the
ground.

If they are happy with VPN, they should be happy with a CSG/CAG.
Happier, since with a CSG/CAG, the client device is not an active node
on the network like it is with a VPN.

You can do a double hop DMZ with this if that will help them sleep
better at night.

On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher
<CMWilson@xxxxxxxxxxxxx> wrote:

It seems to be more about their perimeter security philosophy than
anything.  Multi-hop DMZ, with three rings to get through before you are
internal.  They don't like that it hops right by their perimeter rings.
They also don't like that it runs on Windows, so maybe the CAG would
appease that.

I'm not sure of the kind of attack, but the argument goes something like
this.  If we provide remote access to this Citrix server, someone could
potentially hack it and get administrative access, and then what?  It
seems like an anti-Windows bias coming from a Unix-oriented team.  In
this argument, vague as it is, if the server is the vulnerability I
thought I would attack it at the server level.  (Obviously we already
patch and run AV.)  So I brought in AppSense.  I thought they would dig
the lock down of processes on the server, and security policies that
filter on client location.  They weren't impressed.  They want something
else that sits in the DMZ as a barrier.

This team has apparently been pretty dogmatic about their policies, but
I am hoping to find someone who will reason with me :-).  I appreciate
you guys helping me make my case.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Robert K Coffman Jr. -Info From Data Corp.
Sent: Tuesday, August 25, 2009 10:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

>The security team believes Citrix Secure Gateway with single factor
>authentication doesn't provide enough protection from external attack

What kind of attack are they trying to prevent?

Both CSG and CAG use SSL...  With the CAG you could limit the exposure
of WI to the internet.  I don't know CAG that well (yet), but other than
that I don't know that it is more secure than CSG.

- Bob Coffman
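Putting the thread's designs side by side, as an added example that is not part of the original thread: a small Python rule-audit model that counts the DMZ-to-internal "holes" each design needs (XenApp boxes in the DMZ versus a CSG/CAG double hop with XenApp inside) and, for comparison, what a VPN client as an active node on the network needs. Host names, the rule tuples and the risky-service list are constructed assumptions; 1494 (ICA) and 2598 (CGP session reliability) are the standard XenApp ports.

```python
# Added example (not from the thread): audit firewall rules that let a
# non-internal zone reach the internal network. All rules are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz", "vpn" or "internal"
    src: str
    dst_zone: str
    dst: str
    ports: tuple    # inclusive TCP port range; (0, 65535) means "any"


# Services that, once reachable from a DMZ host, hand whoever owns that
# host a direct path into the internal network. Constructed assumption.
RISKY = {445: "SMB", 135: "RPC endpoint mapper", 389: "LDAP",
         88: "Kerberos", 1433: "MSSQL"}


def audit(rules):
    """Return (rule, reason) findings for rules reaching the internal zone."""
    findings = []
    for r in rules:
        if r.dst_zone != "internal" or r.src_zone == "internal":
            continue
        low, high = r.ports
        if high - low >= 1000:   # wide range is effectively "any"
            findings.append((r, f"port range {low}-{high} is effectively any"))
        for port, name in RISKY.items():
            if low <= port <= high:
                findings.append((r, f"{name} ({port}) reachable from {r.src}"))
    return findings


# Constructed "XenApp in the DMZ" design: the boxes need file shares, AD, SQL.
XENAPP_IN_DMZ = [
    Rule("internet", "any", "dmz", "xenapp-dmz-1", (443, 443)),
    Rule("dmz", "xenapp-dmz-1", "internal", "fileserver", (445, 445)),
    Rule("dmz", "xenapp-dmz-1", "internal", "dc1", (88, 88)),
    Rule("dmz", "xenapp-dmz-1", "internal", "dc1", (389, 389)),
    Rule("dmz", "xenapp-dmz-1", "internal", "dc1", (49152, 65535)),  # RPC dynamic
    Rule("dmz", "xenapp-dmz-1", "internal", "sqlserver", (1433, 1433)),
]

# Constructed CSG/CAG double hop: only the gateway sits in the DMZ and it
# forwards ICA/CGP to XenApp inside and talks to Web Interface/STA.
GATEWAY_IN_DMZ = [
    Rule("internet", "any", "dmz", "gateway", (443, 443)),
    Rule("dmz", "gateway", "internal", "xenapp-1", (1494, 1494)),    # ICA
    Rule("dmz", "gateway", "internal", "xenapp-1", (2598, 2598)),    # CGP
    Rule("dmz", "gateway", "internal", "webinterface", (443, 443)),  # WI + STA
]

# Constructed traditional VPN: the client is an active node on the network.
VPN_CLIENT = [Rule("vpn", "vpn-client", "internal", "any", (0, 65535))]
```

Running `audit()` over the three lists shows five findings for the XenApp-in-DMZ rules, none for the gateway design, and six for the VPN client, which is the "not an active node" argument from the thread in countable form.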