[THIN] Re: speaking of security nazis

  • From: Kevin Stewart <kevin.g.stewart@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 25 Aug 2009 14:18:11 -0400

Even if they could look inside the tunnel, they aren't going to see anything
but bits from a screen scrape.

Kevin

On Tue, Aug 25, 2009 at 2:13 PM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx
> wrote:

>  Yup, that’s exactly what they are concerned about.  Can’t see inside the
> tunnel.
>
>
>
> I’m looking into the 2 factor options.  I did see SMS Passcode, but SMS is
> not a standard feature on company cell phones for, you guessed it, security
> reasons.
>
>
>
> This is all helpful discussion.  I’m still optimistic that problem can be
> resolved with negotiation.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Berny Stapleton
> *Sent:* Tuesday, August 25, 2009 11:23 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: speaking of security nazis
>
>
>
> CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a
> tunneling protocol, so they are worried about what else might get tunneled
> over it.
>
> If they are that worried about it, give it to them for them to manage. That
> will allay a lot of their fears.
>
> For the price of AppSense, you might be able to do two factor auth, which
> apparently is one of their primary concerns. Also, have you looked at
> something like SMS passcode or something like that as a cheaper two factor
> auth?
>
> Berny
>
> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>
> and Nazi mutants could over run the walls and raze the whole place to the
> ground.
>
> If they are happy with VPN, they should be happy with a CSG/CAG.  Happier,
> since with a CSG/CAG, the client device is not an active node on the network
> like it is with a VPN.
>
> You can do a double hop DMZ with this if that will help them sleep better
> at night.
>
>
>
> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <
> CMWilson@xxxxxxxxxxxxx> wrote:
>
> It seems to be more about their perimeter security philosophy than
> anything.  Multi-hop DMZ, with three rings to get through before you are
> internal.  They don’t like that it hops right by their perimeter rings.
> They also don’t like that it runs on Windows, so maybe the CAG would appease
> that.
>
>
>
> I’m not sure the kind of attack, but the argument goes something like
> this.  If we provide remote access to this Citrix server, someone could
> potentially hack it and get administrative access, and then what?  It seems
> like an anti-windows bias coming from a unix oriented team.  In this
> argument, vague as it is, if the server is the vulnerability I thought I
> would attack it at the server level.  (Obviously we already patch and run
> AV).  So I brought in AppSense.  I thought they would dig the lock down of
> processes on the server, and security policies that filter on client
> location.  They weren’t impressed. They want something else that sits in the
> DMZ as a barrier.
>
>
>
> This team has apparently been pretty dogmatic about their policies, but I
> am hoping to find someone who will reason with me J.   I appreciate you
> guys helping me make my case.
>
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Robert K Coffman Jr. -Info From Data Corp.
> *Sent:* Tuesday, August 25, 2009 10:04 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: speaking of security nazis
>
>
>
> >The security team believes Citrix Secure Gateway with single factor
> authentication doesn’t provide enough protection from external attack
>
>
> What kind of attack are they trying to prevent?
>
>
>
> Both CSG and CAG use SSL...  With the CAG you could limit the exposure of
> WI to the internet.  I don't know CAG that well (yet), but other than that I
> don't know that it is more secure than CSG.
>
>
>
> - Bob Coffman
>
>
>
>
>



-- 
Kevin G. Stewart

Other related posts: