Even if they could look inside the tunnel, they aren't going to see anything but bits from a screen scrape.

Kevin

On Tue, Aug 25, 2009 at 2:13 PM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
> Yup, that’s exactly what they are concerned about. Can’t see inside the tunnel.
>
> I’m looking into the 2 factor options. I did see SMS Passcode, but SMS is not a standard feature on company cell phones for, you guessed it, security reasons.
>
> This is all helpful discussion. I’m still optimistic that the problem can be resolved with negotiation.
>
> ------------------------------
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Berny Stapleton
> Sent: Tuesday, August 25, 2009 11:23 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: speaking of security nazis
>
> CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a tunneling protocol, so they are worried about what else might get tunneled over it.
>
> If they are that worried about it, give it to them to manage. That will allay a lot of their fears.
>
> For the price of AppSense, you might be able to do two factor auth, which apparently is one of their primary concerns. Also, have you looked at something like SMS Passcode or something like that as a cheaper two factor auth?
>
> Berny
>
> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>
> and Nazi mutants could overrun the walls and raze the whole place to the ground.
>
> If they are happy with VPN, they should be happy with a CSG/CAG. Happier, since with a CSG/CAG, the client device is not an active node on the network like it is with a VPN.
>
> You can do a double hop DMZ with this if that will help them sleep better at night.
>
> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
>
> It seems to be more about their perimeter security philosophy than anything. Multi-hop DMZ, with three rings to get through before you are internal. They don’t like that it hops right by their perimeter rings. They also don’t like that it runs on Windows, so maybe the CAG would appease that.
>
> I’m not sure of the kind of attack, but the argument goes something like this. If we provide remote access to this Citrix server, someone could potentially hack it and get administrative access, and then what? It seems like an anti-Windows bias coming from a Unix-oriented team. In this argument, vague as it is, if the server is the vulnerability I thought I would attack it at the server level. (Obviously we already patch and run AV.) So I brought in AppSense. I thought they would dig the lockdown of processes on the server, and security policies that filter on client location. They weren’t impressed. They want something else that sits in the DMZ as a barrier.
>
> This team has apparently been pretty dogmatic about their policies, but I am hoping to find someone who will reason with me :). I appreciate you guys helping me make my case.
>
> ------------------------------
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr. -Info From Data Corp.
> Sent: Tuesday, August 25, 2009 10:04 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: speaking of security nazis
>
> > The security team believes Citrix Secure Gateway with single factor authentication doesn’t provide enough protection from external attack
>
> What kind of attack are they trying to prevent?
>
> Both CSG and CAG use SSL... With the CAG you could limit the exposure of WI to the internet. I don't know CAG that well (yet), but other than that I don't know that it is more secure than CSG.
>
> - Bob Coffman

-- 
Kevin G. Stewart