[THIN] Re: speaking of security nazis

  • From: "Wilson, Christopher" <CMWilson@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 Aug 2009 13:25:00 -0500

"all fairness, if that's a statement that the business is pushing and
you've external access .. they're only playing at being Security Nazis."

True that.  They are playing, but they have the upper hand in internal
politics.
Thanks for all the input, guys.  I'll let you know how it turns out in a
few weeks.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew Wood
Sent: Tuesday, August 25, 2009 12:10 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis
Two-factor authentication is not in the budget, so not an option ... in
all fairness, if that's a statement that the business is pushing and
you've external access .. they're only playing at being Security Nazis. 
There'll be some sort of 'oo what if they get admin access' stuff going
on here as well I bet - in which case shell out on Environment and
Application Manager from Appsense - lock out applications and give
reporting; lock out application access and give reporting. Get an
independent assessment of the access by a 3rd party.
If you want something *else*... I've seen one product that suggests it
does protocol inspection on 1494 - but all *that's* going to do is see
if you're injecting anything naughty into the ICA stream. For the life
of me I can't find the company now. 
What you're more than likely asking for is a product that will monitor a
session and then alert when someone opens a command prompt or the
CMC...and essentially that's locked out with Windows & Citrix security
and policies, and more locked down and reported on with Appsense. It's
all a bit moot if you've not bothered to secure your external access by
only using a username/password mind - or put your servers raw on to the
internet.
It's amazing how many hits you'll get back looking for raw published
citrix servers in google, and scary how many you can connect to
anonymously and erm.. apparently shocking on how many you can launch a
command prompt on... so I've been told.
You could obviously monitor sessions with session recording and playback
- there are 3rd party tools available now which means you don't need to
be running enterprise edition to allow this.
Ask them for a MoSCoW security policy statement and then provide an
assessment based on the available security with/without the likes of
Appsense.
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Wilson, Christopher
Sent: 25 August 2009 15:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] speaking of security nazis
The AppSense conversation reminds me of something else I want to bounce
off you guys.
I am working at a company now that places a high priority on security -
perhaps more than I'm used to. I'm planning a consolidation of several
Citrix farms, one of which resides in a DMZ. A small subset of business
apps are hosted here (Office and file shares really), because it was
deemed too great a risk to provide access to the whole internal Citrix
environment. The security team believes Citrix Secure Gateway with
single factor authentication doesn't provide enough protection from
external attack and thus won't point it at internal farms. (This is
foreign to me since I think of this as a limited VPN, and they do have
VPN access.)
So here's where I'm interested in your input. Two-factor authentication
is not in the budget, so not an option. Is CSG that much of a risk to
merit this kind of concern? Is CAG sufficiently better to mitigate some
of this concern? How are others doing it? My own experience is that
I've seen lots of CSG, a little CAG, and two factor authentication
primarily at larger companies.
I want to be able to roll this DMZ farm internal, and provide the
benefits of remote access for all apps they've been missing out on.  But
I'll have to get past the security guys first.
