Well ideally - but then the security boys see that you've got internal and DMZ servers on the same physical box, and *then* they want to know how you're maintaining security *within* that virtual environment...

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Magnus Hjorleifsson
Sent: 26 August 2009 12:23
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

The trick there would be to bit infra. (zdc, ...etc) on that same xenserver that has cag(vpx)

Sent from my iPhone

On Aug 26, 2009, at 4:48, "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx> wrote:

> Ctx lose money per cag device was a story I heard .. so VMs make sense to
> the vendor; I doubt there'll be a massive pass on in savings to the user.
>
> ..and 'stick your xenserver vm image in the DMZ' means (potentially) you've
> got to put a physical device in the DMZ to host the VM... so you've not
> really "saved" on a device and now you've got a virtual host(s) OS & HW to
> update and maintain not just the CAG
>
> Of course, moot if you've already got the kit there
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Warren Simondson
> Sent: 25 August 2009 23:57
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: speaking of security nazis
>
> One thing to note on the pricing and pluses of a CAG - very shortly the
> CAGs will be available and supported as a Virtual device, meaning that the
> price 'apparently' will be more affordable because you won't be buying the
> hardware device anymore, just the Xenserver VM image and the Licenses. So
> you can stick your Xenserver in the DMZ and have the CAG available. CAG EE
> like the 7000 series also have the benefit of HA. They're not that hard to
> set up but they can take a little while to get right, especially with all
> the new firmwares being released over the past 6 months.
> --
> Warren Simondson
> Ctrl-Alt-Del IT Consultancy Pty Ltd
> Website: http://www.ctrl-alt-del.com.au
>
> On Wed, Aug 26th, 2009 at 1:04 AM, Greg Reese <gareese@xxxxxxxxx> wrote:
>
>> SSL encryption is SSL encryption regardless of whether it comes from the
>> CSG or the CAG. The CAG is a hardware appliance and has some other goodies
>> and toys in it. But for proxying incoming connections to your protected
>> Citrix farm, the engine is the same.
>>
>> The CAG will give you some endpoint policies that CSG does not. Things
>> like no mapped drives if AV defs aren't current. You could (and should)
>> craft a Citrix policy to deny mapped drives to external clients anyway.
>> Encrypt XML. That sort of thing.
>>
>> On Tue, Aug 25, 2009 at 9:45 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
>>
>>> The AppSense conversation reminds me of something else I want to bounce
>>> off you guys.
>>>
>>> I am working at a company now that places a high priority on security -
>>> perhaps more than I'm used to. I'm planning a consolidation of several
>>> Citrix farms, one of which resides in a DMZ. A small subset of business
>>> apps are hosted here (Office and file shares really), because it was
>>> deemed too great a risk to provide access to the whole internal Citrix
>>> environment. The security team believes Citrix Secure Gateway with single
>>> factor authentication doesn't provide enough protection from external
>>> attack and thus won't point it at internal farms. (This is foreign to me
>>> since I think of this as a limited VPN, and they do have VPN access.)
>>>
>>> So here's where I'm interested in your input. Two-factor authentication
>>> is not in the budget, so not an option. Is CSG that much of a risk to
>>> merit this kind of concern? Is CAG sufficiently better to mitigate some
>>> of this concern? How are others doing it?
>>> My own experience is that I've seen lots of CSG, a little CAG, and two
>>> factor authentication primarily at larger companies.
>>>
>>> I want to be able to roll this DMZ farm internal, and provide the
>>> benefits of remote access for all apps they've been missing out on. But
>>> I'll have to get past the security guys first.
>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> //www.freelists.org/list/thin
> Follow ThinList on Twitter
> http://twitter.com/thinlist
> Thin List discussion is now available in blog format at:
> http://thinmaillist.blogspot.com
> Thinlist MOBILE Feed
> http://thinlist.net/mobile
> ************************************************