[THIN] Re: speaking of security nazis

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 26 Aug 2009 12:31:35 +0100

Well ideally - but then the security boys see that you've got internal and
DMZ servers on the same physical box, and *then* they want to know how
you're maintaining security *within* that virtual environment...

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Magnus Hjorleifsson
Sent: 26 August 2009 12:23
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

The trick there would be to bit infra. (zdc, ...etc) on that same xenserver that has cag(vpx)

Sent from my iPhone

On Aug 26, 2009, at 4:48, "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx> wrote:

> Ctx lose money per cag device was a story I heard .. so VMs make sense to
> the vendor; I doubt there'll be a massive pass on in savings to the user.
>
> ..and 'stick your xenserver vm image in the DMZ' means (potentially) you've
> got to put a physical device in the DMZ to host the VM... so you've not
> really "saved" on a device and now you've got a virtual host(s) OS & HW to
> update and maintain not just the CAG
>
> Of course, moot if you've already got the kit there
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Warren Simondson
> Sent: 25 August 2009 23:57
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: speaking of security nazis
>
> One thing to note on the pricing and pluses of a CAG - very shortly the
> CAGs will be available and supported as a Virtual device, meaning that the
> price 'apparently' will be more affordable because you won't be buying the
> hardware device anymore, just the Xenserver VM image and the Licenses. So
> you can stick your Xenserver in the DMZ and have the CAG available. CAG EE
> like the 7000 series also have the benefit of HA. They're not that hard to
> set up but they can take a little while to get right, especially with all
> the new firmwares being released over the past 6 months.
> -- 
> Warren Simondson
>
> Ctrl-Alt-Del IT Consultancy Pty Ltd
>
> Website: http://www.ctrl-alt-del.com.au
>
> On Wed, Aug 26th, 2009 at 1:04 AM, Greg Reese <gareese@xxxxxxxxx> wrote:
>
>> SSL encryption is SSL encryption regardless of whether it comes from the
>> CSG or the CAG.  The CAG is a hardware appliance and has some other
>> goodies and toys in it.  But for proxying incoming connections to your
>> protected Citrix farm, the engine is the same.
>>
>> The CAG will give you some endpoint policies that CSG does not.  Things
>> like no mapped drives if AV defs aren't current.  You could (and should)
>> craft a Citrix policy to deny mapped drives to external clients anyway.
>> Encrypt XML.  That sort of thing.
>>
>> On Tue, Aug 25, 2009 at 9:45 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
>>
>>> The AppSense conversation reminds me of something else I want to bounce
>>> off you guys.
>>>
>>> I am working at a company now that places a high priority on security -
>>> perhaps more than I'm used to.  I'm planning a consolidation of several
>>> Citrix farms, one of which resides in a DMZ.  A small subset of business
>>> apps are hosted here (Office and files shares really), because it was
>>> deemed too great a risk to provide access to the whole internal Citrix
>>> environment.  The security team believes Citrix Secure Gateway with
>>> single factor authentication doesn't provide enough protection from
>>> external attack and thus won't point it at internal farms.  (This is
>>> foreign to me since I think of this as a limited VPN, and they do have
>>> VPN access.)
>>>
>>> So here's where I'm interested in your input.  Two-factor authentication
>>> is not in the budget, so not an option.   Is CSG that much of a risk to
>>> merit this kind of concern?  Is CAG sufficiently better to mitigate some
>>> of this concern?  How are others doing it? My own experience is that I've
>>> seen lots of CSG, a little CAG, and two factor authentication primarily
>>> at larger companies.
>>>
>>> I want to be able to roll this DMZ farm internal, and provide the
>>> benefits of remote access for all apps they've been missing out on.  But
>>> I'll have to get past the security guys first.
>>>
>>
>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> //www.freelists.org/list/thin
> Follow ThinList on Twitter
> http://twitter.com/thinlist
> Thin List discussion is now available in blog format at:
> http://thinmaillist.blogspot.com
> Thinlist MOBILE Feed
> http://thinlist.net/mobile
> ************************************************