The only problem is that they are wondering what you are tunneling through ICA; virtual channels can carry a lot of stuff...

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

> That's kind of the cool thing about CAG/CSG. It only tunnels the ICA
> protocol. If the client PC is infected with something, it's not going to
> jump from there to your servers. If the client is infected with a keystroke
> logger, then you have a different problem, but not different from what you would
> have if they were infected with one and using a traditional VPN.
>
>
> On Tue, Aug 25, 2009 at 11:22 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>
>> CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a
>> tunneling protocol, so they are worried about what else might get tunneled
>> over it.
>>
>> If they are that worried about it, give it to them for them to manage.
>> That will allay a lot of their fears.
>>
>> For the price of AppSense, you might be able to do two-factor auth, which
>> apparently is one of their primary concerns. Also, have you looked at
>> something like SMS passcode or something like that as a cheaper two-factor
>> auth?
>>
>> Berny
>>
>> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>>
>>> And Nazi mutants could overrun the walls and raze the whole place to the
>>> ground.
>>>
>>> If they are happy with VPN, they should be happy with a CSG/CAG.
>>> Happier, since with a CSG/CAG, the client device is not an active node on
>>> the network like it is with a VPN.
>>>
>>> You can do a double-hop DMZ with this if that will help them sleep better
>>> at night.
>>>
>>>
>>> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
>>>
>>>> It seems to be more about their perimeter security philosophy than
>>>> anything. Multi-hop DMZ, with three rings to get through before you are
>>>> internal. They don’t like that it hops right by their perimeter rings.
>>>> They also don’t like that it runs on Windows, so maybe the CAG would
>>>> appease that.
>>>>
>>>> I’m not sure the kind of attack, but the argument goes something like
>>>> this. If we provide remote access to this Citrix server, someone could
>>>> potentially hack it and get administrative access, and then what? It seems
>>>> like an anti-Windows bias coming from a Unix-oriented team. In this
>>>> argument, vague as it is, if the server is the vulnerability I thought I
>>>> would attack it at the server level. (Obviously we already patch and run
>>>> AV.) So I brought in AppSense. I thought they would dig the lockdown of
>>>> processes on the server, and security policies that filter on client
>>>> location. They weren’t impressed. They want something else that sits in
>>>> the DMZ as a barrier.
>>>>
>>>> This team has apparently been pretty dogmatic about their policies, but
>>>> I am hoping to find someone who will reason with me :). I appreciate
>>>> you guys helping me make my case.
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>>>> Behalf Of Robert K Coffman Jr. -Info From Data Corp.
>>>> Sent: Tuesday, August 25, 2009 10:04 AM
>>>> To: thin@xxxxxxxxxxxxx
>>>> Subject: [THIN] Re: speaking of security nazis
>>>>
>>>>
>>>> > The security team believes Citrix Secure Gateway with single-factor
>>>> > authentication doesn’t provide enough protection from external attack
>>>>
>>>>
>>>> What kind of attack are they trying to prevent?
>>>>
>>>>
>>>> Both CSG and CAG use SSL... With the CAG you could limit the exposure
>>>> of WI to the internet. I don't know CAG that well (yet), but other than
>>>> that I don't know that it is more secure than CSG.
>>>>
>>>>
>>>> - Bob Coffman