[THIN] Re: CSG - Hacking

  • From: "Ron Oglesby" <roglesby@xxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 6 Sep 2002 08:28:04 -0500

If they can hack SSL encryption let them give it a shot :-).

The real vulnerability comes from the IIS boxes that host the CSG and
NFuse service. Which if the DMZ is configured right and the security guy
can secure an IIS box should limit the threat.

There are things you can do to poll for published apps and what not on
Citrix servers BUT with the CSG those servers are hidden with no public
IP address.  The CSG was built to secure internal apps and servers.

SEVERAL white papers are out about CSG 1.1 and how it works. Send them
to the security guys. I'm not saying it's impossible to hack, nothing is.
But we set one up and let a security team bang on it for 2 weeks.
Nothing. The only thing they could really do was a DOS attack which can
happen to any server exposed to the internet.

Ron Oglesby
Senior Technical Architect
RapidApp
Office 312.372.7188
Mobile 312.961.2380
email roglesby@xxxxxxxxxxxx

-----Original Message-----
From: Ray.Albert@xxxxxxxxxxxxxxx [mailto:Ray.Albert@xxxxxxxxxxxxxxx]
Sent: Thursday, September 05, 2002 4:16 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] CSG - Hacking



Can anyone let me know if there is a way for a user to hack a Citrix
published session?

What we are looking at is giving some of our clients access to a published
application through NFUSE Classic and use CSG.  This will be in the DMZ.
The application will not be in the DMZ.

Our network and security have doubts about giving someone access to an
internal application.

Anyone have any thoughts on this?

Please Help.

Ray Albert
ChoicePoint Inc
ray.albert@xxxxxxxxxxxxxxx



**********************************************
This weeks sponsor 99Point9.com
99Point9 helps solve your unresolved technical
server-based questions, issues and incidents.
http://www.99point9.com
***********************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm


