[THIN] Re: speaking of security nazis

  • From: "Hutchinson, Alan" <Alan.Hutchinson@xxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 Aug 2009 17:49:05 +0100

I'm still a little puzzled by the original post which says that 'Office
and some business applications as well as file shares' are sitting on
Citrix servers in the DMZ. If these are 'true' business applications
then there must be 'holes' to access back-end systems. Either way I
don't particularly like the idea of Citrix and file servers in a DMZ -
or am I (as usual) missing something?
 
Regards,
 
Alan.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Berny Stapleton
Sent: 25 August 2009 17:36
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis


The only problem is that they are wondering what you are tunneling
through ICA, virtual channels can carry a lot of stuff...


2009/8/25 Greg Reese <gareese@xxxxxxxxx>


        That's kind of the cool thing about CAGS/CSG.  It only tunnels
the ICA protocol.  If the client pc is infected with something, it's not
going to jump from there to your servers.  If the client is infected
with a keystroke logger, then you have a different problem but not
different than you would have if they were infected with one and using a
traditional VPN. 


        On Tue, Aug 25, 2009 at 11:22 AM, Berny Stapleton
<berny@xxxxxxxxxxxxxxxxx> wrote:
        

                CSG / CAG is SSL, they can't see in it with a packet
sniffer, it is a tunneling protocol, so they are worried about what else
might get tunneled over it.
                
                If they are that worried about it, give it to them for
them to manage. That will allay a lot of their fears.
                
                For the price of AppSense, you might be able to do two
factor auth, which apparently is one of their primary concerns. Also,
have you looked at something like SMS passcode or something like that as
a cheaper two factor auth?
                
                Berny
                
                
                2009/8/25 Greg Reese <gareese@xxxxxxxxx> 


                        and Nazi mutants could overrun the walls and
raze the whole place to the ground.
                        
                        If they are happy with VPN, they should be happy
with a CSG/CAG.  Happier, since with a CSG/CAG, the client device is not
an active node on the network like it is with a VPN.
                        
                        You can do a double hop DMZ with this if that
will help them sleep better at night. 


                        On Tue, Aug 25, 2009 at 10:22 AM, Wilson,
Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
                        

                                It seems to be more about their
perimeter security philosophy than anything.  Multi-hop DMZ, with three
rings to get through before you are internal.  They don't like that it
hops right by their perimeter rings.  They also don't like that it runs
on Windows, so maybe the CAG would appease that.  

                                 

                                I'm not sure the kind of attack, but the
argument goes something like this.  If we provide remote access to this
Citrix server, someone could potentially hack it and get administrative
access, and then what?  It seems like an anti-Windows bias coming from a
Unix-oriented team.  In this argument, vague as it is, if the server is
the vulnerability I thought I would attack it at the server level.
(Obviously we already patch and run AV).  So I brought in AppSense.  I
thought they would dig the lock down of processes on the server, and
security policies that filter on client location.  They weren't
impressed. They want something else that sits in the DMZ as a barrier.  

                                 

                                This team has apparently been pretty
dogmatic about their policies, but I am hoping to find someone who will
reason with me :-).   I appreciate you guys helping me make my case.

                                 

                                
________________________________


                                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr.
-Info From Data Corp.
                                Sent: Tuesday, August 25, 2009 10:04 AM
                                To: thin@xxxxxxxxxxxxx
                                Subject: [THIN] Re: speaking of security
nazis

                                 

                                >The security team believes Citrix
Secure Gateway with single factor authentication doesn't provide enough
protection from external attack 

                                
                                What kind of attack are they trying to
prevent?  

                                 

                                Both CSG and CAG use SSL...  With the
CAG you could limit the exposure of WI to the internet.  I don't know
CAG that well (yet), but other than that I don't know that it is more
secure than CSG.

                                 

                                - Bob Coffman




