Subset of information which is replicated, read only is a possibility too... Doesn't really stop data loss as such, but certainly slows it down and stops things which are destructive.

2009/8/25 Hutchinson, Alan <Alan.Hutchinson@xxxxxxxxxxxxxxxxxx>

> I'm still a little puzzled by the original post which says that 'Office and some business applications as well as file shares' are sitting on Citrix servers in the DMZ. If these are 'true' business applications then there must be 'holes' to access back-end systems. Either way I don't particularly like the idea of Citrix and file servers in a DMZ - or am (as usual) missing something?
>
> Regards,
>
> Alan.
>
> ------------------------------
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Berny Stapleton
> Sent: 25 August 2009 17:36
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: speaking of security nazis
>
> The only problem is that they are wondering what you are tunneling through ICA, virtual channels can carry a lot of stuff...
>
> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>
>> that's kind of the cool thing about CAGS/CSG. It only tunnels the ICA protocol. If the client pc is infected with something, it's not going to jump from there to your servers. If the client is infected with a keystroke logger, then you have a different problem but not different than you would have if they were infected with one and using a traditional vpn.
>>
>> On Tue, Aug 25, 2009 at 11:22 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> wrote:
>>
>>> CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a tunneling protocol, so they are worried about what else might get tunneled over it.
>>>
>>> If they are that worried about it, give it to them for them to manage. That will allay a lot of their fears.
>>>
>>> For the price of AppSense, you might be able to do two factor auth, which apparently is one of their primary concerns. Also, have you looked at something like SMS passcode or something like that as a cheaper two factor auth?
>>>
>>> Berny
>>>
>>> 2009/8/25 Greg Reese <gareese@xxxxxxxxx>
>>>
>>>> and Nazi mutants could overrun the walls and raze the whole place to the ground.
>>>>
>>>> If they are happy with VPN, they should be happy with a CSG/CAG. Happier, since with a CSG/CAG, the client device is not an active node on the network like it is with a VPN.
>>>>
>>>> You can do a double hop DMZ with this if that will help them sleep better at night.
>>>>
>>>> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:
>>>>
>>>>> It seems to be more about their perimeter security philosophy than anything. Multi-hop DMZ, with three rings to get through before you are internal. They don’t like that it hops right by their perimeter rings. They also don’t like that it runs on Windows, so maybe the CAG would appease that.
>>>>>
>>>>> I’m not sure of the kind of attack, but the argument goes something like this. If we provide remote access to this Citrix server, someone could potentially hack it and get administrative access, and then what? It seems like an anti-windows bias coming from a unix oriented team. In this argument, vague as it is, if the server is the vulnerability I thought I would attack it at the server level. (Obviously we already patch and run AV). So I brought in AppSense. I thought they would dig the lock down of processes on the server, and security policies that filter on client location. They weren’t impressed. They want something else that sits in the DMZ as a barrier.
>>>>>
>>>>> This team has apparently been pretty dogmatic about their policies, but I am hoping to find someone who will reason with me :). I appreciate you guys helping me make my case.
>>>>>
>>>>> ------------------------------
>>>>> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr. -Info From Data Corp.
>>>>> Sent: Tuesday, August 25, 2009 10:04 AM
>>>>> To: thin@xxxxxxxxxxxxx
>>>>> Subject: [THIN] Re: speaking of security nazis
>>>>>
>>>>> >The security team believes Citrix Secure Gateway with single factor authentication doesn’t provide enough protection from external attack
>>>>>
>>>>> What kind of attack are they trying to prevent?
>>>>>
>>>>> Both CSG and CAG use SSL... With the CAG you could limit the exposure of WI to the internet. I don't know CAG that well (yet), but other than that I don't know that it is more secure than CSG.
>>>>>
>>>>> - Bob Coffman