[THIN] Re: speaking of security nazis

  • From: Warren Simondson <caditc@xxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 26 Aug 2009 08:56:31 +1000

One thing to note on the pricing and pluses of a CAG - very shortly the CAG's 
will be available 
and supported as a Virtual device, meaning that the price 'apparently' will be 
more affordable 
becasue you won't be buying the hardware device anymore, just the Xenserver VM 
image and 
the Licenses. So you can stick your Xenserver in the DMZ and have the CAG 
available. CAG EE 
like the 7000 series also have the benefit of HA. There not that hard to set up 
butthey can take 
a little while to get right, especially with all the new firmwares being 
release over the past 6 
months.
-- 
Warren Simondson

Ctrl-Alt-Del IT Consultancy Pty Ltd

Website: http://www.ctrl-alt-del.com.au








On Wed, Aug 26th, 2009 at 1:04 AM, Greg Reese <gareese@xxxxxxxxx> wrote:

> SSL encryption is SSL encryption regardless of whether it comes from
> the CSG
> or the CAG.  The CAG is a hardware appliance and has some other
> goodies and
> toys in it.  But for proxying incoming connections to your protected
> Citrix
> farm, the engine is the same.
> 
> The CAG will give you some endpoinit policies that CSG does not. 
> Things
> like no mapped drives if AV defs aren't current.  You could (and
> should)
> craft a Citrix policy to deny mapped drives to external clients
> anyway.
> Encrypt XML.  that sort of thing.
> 
> On Tue, Aug 25, 2009 at 9:45 AM, Wilson, Christopher
> <CMWilson@xxxxxxxxxxxxx
> > wrote:
> 
> >  The AppSense conversation reminds me of something else I want to
> bounce
> > off you guys.
> >
> >
> >
> > I am working at a company now that places I high priority on
> security ?
> > perhaps more than I?m used to.  I?m planning a consolidation of
> several
> > Citrix farms, one of which resides a DMZ.  A small subset of
> business apps
> > are hosted here (Office and files shares really), because it was
> deemed too
> > great a risk to provide access to the whole internal Citrix
> environment.
> >  The security team believes Citrix Secure Gateway with single
> factor
> > authentication doesn?t provide enough protection from external
> attack and
> > thus won?t point it at internal farms.  (This is foreign to me
> since I think
> > of this as a limited VPN, and they do have VPN access.)
> >
> >
> >
> > So here?s where I?m interested in your input.  Two-factor
> authentication is
> > not in the budget, so not an option.   Is CSG that much of a risk
> to merit
> > this kind of concern?  Is CAG sufficiently better to mitigate some
> of this
> > concern?  How are others doing it?  My own experience is that I?ve
> seen lots
> > of CSG, a little CAG, and two factor authentication primarily at
> larger
> > companies.
> >
> >
> >
> > I want to be able to roll this DMZ farm internal, and provide the
> benefits
> > of remote access for all apps they?ve been missing out on.  But
> I?ll have to
> > get past the security guys first.
> >
> 

************************************************
For Archives, RSS, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
Follow ThinList on Twitter
http://twitter.com/thinlist
Thin List discussion is now available in blog format at:
http://thinmaillist.blogspot.com
Thinlist MOBILE Feed
http://thinlist.net/mobile
************************************************

Other related posts:

  1. Home
  2. thin
  3. Archive
  4. 08-2009