[THIN] Re: speaking of security nazis

  • From: "Jon Wallace" <jon@xxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 Aug 2009 21:14:03 -0400

Hi Andrew,

I may be off topic here and am certainly not trying to vendor pitch but given 
you mention Environment Manager and Application Manager you may have overlooked 
a feature within Application Manager - Advanced Network Access Control.

In AM you can apply executable restriction rules right, like adding a group and 
then going into deny and blocking say CMD.EXE - obviously you can also do the 
reverse, block everything yet allow this and that.

Well, in 8.0 (current release) you can also do the same with network ports, 
shares and URLs.  Just go into either a group rule, user rule or device rule 
and in either the allow or deny list choose to add an item only choose Network 

We (AppSense) introduced this feature for the finance sector where what you 
describe is the norm.  This way you can put a mini-firewall around specific 
users / groups etc and prevent them from going outside of their machine (i.e. 
double-hopping onto another machine).

Again, you can restrict shares and URL if required using the same feature.

Sorry to product pitch but just wanted to let you know that what you're trying 
to do may already be possible with the products you're looking at.



From: Andrew Wood 
Sent: Tuesday, August 25, 2009 1:10 PM
To: thin@xxxxxxxxxxxxx 
Subject: [THIN] Re: speaking of security nazis

Two-factor authentication is not in the budget, so not an option... in all 
fairness, if that's a statement that the business is pushing and you've 
external access... they're only playing at being Security Nazis. 


There'll be some sort of 'oo what if they get admin access' stuff going on here 
as well I bet - in which case shell out on Environment and Application Manager 
from Appsense - lock out applications and give reporting; lock out application 
access and give reporting. Get an independent assessment of the access by a 3rd 


If you want something *else*... I've seen one product that suggests it does 
protocol inspection on 1494 - but all *that's* going to do is see if you're 
injecting anything naughty into the ICA stream. For the life of me I can't find 
the company now. 


What you're more than likely asking for is a product that will monitor a 
session and then alert when someone opens a command prompt or the CMC... and 
essentially that's locked out with Windows & Citrix security and policies, and 
more locked down and reported on with Appsense. It's all a bit moot if you've 
not bothered to secure your external access by only using a username/password 
mind - or put your servers raw on to the internet. 


It's amazing how many hits you'll get back looking for raw published Citrix 
servers in Google, and scary how many you can connect to anonymously and erm.. 
apparently shocking on how many you can launch a command prompt on... so I've 
been told.


You could obviously monitor sessions with session recording and playback - 
there are 3rd party tools available now which means you don't need to be 
running enterprise edition to allow this.


Ask them for a MoSCoW security policy statement and then provide an assessment 
based on the available security with/without the likes of Appsense.


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Wilson, Christopher
Sent: 25 August 2009 15:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] speaking of security nazis


The AppSense conversation reminds me of something else I want to bounce off you 


I am working at a company now that places a high priority on security - perhaps 
more than I'm used to.  I'm planning a consolidation of several Citrix farms, 
one of which resides in a DMZ.  A small subset of business apps are hosted here 
(Office and file shares really), because it was deemed too great a risk to 
provide access to the whole internal Citrix environment.  The security team 
believes Citrix Secure Gateway with single factor authentication doesn't 
provide enough protection from external attack and thus won't point it at 
internal farms.  (This is foreign to me since I think of this as a limited VPN, 
and they do have VPN access.)


So here's where I'm interested in your input.  Two-factor authentication is not 
in the budget, so not an option.  Is CSG that much of a risk to merit this 
kind of concern?  Is CAG sufficiently better to mitigate some of this concern?  
How are others doing it?  My own experience is that I've seen lots of CSG, a 
little CAG, and two factor authentication primarily at larger companies.


I want to be able to roll this DMZ farm internal, and provide the benefits of 
remote access for all apps they've been missing out on.  But I'll have to get 
past the security guys first.
