[THIN] Re: speaking of security nazis

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 26 Aug 2009 09:48:21 +0100

Ctx lose money per cag device was a story I heard .. so VMs make sense to
the vendor; I doubt there'll be a massive pass on in savings to the user. 

..and 'stick your xenserver vm image in the DMZ' means (potentially) you've
got to put a physical device in the DMZ to host the VM... so you've not
really "saved" on a device and now you've got a virtual host(s) OS & HW to
update and maintain, not just the CAG

Of course, moot if you've already got the kit there  

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Warren Simondson
Sent: 25 August 2009 23:57
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

One thing to note on the pricing and pluses of a CAG - very shortly the
CAGs will be available and supported as a Virtual device, meaning that the
price 'apparently' will be more affordable because you won't be buying the
hardware device anymore, just the Xenserver VM image and the Licenses. So
you can stick your Xenserver in the DMZ and have the CAG available. CAG EE
like the 7000 series also have the benefit of HA. They're not that hard to
set up but they can take a little while to get right, especially with all
the new firmwares being released over the past 6 months.
-- 
Warren Simondson

Ctrl-Alt-Del IT Consultancy Pty Ltd

Website: http://www.ctrl-alt-del.com.au








On Wed, Aug 26th, 2009 at 1:04 AM, Greg Reese <gareese@xxxxxxxxx> wrote:

> SSL encryption is SSL encryption regardless of whether it comes from the
> CSG or the CAG.  The CAG is a hardware appliance and has some other
> goodies and toys in it.  But for proxying incoming connections to your
> protected Citrix farm, the engine is the same.
>
> The CAG will give you some endpoint policies that CSG does not.  Things
> like no mapped drives if AV defs aren't current.  You could (and should)
> craft a Citrix policy to deny mapped drives to external clients anyway.
> Encrypt XML.  That sort of thing.
>
> On Tue, Aug 25, 2009 at 9:45 AM, Wilson, Christopher
> <CMWilson@xxxxxxxxxxxxx> wrote:
> 
> > The AppSense conversation reminds me of something else I want to bounce
> > off you guys.
> >
> > I am working at a company now that places a high priority on security -
> > perhaps more than I'm used to.  I'm planning a consolidation of several
> > Citrix farms, one of which resides in a DMZ.  A small subset of business
> > apps are hosted here (Office and file shares really), because it was
> > deemed too great a risk to provide access to the whole internal Citrix
> > environment.  The security team believes Citrix Secure Gateway with
> > single factor authentication doesn't provide enough protection from
> > external attack and thus won't point it at internal farms.  (This is
> > foreign to me since I think of this as a limited VPN, and they do have
> > VPN access.)
> >
> > So here's where I'm interested in your input.  Two-factor authentication
> > is not in the budget, so not an option.  Is CSG that much of a risk to
> > merit this kind of concern?  Is CAG sufficiently better to mitigate some
> > of this concern?  How are others doing it?  My own experience is that
> > I've seen lots of CSG, a little CAG, and two factor authentication
> > primarily at larger companies.
> >
> > I want to be able to roll this DMZ farm internal, and provide the
> > benefits of remote access for all apps they've been missing out on.  But
> > I'll have to get past the security guys first.
> >
> 

************************************************
For Archives, RSS, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
Follow ThinList on Twitter
http://twitter.com/thinlist
Thin List discussion is now available in blog format at:
http://thinmaillist.blogspot.com
Thinlist MOBILE Feed
http://thinlist.net/mobile
************************************************
