[THIN] Re: speaking of security nazis

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 26 Aug 2009 09:49:19 +0100

Although if you’re going to use client side certs you need to be sure that the 
client side component hasn’t been compromised 

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Magnus Hjorleifsson
Sent: 26 August 2009 00:17
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

You can always use a client certificate as the second factor auth. And if they 
want to see Inside the tunnel you can give them the public and privat keys and 
have them run a packet trce to see what is going on   

Sent from my iPhone


On Aug 25, 2009, at 14:13, "Wilson, Christopher" <CMWilson@xxxxxxxxxxxxx> wrote:

Yup, that’s exactly what they are concerned about.  Can’t see inside the tunnel.

 

I’m looking into the 2 factor options.  I did see SMS Passcode, but SMS is not 
a standard feature on company cell phones for, you guessed it, security 
reasons.  

 

This is all helpful discussion.  I’m still optimistic that problem can be 
resolved with negotiation.  

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Berny Stapleton
Sent: Tuesday, August 25, 2009 11:23 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a tunneling 
protocol, so they are worried about what else might get tunneled over it.

If they are that worried about it, give it to them for them to manage. That 
will allay a lot of their fears.

For the price of AppSense, you might be able to do two factor auth, which 
apparently is one of their primary concerns. Also, have you looked at something 
like SMS passcode or something like that as a cheaper two factor auth?

Berny

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

and Nazi mutants could over run the walls and raze the whole place to the 
ground.

If they are happy with VPN, they should be happy with a CSG/CAG.  Happier, 
since with a CSG/CAG, the client device is not an active node on the network 
like it is with a VPN.

You can do a double hop DMZ with this if that will help them sleep better at 
night.

 

On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> 
wrote:

It seems to be more about their perimeter security philosophy than anything.  
Multi-hop DMZ, with three rings to get through before you are internal.  They 
don’t like that it hops right by their perimeter rings.  They also don’t like 
that it runs on Windows, so maybe the CAG would appease that.  

 

I’m not sure the kind of attack, but the argument goes something like this.  If 
we provide remote access to this Citrix server, someone could potentially hack 
it and get administrative access, and then what?  It seems like an anti-windows 
bias coming from a unix oriented team.  In this argument, vague as it is, if 
the server is the vulnerability I thought I would attack it at the server 
level.  (Obviously we already patch and run AV).  So I brought in AppSense.  I 
thought they would dig the lock down of processes on the server, and security 
policies that filter on client location.  They weren’t impressed. They want 
something else that sits in the DMZ as a barrier.  

 

This team has apparently been pretty dogmatic about their policies, but I am 
hoping to find someone who will reason with me J.   I appreciate you guys 
helping me make my case.

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Robert K Coffman Jr. -Info From Data Corp.
Sent: Tuesday, August 25, 2009 10:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

>The security team believes Citrix Secure Gateway with single factor 
>authentication doesn’t provide enough protection from external attack 


What kind of attack are they trying to prevent?  

 

Both CSG and CAG use SSL...  With the CAG you could limit the exposure of  WI 
to the internet.  I don't know CAG that well (yet), but other than that I don't 
know that it is more secure than CSG.

 

- Bob Coffman

Other related posts:

  1. Home
  2. thin
  3. Archive
  4. 08-2009