[THIN] Re: speaking of security nazis

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 26 Aug 2009 09:58:19 +0100

I like SMS Passcode, but I'd agree there have been a couple of times when the
fact that it's based around SMS has been a pain; which, sadly, is their main
pitch.

I've found Entrust's IdentityGuard very useful, with the units themselves
pretty reliable and cheap, and SafeWord, although that's now with Aladdin.
Obviously there's also Citrix's 'Citrix Ready' list with other vendors:
http://www.citrix.com/ready/list/products

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Wilson, Christopher
Sent: 25 August 2009 19:13
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

Yup, that's exactly what they are concerned about.  Can't see inside the
tunnel.

I'm looking into the 2 factor options.  I did see SMS Passcode, but SMS is
not a standard feature on company cell phones for, you guessed it, security
reasons.  

This is all helpful discussion.  I'm still optimistic that problem can be
resolved with negotiation.  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Berny Stapleton
Sent: Tuesday, August 25, 2009 11:23 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

CSG / CAG is SSL; they can't see into it with a packet sniffer. It is a
tunneling protocol, so they are worried about what else might get tunneled
over it.

If they are that worried about it, give it to them for them to manage. That
will allay a lot of their fears.

For the price of AppSense, you might be able to do two-factor auth, which
apparently is one of their primary concerns. Also, have you looked at
something like SMS Passcode as a cheaper two-factor auth?

Berny

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

And Nazi mutants could overrun the walls and raze the whole place to the
ground.

If they are happy with VPN, they should be happy with a CSG/CAG.  Happier,
since with a CSG/CAG, the client device is not an active node on the network
like it is with a VPN.

You can do a double hop DMZ with this if that will help them sleep better at
night.

On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher
<CMWilson@xxxxxxxxxxxxx> wrote:

It seems to be more about their perimeter security philosophy than anything.
Multi-hop DMZ, with three rings to get through before you are internal.
They don't like that it hops right by their perimeter rings.  They also
don't like that it runs on Windows, so maybe the CAG would appease that.  

I'm not sure of the kind of attack, but the argument goes something like this.
If we provide remote access to this Citrix server, someone could potentially
hack it and get administrative access, and then what?  It seems like an
anti-windows bias coming from a unix oriented team.  In this argument, vague
as it is, if the server is the vulnerability I thought I would attack it at
the server level.  (Obviously we already patch and run AV).  So I brought in
AppSense.  I thought they would dig the lock down of processes on the
server, and security policies that filter on client location.  They weren't
impressed. They want something else that sits in the DMZ as a barrier.  

This team has apparently been pretty dogmatic about their policies, but I am
hoping to find someone who will reason with me :). I appreciate you guys
helping me make my case.


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robert K Coffman Jr. -Info From Data Corp.
Sent: Tuesday, August 25, 2009 10:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

> The security team believes Citrix Secure Gateway with single factor
> authentication doesn't provide enough protection from external attack

What kind of attack are they trying to prevent?  

Both CSG and CAG use SSL...  With the CAG you could limit the exposure of
WI to the internet.  I don't know CAG that well (yet), but other than that I
don't know that it is more secure than CSG.

- Bob Coffman
