[THIN] Re: speaking of security nazis

From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
To: <thin@xxxxxxxxxxxxx>
Date: Wed, 26 Aug 2009 15:37:24 +0100

But that in itself can be a problem - if you've got an SSL tunnel coming in
- and potentially encrypted data going all the way from the end device to
the XenApp server security bods can't 'see' into it; and if they can't see
into it then they can't inspect it; and if they can't inspect it - it makes
them really quite sad.

 

When you eventually explain its keyboard and mouse movements and screen
updates it can calm them down a bit, until they realise you've now got
access into the corporate network from a remote device to a windows
application/environment. A windows environment is not renowned for its tight
security so you have to go through it all again explaining how you lock down
the environment that the remote user is working within.

 

You can work with them on that by developing with them a profile of
vulnerabilities, then addressing those vulnerabilities and then getting
independent analysis of the environment that's been built.

 

Security bods are never happy tho' - the best you can hope for is 'less
unhappy grudging acceptance of risk' :?

 

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Foster, Bill
Sent: 26 August 2009 14:57
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

I'm just having trouble seeing what a malicious attack would gain from the
ICA stream if you properly locked it down. 

 

Bill Foster

Sr.  Systems Engineer, IT Infrastructure

WellCare Health Plans, Inc.

8735 Henderson Road

Ren1, 1st Floor

Tampa, Florida 34609

Office: 813-290-6200 ext 1158

bill.foster@xxxxxxxxxxxx

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Berny Stapleton
Sent: Wednesday, August 26, 2009 9:50 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

Debatable. Depends on what you set for the settings on the published app.

2009/8/26 Foster, Bill <Bill.Foster@xxxxxxxxxxxx>

Even if you could see inside the tunnel ICA is compressed and encrypted
right?

 

Bill Foster

Sr.  Systems Engineer, IT Infrastructure

WellCare Health Plans, Inc.

8735 Henderson Road

Ren1, 1st Floor

Tampa, Florida 34609

Office: 813-290-6200 ext 1158

bill.foster@xxxxxxxxxxxx

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Wilson, Christopher
Sent: Tuesday, August 25, 2009 2:13 PM


To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

Yup, that's exactly what they are concerned about.  Can't see inside the
tunnel.

 

I'm looking into the 2 factor options.  I did see SMS Passcode, but SMS is
not a standard feature on company cell phones for, you guessed it, security
reasons.  

 

This is all helpful discussion.  I'm still optimistic that problem can be
resolved with negotiation.  

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Berny Stapleton
Sent: Tuesday, August 25, 2009 11:23 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a
tunneling protocol, so they are worried about what else might get tunneled
over it.

If they are that worried about it, give it to them for them to manage. That
will allay a lot of their fears.

For the price of AppSense, you might be able to do two factor auth, which
apparently is one of their primary concerns. Also, have you looked at
something like SMS passcode or something like that as a cheaper two factor
auth?

Berny

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

and Nazi mutants could over run the walls and raze the whole place to the
ground.

If they are happy with VPN, they should be happy with a CSG/CAG.  Happier,
since with a CSG/CAG, the client device is not an active node on the network
like it is with a VPN.

You can do a double hop DMZ with this if that will help them sleep better at
night.

 

On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher
<CMWilson@xxxxxxxxxxxxx> wrote:

It seems to be more about their perimeter security philosophy than anything.
Multi-hop DMZ, with three rings to get through before you are internal.
They don't like that it hops right by their perimeter rings.  They also
don't like that it runs on Windows, so maybe the CAG would appease that.  

 

I'm not sure the kind of attack, but the argument goes something like this.
If we provide remote access to this Citrix server, someone could potentially
hack it and get administrative access, and then what?  It seems like an
anti-windows bias coming from a unix oriented team.  In this argument, vague
as it is, if the server is the vulnerability I thought I would attack it at
the server level.  (Obviously we already patch and run AV).  So I brought in
AppSense.  I thought they would dig the lock down of processes on the
server, and security policies that filter on client location.  They weren't
impressed. They want something else that sits in the DMZ as a barrier.  

 

This team has apparently been pretty dogmatic about their policies, but I am
hoping to find someone who will reason with me J.   I appreciate you guys
helping me make my case.

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robert K Coffman Jr. -Info From Data Corp.
Sent: Tuesday, August 25, 2009 10:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

 

>The security team believes Citrix Secure Gateway with single factor
authentication doesn't provide enough protection from external attack 


What kind of attack are they trying to prevent?  

 

Both CSG and CAG use SSL...  With the CAG you could limit the exposure of
WI to the internet.  I don't know CAG that well (yet), but other than that I
don't know that it is more secure than CSG.

 

- Bob Coffman

 

 

Privacy Notice: This electronic mail message, and any attachments, are
confidential and are intended for 
the exclusive use of the addressee(s) and may contain information that is
proprietary and that may be 
Individually Identifiable or Protected Health Information under HIPAA. If
you are not the intended 
recipient, please immediately contact the sender by telephone, or by email,
and destroy all copies of this
message. If you are a regular recipient of our electronic mail, please
notify us promptly if you change 
your email address.

 

Privacy Notice: This electronic mail message, and any attachments, are
confidential and are intended for 
the exclusive use of the addressee(s) and may contain information that is
proprietary and that may be 
Individually Identifiable or Protected Health Information under HIPAA. If
you are not the intended 
recipient, please immediately contact the sender by telephone, or by email,
and destroy all copies of this
message. If you are a regular recipient of our electronic mail, please
notify us promptly if you change 
your email address.

Follow-Ups:
- [THIN] Re: speaking of security nazis
  - From: Foster, Bill

References:
- [THIN] speaking of security nazis
  - From: Wilson, Christopher
- [THIN] Re: speaking of security nazis
  - From: Robert K Coffman Jr. -Info From Data Corp.
- [THIN] Re: speaking of security nazis
  - From: Wilson, Christopher
- [THIN] Re: speaking of security nazis
  - From: Greg Reese
- [THIN] Re: speaking of security nazis
  - From: Berny Stapleton
- [THIN] Re: speaking of security nazis
  - From: Wilson, Christopher
- [THIN] Re: speaking of security nazis
  - From: Foster, Bill
- [THIN] Re: speaking of security nazis
  - From: Berny Stapleton
- [THIN] Re: speaking of security nazis
  - From: Foster, Bill

[THIN] Re: speaking of security nazis

Other related posts: