[THIN] Re: speaking of security nazis

  • From: "Wilson, Christopher" <CMWilson@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 Aug 2009 10:26:52 -0500

Good point on the Citrix policy, that's not in use presently.



From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Reese
Sent: Tuesday, August 25, 2009 10:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis


SSL encryption is SSL encryption regardless of whether it comes from the
CSG or the CAG.  The CAG is a hardware appliance and has some other
goodies and toys in it.  But for proxying incoming connections to your
protected Citrix farm, the engine is the same.

The CAG will give you some endpoinit policies that CSG does not.  Things
like no mapped drives if AV defs aren't current.  You could (and should)
craft a Citrix policy to deny mapped drives to external clients anyway.
Encrypt XML.  that sort of thing.

On Tue, Aug 25, 2009 at 9:45 AM, Wilson, Christopher
<CMWilson@xxxxxxxxxxxxx> wrote:

The AppSense conversation reminds me of something else I want to bounce
off you guys.


I am working at a company now that places I high priority on security -
perhaps more than I'm used to.  I'm planning a consolidation of several
Citrix farms, one of which resides a DMZ.  A small subset of business
apps are hosted here (Office and files shares really), because it was
deemed too great a risk to provide access to the whole internal Citrix
environment.   The security team believes Citrix Secure Gateway with
single factor authentication doesn't provide enough protection from
external attack and thus won't point it at internal farms.  (This is
foreign to me since I think of this as a limited VPN, and they do have
VPN access.)


So here's where I'm interested in your input.  Two-factor authentication
is not in the budget, so not an option.   Is CSG that much of a risk to
merit this kind of concern?  Is CAG sufficiently better to mitigate some
of this concern?  How are others doing it?  My own experience is that
I've seen lots of CSG, a little CAG, and two factor authentication
primarily at larger companies.   


I want to be able to roll this DMZ farm internal, and provide the
benefits of remote access for all apps they've been missing out on.  But
I'll have to get past the security guys first.


Other related posts: