[THIN] Re: speaking of security nazis

  • From: Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 25 Aug 2009 17:22:57 +0100

CSG / CAG is SSL, they can't see in it with a packet sniffer, it is a
tunneling protocol, so they are worried about what else might get tunneled
over it.

If they are that worried about it, give it to them for them to manage. That
will allay a lot of their fears.

For the price of AppSense, you might be able to do two factor auth, which
apparently is one of their primary concerns. Also, have you looked at
something like SMS passcode or something like that as a cheaper two factor
auth?

Berny

2009/8/25 Greg Reese <gareese@xxxxxxxxx>

> and Nazi mutants could over run the walls and raze the whole place to the
> ground.
>
> If they are happy with VPN, they should be happy with a CSG/CAG.  Happier,
> since with a CSG/CAG, the client device is not an active node on the network
> like it is with a VPN.
>
> You can do a double hop DMZ with this if that will help them sleep better
> at night.
>
>
> On Tue, Aug 25, 2009 at 10:22 AM, Wilson, Christopher <
> CMWilson@xxxxxxxxxxxxx> wrote:
>
>>  It seems to be more about their perimeter security philosophy than
>> anything.  Multi-hop DMZ, with three rings to get through before you are
>> internal.  They don’t like that it hops right by their perimeter rings.
>> They also don’t like that it runs on Windows, so maybe the CAG would appease
>> that.
>>
>>
>>
>> I’m not sure the kind of attack, but the argument goes something like
>> this.  If we provide remote access to this Citrix server, someone could
>> potentially hack it and get administrative access, and then what?  It seems
>> like an anti-windows bias coming from a unix oriented team.  In this
>> argument, vague as it is, if the server is the vulnerability I thought I
>> would attack it at the server level.  (Obviously we already patch and run
>> AV).  So I brought in AppSense.  I thought they would dig the lock down of
>> processes on the server, and security policies that filter on client
>> location.  They weren’t impressed. They want something else that sits in the
>> DMZ as a barrier.
>>
>>
>>
>> This team has apparently been pretty dogmatic about their policies, but I
>> am hoping to find someone who will reason with me J.   I appreciate you
>> guys helping me make my case.
>>
>>
>>  ------------------------------
>>
>> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
>> Behalf Of *Robert K Coffman Jr. -Info From Data Corp.
>> *Sent:* Tuesday, August 25, 2009 10:04 AM
>> *To:* thin@xxxxxxxxxxxxx
>> *Subject:* [THIN] Re: speaking of security nazis
>>
>>
>>
>> >The security team believes Citrix Secure Gateway with single factor
>> authentication doesn’t provide enough protection from external attack
>>
>>
>> What kind of attack are they trying to prevent?
>>
>>
>>
>> Both CSG and CAG use SSL...  With the CAG you could limit the exposure of
>> WI to the internet.  I don't know CAG that well (yet), but other than that I
>> don't know that it is more secure than CSG.
>>
>>
>>
>> - Bob Coffman
>>
>
>

Other related posts:

  1. Home
  2. thin
  3. Archive
  4. 08-2009