Security Basics mailing list archives
RE: Teleworking
From: "Gunn, Jeff" <Jeff.Gunn () FMR COM>
Date: Wed, 12 Nov 2003 11:04:13 -0500
I'm not an expert in it, I helped with the config and I did the verification testing from the point of view of the Citrix servers (which I support) and the end user. So I can't really give a lecture on the technical details. I also don't have any experience with using it for access to any other number of apps it supports. That being said...

Basically, the Neoteris device sits on the firewall and proxies all requests to the internal resources, and only the resources that you explicitly allow. You make a session request to that box with a web browser and authenticate. It then acts as a proxy for the web connection to the Nfuse server in your extranet (or intranet). When you request an application on your Metaframe farm, it intercepts the connection file (the .ica file) and inserts its own tags on the fly. It uses a Java-based "session manager" to then handle the traffic that would normally run direct from the client to the Citrix box, but is now being routed through the Neoteris device.

Advantages over traditional VPN? For the good and accurate spiel you'd have to talk to them, or someone who has had more hands-on exposure than me. From the security standpoint I'd say the fact that all traffic is funneled through a single point with centralized access control is an advantage over the traditional VPN. In my experience, a VPN connection is something you give to someone you trust completely because it allows access to a range of resources on your network. This is more like an "access nothing except what I allow" scenario than a traditional VPN, which I thought of as an "access everything except what I lock down". It also does all the usual VPN stuff that you'd expect, like high encryption, two-factor authentication, etc.

More user-oriented advantages are that you don't need to install anything - the session manager is popped up in a Java window, no client install required (although you still need the Citrix ICA client if you're not using the Java one). It also integrates very well, so your users aren't launching their VPN, authenticating, going to a website, authenticating, then getting to their remote apps...etc. It streamlines the process a bit.

I don't work for Neoteris, I just used their stuff and thought it worked well.

-Jeff

-----Original Message-----
From: Charles Mitchell [mailto:charles () research datalocate net]
Sent: Wednesday, November 12, 2003 3:42 AM
To: Gunn, Jeff
Cc: 'security-basics () securityfocus com'
Subject: RE: Teleworking

On Mon, 10 Nov 2003, Gunn, Jeff wrote:

> but I know our telecom guys were happier with it for external access than a traditional VPN because it's really more of a reverse proxy than a real VPN solution, so it can be more secure.

Will you explain in more detail what you mean by 'reverse proxy' in this situation & the advantages/disadvantages in security over traditional VPN technologies?

--
Thanks in advance
Charles Mitchell
datalocate.net
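
The "access nothing except what I allow" model and the on-the-fly .ica rewrite described in the message above, sketched as an added example; it is not part of the original post and not Neoteris's actual implementation. The gateway address, the allowlist, the sample .ica content and the `GatewayTicket` key are constructed assumptions.

```python
import configparser
import io
import secrets

# Constructed values for illustration (assumptions, not from the original post).
GATEWAY = "gateway.example.com:443"
ALLOWED_BACKENDS = {"10.1.1.20:1494"}  # default deny: only published servers

SAMPLE_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.1.1.20:1494
InitialProgram=#Notepad
TransportDriver=TCP/IP
"""


class Denied(Exception):
    """Raised when a launch file points at a backend that is not allowlisted."""


def rewrite_ica(ica_text, allowed=ALLOWED_BACKENDS, gateway=GATEWAY):
    """Return (rewritten .ica text, {ticket: real backend}) or raise Denied."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as the ICA client expects
    cp.read_string(ica_text)
    if not cp.has_section("ApplicationServers"):
        raise Denied("no [ApplicationServers] section")
    routes = {}
    for app in cp["ApplicationServers"]:
        backend = cp.get(app, "Address", fallback=None)
        if backend not in allowed:
            raise Denied(f"{app}: backend {backend!r} is not allowlisted")
        ticket = secrets.token_urlsafe(16)
        routes[ticket] = backend  # real address stays on the gateway only
        cp.set(app, "Address", gateway)  # client now connects to the gateway
        cp.set(app, "GatewayTicket", ticket)  # hypothetical key name
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue(), routes


if __name__ == "__main__":
    text, routes = rewrite_ica(SAMPLE_ICA)
    print(text)
```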