Re: This time, how secure is Citrix?

[Matthew Romanek <shandower () gmail com>]

On Fri, 19 Nov 2004 11:47:42 -0500, Cesar Diaz <cdiaz00 () gmail com> wrote:
> List,
>
> I asked a question a few days ago about how secure VPN access is for
> home users on their own home PCs.  I received many helpful answers.
> Thank you all for that.
>
> I also want to ask everyones opinion on how secure remote access
> through Citrix can be.
>
> We use Citrix MetaFrame XP available through Nfuse available thorugh a
> public IP address.  The Nfuse website is secured with 128-bit SSL.
> Our firewall only allows port 443 to access the server through that
> IP.
>
> The concern now isn't as much the possibility of viruses, worm, etc.
> spreading since this is not a direct connection to our LAN like a VPN.
>  The concern is that if a hacker has gained access to the users home
> computer, then they can access the resources on the network that the
> user accesses.
>
> The idea has been floated of running a script when the user connects
> that deletes their default route to the Internet, then adds a route
> directly to our network.  This should theoretically remove access to
> their machine from the Internet.  We would run an exit script that
> reverses this so they get their connectivity back.
>
> Thanks again for any advice,
>
> Cesar Diaz

I'm sorry to say that I can't really give any advice, but here's some
more to think about..

First thing that I would ask is, are these privately owned machines,
or company owned?

If privately owned, you may want to run something like this past your
legal department. Modifying someone else's PC can be a touchy subject,
especially if the PC is shared at home or if the 14 year old next door
that comes in to fix the printer problem thinks this is something
underhanded and goes vigilante on you.. Far fetched, yes, but I've
heard stranger lawsuits. Sometimes just making them sign a paper that
says you can do this won't be enough, if they argue they didn't
understand what they were signing. (I know, I know. They can still
sue, though).

Also, what happens when it breaks? I've had Citrix crash on me a lot
of times, and depending on how you handle this route-fixing, you might
leave someone unable to connect to the internet, or to you, or
whatever. That's a lot of support problems, especially if your
end-users can't (or won't) do the fix themselves. Can you afford to
send technicians out to someone's home? If so, and they go out and
look at the machine and find a bunch of dirty pictures on it, what
then? Not only do you have the end user's privacy suit to worry about,
but you might also have to deal with a puritanical technician who
feels demeaned by having to wade through that during the course of
their work. You can forbid this type of thing on your own equipment,
but enforcing policy on something you don't even own is not only hard,
but a legal minefield in any particularly litigeous area. You might
see the privacy issues of treating private equipment as a business
asset, too.

-- 
Matthew 'Shandower' Romanek
IDS Analyst