Security Basics mailing list archives
Re: This time, how secure is Citrix?
From: Matthew Romanek <shandower () gmail com>
Date: Fri, 19 Nov 2004 12:16:13 -0800
On Fri, 19 Nov 2004 11:47:42 -0500, Cesar Diaz <cdiaz00 () gmail com> wrote:
List, I asked a question a few days ago about how secure VPN access is for home users on their own home PCs. I received many helpful answers. Thank you all for that. I also want to ask everyones opinion on how secure remote access through Citrix can be. We use Citrix MetaFrame XP available through Nfuse available thorugh a public IP address. The Nfuse website is secured with 128-bit SSL. Our firewall only allows port 443 to access the server through that IP. The concern now isn't as much the possibility of viruses, worm, etc. spreading since this is not a direct connection to our LAN like a VPN. The concern is that if a hacker has gained access to the users home computer, then they can access the resources on the network that the user accesses. The idea has been floated of running a script when the user connects that deletes their default route to the Internet, then adds a route directly to our network. This should theoretically remove access to their machine from the Internet. We would run an exit script that reverses this so they get their connectivity back. Thanks again for any advice, Cesar Diaz
I'm sorry to say that I can't really give any advice, but here's some more to think about.. First thing that I would ask is, are these privately owned machines, or company owned? If privately owned, you may want to run something like this past your legal department. Modifying someone else's PC can be a touchy subject, especially if the PC is shared at home or if the 14 year old next door that comes in to fix the printer problem thinks this is something underhanded and goes vigilante on you.. Far fetched, yes, but I've heard stranger lawsuits. Sometimes just making them sign a paper that says you can do this won't be enough, if they argue they didn't understand what they were signing. (I know, I know. They can still sue, though). Also, what happens when it breaks? I've had Citrix crash on me a lot of times, and depending on how you handle this route-fixing, you might leave someone unable to connect to the internet, or to you, or whatever. That's a lot of support problems, especially if your end-users can't (or won't) do the fix themselves. Can you afford to send technicians out to someone's home? If so, and they go out and look at the machine and find a bunch of dirty pictures on it, what then? Not only do you have the end user's privacy suit to worry about, but you might also have to deal with a puritanical technician who feels demeaned by having to wade through that during the course of their work. You can forbid this type of thing on your own equipment, but enforcing policy on something you don't even own is not only hard, but a legal minefield in any particularly litigeous area. You might see the privacy issues of treating private equipment as a business asset, too. -- Matthew 'Shandower' Romanek IDS Analyst
Current thread:
- This time, how secure is Citrix? Cesar Diaz (Nov 19)
- Re: This time, how secure is Citrix? Matthew Romanek (Nov 19)
- Re: This time, how secure is Citrix? Tariq Malik (Nov 22)
- Re: This time, how secure is Citrix? richardw (Nov 19)
- RE: This time, how secure is Citrix? Nick Owen (Nov 22)
- <Possible follow-ups>
- RE: This time, how secure is Citrix? Javier Otero De Alba (Nov 19)
- RE: This time, how secure is Citrix? Dante Mercurio (Nov 19)
- Re: This time, how secure is Citrix? Matthew Romanek (Nov 19)