Firewall Wizards mailing list archives

RE: OWA and Risk Assesment


From: "Simon Graham" <Simon.Graham () lvs1 com>
Date: Tue, 3 Dec 2002 23:08:44 -0700

It is worth noting that Citrix has its own proprietary gateway and
ticketing service called Citrix Secure Gateway (CSG) that it uses to
authenticate sessions and proxy sessions on port 443 for connection to
backend Citrix Metaframe servers listening on TCP 1494 (ICA).  In
essence:
1) A user connects to a portal server (Citrix Nfuse on port 80 or 443) using user credentials (plus SecureID if required).
2) After login the request is passed to a proprietary ticketing authority and a ticket is generated. If authentication is successful, half of the ticket is returned to the client and the other to the CSG server. At the same time the Metaframe farm is queried for apps accessible to the user and, using JavaScript, a web page is created on the fly and returned to the user.
3) Once the user clicks on an app icon, an ICA file containing info about the app and connection is generated to allow connection on 443 to the CSG server.
4) At the CSG server the halves of the tickets are compared and, if they match, the CSG server proxies the connection to the Metaframe farm via ICA.

All connections from the external network(s) can use SSL and thus only
443 needs to be opened to the Nfuse Portal and the CSG servers sitting
in a DMZ.  Port 80 needs to be open from the portal in the DMZ to
Metaframe (ICA) farm on the internal network.  ICA (1494) needs to be
open from the CSG box in the DMZ to the Metaframe (ICA) farm on the
internal network.  I am told that the port 80 connections will be
replaced with SSL ability in the next release.

Not perfect but an interesting approach.  The Portal and CSG software are
available for WIN2K and Solaris.
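The port flows in the message above (443 from outside to the NFuse portal and the CSG box in the DMZ, 80 from the portal to the MetaFrame farm, 1494 from CSG to the farm, nothing else) can be written down as a small default-deny policy and audited against candidate flows. The example below is added here and is not code from the original post or from Citrix; the host names, addresses and rule format are constructed for illustration, and only the zones, ports and directions come from the message. It also carries the author's remark that the port 80 hop is slated to become SSL, as a policy variant with that one rule moved to 443.

```python
"""Default-deny model of the DMZ policy implied by the CSG/NFuse deployment
described in the post.  Hosts and addresses are constructed placeholders."""
from dataclasses import dataclass

# Constructed host inventory: name -> (zone, address).  Addresses are
# documentation-range placeholders, not anything from the original post.
HOSTS = {
    "nfuse":     ("dmz",      "192.0.2.10"),    # Citrix NFuse portal
    "csg":       ("dmz",      "192.0.2.11"),    # Citrix Secure Gateway
    "metaframe": ("internal", "10.0.1.20"),     # MetaFrame (ICA) farm
    "client":    ("external", "198.51.100.7"),  # a sample Internet user
}


@dataclass(frozen=True)
class Rule:
    src: str    # host name or zone name ("external", "dmz", "internal")
    dst: str    # host name
    proto: str
    dport: int


# Rules taken from the post; first match wins, anything unmatched is denied.
POLICY = [
    Rule("external", "nfuse", "tcp", 443),      # users -> portal over SSL
    Rule("external", "csg", "tcp", 443),        # ICA-over-SSL to the gateway
    Rule("nfuse", "metaframe", "tcp", 80),      # portal queries the farm
    Rule("csg", "metaframe", "tcp", 1494),      # gateway proxies ICA inward
]


def zone_of(host):
    """Zone a named host lives in (raises KeyError for unknown hosts)."""
    return HOSTS[host][0]


def is_allowed(src, dst, proto, dport, policy=POLICY):
    """True if some rule permits the flow; a rule's src may name a host or
    a whole zone.  No rule matching means deny."""
    for rule in policy:
        src_ok = rule.src == src or rule.src == zone_of(src)
        if src_ok and rule.dst == dst and rule.proto == proto and rule.dport == dport:
            return True
    return False


def next_release_policy(policy=POLICY):
    """Policy variant for the author's note that the portal-to-farm port 80
    connection is to be replaced with SSL: that single rule moves to 443."""
    return [
        Rule(r.src, r.dst, r.proto, 443)
        if (r.src, r.dst, r.dport) == ("nfuse", "metaframe", 80) else r
        for r in policy
    ]


def audit(flows, policy=POLICY):
    """Map each (src, dst, proto, dport) flow to its allow/deny decision,
    handy for checking that the DMZ never exposes ICA or HTTP directly."""
    return {flow: is_allowed(*flow, policy=policy) for flow in flows}


if __name__ == "__main__":
    checks = [
        ("client", "nfuse", "tcp", 443),
        ("client", "csg", "tcp", 443),
        ("client", "metaframe", "tcp", 1494),   # direct ICA from outside
        ("nfuse", "metaframe", "tcp", 1494),    # portal must not speak ICA
    ]
    for flow, verdict in audit(checks).items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {flow}")
```

The useful property to verify is the negative space: the only inbound path to ICA on the farm is through the CSG host, and the portal never gets an ICA rule of its own, so a compromised portal cannot reach 1494 directly.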

-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com] 
Sent: Monday, December 02, 2002 11:23 AM
To: Volker Tanger
Cc: adreyer () math uni-paderborn de; kronos () datastreamcowboys net;
firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OWA and Risk Assesment


no it doesn't (you can proxy it with a circuit proxy, but it's not an
application specific proxy)

ICA is easier to administer than OWA-specific ports and is therefore less
likely to be misconfigured; in addition you only have the Citrix
vulnerabilities to worry about, not IIS vulnerabilities (many fewer bugs
discovered, if only because it's a smaller target).

All of this makes ICA seem more secure to let through a firewall than
all the OWA ports.

David Lang


On Mon, 2 Dec 2002, Volker Tanger wrote:

Date: Mon, 02 Dec 2002 14:37:53 +0100
From: Volker Tanger <volker.tanger () discon de>
To: adreyer () math uni-paderborn de
Cc: kronos () datastreamcowboys net, firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OWA and Risk Assesment

Greetings!

Achim Dreyer wrote:

> btw: Does anybody know of any ICA or RDP proxy application?

If I remember correctly (haven't worked with it for a while) Symantec
Enterprise Firewall (=Axent Raptor) has an ICA proxy.

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards