Firewall Wizards mailing list archives

RE: OWA and Risk Assessment


From: Eric L Budke <lists () budke com>
Date: Wed, 04 Dec 2002 11:18:04 -0500

This of course leaves out the little issue that if you have bad accounts on the internal domain and don't restrict which ones have Citrix access, an application that provides some ability to open or "save as" a file can generally result in access to cmd.exe. Since Citrix is real nice about mapping drives, you don't even have to upload (or figure out a way to upload) any tools to the Citrix server in order to attack the internal domain(s).

For what it is worth (and so it doesn't appear that I'm Citrix-only bashing), the same general issues appear in term-server as well. Restricting sessions works well for the real easy stuff, but I've seen people accidentally figure out ways to get cmd.exe access when the regular tried and true methods weren't working (due to the app lockdowns).

The best part is, if you get the right account, you get a nice desktop GUI.

At 01:08 AM 12/4/2002, Simon Graham wrote:
It is worth noting that Citrix has its own proprietary gateway and
ticketing service called Citrix Secure Gateway (CSG) that it uses to
authenticate sessions and proxy sessions on port 443 for connection to
backend Citrix Metaframe servers listening on TCP 1494 (ICA). In
essence:
1) A user connects to a portal server (Citrix Nfuse on port 80 or
443) using user credentials (plus SecurID if required).
2) After login the request is passed to a proprietary ticketing
authority and a ticket is generated. If authentication is successful
half of the ticket is returned to the client and the other to the CSG
server. At the same time the Metaframe farm is queried for apps
accessible to the user and using JavaScript a web page is created on
the fly and returned to the user.
3) Once the user clicks on an app icon an ICA file containing info
about the app and connection is generated to allow connection on 443 to
the CSG server.
4) At the CSG server the halves of the tickets are compared and if
they match the CSG server proxies the connection to the Metaframe farm
via ICA.

All connections from the external network(s) can use SSL and thus only
443 needs to be opened to the Nfuse Portal and the CSG servers sitting
in a DMZ.  Port 80 needs to be open from the portal in the DMZ to
Metaframe (ICA) farm on the internal network.  ICA (1494) needs to be
open from the CSG box in the DMZ to the Metaframe (ICA) farm on the
internal network.  I am told that the port 80 connections will be
replaced with SSL ability in the next release.

Not perfect but an interesting approach.  The Portal and CSG software is
available for WIN2K and Solaris.
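The split-ticket flow Simon describes in steps 2 to 4, as an added Python model that is not Citrix code and not from this thread: the ticketing authority puts the client's half of the ticket in the ICA file and registers the gateway's half with the CSG, and the gateway proxies only when the halves match, the ticket is unexpired and it has not already been used. Modeling assumptions: the gateway's half is a SHA-256 digest of the client's half (so the DMZ box never stores a value it could replay itself), tickets expire after `ttl_seconds`, and the actual ICA proxying is reduced to returning the user name.

```python
import hashlib
import hmac
import secrets
import time


class SecureGatewayModel:
    """Constructed model of the CSG side: it holds the authority's half of
    each ticket and proxies only when the client's half matches."""

    def __init__(self):
        # ticket_id -> (gateway half, user, expiry as a unix timestamp)
        self._pending = {}

    def register(self, ticket_id, gateway_half, user, expires_at):
        self._pending[ticket_id] = (gateway_half, user, expires_at)

    def connect(self, ica_file, now=None):
        """Return the user to proxy for, or None if the ticket is rejected."""
        now = time.time() if now is None else now
        # pop() makes every ticket single use: a replayed ICA file finds nothing
        entry = self._pending.pop(ica_file["ticket_id"], None)
        if entry is None:
            return None
        gateway_half, user, expires_at = entry
        if now > expires_at:
            return None
        presented = hashlib.sha256(bytes.fromhex(ica_file["ticket"])).digest()
        # constant-time comparison of the two halves
        if not hmac.compare_digest(presented, gateway_half):
            return None
        return user


class TicketAuthorityModel:
    """Constructed model of the ticketing authority behind the Nfuse portal."""

    def __init__(self, gateway, ttl_seconds=60):
        self.gateway = gateway
        self.ttl = ttl_seconds

    def issue(self, user, app, now=None):
        """Called after the portal has authenticated the user; returns the
        ICA file contents the client will present to the CSG on port 443."""
        now = time.time() if now is None else now
        ticket_id = secrets.token_hex(8)
        client_half = secrets.token_bytes(32)
        gateway_half = hashlib.sha256(client_half).digest()
        self.gateway.register(ticket_id, gateway_half, user, now + self.ttl)
        return {"app": app, "port": 443, "ticket_id": ticket_id,
                "ticket": client_half.hex()}
```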

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

