Firewall Wizards mailing list archives
RE: OWA and Risk Assesment
From: Eric L Budke <lists () budke com>
Date: Wed, 04 Dec 2002 11:18:04 -0500
This of course leaves out the little issue that if you have bad accounts on the internal domain and don't restrict which of them have Citrix access, an application that provides some ability to open or "save as" a file can generally result in access to cmd.exe. Since Citrix is real nice about mapping drives, you don't even have to upload (or figure out a way to upload) any tools to the Citrix server in order to attack the internal domain(s).
For what it is worth (and so it doesn't appear that I'm Citrix-only bashing), the same general issues appear in term-server as well. Restricting sessions works well for the real easy stuff, but I've seen people accidentally figure out ways to get cmd.exe access when the regular tried and true methods weren't working (due to the app lockdowns).
The best part is, get the right account and you get a nice desktop GUI.
At 01:08 AM 12/4/2002, Simon Graham wrote:
It is worth noting that Citrix has its own proprietary gateway and ticketing service called Citrix Secure Gateway (CSG) that it uses to authenticate sessions and proxy sessions on port 443 for connection to backend Citrix Metaframe servers listening on TCP 1494 (ICA). In essence:
1) A user connects to a portal server (Citrix NFuse on port 80 or 443) using user credentials (plus SecurID if required).
2) After login the request is passed to a proprietary ticketing authority and a ticket is generated. If authentication is successful, half of the ticket is returned to the client and the other half to the CSG server. At the same time the Metaframe farm is queried for apps accessible to the user, and using JavaScript a web page is created on the fly and returned to the user.
3) Once the user clicks on an app icon, an ICA file containing info about the app and connection is generated to allow connection on 443 to the CSG server.
4) At the CSG server the halves of the ticket are compared and, if they match, the CSG server proxies the connection to the Metaframe farm via ICA.
All connections from the external network(s) can use SSL, and thus only 443 needs to be opened to the NFuse portal and the CSG servers sitting in a DMZ. Port 80 needs to be open from the portal in the DMZ to the Metaframe (ICA) farm on the internal network. ICA (1494) needs to be open from the CSG box in the DMZ to the Metaframe (ICA) farm on the internal network. I am told that the port 80 connections will be replaced with SSL ability in the next release. Not perfect but an interesting approach. The Portal and CSG software is available for WIN2K and Solaris.
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
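The four-step portal/ticketing/gateway exchange Simon describes, modelled end to end as an added example. This is not code from the thread or from Citrix: the ticket layout (a random secret, one copy handed to the client inside the ICA file and one kept by the gateway), the 100-second lifetime, the single-use rule and the binding of a ticket to one published app are assumptions made here to show what the "halves must match" check at the CSG buys you, and the shared `csg_halves` dictionary stands in for the authority pushing its half to the gateway.

```python
"""Model of the NFuse -> ticketing authority -> CSG -> Metaframe flow from
the post.  Added example, not Citrix code: ticket format, lifetime, single-use
rule and app binding are assumptions, chosen to show the gateway's checks."""
import hmac
import secrets

TICKET_LIFETIME = 100   # seconds; assumed value, not a documented Citrix one
TCP_ICA = 1494          # port the post gives for the Metaframe farm


class TicketAuthority:
    """Stands in for the proprietary ticketing authority (step 2)."""

    def __init__(self):
        self.csg_halves = {}   # ticket_id -> the half pushed to the CSG

    def issue(self, user, app, now):
        """Mint a ticket after the portal has authenticated the user.  One
        copy of the secret goes to the client in the ICA file, the other is
        held by the CSG for the comparison in step 4."""
        ticket_id = secrets.token_hex(8)
        secret = secrets.token_hex(16)
        self.csg_halves[ticket_id] = {
            "secret": secret, "user": user, "app": app,
            "expires": now + TICKET_LIFETIME, "used": False,   # assumed rules
        }
        return {"ticket_id": ticket_id, "secret": secret}


class NFusePortal:
    """Steps 1 and 3: authenticate on 443, list apps, build the ICA file."""

    def __init__(self, sta, users, app_list):
        self.sta, self.users, self.app_list = sta, users, app_list

    def login(self, user, password):
        # Constructed credential store; SecurID step omitted.
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        # Step 2 also queries the farm for the user's apps; here a lookup.
        return self.app_list.get(user, [])

    def ica_file(self, user, app, now):
        # Stand-in for the generated ICA file: the app, the CSG port and
        # the client's half of the ticket.
        return {"app": app, "gateway_port": 443, **self.sta.issue(user, app, now)}


class SecureGateway:
    """Step 4: compare the halves, then proxy ICA to the farm on 1494."""

    def __init__(self, sta):
        self.sta = sta

    def connect(self, ica_file, now):
        rec = self.sta.csg_halves.get(ica_file.get("ticket_id"))
        if rec is None:
            return "rejected: unknown ticket"
        if now > rec["expires"]:
            return "rejected: ticket expired"
        if rec["used"]:
            return "rejected: ticket already used"
        if not hmac.compare_digest(rec["secret"], ica_file.get("secret", "")):
            return "rejected: halves do not match"
        if rec["app"] != ica_file.get("app"):
            return "rejected: ticket not issued for this app"
        rec["used"] = True
        return f"proxy {rec['user']} -> {rec['app']} via ICA/{TCP_ICA}"


def demo():
    """Run the happy path once, then the forgery, replay, expiry and
    app-swap cases the gateway should refuse.  All inputs are constructed."""
    sta = TicketAuthority()
    portal = NFusePortal(sta, {"alice": "pw-for-demo"},
                         {"alice": ["Outlook", "Notepad"]})
    csg = SecureGateway(sta)
    now = 1_000_000
    r = {}
    r["bad_login"] = portal.login("alice", "guess")
    r["login"] = portal.login("alice", "pw-for-demo")
    ica = portal.ica_file("alice", "Outlook", now)
    r["forged"] = csg.connect(dict(ica, secret="0" * 32), now + 1)
    r["first"] = csg.connect(ica, now + 5)
    r["replay"] = csg.connect(ica, now + 6)
    r["expired"] = csg.connect(portal.ica_file("alice", "Notepad", now),
                               now + TICKET_LIFETIME + 1)
    r["wrong_app"] = csg.connect(
        dict(portal.ica_file("alice", "Notepad", now), app="cmd.exe"), now + 1)
    r["unknown"] = csg.connect({"ticket_id": "nope", "secret": "x"}, now)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} {outcome}")
```

The point of the model is that the ICA file alone is not a credential: the gateway only proxies to 1494 when the half it was handed by the ticketing authority matches the half the client presents, and (under the assumed rules) only once, only within the lifetime and only for the app the ticket was minted for. Whether a real deployment enforces the last three is something to verify against the product documentation, not this sketch.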
Current thread:
- OWA and Risk Assesment kronos (Dec 02)
- Re: OWA and Risk Assesment Achim Dreyer (Dec 02)
- Re: OWA and Risk Assesment Volker Tanger (Dec 02)
- Re: OWA and Risk Assesment David Lang (Dec 02)
- Re: OWA and Risk Assesment Volker Tanger (Dec 02)
- <Possible follow-ups>
- RE: OWA and Risk Assesment Simon Graham (Dec 04)
- RE: OWA and Risk Assesment Eric L Budke (Dec 04)
- RE: OWA and Risk Assesment David Lang (Dec 04)
- Re: OWA and Risk Assesment Achim Dreyer (Dec 02)