Security Basics mailing list archives

RE: Is Citrix safe?

From: "Nina V. Levitin" <Nina.Levitin () integtech com>
Date: Wed, 4 Jun 2003 11:40:33 -0700

First off Citrix is not SSL based.  Citrix is a third party product that
sits on top of Windows 2000 or Windows 2003 server.  It can uses SSL.
It provides additional functionality over and above Terminal Services.

Citrix Metaframe is capable of using SSL and TLS for security.  This can
be done in one of two ways.  The first is called SSL relay where each
Metaframe server is equipped with a certificate and can take direct SSL
connections.  This is not a preferred method.

The second is called Secure Gateway for Metaframe.  This is a reverses
SSL/TLS proxy for the ICA protocol.  It uses both SSL/TLS encryption of
the data stream as well as ticketing and can further be secured with
third party two-factor authentication.  According to one of its creators
this is Man-in-the middle proof because of the way it handles
certificates.  In this situation the certificate resides on the Secure
Gateway server which resides in the DMZ and then talks to the Metaframe
servers on the internal network preventing any direct access from the
outside.

Additionally Metaframe allows for native encryption of the data stream
via RC5.  This may not be exportable at its full 128bit capabilities.

Is Citrix safe?  That all depends on your definition of safe.  It does
sit on top of Microsoft.  So if you are comfortable with the way you
secure Microsoft then yes it can be safe.  Secure gateway can sit on
either IIS or on Apache on Solaris.  Again the security of the web
server depends on how you secure it.

Citrix is not inherently safe of unsafe.

-Kit

P.S.  In the name of full disclosure, I work for a professional
consulting company that is a Citrix Platinum reseller.  I do A LOT of
Metaframe implementations.  I am a CCEA as well.  So you should probably
take everything I say with a grain of salt.

-----Original Message-----
From: Jesper Sobol [mailto:jesper () sobol dk] 
Sent: Wednesday, June 04, 2003 6:30 AM
To: security-basics () securityfocus com
Subject: Is Citrix safe?


As far as I know, Citrix is based on SSL which is not considered very
safe, but unfortunately I dont know enough about Citrix. Could anyone
please comment on the security in regards to Citrix?

- AAA
- SSL encryption
- Digital Certificates
- Man-in-middle attack

What is the generel opinion, and why? I need arguments for and against
Citrix, if any?

Regards,
Jesper Sobol



------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Is Citrix safe? Jesper Sobol (Jun 04)
- Question about accounting software and security in cybercafe. Pall Ioan (Jun 05)
  - Re: Question about accounting software and security in cybercafe. Michael Boman (Jun 05)
- <Possible follow-ups>
- RE: Is Citrix safe? Lariviere, Stephen (Jun 04)
- RE: Is Citrix safe? MatthewB (Jun 04)
- RE: Is Citrix safe? Nina V. Levitin (Jun 04)
- RE: Is Citrix safe? Lariviere, Stephen (Jun 04)
- RE: Is Citrix safe? Tuttle, Jim (Jun 04)
- Re: RE: Is Citrix safe? Paul Pepper (Jun 05)
- RE: Is Citrix safe? bhavani.suresh (Jun 09)