Security Basics mailing list archives

RE: Is Citrix safe?


From: "Lariviere, Stephen" <Stephen.Lariviere () CITIZENSBANK com>
Date: Wed, 4 Jun 2003 14:47:41 -0400

NFuse is only managing ICA client browse traffic and not the ICA stream.
NFuse communicates with MF via an XML service on designated MF servers
within the farm. There is concern that NFuse passes a clear text file to the
client (web client) that contains certain Citrix related information as well
as user logon information (username, NT domain, MF server IP address, hashed
password, etc...). In order to encrypt this traffic, you can use CA/root
certs from web server to web browser and SSL Relay from NFuse to the XML
service; however, you are limited to using SSL/TLS encryption for the ICA
session traffic.


Hope this helps...






-----Original Message-----
From: MatthewB () CallMeIT com [mailto:MatthewB () CallMeIT com] 
Sent: Wednesday, June 04, 2003 2:10 PM
To: jesper () sobol dk; security-basics () securityfocus com
Subject: RE: Is Citrix safe?

I have run it in a very security aware environment in the past. Like
anything else you need to make sure you are up on your patches. If I
remember right in Metaframe XP there is a way to enroll client PCs so you
can limit who can connect to it. Another option would be to stick a VPN in
front of it.

Some hints about deploying secure applications on Citrix:

1. Most products contain a help file. Make sure you disable use of the help
file in published applications or else you are giving them access to browse
the local files on the server with most applications.
2. Disable the ability to connect with the Citrix Client. Only allow web
connects. The client gives them too much power.
3. Only deploy applications and not a desktop. You should create different
ICA files for each application rather than providing them with an
application browser.
4. Disable any ability for them to browse the local server if it is possible
in the application you are serving. Or be ready to make sure you replace
default permissions on the 2000 Server.
5. Put the Citrix Server in a DMZ with Access Control Lists for those other
servers they may need to talk to.
6. Make sure you use NFuse so that all it needs is port 80 for the Citrix
Traffic.


To set it up securely you will need some time with the application you are
publishing to figure out permissions as well as what other parts of the
application the published application is allowed to launch. I would also
suggest you take a hard look at
http://download2.citrix.com/ctxlibrary/products/pdf/Citrix_Secure_Gateway_Datasheet.pdf


Good Luck,

Matthew Bukaty
President - Call Me I.T.
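Added example, not code from any of the posters: a small auditor for the ICA launch file that NFuse hands to the browser. Stephen's reply above warns that this file can carry user logon details and the MF server address in clear text, and Matthew's hints ask for published applications rather than desktops and SSL/TLS in front of the ICA session. The section and key names used here follow the INI-style ICA file format (WFClient, ApplicationServers, Address, InitialProgram, Username, Domain, Password, SSLEnable, SSLProxyHost, TcpBrowserAddress); the two sample files, the host names and the wording of the findings are constructed for this example.

```python
# Added example (not from the original thread): audit an ICA launch file as
# returned by NFuse for the weaknesses discussed in this thread.  Section and
# key names follow the INI-style ICA file format; both sample files below are
# constructed, as are the finding strings.
import configparser

# Logon fields that, if present, go to anyone who can read the HTTP response
# or the browser cache.
SENSITIVE_LOGON_KEYS = ("username", "domain", "password", "clearpassword")

# Constructed sample: what a weak NFuse deployment might hand the browser.
WEAK_ICA = """\
[WFClient]
Version=2
TcpBrowserAddress=10.0.0.5
HTTPBrowserAddress=nfuse.example.internal:80

[ApplicationServers]
Payroll=

[Payroll]
Address=10.0.0.12
InitialProgram=#Payroll
Username=jsmith
Domain=CORP
Password=0a1b2c3d4e5f
SSLEnable=Off
"""

# Constructed sample: same application fronted by an SSL gateway, no logon
# fields embedded, no direct ICA browsing address.
HARDENED_ICA = """\
[WFClient]
Version=2
HTTPBrowserAddress=nfuse.example.internal:80

[ApplicationServers]
Payroll=

[Payroll]
Address=10.0.0.12
InitialProgram=#Payroll
SSLEnable=On
SSLProxyHost=csg.example.com:443
"""


def parse_ica(text):
    """Parse ICA text; option names are lower-cased, '#' and '%' are literal."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def section(cp, name):
    """Case-insensitive section lookup (ICA writers are not consistent)."""
    for s in cp.sections():
        if s.lower() == name.lower():
            return cp[s]
    return None


def audit_ica(text):
    """Return a list of findings; an empty list means nothing to report."""
    cp = parse_ica(text)
    findings = []
    apps = section(cp, "ApplicationServers")
    names = list(apps.keys()) if apps is not None else []
    if not names:
        findings.append("no [ApplicationServers] entries")
    for name in names:
        app = section(cp, name)
        if app is None:
            findings.append(f"{name}: listed but has no section")
            continue
        for key in SENSITIVE_LOGON_KEYS:
            if app.get(key):
                findings.append(f"{name}: {key} embedded in clear text")
        if not app.get("initialprogram"):
            findings.append(f"{name}: no InitialProgram, launches a full desktop")
        ssl_on = app.get("sslenable", "off").lower() == "on"
        proxy = app.get("sslproxyhost")
        if not (ssl_on and proxy):
            findings.append(f"{name}: ICA session not wrapped in SSL/TLS")
        if app.get("address") and not proxy:
            findings.append(f"{name}: Address {app['address']} exposes the "
                            "MetaFrame server directly to the client")
    wf = section(cp, "WFClient")
    if wf is not None and wf.get("tcpbrowseraddress"):
        findings.append("WFClient: TcpBrowserAddress set, client browses the "
                        "farm directly instead of through NFuse over HTTP")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ICA), ("hardened", HARDENED_ICA)):
        print(f"--- {label} ---")
        for finding in audit_ica(text) or ["no findings"]:
            print(finding)
```

Run it against a launch file saved from the browser (or captured from the web server's response) to see which of the thread's concerns apply to a given deployment; the hardened sample produces no findings because the logon fields are gone, the session is marked for SSL/TLS via a gateway, and no direct ICA browsing address is given.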

-----Original Message-----
From: Jesper Sobol [mailto:jesper () sobol dk]
Sent: Wednesday, June 04, 2003 9:30 AM
To: security-basics () securityfocus com
Subject: Is Citrix safe?


As far as I know, Citrix is based on SSL which is not considered very safe,
but unfortunately I don't know enough about Citrix. Could anyone please
comment on the security in regards to Citrix?

- AAA
- SSL encryption
- Digital Certificates
- Man-in-middle attack

What is the general opinion, and why? I need arguments for and against
Citrix, if any?

Regards,
Jesper Sobol




