Security Basics mailing list archives

RE: This time, how secure is Citrix?

From: "Dante Mercurio" <Dante () webcti com>
Date: Fri, 19 Nov 2004 17:27:17 -0500

Anyone who gains access to a home PC should not have any greater access
to your Citrix system than from any PC on the Internet. It should be
protected by a username and password that is not cached and hopefully
not written anywhere on the home user's PC. The problem though, is that
it is only a username and password.

For added protection, add a token based authentication system to your
NFUSE. Secure Computing has a very price competitive product made
especially for Citrix. RSA SecureID also integrates with NFUSE. Then
someone would not only need the username and password, but also the
hardware token you issued to the end user.

Good Luck,
M. Dante Mercurio, CISSP, CWNA, Security+

-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00 () gmail com] 
Sent: Friday, November 19, 2004 11:48 AM
To: sec-basic list
Subject: This time, how secure is Citrix?


List,

I asked a question a few days ago about how secure VPN access is for
home users on their own home PCs.  I received many helpful answers. 
Thank you all for that.

I also want to ask everyones opinion on how secure remote access through
Citrix can be.

We use Citrix MetaFrame XP available through Nfuse available thorugh a
public IP address.  The Nfuse website is secured with 128-bit SSL. 
Our firewall only allows port 443 to access the server through that IP.

The concern now isn't as much the possibility of viruses, worm, etc.
spreading since this is not a direct connection to our LAN like a VPN.
The concern is that if a hacker has gained access to the users home
computer, then they can access the resources on the network that the
user accesses.

The idea has been floated of running a script when the user connects
that deletes their default route to the Internet, then adds a route
directly to our network.  This should theoretically remove access to
their machine from the Internet.  We would run an exit script that
reverses this so they get their connectivity back.

Thanks again for any advice,

Cesar Diaz

Current thread:

This time, how secure is Citrix? Cesar Diaz (Nov 19)
- Re: This time, how secure is Citrix? Matthew Romanek (Nov 19)
  - Re: This time, how secure is Citrix? Tariq Malik (Nov 22)
- Re: This time, how secure is Citrix? richardw (Nov 19)
- RE: This time, how secure is Citrix? Nick Owen (Nov 22)
- <Possible follow-ups>
- RE: This time, how secure is Citrix? Javier Otero De Alba (Nov 19)
- RE: This time, how secure is Citrix? Dante Mercurio (Nov 19)