Security Basics mailing list archives

RE: This time, how secure is Citrix?


From: "Nick Owen" <nickowen () mindspring com>
Date: Sat, 20 Nov 2004 10:37:45 -0500

Perhaps you can solve both your issues with an SSL-based VPN.  Netilla
has a paper on securing Citrix with their SSL-based VPN here:
http://www.netilla.com/downloads/WP_netilla_Citrix_Vn.pdf. I mention it
only because I have seen it, not that I have even used their product.  I
assume that many of the SSL-vpn vendors would have similar capabilities.
This should limit the exposure you have in the Citrix platform.  They
claim to re-write the Citrix download-able applet into a browser app,
which would certainly be easier on the end-user.  Perhaps their paper
will give you some other ideas.  If so, I'd like to hear them.

As with all 'client-less' VPN systems, strong authentication is
warranted.  There are too many keyloggers and too much client-side
caching to allow this kind of access with just static passwords.  All
those little PIA configuration requirements for IPsec VPNs and dialers
at least created hassles for attackers.  People are starting to realize
that just a username and password between your network and the Internet
is an increasingly risky prospect. 

Nick Owen

--
Nick Owen
CEO
WiKID Systems, Inc.
http://www.wikidsystems.com
Two Factor Authentication, without the expense factor.
-- 



-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00 () gmail com] 
Sent: Friday, November 19, 2004 11:48 AM
To: sec-basic list
Subject: This time, how secure is Citrix?


List,

I asked a question a few days ago about how secure VPN access 
is for home users on their own home PCs.  I received many 
helpful answers. 
Thank you all for that.

I also want to ask everyone's opinion on how secure remote 
access through Citrix can be.

We use Citrix MetaFrame XP available through Nfuse available 
through a public IP address.  The Nfuse website is secured 
with 128-bit SSL. 
Our firewall only allows port 443 to access the server 
through that IP.

The concern now isn't as much the possibility of viruses, 
worms, etc. spreading since this is not a direct connection to 
our LAN like a VPN.  The concern is that if a hacker has 
gained access to the user's home computer, then they can 
access the resources on the network that the user accesses.

The idea has been floated of running a script when the user 
connects that deletes their default route to the Internet, 
then adds a route directly to our network.  This should 
theoretically remove access to their machine from the 
Internet.  We would run an exit script that reverses this so 
they get their connectivity back.

Thanks again for any advice,

Cesar Diaz


