Firewall Wizards mailing list archives

Re: Citrix vs OWA


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 18 Jun 2005 10:59:42 -0400 (EDT)

On Fri, 17 Jun 2005, Brian Gardner wrote:

> Greetings everyone.
>
> As the network administrator (and security minded person) for our small
> local government network (300 users), I've been asked to make our
> internal email (Exchange 2003) and other applications (not web based
> apps, just internal) and files available from the internet through our
> Checkpoint firewall.  I've done much reading on Outlook Web Access and

The first thing you should do is to get authority to do a real risk
assessment- since you'll be potentially opening up all the goodies to any
potential attacker on the planet, and since that means that it's more
likely that folks will use compromised home computers to conduct business.
It may be "ok" for some applications and not others, which would mean
having to build out more security infrastructure to limit the potential
damage.

I'll add at this point that the worst breach I've ever seen was at a
municipality where someone had (a) broken into the court system, (b)
trojaned hundreds of systems and (c) broken into the interactive voice
response (IVR) system.  There was lots more going on there, but those were
three rather large issues I had to deal with.

> its security implications as well as followed the many topics here
> regarding remote access.  What I haven't seen mentioned here as an
> alternative to OWA is Citrix via the Presentation Server and Secure
> Gateway.
>
> Assuming you deploy the Citrix solution properly, apply patches, etc,
> what is the general consensus regarding Citrix?  Good idea?  Bad idea?

Anytime you extend your trust boundary, it's bad for security- the
question is if it's necessary to extend it or if it's just convenient-
that's the point of doing an up-front assessment.

> At this point I haven't deployed or set up anything, and I'm not looking
> for specific instructions or how-to's, rather a feel for which I'm going
> to have the least amount of trouble with, and an answer to the statement
> my supervisor(s) make that "everybody else does it, why can't we?"

Do the assessment, or have someone do it for you- then provide them with
the "if we do this, there's a risk of that" stuff in writing- then they
get to choose if they want to take the same risk as "everybody else."

FWIW, I'd do one-time tokens for OWA *or* Citrix just to make sure that
the user's responsibility is upheld.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."