Security Basics mailing list archives
RE: Is Citrix safe?
From: "Nina V. Levitin" <Nina.Levitin () integtech com>
Date: Wed, 4 Jun 2003 11:40:33 -0700
First off Citrix is not SSL based. Citrix is a third party product that sits on top of Windows 2000 or Windows 2003 server. It can uses SSL. It provides additional functionality over and above Terminal Services. Citrix Metaframe is capable of using SSL and TLS for security. This can be done in one of two ways. The first is called SSL relay where each Metaframe server is equipped with a certificate and can take direct SSL connections. This is not a preferred method. The second is called Secure Gateway for Metaframe. This is a reverses SSL/TLS proxy for the ICA protocol. It uses both SSL/TLS encryption of the data stream as well as ticketing and can further be secured with third party two-factor authentication. According to one of its creators this is Man-in-the middle proof because of the way it handles certificates. In this situation the certificate resides on the Secure Gateway server which resides in the DMZ and then talks to the Metaframe servers on the internal network preventing any direct access from the outside. Additionally Metaframe allows for native encryption of the data stream via RC5. This may not be exportable at its full 128bit capabilities. Is Citrix safe? That all depends on your definition of safe. It does sit on top of Microsoft. So if you are comfortable with the way you secure Microsoft then yes it can be safe. Secure gateway can sit on either IIS or on Apache on Solaris. Again the security of the web server depends on how you secure it. Citrix is not inherently safe of unsafe. -Kit P.S. In the name of full disclosure, I work for a professional consulting company that is a Citrix Platinum reseller. I do A LOT of Metaframe implementations. I am a CCEA as well. So you should probably take everything I say with a grain of salt. -----Original Message----- From: Jesper Sobol [mailto:jesper () sobol dk] Sent: Wednesday, June 04, 2003 6:30 AM To: security-basics () securityfocus com Subject: Is Citrix safe? As far as I know, Citrix is based on SSL which is not considered very safe, but unfortunately I dont know enough about Citrix. Could anyone please comment on the security in regards to Citrix? - AAA - SSL encryption - Digital Certificates - Man-in-middle attack What is the generel opinion, and why? I need arguments for and against Citrix, if any? Regards, Jesper Sobol ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Is Citrix safe? Jesper Sobol (Jun 04)
- Question about accounting software and security in cybercafe. Pall Ioan (Jun 05)
- Re: Question about accounting software and security in cybercafe. Michael Boman (Jun 05)
- <Possible follow-ups>
- RE: Is Citrix safe? Lariviere, Stephen (Jun 04)
- RE: Is Citrix safe? MatthewB (Jun 04)
- RE: Is Citrix safe? Nina V. Levitin (Jun 04)
- RE: Is Citrix safe? Lariviere, Stephen (Jun 04)
- RE: Is Citrix safe? Tuttle, Jim (Jun 04)
- Re: RE: Is Citrix safe? Paul Pepper (Jun 05)
- RE: Is Citrix safe? bhavani.suresh (Jun 09)
- Question about accounting software and security in cybercafe. Pall Ioan (Jun 05)