Security Basics mailing list archives
RE: Is Citrix safe?
From: "Lariviere, Stephen" <Stephen.Lariviere () CITIZENSBANK com>
Date: Wed, 4 Jun 2003 14:47:41 -0400
NFuse is only managing ICA client browse traffic and not the ICA stream. NFuse communicates with MF via an XML service on designated MF servers within the farm. There is concern that NFuse passes a clear text file to the client (web client) that contains certain Citrix related information as well as user logon information (username, NT domain, MF server IP address, hashed password, etc.). In order to encrypt this traffic, you can use CA/root certs from Web server to web browser and SSL-Relay from NFuse to XML service; however, you are limited to using SSL/TLS encryption for the ICA session traffic.

Hope this helps...

-----Original Message-----
From: MatthewB () CallMeIT com [mailto:MatthewB () CallMeIT com]
Sent: Wednesday, June 04, 2003 2:10 PM
To: jesper () sobol dk; security-basics () securityfocus com
Subject: RE: Is Citrix safe?

I have run it in a very security aware environment in the past. Like anything else you need to make sure you are up on your patches. If I remember right in Metaframe XP there is a way to enroll client PCs so you can limit who can connect to it. Another option would be to stick a VPN in front of it.

Some hints about deploying secure applications on Citrix:

1. Most products contain a help file. Make sure you disable use of the help file in published applications or else you are giving them access to browse the local files on the server with most applications.
2. Disable the ability to connect with the Citrix Client. Only allow web connects. The client gives them too much power.
3. Only deploy applications and not a desktop. You should create different ICA files for each application rather than providing them with an application browser.
4. Disable any ability for them to browse the local server if it is possible in the application you are serving. Or be ready to make sure you replace default permissions on the 2000 Server.
5. Put the Citrix Server in a DMZ with Access Control Lists for those other servers they may need to talk to.
6. Make sure you use NFuse so that all it needs is port 80 for the Citrix Traffic.

To set it up securely you will need some time with the application you are publishing to figure out permissions as well as what other parts of the application the published application is allowed to launch.

I would also suggest you take a hard look at http://download2.citrix.com/ctxlibrary/products/pdf/Citrix_Secure_Gateway_Datasheet.pdf

Good Luck,
Matthew Bukaty
President - Call Me I.T.

-----Original Message-----
From: Jesper Sobol [mailto:jesper () sobol dk]
Sent: Wednesday, June 04, 2003 9:30 AM
To: security-basics () securityfocus com
Subject: Is Citrix safe?

As far as I know, Citrix is based on SSL which is not considered very safe, but unfortunately I don't know enough about Citrix.

Could anyone please comment on the security in regards to Citrix?

- AAA
- SSL encryption
- Digital Certificates
- Man-in-middle attack

What is the general opinion, and why? I need arguments for and against Citrix, if any?

Regards,
Jesper Sobol

*****This information may be confidential and/or privileged. Use of this information by anyone other than the intended recipient is prohibited. If you received this in error, please inform the sender and remove any record of this message.*****
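
An added example, not part of any message in this thread: a small audit of the clear text launch (ICA) file the first reply describes, flagging embedded logon fields and a session that is not set to use SSL/TLS. The key names (`Username`, `Domain`, `Password`, `ClearPassword`, `SSLEnable`, `SSLProxyHost`) are assumed from the commonly documented ICA file format, and the sample file, hosts and addresses are constructed.

```python
import configparser

# Assumption: these are the commonly documented ICA file keys; none is quoted in the thread.
LOGON_KEYS = {"username", "domain", "password", "clearpassword"}

# Constructed sample: one application with embedded logon data, one without.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=
Payroll=

[Notepad]
Address=192.0.2.10:1494
InitialProgram=#Notepad
Username=jdoe
Domain=EXAMPLE
Password=0123456789abcdef

[Payroll]
Address=mf2.example.test
InitialProgram=#Payroll
SSLEnable=On
SSLProxyHost=gw.example.test:443
"""

def audit_ica(text):
    """Return (application, finding) pairs for one ICA launch file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep case so application names match their section names
    cp.read_string(text)
    if not cp.has_section("ApplicationServers"):
        return [("-", "no [ApplicationServers] section")]
    findings = []
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            findings.append((app, "listed without a settings section"))
            continue
        opts = {k.lower(): v.strip() for k, v in cp[app].items()}
        for key in sorted(LOGON_KEYS & opts.keys()):
            if opts[key]:  # an empty value carries no logon data
                findings.append((app, f"embeds {key}"))
        if opts.get("sslenable", "off").lower() != "on":
            findings.append((app, "ICA session not SSL/TLS-wrapped"))
    return findings

if __name__ == "__main__":
    for app, finding in audit_ica(SAMPLE_ICA):
        print(f"{app}: {finding}")
```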