RE: [fw-wiz] OWA and Risk Assesment

From: Eric L Budke (lists@budke.com)
Date: 12/04/02


To: "Simon Graham" <Simon.Graham@lvs1.com>, "David Lang" <david.lang@digitalinsight.com>, "Volker Tanger" <volker.tanger@discon.de>
From: Eric L Budke <lists@budke.com>
Date: Wed Dec  4 12:39:42 2002

This of course leaves out the little issue that if you have bad accounts on
the internal domain and don't restrict which of them have citrix access, any
application that provides some ability to open or "save as" a file
generally can result in access to cmd.exe. Since citrix is real nice about
mapping drives, you don't even have to upload (or figure out a way to
upload) any tools to the citrix server in order to attack the internal
domain(s).

For what it is worth (and so it doesn't appear that I'm citrix-only
bashing), the same general issues appear in term-server as well. The
restricting of sessions works well for the real easy stuff, but I've seen
people accidentally figure out ways to get cmd.exe access when the regular
tried and true methods weren't working (due to the app lockdowns).

The best part is, you get the right account, you get a nice desktop gui.

At 01:08 AM 12/4/2002, Simon Graham wrote:
>It is worth noting that Citrix has its own proprietary gateway and
>ticketing service called Citrix Secure Gateway (CSG) that it uses to
>authenticate sessions and proxy sessions on port 443 for connection to
>backend Citrix Metaframe servers listening on TCP 1494 (ICA). In
>essence:
>1) A user connects to a portal server (Citrix Nfuse on port 80 or
>443) using user credentials (plus SecureID if required).
>2) After login the request is passed to a proprietary ticketing
>authority and a ticket is generated. If authentication is successful
>half of the ticket is returned to the client and the other to the CSG
>server. At the same time the Metaframe farm is queried for apps
>accessible to the user and using JavaScript a web page is created on
>the fly and returned to the user.
>3) Once the user clicks on an app icon an ICA file containing info
>about the app and connection is generated to allow connection on 443 to
>the CSG server.
>4) At the CSG server the halves of the tickets are compared and if
>they match the CSG server proxies the connection to the Metaframe farm
>via ICA.
>
>All connections from the external network(s) can use SSL and thus only
>443 needs to be opened to the Nfuse Portal and the CSG servers sitting
>in a DMZ. Port 80 needs to be open from the portal in the DMZ to
>Metaframe (ICA) farm on the internal network. ICA (1494) needs to be
>open from the CSG box in the DMZ to the Metaframe (ICA) farm on the
>internal network. I am told that the port 80 connections will be
>replaced with SSL ability in the next release.
>
>Not perfect but an interesting approach. The Portal and CSG software is
>available for WIN2K and Solaris.
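The split-ticket handshake Simon describes, modelled in Python as an added example (constructed here, not Citrix's code or the real CSG wire protocol). Assumptions: the ticketing authority and the gateway share an in-memory table instead of a network call, and a plain dict stands in for the ICA file.

```python
# Constructed toy model of the split-ticket flow, not Citrix's code.
import hashlib
import hmac
import secrets


def _bind(client_half, gateway_half):
    # Commitment the gateway can verify only once it holds both halves.
    return hashlib.sha256(client_half + gateway_half).digest()


class SecureGateway:
    """Holds its half of each ticket; proxies only when the client's half fits."""

    def __init__(self):
        self._pending = {}  # ticket_id -> (gateway_half, binding, app, expires_at)

    def register(self, ticket_id, gateway_half, binding, app, expires_at):
        self._pending[ticket_id] = (gateway_half, binding, app, expires_at)

    def connect(self, ica, now):
        """Return the internal target to proxy to, or None to refuse."""
        entry = self._pending.pop(ica.get("ticket_id"), None)  # single use
        if entry is None:
            return None
        gateway_half, binding, app, expires_at = entry
        if now > expires_at or ica.get("app") != app:
            return None
        presented = bytes.fromhex(ica.get("half", ""))
        # Constant-time check that the presented half completes the ticket.
        if not hmac.compare_digest(_bind(presented, gateway_half), binding):
            return None
        return f"ica://metaframe-farm/{app}"


class TicketAuthority:
    """Invoked by the portal after credentials (plus token, if any) are checked."""

    def __init__(self, gateway, ttl_seconds=60):
        self.gateway, self.ttl = gateway, ttl_seconds

    def issue(self, app, now):
        ticket_id = secrets.token_hex(8)
        ticket = secrets.token_bytes(32)
        client_half, gateway_half = ticket[:16], ticket[16:]
        binding = _bind(client_half, gateway_half)
        self.gateway.register(ticket_id, gateway_half, binding, app, now + self.ttl)
        # What the ICA file handed to the browser would carry; the client never sees the other half.
        return {"ticket_id": ticket_id, "half": client_half.hex(), "app": app}
```

The gateway never holds a complete ticket until the client presents its half, so a leaked gateway table alone cannot open a session, and each ticket is single-use and time-limited.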
