RE: [fw-wiz] OWA and Risk Assesment

From: David Lang (david.lang@digitalinsight.com)
Date: 12/04/02


From: David Lang <david.lang@digitalinsight.com>
To: Eric L Budke <lists@budke.com>
Date: Wed Dec  4 14:34:02 2002

A large question to ask is who are the people you are allowing to use
citrix.

if it's people you would allow to use a VPN, but a VPN is not available
(untrusted remote machine, VPN problems, etc) then the citrix
vunerabilities are less of an issue (especially if you do strong
authentication before allowing the citrix session to start), but if you
are planning to allow completely untrusted people access to OWA then I
would seriously suggest that you plan on useing a different webmail
service that will allow you to isolate it from your NT servers more
completly.

remember that exchange does support IMAP and POP connections so if you
just need webmail with an exchange back-end you have lots of options, if
you need access to the other outlook functions things get more difficult.

David Lang

On Wed, 4 Dec 2002, Eric L Budke wrote:

> Date: Wed, 04 Dec 2002 11:18:04 -0500
> From: Eric L Budke <lists@budke.com>
> To: Simon Graham <Simon.Graham@lvs1.com>,
> David Lang <david.lang@digitalinsight.com>,
> Volker Tanger <volker.tanger@discon.de>
> Cc: adreyer@math.uni-paderborn.de, kronos@datastreamcowboys.net,
> firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] OWA and Risk Assesment
>
> This of course leaves out the little issue that if you have bad accounts on
> the internal domain and don't restrict as to which has citrix access, and
> an application that provides some ability to open or "save as" a file
> generally can result in access to cmd.exe. Since citrix is real nice about
> mapping drives, you don't even have to upload (or figure out a way to
> upload) any tools to the citrix server in order to attack the internal
> domain(s).
>
> For what it is worth (and so it doesn't appear that I'm citrix-only
> bashing), the same general issues appear in term-server as well. The
> restricting of sessions works well for the real easy stuff, but I've seen
> people accidentally figure out ways to get cmd.exe access when the regular
> tried and true methods weren't working (due to the app lockdowns).
>
> The best part is, you get the right account, you get a nice desktop gui.
>
> At 01:08 AM 12/4/2002, Simon Graham wrote:
> >It is worth noting that Citrix has its own proprietary gateway and
> >ticketing service called Citrix Secure Gateway (CSG) that it uses to
> >authenticate sessions and proxy sessions on port 443 for connection to
> >backend Citrix Metaframe servers listening on TCP 1494 (ICA). In
> >essence:
> >1) A user connects to a portal server (Citrix Nfuse on port 80 or
> >443) using user credentials (plus SecureID if required).
> >2) After login the request is passed to a proprietary ticketing
> >authority and a ticket is generated. If authentication is successful
> >half of the ticket is returned to the client and the other to the CSG
> >server. At the same time the Metaframe farm is queried for apps
> >accessible to the user and using JAVA script a web page is created on
> >the fly and returned to the user.
> >3) Once the user clicks on an app icon an ICA file containing info
> >about the app and connection is generated to allow connection on 443 to
> >the CSG server.
> >4) At the CSG server the halves of the tickets are compared and if
> >they match the CSG server proxies the connection to the Metaframe farm
> >via ICA.
> >
> >All connections from the external network(s) can use SSL and thus only
> >443 needs to be opened to the Nfuse Portal and the CSG servers sitting
> >in a DMZ. Port 80 needs to be open from the portal in the DMZ to
> >Metaframe (ICA) farm on the internal network. ICA (1494) needs to be
> >open from the CSG box in the DMZ to the Metaframe (ICA) farm on the
> >internal network. I am told that the port 80 connections will be
> >replaced with SSL ability in the next release.
> >
> >Not perfect but an interesting approach. The Portal and CSG software is
> >available for WIN2K and Solaris.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>



Relevant Pages

  • RE: [fw-wiz] OWA and Risk Assesment
    ... Since citrix is real nice about ... >backend Citrix Metaframe servers listening on TCP 1494 (ICA). ... >about the app and connection is generated to allow connection on 443 to ... >the CSG server. ...
    (Firewall-Wizards)
  • Dekart Logon for Citrix ICA Client 2.03
    ... Stop memorizing logins, passwords, Citrix servers and manually ... the USB drive and pass convenient identification. ... Users simply insert a smart card (or connect a USB flash to the ... Simplified connection procedure: ...
    (comp.software.shareware.announce)
  • RE: 0x8004011D when connecting to Exchange by SSL VPN
    ... I have access to two different logon identities for the Citrix ... The Citrix SSL VPN connection is general, in that Outlook, Windows Explorer, ... As far as I know no server has been ... We are running Exchange 2003 on Windows Server 2003. ...
    (microsoft.public.outlook.installation)
  • RE: Remote Administration on W2K
    ... > Why would you run VNC through Citrix? ... > can monitor/control any connection that is logged into the server ... Not to mention that the Citrix client connection alone is more secure than ... You can restrict vendors the same way, say POSvendor is restricted to POS ...
    (Security-Basics)
  • Re: Local Copy: Will It Solve Read Only Problem?
    ... why someone would design a DB where you couldn't modify the data. ... the FE and the BE both on the server. ... Citrix got into the mix because Citrix is a tool that allows you to work ... NO internet connection comes even close to ...
    (microsoft.public.access.tablesdbdesign)