Re: [fw-wiz] Citrix vs OWA

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/18/05

    To: Brian Gardner <gardnerb@ci.lake-havasu-city.az.us>
    Date: Sat, 18 Jun 2005 10:59:42 -0400 (EDT)
    
    

    On Fri, 17 Jun 2005, Brian Gardner wrote:

    > Greetings everyone.
    >
    > As the network administrator (and security minded person) for our small
    > local government network (300 users), I've been asked to make our
    > internal email (Exchange 2003) and other applications (not web based
    > apps, just internal) and files available from the internet through our
    > Checkpoint firewall. I've done much reading on Outlook Web Access and

    The first thing you should do is to get authority to do a real risk
    assessment- since you'll be potentially opening up all the goodies to any
    potential attacker on the planet, and since that means that it's more
    likely that folks will use compromised home computers to conduct business.
    It may be "ok" for some applications and not others, which would mean
    having to build out more security infrastructure to limit the potential
    damage.

    I'll add at this point that the worst breach I've ever seen was at a
    municipality where someone had (a) broken into the court system, (b)
    trojaned hundreds of systems and (c) broken into the interactive voice
    response (IVR) system. There was lots more going on there, but those were
    three rather large issues I had to deal with.

    > its security implications as well as followed the many topics here
    > regarding remote access. What I haven't seen mentioned here as an
    > alternative to OWA is Citrix via the Presentation Server and Secure
    > Gateway.
    >
    > Assuming you deploy the Citrix solution properly, apply patches, etc,
    > what is the general consensus regarding Citrix? Good idea? Bad idea?

    Anytime you extend your trust boundary, it's bad for security- the
    question is if it's necessary to extend it or if it's just convenient-
    that's the point of doing an up-front assessment.

    > At this point I haven't deployed or setup anything, and I'm not looking
    > for specific instructions or how-to's, rather a feel for which I'm going
    > to have the least amount of trouble with, and an answer to the statement
    > my supervisor(s) make that "everybody else does it, why can't we?"

    Do the assessment, or have someone do it for you- then provide them with
    the "if we do this, there's a risk of that" stuff in writing- then they
    get to choose if they want to take the same risk as "everybody else."

    FWIW, I'd do one-time tokens for OWA *or* Citrix just to make sure that
    the user's responsibility is upheld.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."