RE: Securing Citrix NFuse and IIS 5

From: Henry Sieff (hsieff@orthodon.com)
Date: 10/19/02


From: Henry Sieff <hsieff@orthodon.com>
To: "'auto300258@hushmail.com'" <auto300258@hushmail.com>, focus-ms@securityfocus.com
Date: Fri, 18 Oct 2002 17:27:43 -0500

NFUSE 1.7 doesn't really add a whole lot of vulnerability points to an IIS
server; it's really just a bunch of ASP with some Citrix-specific stuff in
the form of scripts and the like. So:

1) Harden the IIS server, following best practices.
2) Throw down for an SSL certificate and make your authentication page
https.
3) Use SSL for communications between your NFUSE server and Citrix Data
Collector.

Now, Ron is correct in that NFUSE uses client-side stuff for authentication
to the published apps, but note that these cookies expire pretty quickly.
While you are going to want to make sure your clients are secure (just as
with a VPN of any sort), this is not a particularly easy vector to exploit;
the client will need to be trojaned, and the cyber-criminal will need to act
quickly. I want to touch on Ron's points a little further (not to pick on him,
because they are good points):

Ron wrote:

> This code is by-passing your firewall. Where hopefully your firewall
> code has been certified by an independent organization, this software has
> no such attestation.

Do you mean NFUSE, or Citrix itself? If the former, keep in mind that all
NFUSE is is a method of presenting published applications. It is no
different than a web page with a form. It returns nothing but a static HTML
page, with links to server-side files with a particular MIME type which your
browser then hands off to a client which then acts on the parameters
contained therein. If the latter, well, it doesn't tunnel on port 80; it
uses a separate port, and there are, in fact, products you can use to proxy
that connection (Secure Gateway, Extranet, which is a pretty decent general
VPN solution).

> Even though you are (hopefully) using SSL/TLS, you are still vulnerable
> potentially to the same IIS bugs that everyone is because all
> authentication takes place at the http layer.

Goes back to locking down the IIS server itself. NFUSE doesn't add a lot of
risk here, and actually, with SG or Extranet, you can use other tokens for
authentication. The login form isn't the only means.

I agree with most of what Ron says otherwise, depending on your
configuration. Yes, these devices can be attacked at the application layer, but
then, just about every remote access solution is vulnerable.

You can use SecureIIS or URLSCAN, since nothing that happens with NFUSE
Classic is out of the ordinary for a web site.

My $.02. I like NFUSE - Citrix; there are some extra steps you need to take,
because you are allowing remote access, but they are nothing extraordinary
for that class of services.

--
Henry Sieff

> -----Original Message-----
> From: auto300258@hushmail.com [mailto:auto300258@hushmail.com]
> Sent: Friday, October 18, 2002 10:22 AM
> To: focus-ms@securityfocus.com
> Subject: Securing Citrix NFuse and IIS 5
>
> I'm working on a pilot deployment of Citrix with its NFuse
> component on Win2000 to allow remote users to access our LAN
> via web browser. NFuse uses IIS 5 installed on the same
> machine to deliver all of our applications to the remote user.
>
> Is there anything special to know about hardening IIS 5 in
> conjunction with NFuse that anyone here has any experience
> with? What about a good white paper on hardening IIS 5,
> besides what Microsoft has on their web site?
>
> Has anyone used eEye's SecureIIS product with NFuse/IIS5?
> I've heard very good things about it and hope it might be useful here.
>
> Thanks for any information you might be able to provide.
>
> Regards.