Re: This time, how secure is Citrix?

From: Matthew Romanek (shandower_at_gmail.com)
Date: 11/19/04

  • Next message: W W: "Changing IP address as standard user"
    Date: Fri, 19 Nov 2004 12:16:13 -0800
    To: cdiaz00@gmail.com, security-basics@securityfocus.com
    
    

    On Fri, 19 Nov 2004 11:47:42 -0500, Cesar Diaz <cdiaz00@gmail.com> wrote:
    > List,
    >
    > I asked a question a few days ago about how secure VPN access is for
    > home users on their own home PCs. I received many helpful answers.
    > Thank you all for that.
    >
    > I also want to ask everyones opinion on how secure remote access
    > through Citrix can be.
    >
    > We use Citrix MetaFrame XP available through Nfuse available thorugh a
    > public IP address. The Nfuse website is secured with 128-bit SSL.
    > Our firewall only allows port 443 to access the server through that
    > IP.
    >
    > The concern now isn't as much the possibility of viruses, worm, etc.
    > spreading since this is not a direct connection to our LAN like a VPN.
    > The concern is that if a hacker has gained access to the users home
    > computer, then they can access the resources on the network that the
    > user accesses.
    >
    > The idea has been floated of running a script when the user connects
    > that deletes their default route to the Internet, then adds a route
    > directly to our network. This should theoretically remove access to
    > their machine from the Internet. We would run an exit script that
    > reverses this so they get their connectivity back.
    >
    > Thanks again for any advice,
    >
    > Cesar Diaz
    >

    I'm sorry to say that I can't really give any advice, but here's some
    more to think about..

    First thing that I would ask is, are these privately owned machines,
    or company owned?

    If privately owned, you may want to run something like this past your
    legal department. Modifying someone else's PC can be a touchy subject,
    especially if the PC is shared at home or if the 14 year old next door
    that comes in to fix the printer problem thinks this is something
    underhanded and goes vigilante on you.. Far fetched, yes, but I've
    heard stranger lawsuits. Sometimes just making them sign a paper that
    says you can do this won't be enough, if they argue they didn't
    understand what they were signing. (I know, I know. They can still
    sue, though).

    Also, what happens when it breaks? I've had Citrix crash on me a lot
    of times, and depending on how you handle this route-fixing, you might
    leave someone unable to connect to the internet, or to you, or
    whatever. That's a lot of support problems, especially if your
    end-users can't (or won't) do the fix themselves. Can you afford to
    send technicians out to someone's home? If so, and they go out and
    look at the machine and find a bunch of dirty pictures on it, what
    then? Not only do you have the end user's privacy suit to worry about,
    but you might also have to deal with a puritanical technician who
    feels demeaned by having to wade through that during the course of
    their work. You can forbid this type of thing on your own equipment,
    but enforcing policy on something you don't even own is not only hard,
    but a legal minefield in any particularly litigeous area. You might
    see the privacy issues of treating private equipment as a business
    asset, too.

    -- 
    Matthew 'Shandower' Romanek
    IDS Analyst
    

  • Next message: W W: "Changing IP address as standard user"

    Relevant Pages

    • This time, how secure is Citrix?
      ... I asked a question a few days ago about how secure VPN access is for ... I also want to ask everyones opinion on how secure remote access ... that deletes their default route to the Internet, ... their machine from the Internet. ...
      (Security-Basics)
    • [Full-disclosure] Stealthier Internet access
      ... Stealthier Internet access ... Nevertheless anonymous and secure communication in the world today is ... (Here are few basic bookmarks to improve Stealthier internet access for windows) ...
      (Full-Disclosure)
    • Re: [Full-disclosure] AntiSec <3s nginx
      ... It really seems like the first attribute of your "secure internet" ... It's a bit of an ideal to eliminate anonymity on the internet. ... Wyatt Earp would be the government. ... Hosted and sponsored by Secunia - http://secunia.com/ ...
      (Full-Disclosure)
    • Re: Big security problem
      ... Welcome to the Internet. ... > well and always use strong passwords. ... That's one facet of a secure PC, ... > SPAM EMAIL/JUNK MAIL ...
      (microsoft.public.security)
    • RE: One computer two different networks
      ... Internet connection and one an internal secure connection tempts one ... You have a private network with no Internet for the reason that you ... in Information Security. ...
      (Security-Basics)