At 05:20 PM 4/3/00 -0700, dave kaas wrote:
>We have had a request to allow Citrix clients on our LAN to pass through
>our firewall-1 to access a Citrix server on the Internet. The access
>lists are straight forward. I seem to remember that at one time there
>were security concerns about Citrix. That there was some way for the
>server to pass commands back to the client?
>
The new SANS Windows Security Digest had an absolutely astonishing
report about how Citrix's ICA handles passwords that you might want to consider:
/quote/
#3.12.
Citrix ICA easily crackable passwords
Dug Song reported this month that the ICA protocol (Independent
Computing Architecture) available with Citrix terminal server products
uses very poorly encrypted passwords. The encryption algorithm is a
variant on XOR encryption, and is easily reversible. Weld Pond and Chris
Knight suggested workarounds for various clients. For Windows and DOS
clients you can use Secure ICA, which uses better encryption. For
Macintosh, Unix, and Java clients, Secure ICA is not available. However,
with certain limitations, you may use an SSH tunnel for those clients
by forwarding port 1494 to the ICA server. However, this will not work
with the browser service, so the clients are somewhat limited in
functionality. A VPN solution may work better.
/unquote/
Dug Song's initial report (and I presume most of the follow-ups
mentioned above) were posted on SecurityFocus' BugTraq mailing list.
Suerte,
_Vin
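An added illustration (not part of the original mail, not Citrix code, and not the actual ICA scheme, which the digest describes only as "a variant on XOR") of the two quick checks a reviewer can apply to any vendor password-"encryption" claim: does applying the transform twice give the input back, and does one known plaintext/ciphertext pair reveal the key material. The keystream value and the sample passwords below are constructed for the example:

```python
# Added illustration of why a fixed-keystream XOR scheme is "easily
# reversible". This is a generic toy, NOT the Citrix ICA algorithm.

def xor_with_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR each byte of data with a repeating keystream.

    XOR is its own inverse, so this one function both 'encrypts' and
    'decrypts'; that symmetry is the first property to look for.
    """
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def keystream_from_known_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Given one plaintext/ciphertext pair, p XOR c yields the keystream bytes.

    A fixed-key XOR scheme leaks its key this way, e.g. from a test account
    whose password the reviewer already knows.
    """
    if len(plaintext) != len(ciphertext):
        raise ValueError("known pair must be the same length")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


# Constructed sample key (hypothetical); a weak product would hard-code
# something comparable in the client.
TOY_KEYSTREAM = bytes.fromhex("5a3c9e17")


def is_reversible_by_reapplication(sample: bytes) -> bool:
    """Check 1: applying the transform twice returns the input."""
    once = xor_with_keystream(sample, TOY_KEYSTREAM)
    return xor_with_keystream(once, TOY_KEYSTREAM) == sample


def recovers_other_password(known_pw: bytes, unknown_pw: bytes) -> bytes:
    """Check 2: keystream learned from one known password decrypts a different
    password of the same or shorter length, i.e. nothing is per-session."""
    known_ct = xor_with_keystream(known_pw, TOY_KEYSTREAM)
    unknown_ct = xor_with_keystream(unknown_pw, TOY_KEYSTREAM)
    ks = keystream_from_known_pair(known_pw, known_ct)
    return xor_with_keystream(unknown_ct[: len(ks)], ks)
```

Both checks succeed against this toy, which is exactly the situation the digest describes, and it is why the suggested fixes add confidentiality from the outside (Secure ICA, or an SSH tunnel such as `ssh -L 1494:ica-server:1494 gateway` with the client pointed at the local port) rather than repairing the inner scheme. As the digest notes, anything that does not flow through the forwarded port 1494, such as the browser service, gets no benefit from the tunnel.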
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]