Mark,
You're right, if you do all those things you'll be in good shape. The MAJOR concern I'm talking about is that all the things that you have mentioned are not trivial things to do. They have a fair amount of complexity to them. I have a copy of the Citrix Consulting Services hardening guide. It's 57 pages long, two thirds of which deal with registry settings alone. The associated Win2K hardening guide is another 50 pages.

If we move into the second scenario then we can add the complexity of a three interface firewall configuration, router configs, and the complexities of adding Kerberos. These may be commonplace for some of us but it's enough to give most security administrators serious heartburn!

Bill Stackpole, CISSP



[EMAIL PROTECTED]

07/13/00 11:09 AM

To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: Citrix Metaframe/NT4-TSE


If the Windows TSE box is configured and secured properly after the Citrix
MetaFrame Server is successfully installed, it is not as vulnerable as one
would suspect.

If you were to take a security position where the concern was people
outside the organization logging into the designated Metaframe server, one
can implement an external Citrix MetaFrame server on the DMZ with two NIC
cards, disable the routing between the two, stick a designated router
between the two, add one permit rule with logging, enable the Kerberos
auth scheme on the router in order to talk to a Kerberos for TSE on the
internal Citrix Metaframe server.

So therefore each session from an external user to the External Citrix box
would initiate a kerberized session to the internal Citrix Metaframe box,
all transparent to the user. Whether or not the initial login function is
weak, the additional layers of both Citrix protocol and Kerberos
would provide the defense in depth type architecture that is transparent to
the user and easy to implement and maintain. Actually no maintenance
except typical admin (add, change, delete) stuff.

So I am very confused about the MAJOR concerns.


/hope this helps

/m

At 01:19 PM 7/13/00 -0400, [EMAIL PROTECTED] wrote:

>Never had any trouble getting the protocol to function through a
>firewall  but there are some MAJOR concerns with letting people login on
>to a Citrix server located inside your security boundary, starting with a
>weak encryption scheme for the login function, followed by, once you are
>logged into the box you can exploit all kinds of NT vulnerabilities and/or
>attack other systems on the network.
>
>Locking down a Citrix box and the underlying OS are no trivial matter.
>
>Bill Stackpole, CISSP
>
>
>
>[EMAIL PROTECTED]
>Sent by: [EMAIL PROTECTED]
>
>07/13/00 05:27 AM
>
>To: [EMAIL PROTECTED]
>cc:
>Subject: Citrix Metaframe/NT4-TSE
>
>Has anyone had experiences, good or bad, with passing Metaframe through a
>firewall?
>
>


