I installed the Axent ThinDefender client on Citrix today. It does appear
to work.

What happens is that when you connect to the Citrix server you first get a
window prompting you for your NT username/password/domain, and then are
presented with a window giving the challenge for your token. When you
enter the correct response you are then connected.

I am running the SecureICA client but have not yet investigated to make
sure that all the data on the sign-in is encrypted. If it is not, your
users' usernames and hashed passwords may be vulnerable; they will not be
enough for the attacker to get in, but may be useful for other methods of
attack.

This works both for the full Citrix client and also the IE-based client.

David Lang

On Tue, 18 Jul 2000, Ben Nagy wrote:

> Date: Tue, 18 Jul 2000 11:35:42 +0930
> From: Ben Nagy <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>,
>      "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> Subject: RE: Citrx Metaframe/NT4-TSE
> 
> (Sorry about the busted indenting - I'm at a customer site)
> 
> I'm really sorry to insult your obviously vast intelligence and try your
> obviously short patience, but I don't think I've actually "missed the point"
> at all.
> 
> You, on the other hand, seem to be labouring under several misapprehensions:
> 
> 1. That a "kerberized" session is somehow much more secure than a
> non-kerberized one. Kerberos allows for endpoint/service/user
> authentication. However, Kerberos is still reliant on users picking strong
> passwords.
> 
> Kerberos does NOT offer any session level encryption or any other security
> mechanism - it's an _authentication_ protocol. Go read the spec - I refer
> you to RFC 1510 for the nitty-gritty, although there are probably much more
> digestible descriptions. Maybe you're confusing Kerberos with something
> else?
> 
> 2. That I'm talking about a utility issue. I'm not - I couldn't care less if
> the solution was transparent, slightly cumbersome or requires an incantation
> and a pint of the user's blood. I was merely mentioning that your
> "kerberized" solution could not be stronger than user passwords. 
> 
> In other words, if one were to pick "password" as their password, no amount
> of Kerberos or fancy filters can stop someone guessing the password and
> accessing the protected application.
> 
> Contrast - the two-factor auth guys get to use _real_ authentication. This
> does NOT give them protection against direct attacks on the boxes or the
> service that don't rely on authentication, and you had some good ideas with
> regards to securing this area. 
> 
> 3. That you're talking to a bunch of clueless morons on this list. How about
> you try to give us a little more credit, huh?
> 
> Cheers,
> 
> --
> Ben Nagy
> Lounging Around a Customer's Network
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: Frank Knobbe; Ben Nagy; [EMAIL PROTECTED]
> Sent: 18/07/00 7:10
> Subject: RE: Citrx Metaframe/NT4-TSE
> 
> The mechanism that allows the user to log in is transparent. The user has
> no clue that they are being authenticated by RADIUS or TACACS, and that
> their session is kerberized.
> 
> The users do not login to Citrix via telnet.
> 
> The end or external user will have a Citrix client installed, and the
> connections are defined in their Citrix profile.
> 
> If you offer to pay for travel and expenses I would be more than happy
> to sketch this out on a clean whiteboard.
> 
> Geez
> 
> /m
> At 01:49 PM 7/17/00 -0500, Frank Knobbe wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, July 17, 2000 11:58 AM
> > >
> > > Actually you missed the point, with Kerberos, RADIUS or
> > > TACACS in place,
> > > the whole mechanism is transparent to the user.  That is why
> > > it works.. :)
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 