You know, that hadn't really occurred to me; I don't know how it does it.
Obviously the client has to send information about what application it wants
to connect to.  Perhaps this happens before encryption is established.  The
reason I'm stubbornly holding on to this concept is that I actually read the
Packeteer docs about doing this very thing.  

This is just a little blurb from their documentation about classifying
traffic:

******START QUOTE*********
Citrix-ICA (Independent Computer Architecture) can be further classified in
two ways: by published application or by client name.

When Citrix-ICA is specified as a service, the criterion drop-down menu is
available for you to select either "published application" or "client name."
In addition, you must also supply a specific name (up to 99 characters). This
name for the published application must exactly match the Citrix published
application name for the service Citrix-ICA. Check the Citrix configuration
for valid published application names.

For example, you could create a class for Citrix-ICA traffic that carries the
published application PeopleSoft. In this example, as a child of the Citrix
class that was created by traffic discovery, create a PeopleSoft class with
the following attributes:
*Name: PeopleSoft
*Protocol: IP
*Service: Citrix-ICA
*Location: any
*Criterion: Published Application
*Criterion (second field): PeopleSoft

Note: The entry in this second Criterion field must match the name defined
within the Citrix Program Neighborhood.
******END QUOTE*********

I don't think there is an option for no encryption, and I can't imagine that
it is relying on you using basic encryption and breaking it on the fly.  Any
ideas?

About Extranet, my impression from info I have read was that it is basically
a VPN product that can use various types of authentication like PKE, radius,
etc.  I would love it if you can use it just as a proxy, particularly if you
can use it transparently with the ActiveX/Java client and Nfuse.


-----Original Message-----
From: Henry Sieff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 4:31 PM
To: 'Clayton Knorr'; '[EMAIL PROTECTED]'
Subject: RE: Citrix ICA and Application Layer Awareness


It's an interesting notion; however, how would Packeteer "know" what
legitimate traffic looked like? Moreover, how would it handle
encrypted traffic (Citrix now uses varying levels of RC5 encryption)?

BTW, there is Extranet, Citrix's own proprietary system for proxying
ICA connections.

> -----Original Message-----
> From: Clayton Knorr [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 01, 2001 3:13 PM
> To: '[EMAIL PROTECTED]'
> Subject: Citrix ICA and Application Layer Awareness
> 
> 
> There were some posts back in January about proxying Citrix ICA, which are
> a topic of particular concern for me lately.
> 
> The previous posts indicated that there aren't any real proxies or ALGs for
> ICA, which I'm basically in agreement with.  However, what about a product
> like Packeteer Packetshaper that can actually differentiate between
> different protocols regardless of what port they run on?  It can also
> actually differentiate between published apps by inspecting the packets as
> they are forwarded.  If you can block/control traffic based on application
> information, isn't that an ALG?
> 
> I'm thinking about utilizing a Packeteer or similar solution as a security
> measure to ensure not only that connections are only made over port 1494 (or
> whatever port we end up using...) but that the connections are actually ICA
> traffic.  Anyone have any thoughts about using this kind of a solution as a
> security measure?
> 
> Thanks...
> Clayton
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 