October 2nd, 2003, 03:06 AM
possible citrix nightmare
I work for a Canadian company, I just started, I am an IT specialist. The company has just outsource to a firm that provides a Citrix environment on top of our windows 2k network. Do not ask me why the company I work for has done this, it pisses me off, the firm provides email and some apps like the office suite. I am concerned because they allow access into the citrix network to our 100+ users from home. Home users can now access there email and files via the web. My problem here is what if a "not so nice person" breaks into a users home system and installs a trojan\keystroke logger and grabs there user/password for the citrix environment??? There goes my network security! I need to get as much research on this as possible to present it to the company I work for. I know the company that provides the cirtix tracks the ips of the remote users, but how easy would it be for the malicous person to hide there ident??? Please advise!!!
October 2nd, 2003, 03:10 AM
It would be easy to spoof your IP. These days there are many ways to remain anonomyous. I would also want that removed from my network. That is a large secuirty risk.
[gloworange]And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict\'s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. \"This is it... this is where I belong...\" I know everyone here... even if I\'ve never met them, never talked to them, may never hear from them again... I know you all...[/gloworange]
October 2nd, 2003, 04:20 AM
Limpster, thanks for the response.
I am wondering if a proxy server or a chain of, could communicate with the citrix server, or cant a proxy server do that?
October 2nd, 2003, 04:57 AM
Or maybe a home firewall to block all access?
Doesn't sound like you really need to access home files from your office...I may be wrong.
Just block all incoming traffic from the citrex server and properly configure a VPN, should save you the hassle.
Isn't what your company did kinda intrusive?
It\'s 106 miles to Chicago, we\'ve got a full tank of gas, half a pack of cigarettes, it\'s dark and we\'re wearing sunglasses.
October 2nd, 2003, 08:37 AM
I have no problems with Citrix per se. It allows a thin client deployment that is very easy to install, manage and maintain. As such, it is cost effective, and has saved my @$$ on several projects.
I do wonder about its deployment for "100+" users. I would have thought that was far too few to make it worthwhile? My experiences have been 900-6,000 seats.
Anyway, the real problem is not Citrix, it is the access from home. I would insist on a VPN (I think we used RSA?) then a keylogger is useless, as you only get the bit that the User knows, not the bit he "has" (the code number he gets from the key fob device that changes every 60 seconds).
In this area I would insist that users are restricted to one logon, so that if someone gets into his machine and gets the code he entered from the token, they will not be able to use it. By the time he logs out, it will have expired.
IMHO if you allow remote access over the open internet you are going to be vulnerable no matter what you use? The keylogger will report any and ALL passwords.
I think showtime8000 has it right with VPN
As for outsourcing...... ...............IMHO
October 2nd, 2003, 12:08 PM
Before you start looking at technology take a step back.
What does your company security policy say about protecting access to corporate assets? Has the Citrix environment been classified as an asset worth protecting?
What does your security policy say about using home machines to connect to the corporate network?
What does your security policy say about the required configuration of all machines accessing the network?
WHat I am saying here is that unless their is a top level consensus on the importance of these things you are going to have a difficult job getting anyone to agree spending any money on a problem that they don't even accept exists. You may need to spend some time creating a case for doing this. There are plenty resources out there that will assist you with this.
Once you have a security policy in place you can start looking at ways to enfore the policy. There are many tools out there that can do this for you, but if you are note even sure what you are enforcing, you can not realisticlly going to make a wise decision selection. Start by classifying the data you are trying to protect. Is it worth protecting any more than the usual procedures.
What are the real dangers, and how likley are they to happen. Will this cost the business, if so how much. Now you have either have a case for implementing a safeguard or accepting the risk.
If you rush into selecting a tool, and the threat changes over time, you may be forced into a selecting another tool. Whereas, if you had a policy that set direction, a good selection may well protect you in more than a single way, if implemented correctly and aligned with the right processes.
October 2nd, 2003, 01:22 PM
You raise some interesting points there gatedee
It would seem that there isn't a formal "security policy" as such?
The question is really the vulnerability of the remote (home) machines. If one of those machines becomes infected with malware that is "network aware" then the whole system is compromised, as it will appear as "mapped drives" to the infected machine. Neither VPN or passwords will help here?
This is no different from one of the onsite desktops becoming infected.
I cannot imagine any organisation with "100+" employees that is not holding data that are legally required to be protected?
I have worked in high security environments where the "secure network" was totally divorced from the general network, and could not be accessed from any machine that also has access to the general network. The problem with this is that you double up on hardware costs for those who need to get into the secure network. I would suspect that that approach is not cost justifiable here?
I do not think that Citrix is central to this situation. It requires client software to be installed on the desktop. It requires a password. It maps to the applications that have been set up on that desktop client. It would be very simple to set up a rule that you can only use e-mail remotely or whatever.
Another consideration is that the applications themselves are usually password protected, which creates a second line of defence. True, the keylogger would record these which is why it is commonplace to use a VPN system. The password is effectively dynamic, so the hacker cannot get in.
I think that the main risk here is that the system could be flooded with worms?
Some comfort can be taken from the fact that Citrix is relatively exotic so that skiddies would not know what to do with it. Also it frequently takes you to servers that are running *nix, and malware that work on both windows and *nix are still relatively rare (thank God!!!).
I think that the major threat is that the mothership will be flooded with worms?
As a "way forwards" I would suggest talking to other sites that use Citrix and remote access (ask Citrix themselves for contacts) and find out what they have done. Then write a formal paper to senior management explaining the concerns, and what the other guys have done. At least that should cover your @$$, which is the first and most important consideration
BTW...I like this thread, it has made my brane a couple of times!
October 2nd, 2003, 04:17 PM
The funniest part is that the companies end users, except for about 5, really dont need access to there files from home. Also I know that transmissions from the citrix client are encrypted pretty heavily, but a keystoke logger could still grab the users credentials right?? Also as far as masking the intruders identity, would a proxy server work or would they use some other method?? I am very thankful for all the great responses Ive gotten here.
October 2nd, 2003, 04:52 PM
MidNyte: I have about 650 users that _could_ access internal work stuff from home.
For Email I set up and exchange server and allow them access through Outlook Web Access, (OWA)..... That way I don't have to worry so much about their machines being compromised. They don't have access to the internal system from outside anyway. It runs on SSL so it is encrypted too.
For those people who have VPN access our policy is that they must purchase a hardware firewall, (linksys or whatever), if they are on high-speed connections and bring it to me for configuration. The bringing it to me for configuration bit is to force them to go and buy the damn thing not try to lie to me that they did...... While I "configure it for them" I sell the benefits to them personally in the hope that they do not simply return it afterwards. The big part though s the fact that by accepting the VPN access they are authorizing me to make random scans of their machine to ensure that the firewall is there and has not been tampered with. Do I actually do them.... rarely.... It's a time issue, but it helps to force them to put it in place. Then, the VPN allows most of them access to only a terminal services server that has profiles on for them. In that way an infected machine is less likely to detrimentally affect other machines on the network through the VPN. Finally, everything that comes through the VPN is logged and an IDS looks for VPN traffic attemting to go to machines other than the terminal services server. The few dial-up users are encouraged to get zonealarm but we do not make such a big deal and they suffer the speed problems a VPN/term server/dial-up connection deals them and are encouraged to go high speed with a hardware firewall.
Finally, and the thing that will probably steer your company in the right direction is the legal ramifications of allowing everyone in the company access to their work from home. There have been several instances where, (to the companies involved), it seemed to be a good idea to let employees do some additional work from home if they want. However, there have been several cases in the courts where non-exempt, (hourly), employees have got pissy with the company, quit and then billed the company for x thousand hours of uncompensated labor. In each case I believe the company has lost and it has cost them very large sums of money. Consequently, my organization allows only:-
1. Exempt employees authorized by their administrator
2. Employees who, by the nature of their job, work from their homes.
In order to become one of the priviledge members of the second group there theyare required to sign a document stating that they are paid 40 hours per week regardless of the time it takes them to complete their tasks in exchange for the priviledge of being able to work from home and set their own hours - kind of an hourly exempt worker.
Hope this helps....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
October 2nd, 2003, 04:54 PM
As you have probably gathered, I am quite positive regarding Citrix. You are quite correct, once the remote (or even an internal) machine is compromised you are owned! The encryption of Citrix or the VPN will not defend you against a reasonably well-crafted net worm.
You need to go back a pace to the security of the remote device!
Perhaps the company should provide Users who need external communications with dumb terminal type devices...no floppy, no CD no USB etc................this will mean that no one in the family can compromise it...OK there are a lot of other security measures required, but I think that you get the picture
I wish you luck my friend, and keep it going until you get a result!