The difference between Symantec VPN/MS Terminal Server and Citrix Metaframe

Hi,

I'm doing a risk analysis for my company. They have recently changed from Symantec VPN (and all other stuff for security from Symantec) in combination with MS Terminal Server to Citrix Metaframe (and all other stuff for security from Citrix). The reason that the IT department gave me was that Citrix Metaframe is more secure, because users are no part of the network in this.

Question: Can you give me a general overview of the security differences between both technologies? Furthermore I need to know whether or not the statement of my IT department is real.

Hope someone can help me!

John
Rich Rumble (Security Samurai) commented:
No, that statement does not sound real... Symantec's VPN "typically" uses Windows authentication to, well, authenticate a user to your network via the VPN. I can't really say that one way is better than the other; it sort of depends on the setup. Do you have any more details?
-rich
Rant32 commented:
If the 'other stuff from Citrix' means a Citrix Access Gateway, then by all means this is basically the same solution from another company. The CAG is essentially a Watchguard SSL-VPN box in front of a Citrix MPS. Properly configuring the Symantec VPN restricts access to the Terminal Server enough so that users are not a part of the network, so users can only access the Terminal Servers.

I'd say: if the IT-department is not actually USING the extra features Citrix has to offer (Application publishing, seamless windows, intelligent load balancing, SSL Gateway / Proxy, Intelligent Web Interface, Smart Access and Workspace Control) they've thrown away a good deal of money (at least 15 grand for a small setup) they could've spent on other things.

Don't take my word for it, because I don't know the security features of Symantec VPN - but this is my 'general overview' ;-)
jkruijt (Author) commented:
Hi rich,

Glad you could react on such short notice. I really don't have all the details. I'm an advisor for the board of directors. I'm mainly a manager and not a technical IT'r. I have done many years of programming and analysing programs (SQL, Cobol). Now I only manage projects and give advice.

The question is: If all the right parameters and all the tools of both systems (Citrix vs. Symantec) are used, is one of them more secure (in both cases we have used a cryptocard)? Furthermore, the statement of the IT department (which is for a great deal the reason that the company has made a big investment) is that the big difference between full Symantec use and full Citrix use is that using Citrix gives more security because the user PC is not part of the company's network. Therefore they don't need to be worried about viruses and other nasty stuff coming from the user PC.

I'm also interested in the way the authentication of Citrix works. I have found some remarks on internet that the authentication, using metaframe, is in plain ascii and not part of the SSL 128 bit encoding. Is that true? If so, is that a security risk?

I will be back tomorrow morning 8:00 o'clock, CET. Have a nice evening,

John
jkruijt (Author) commented:
Hi rich,

Will you please give a reaction?

John
Rich Rumble (Security Samurai) commented:
With PCs like laptops and home PCs VPN'ing into a network, it's true you do lose a lot of control. There is no easy or cheap way to ensure that a PC/LT is fully updated with M$ patches and its AV DATs and settings. So what it sounds to me like they are doing is allowing you to VPN into a Citrix server and control that server over the VPN connection. This way they can block any ports except the Citrix port, so viri can't propagate to the network, because there is no virus that spreads over that type of a connection, and there likely never will be. So technically this can be viewed as a more secure setup. Sorry for the delay. There is no advantage of using a different VPN client over another really, but there may be some ease of use issues.
-rich
jkruijt (Author) commented:
Hi rich,

So I understand you are saying that the Citrix solution is a more secure solution than the solution with Symantec VPN and TS because of the possibility that you are able to block all the ports except for the Citrix port. Do I understand you correctly that this isn't possible with Symantec VPN and TS? Or is it more difficult to do?

Second and last question is: I'm also interested in the way the authentication of Citrix works. I have found some remarks on internet that the authentication, using metaframe, is in plain ascii and not part of the SSL 128 bit encoding. Is that true? If so, is that a security risk?

Thank you for answering,

John
Rich Rumble (Security Samurai) commented:
Correct, you could use the Symantec VPN the same way to connect to the Citrix server via Terminal Services. RDP (remote desktop and terminal services) connections are encrypted by default. If they have eliminated the VPN client and are having users just use TS/RD to the public IP of the Citrix server, there is a possibility of brute-forcing a login; however, if usernames are unknown to an attacker, the likelihood of success is very low. The ideal situation is to have users VPN into the network, and then connect via TS to the Citrix server. M$ ISA servers have VPN capabilities and are very good VPN solutions.

If users are using MetaFrame to connect then it's likely using SSL as its encryption method. I'm sure you can set it to be less secure, using plain-text, however I've not run into that before. http://en.wikipedia.org/wiki/Citrix_MetaFrame http://en.wikipedia.org/wiki/Secure_Sockets_Layer
http://www.brianmadden.com/content/content.asp?ID=78

Again the "added" or "better" security is an intended by-product of the setup. If you allow users to TS into a server that lowers their account privileges, so they can't install software, or run certain programs, or make system changes, then you're one step ahead. Forcing users to use a server that is "locked-down" in this way definitely increases the security. The portion of the opening statement "metaframe is more secure, because users are not part of the network" is still false, as you have to be part of the network or on the network to interact with it... they should have said, "users' PCs and LTs are not directly connected to the network" as the users' PCs are connecting by proxy. Best practices are just that, best practices, and by controlling/limiting what users can do you're effectively increasing security http://xinn.org/win_bestpractices.html
-rich
carl_legere commented:
You are saying you are now not using a VPN? But wide open connections to Citrix?

It is apples and oranges: are VPN connection requests coming from employees/subs and you trust them, or is this endeavor supposed to be very easy to connect to and for the general public?

It is my opinion that neither is particularly secure. Badly configured VPNs can cause your field workstation with a bug to spread it into the main business network, but usually a VPN is a good foundation for building a solid system, then add layers of security with routers and access controls, and of course you are already using a terminal server, so you are under extreme flexibility there.

I would shy away from something called Symantec VPN however, it can't be all that good compared to Cisco for example.
jkruijt (Author) commented:
Hi Carl,

No, we do use VPN. My English isn't that good, so it is possible that I have given the wrong impression.

My questions were:

1. We did use Symantec VPN and TS for remote connections. We now use Citrix Metaframe (and all the other stuff, among which VPN) for remote connections. If both are fully implemented with all the patches, is one more secure than the other?
2. The sessions with Citrix Metaframe and VPN are in 128 bit encryption, but the session build up is in plain text. Is that true?

John
Rich Rumble (Security Samurai) commented:
The encryption provided by Symantec is no better or worse than any other popular VPN client/server. If you access your Citrix servers through the VPN, even if Citrix has plain-text going on, the packets are not sniffable by someone who is not on your network.
So if you must use the VPN to get to the Citrix servers, i.e. you can't access Citrix without the VPN, your data is being secured over that VPN tunnel. If you're able to access Citrix with or without the VPN, when you access it without, you may be less secure. Again, by default Terminal Services are encrypted very well using the RC4 stream cipher. The encryption can vary; the typical default is 128-bit (if you have SP2 applied to 2000; in XP regardless of the service pack it is also 128-bit).
http://support.microsoft.com/default.aspx?scid=kb;en-us;275727&FR=1&PA=1&SD=HSCH
http://download.microsoft.com/download/2/8/1/281f4d94-ee89-4b21-9f9e-9accef44a743/TerminalServerOverview.doc
This paper below gives you a very good explanation of the TS RDP protocol:
http://www.oxid.it/downloads/rdp-gbu.pdf (using a VPN a man-in-the-middle attack won't work, unless they are VPN'd into your network too)
-rich
Rant32 commented:
To cut a long story short: when you force the TS or ICA connections through a VPN, the security of the applications being used does not matter. No major security problems have been found in either VPN solution.

Without a VPN (which is not the case), Citrix authentication also uses SSL and TLS and is basically the same as the negotiation taking place between a Microsoft TS using RDP. Citrix ICA is vulnerable to MITM as well but the VPN-box (the CAG) prevents that kind of attack if properly configured. But the Symantec VPN can do that as well.

2) The plaintext part you are referring to is the exchange of the public keys and salt values which are not required to be secret.

This info is from http://support.citrix.com/article/CTX101737

"Customers who wish to protect their Citrix environment from man-in-the-middle attacks should utilize the Citrix SSL Relay or Secure Gateway.

It should be noted that any protocol that is intended to defend against man-in-the-middle attacks requires prior trust configuration to enforce server authentication. (In Citrix SSL Relay this is achieved by configuration selecting the SSL root certificates.) If man-in-the-middle attacks are deemed to be likely than customers should use the Citrix SSL Relay or the Secure Gateway to protect the environment."

Otherwise, please define what you mean by "secure". There are several levels of security that can apply here, to name a few:
- Access to the system by unauthorized people
- Intentional or unintentional problems caused by trusted users, like viruses/worms/trojans
- Installing malware on the citrix server when using webbrowser
jkruijt (Author) commented:
Hi Rant,

I think your answer is better than my question!

So the last part of the question (about the building-up of the session and the encryption) is clear. If you ask me the level of "secure" I meant, then you give the right examples. Those are the kind of threats I'm worried about.
For the access of unauthorized persons we use, besides username and password, a cryptocard. So I think that handles point 1 well. The other 2 points are more or less unknown by me. Is it possible you give some guidelines what to do, to ensure that those things do not happen?

Regards,

John
Rant32 commented:
Hi John,

If access to the VPN is controlled by both a username and password, and a security token, then this is considered to be very secure. If the Symantec VPN solution didn't use security tokens then the upgrade may prove worthwhile and maybe even worth the investment (but that's up to you).

Protecting the servers and the rest of the corporate network from worms is the task of the firewall. The VPN firewall should only allow the least amount of traffic required to connect to the Citrix farm - TCP port 1494 in most cases, and maybe DNS.

The third point I mentioned depends on the amount of freedom users have when logged on to Citrix/TS and is really a matter of proper server tuning and configuration, and above all, user training and awareness. This goes for both MS Remote Desktop and Citrix. If you're only using one or a few line-of-business applications with seamless windows then it's near impossible to get any malware on the server. On the other hand, if you allow users to log on to the Citrix/TS desktop, with access to Internet Explorer and an environment that is not locked down, then sooner or later something bad will happen.

You can protect the server with extensive use of Group Policy to restrict user actions, remove all access to local drives. If possible, remove access to IE. If users need a webbrowser, don't allow executable or other file downloads from the web with a good proxy server, disable ActiveX download and unsafe scripting, and disallow WSH if possible. To mention a few things.

Success/Good luck.
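The least-privilege firewall policy Rant32 describes (allow only TCP 1494 to the Citrix farm plus DNS, deny everything else) can be checked mechanically. The following is an added example, not code from the thread or from Citrix/Symantec; the rule tuple format, the `CITRIX_FARM`/`DNS_SERVERS` address ranges and the sample rule sets are constructed for illustration.

```python
"""Audit a VPN-to-Citrix firewall policy for least privilege (added example).

A rule is a hypothetical tuple: (action, proto, dst_cidr, dst_port).
proto "any" and port 0 stand for "all protocols" / "all ports".
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str, int]

# Constructed sample topology for this example (not from the thread).
CITRIX_FARM = ipaddress.ip_network("10.10.20.0/24")   # Citrix MPS servers
DNS_SERVERS = ipaddress.ip_network("10.10.1.0/29")    # internal resolvers
ICA_PORT = 1494   # Citrix ICA, the port named in the thread
DNS_PORT = 53

DEFAULT_DENY: Rule = ("deny", "any", "0.0.0.0/0", 0)


def rule_is_allowed(rule: Rule) -> bool:
    """True if the rule stays inside the policy: deny rules always do;
    an allow rule only if it is TCP 1494 into the farm or port 53 to DNS."""
    action, proto, dst_cidr, port = rule
    if action == "deny":
        return True
    dst = ipaddress.ip_network(dst_cidr, strict=False)
    if proto == "tcp" and port == ICA_PORT and dst.subnet_of(CITRIX_FARM):
        return True
    if proto in ("udp", "tcp") and port == DNS_PORT and dst.subnet_of(DNS_SERVERS):
        return True
    return False


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the policy is
    least-privilege and ends with an explicit default deny."""
    findings = [f"over-broad allow: {r}" for r in rules if not rule_is_allowed(r)]
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("missing trailing default-deny rule")
    return findings


# Constructed sample policies: one conforming, one as often found in practice.
GOOD_RULES: List[Rule] = [
    ("allow", "tcp", "10.10.20.0/24", 1494),
    ("allow", "udp", "10.10.1.0/29", 53),
    DEFAULT_DENY,
]
BAD_RULES: List[Rule] = [
    ("allow", "tcp", "10.10.20.0/24", 1494),
    ("allow", "tcp", "10.10.0.0/16", 445),   # SMB into the whole LAN: worm path
    ("allow", "any", "0.0.0.0/0", 0),        # "temporary" allow-all, no deny
]
```

Running `audit(BAD_RULES)` reports both over-broad allows and the missing default deny, which is exactly the class of misconfiguration carl_legere warns lets a field workstation's infection reach the business network.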
Rich Rumble (Security Samurai) commented:
I also think the changes they've made are an improvement over the config you previously had, especially if they are locking down the Citrix servers and user privs on them. Again, most VPNs today are as good as any other, and I think this is the case for your current setup.
-rich
jkruijt (Author) commented:
Hi Rich and Rant32,

Thanks for the help!

John