Solved

Remote access only via approved machines

Posted on 2012-03-14
Last Modified: 2012-03-21
Is it seen as overkill for you to provide company-hardened devices that users can use from home to access remote access facilities like Citrix? Or where's the risk in not providing them corporate kit and letting them use whatever they want?

Say someone accesses a Citrix gateway from their personal computer manifested with poor security, i.e. out-of-date software, loads of malware, no firewall etc. etc. If they use this to access your Citrix gateway (2-factor), does the internal Citrix infrastructure become at risk, or not really? I.e. can they access Citrix from any damn machine they want, be that company-provided or home, or cafe shop etc. etc.?

What's your policy on this? Can Citrix enforce any kind of "your machine isn't secure enough, you aren't logging in"?
Question by:pma111
15 Comments
 
LVL 24

Accepted Solution

by:
Dirk Kotte earned 336 total points
ID: 37719361
We and most of our customers let the users use every device.
At the moment there are no known security risks for the server from these sessions.
0
 
LVL 8

Assisted Solution

by:Elmar-H
Elmar-H earned 336 total points
ID: 37719367
I'm sure. If you don't publish local disks from the client, then there's no security risk.
0
 
LVL 37

Assisted Solution

by:Carl Webster
Carl Webster earned 332 total points
ID: 37719369
I believe Citrix Access Gateway Enterprise Edition and NetScaler can provide this level of functionality.  Citrix XenApp and XenDesktop are designed to be accessed by any user from anywhere using any device.  How are you going to make sure their BlackBerry, iPhone, iPod Touch, iPad, Droid, Mac, Linux, Unix, Windows, etc. devices meet all your conditions?
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37719376
At some customers we use a second boot environment because the unmanaged devices sometimes do not run without problems.

For example a secure USB-Boot stick
http://www.ecos.de/home-en.html
0
 
LVL 3

Author Comment

by:pma111
ID: 37719430
>I believe Citrix Access Gateway Enterprise Edition and NetScaler can provide this level of functionality.  Citrix XenApp and XenDesktop are designed to be accessed by any user from anywhere using any device.  How are you going to make sure their BlackBerry, iPhone, iPod Touch, iPad, Droid, Mac, Linux, Unix, Windows, etc. devices meet all your conditions?


Well that was the question, as to whether you let them use them in the first place. I guess a keylogger would still glean passwords via the Citrix authentication.

Or whether you say "you can use any device you like, with any or no security on that device, to access our remote access facility".
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37719434
We use (nearly always) 2-factor authentication from the Internet for Citrix, OWA, SharePoint, VPN, ... to reduce the keylogger risk.
Mostly SafeWord, sometimes RSA.
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 37719443
You can also use the free Citrix SSLRelay to encrypt traffic between the Web Interface servers and the XenApp servers.  You could also use IPSec everywhere on your network.

I have been given access to customer Citrix networks where their network security device(s) didn't like my AV on my laptop.  I had to uninstall my AV and install one of their approved packages before the security scan would complete and let me log on to their network.
0
 
LVL 3

Author Comment

by:pma111
ID: 37719466
But surely it's good practice to have some form of user education policy stating the risks of remote working and that connections should be made from managed/trusted machines and networks?
0
 
LVL 3

Author Comment

by:pma111
ID: 37719485
Do Citrix offer any sort of "best practice analyser" tools to help audit their products to identify security or misconfiguration gaps? M-S have quite a few now for security, AD, DNS, Exchange etc.
0
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37719488
Not a bad idea, but you should not irritate the user more than necessary.
How secure is it to work from the hotel WLAN?
Citrix (with Secure Gateway or Access Gateway) is designed for this.
0
 
LVL 3

Author Comment

by:pma111
ID: 37719499
Is 2-factor authentication then a complete solution to passwords being compromised? I.e. could you post a list of passwords for your Citrix gateway, yet without a 2-factor dongle there's nothing at all that could be done about it or used for malicious intent?
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 332 total points
ID: 37719536
Hi,

It really depends on the system to which the user is connecting. Irrespective of that, accessing an enterprise system from a user's own PC over which you have no control (in terms of anti-virus, malware, lockdown etc.) could potentially result in some form of compromise.

If the end-system is highly sensitive and of interest to organisations (for example if it were a Government or Government contractor) then the risk of key logging, screen capturing etc. malware becomes more significant as the user could be targeted.

Even in the commercial space, very big organisations could use this as a means of corporate espionage.

Bootable USB pen-drive solutions such as BeCrypt's Trusted Client or Spyrus Secure Pocket Drive completely isolate the running environment from what's on the computer's hard disk, so any malware present isn't able to run and compromise the secure environment/your system. The only potential attack would be from a modified BIOS, which is not that likely in most day-to-day scenarios unless the system is of interest to a particularly determined attacker.

The Spyrus solution runs Windows Embedded, so it can run the same A/V, applications and VPN as you do internally and be managed using WSUS or SCCM to ensure it's up to date with OS patches.

The BeCrypt client runs a secure Linux distribution.

Both solutions are approved for Government use - this provides a level of confidence in their robustness etc.

http://www.spyrus.com/products/secure_pocket_drive.asp

http://www.becrypt.com/products/trusted-client

Others include:

http://www.mxisecurity.com/en/products/stealth-zone-secure-desktop-environment

Whilst some may consider the above overkill, organisations wanting to permit secure remote access to corporate systems are implementing them.

Regards,


RobMobility.
0
 
LVL 23

Assisted Solution

by:Ayman Bakr
Ayman Bakr earned 332 total points
ID: 37719555
In our corporate environment we use software called Host Checker. Our users can use any device they wish, but before they can connect to the facilities they have to have the 'Host Checker' program installed on their client device.

The Host Checker will determine whether the client device has the minimum security requirements set on their device. If not, it will reject connectivity. The minimum requirements can be configured from the Juniper VPN we have before going through to the Access Gateway; e.g.:
1. Firewall should be turned on
2. Antivirus should be installed and confined to the list of antivirus approved by the corporate
3. Last update to the antivirus should not exceed a certain period of time

But, I have to say, we take extreme measures and hence this added configuration. However, I still believe that with a proper setup of your CAG in the DMZ and proper firewall setups you should be able to secure your facility to a very satisfactory level.
0
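The three Host Checker rules in the answer above (firewall on, antivirus from an approved list, antivirus signatures not older than a set period) amount to a small posture policy evaluated before the gateway lets a session through. The following is an added example, not Juniper or Citrix code and not from anyone in this thread: it models such a policy over a constructed client posture report and returns an allow/deny decision with the reasons, which is what an administrator would want logged when a connection is refused. The report format, vendor names and the 7-day limit are assumptions.

```python
"""Endpoint posture check modelled on the three rules described in the thread.
Added illustration; the posture report fields and policy values are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    approved_av: frozenset            # AV vendors the company accepts (assumed list)
    max_signature_age_days: int       # how stale AV definitions may be


@dataclass(frozen=True)
class Posture:
    """What the client-side agent reports about the device (constructed format)."""
    firewall_enabled: bool
    av_product: Optional[str]         # None when no antivirus is installed
    av_signature_date: Optional[date] # None when the agent cannot determine it


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(posture: Posture, policy: Policy, today: date) -> Decision:
    """Apply every rule and collect all failures, so the user sees the full list."""
    reasons: List[str] = []

    # Rule 1: host firewall must be on
    if not posture.firewall_enabled:
        reasons.append("firewall disabled")

    # Rule 2: antivirus installed and on the approved list
    if posture.av_product is None:
        reasons.append("no antivirus installed")
    elif posture.av_product not in policy.approved_av:
        reasons.append(f"antivirus '{posture.av_product}' not on approved list")
    else:
        # Rule 3: signature age, only meaningful once the product is acceptable.
        # Treat an unknown date as a failure rather than silently passing it.
        if posture.av_signature_date is None:
            reasons.append("antivirus signature date unknown")
        else:
            age = (today - posture.av_signature_date).days
            if age > policy.max_signature_age_days:
                reasons.append(
                    f"antivirus signatures {age} days old "
                    f"(limit {policy.max_signature_age_days})")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed policy and sample devices for demonstration
CORPORATE_POLICY = Policy(approved_av=frozenset({"VendorA", "VendorB"}),
                          max_signature_age_days=7)
TODAY = date(2012, 3, 14)

SAMPLE_DEVICES = {
    "managed-laptop": Posture(True, "VendorA", date(2012, 3, 13)),
    "home-pc-stale-av": Posture(True, "VendorA", date(2012, 2, 1)),
    "cafe-netbook": Posture(False, None, None),
    "home-pc-other-av": Posture(True, "VendorZ", date(2012, 3, 14)),
}


def check_all(devices=SAMPLE_DEVICES, policy=CORPORATE_POLICY, today=TODAY):
    """Evaluate every sample device; returns a name -> Decision mapping."""
    return {name: evaluate(p, policy, today) for name, p in devices.items()}


if __name__ == "__main__":
    for name, decision in check_all().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:18s} {verdict}  {'; '.join(decision.reasons)}")
```

Collecting every failed rule instead of stopping at the first one keeps the help-desk conversation short: the user is told all of what to fix, not one item per attempt.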
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 37719738
While demonstrating the solution at Citrix events I have written username and password on the whiteboard.
Without the 2-factor device there is no possibility to use these credentials from the Internet.
0
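The point made in the whiteboard anecdote above, and in the earlier question about whether 2-factor makes a leaked password useless, comes down to the server requiring something the keylogger never sees: a one-time code derived from a secret that stays on the token. As an added example (not SafeWord, RSA or Citrix code, and not from anyone in this thread), the following implements the standard TOTP scheme from RFC 6238 over HOTP (RFC 4226), which is a software-token equivalent of the hardware dongles discussed, and shows a login that succeeds only with password and current code together. The user record, password and token secret are constructed; the secret is the RFC 6238 test-vector key so the codes can be checked against the published values.

```python
"""Password + TOTP login check (RFC 6238 / RFC 4226). Added illustration with
constructed user data; not the code of any product named in the thread."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash, never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record; the token secret is the RFC 6238 test-vector key
_SALT = b"constructed-salt"
USERS = {
    "demo": {
        "pw_hash": hash_password("written-on-whiteboard", _SALT),
        "token_secret": b"12345678901234567890",
    }
}


def verify_login(user: str, password: str, code: str, at_time: float,
                 users=USERS, step: int = 30, window: int = 1) -> bool:
    """Accept only if the password matches AND the code matches the current
    step (allowing +/- `window` steps of clock drift). Constant-time compares
    avoid leaking which factor failed."""
    record = users.get(user)
    if record is None:
        return False
    if not hmac.compare_digest(record["pw_hash"], hash_password(password, _SALT)):
        return False
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        expected = hotp(record["token_secret"], counter + drift)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    current = totp(USERS["demo"]["token_secret"], now)
    print("password only       :", verify_login("demo", "written-on-whiteboard", "000000", now))
    print("password + OTP code :", verify_login("demo", "written-on-whiteboard", current, now))
```

The first call stands in for the attacker who copied the whiteboard: the password is correct, but without the token secret the code cannot be produced and the login fails. A real deployment would also need replay protection (reject a code already used in its step) and rate limiting, which the thread does not cover and this example omits.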
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 332 total points
ID: 37726956
You can also implement an Access Gateway and use end-point scanning to determine who & what devices are allowed.  

2-factor authentication is about the best security you can get, however, it doesn't protect you from an end-user who is logging in remotely and is using the various redirections available in Citrix.

If you want to secure it as much as possible, put in your Access Gateway, and use Citrix policies to turn off all redirections for connections through the AG.

Coralon
0
