CAG vuln assessment/audit

Our management are keen to engage a 3rd party to assess our citrix access gateway for security flaws/misconfigurations/best practice from the outside (the internet). My understanding is citrix access gateway uses 2-factor in this instance, SSL and is a very hardened linux appliance and server. Therefore, the question remains, from the outside, what kind of issues are there that could be tested for? Could you provide a top 5 areas youd review on a citrix access gateway (not secure access gateway) if you were tasked with such an audit. I dont want to go back to management and say "theres nothing to check with CAG from the outside" unless I know thats true.
LVL 4
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ahoffmannCommented:
SSL is no security protecten for your server, it just protects the traffic on transit from client to server, nothing more, nothing less
said this, your (citrix) web server is subject to all web application threats, vulnerabilities and exploits
if you're unsure what this might be, start reading OWASP Top 10:
  https://www.owasp.org/index.php/Top_10_2010
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
Isnt the citrix access gateway though that locked down (different from secure access gateway) that if theres a flaw in the citrix login page its citrix responsibility to release a patch not the company who bought the solution? So if its fully patched thats as far as you can go. We basically get: http://cdn.ws.citrix.com/wp-content/uploads/2008/09/1.jpg And the rest of the appliance is locked down afaik.http://www.citrix.com/English/ps2/products/product.asp?contentID=15005
0
ahoffmannCommented:
> ... if theres a flaw in the citrix login page its citrix responsibility  ..
I'd expect it that way in a trustworthy world, but check your contracts ...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.