Citrix Security Question 1

Status
Not open for further replies.

jkmusic

IS-IT--Management
Jul 2, 2001
14
US
I am weighing security issues with Citrix. We have Citrix Neighborhood Clients and may use web clients soon. Our FWalls will do point to point VPN but we are not utilizing it.

Please correct me...

Standard Citrix (Neighborhood Client) over the web sends clear text login info..with very basic data encryption.

Using the web client will start the connection first and use Microsoft encryption, therefore encrypted login and data.

Secure Gateway guarantees secure connection with more secure data and encrypted logins.

I know I am wrong, but you get the picture of what I need to know. You will be settling this issue for a ton of people by answering authoritatively.

Thanks!
Kevin
 
You are correct about Citrix Secure Gateway. CSG will allow you to utilize SSL for all communication and is therefore the most secure method of setting up Internet Based application publishing.
If you are using a VPN however and are sending the information internally then encryption may not be as big of an issue for you.
ICA traffic in general is not clear text but it is the authentication you would be most concerned with. If you are using VPN you may want to look at web interface without CSG. You can use SSL in the web interface and allow port 1494 to pass to your clients. This is one major benefit CSG brings. If you use CSG, UDP does not need to be open.
 
What about using the raw Web Client over using the Neighborhood Client, is there any security increase without using the CSG or VPN?
 
Wow. I missed that piece. I meant to mention that the web interface by itself can use SSL to encrypt the login and then you can send the connection over 1494. This would be sufficient for VPN connection.
Sorry I missed this the first time.
 
Ok, now it's probably my bad. You said, "This would be sufficient for VPN connection". But, I am asking about the differences in the two Without VPN connection or CSG. Are you saying this would be LIKE having a VPN connection??
Kevin
 
Got ya. You threw me off with the firewalls can do VPN. Thought you were looking at using the VPN for this.
The use of Web interface without CSG is used by some to publish applications over the web. Using SSL on the server will secure your authentication. What it will not do is provide full encryption. Once the application is launched by the user "embedded or not" the ICA connection is made directly to the Citrix server and not through Web interface. This is where you are not 100% secure. This requires a hole to be punched through your firewall for the UDP port 1494 and the ICA will be sent directly to the client. If you are asking it I would recommend that the answer is no. Citrix will tell you the same thing. To be honest it is a little of a CYA. If you are not concerned about security to the highest level please at least secure your web interface with SSL. The only big difference to you for cost to use CSG is a low end server. I think CSG would be well worth the few thousand to setup. You can run CSG and WI on the same server and you would need a secure ticket authority to hand out tickets to the party :>).
 