
Security

Status
Not open for further replies.

patrick118

Technical User
Joined
Jan 14, 2004
Messages
315
Location
NL
We have Citrix and Secure Gateway and that is working fine, but now the following.

Users are able to log on with a token and the web client to work at our place. Now people intend to take the token home and work from there. This is not really the idea. I only want them to log on from a company location, because people at home tend to forget to patch or install anti-virus and who knows what else.

We had the idea of putting only those IP addresses in the firewall of the other companies. This way they can log in from the company area and not from home. Perfect idea, you think, but... management wants to be able to work from home. They all have DHCP addresses. The only thing I get to hear is: I want complete security, but I also wanna work from home or any other place I happen to be.

That gives a sort of a problem. How do you create good security for home PCs if you don't have any control over them?

Can you share how you did it, or perhaps share some ideas on how to resolve this problem?

Thank you for your help

Patrick Netherlands
 
Is this really happening?

Isn't there anyone working with this topic? Haven't you ever thought about this possibility?

Hope to see some tips in the future

Patrick
 
Hi Patrick, I read your post yesterday. I thought at the time that you were being somewhat ambitious. What you are saying is that you want management and yourself to be able to get to it from anywhere, but everyone else from the LAN/WAN. I didn't think what you were trying to achieve was possible "out of the box". However, I am sure there could be a VPN solution that would do you.

Arguably the best cat skinner around!

Cheers
Scott
 
OK, let me simplify my question and lower my ambition.

How do you secure home working? You don't have control over a user's home computer, but you still want security with your Citrix server.

1. Install anti-virus on your server with day-to-day updates
2. Make sure you patch everything you can
3. Make the best policy you can to secure the user's desktop
4. Make sure your firewall between server and home user is the best you have.
5. ???????????

That's it? What if, for example, a user doesn't patch his computer because, let's face it, why should I? Everything works and I never had problems. Well, this time someone is able to do it and controls his computer. The home user logs in at our place and, well, the hacker is seeing the exact same thing. I have a lot of confidential data here, and he takes control and the home user isn't smart enough to hit the power button. The hacker is in.

I know it's not likely, but I have to do something to cover my own ass. At least have something on paper? The user should have a software firewall like ZoneAlarm and the latest anti-virus updates.

How do you do it with your home users? You give them the codes and say good luck?

think about this.
patrick
 
Well OK, let's discuss this then, Patrick.

You could set a certificate server up for yourself. No one gets in unless they have your certificate. That you can handle. Next, you ask your users to prove once a week that they are up to date etc. and revoke the certificates of those who do not.

However, your scenario above is still not catered for. At the end of the day, Patrick, if Mr. Hacker wants to get in he probably could. Remember 90% of hacking is done by internal people. Your password security is probably going to get you into more trouble than a web attack.

Arguably the best cat skinner around!

Cheers
Scott
 
Scott.

I know you are right, and I also know there isn't much more I can do, but I pushed a little in the forum to get an answer out of someone.

I'm not working at a central bank or something, so they don't spend as much money on the topic as I would, but even then, if a hacker wants to get in he can. He applies for a job, gets hired and then goes sitting at a desk. :)

Thank you for answering. I close the topic and wish you a good weekend.

Patrick
 
Hey Patrick, don't be so down on yourself. I am not necessarily right you know, that is just my opinion. I am sure there are better security experts out there than me! Just trying to develop the debate. Good weekend to yourself, good friend. :)

Arguably the best cat skinner around!

Cheers
Scott
 
I will update this as to what we did for a solution to this...it seems intricate, but I will try to be precise:

Users can work from home after a VPN connection to our office. In order to work from home, we give them a CD that has 3 installs that MUST be installed and current on their home PCs (with the statement that if it breaks something, too bad). They need to install the pre-configured Cisco VPN Client, Symantec Anti-Virus and the Integrity Flex Firewall. Upon first connection to the VPN, a current configuration file is copied to their PC, along with a separate FW policy that (a) looks to make sure the FW is running with a current, correct policy, and (b) checks that the SAV signature files are not more than 30 days old. If either of these is false, connection to the VPN is denied until the files are brought current (procedure on the VPN CD). Once authenticated to the VPN (using Token ID) to a Cisco Concentrator, connection is made and all IP resources are available (Citrix, RDP, mapped drives, etc.).

I did not design the implementation, but am just a user that gets access to Citrix with this method. There are ways to do what you are looking to accomplish, but none of them are easy and out of the box.

Mike Brown
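
The admission rule described in the post above (firewall running with the current policy, anti-virus signatures no more than 30 days old, then token authentication), sketched as an added example that is not part of the original thread and not the poster's actual configuration. The `PostureReport` fields, the policy version strings and the decision labels are hypothetical, and checking posture before the token is an assumption about ordering.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_SIGNATURE_AGE = timedelta(days=30)  # threshold stated in the post


@dataclass
class PostureReport:
    """Hypothetical report sent by the client before the tunnel is opened."""
    firewall_running: Optional[bool]         # None = agent could not tell
    firewall_policy_version: Optional[str]   # policy currently loaded
    av_signature_date: Optional[date]        # date of newest AV definitions


def evaluate_posture(report: PostureReport, required_policy: str,
                     today: date) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). Missing or odd values fail closed."""
    reasons = []
    if report.firewall_running is not True:
        reasons.append("firewall not running or state unknown")
    if report.firewall_policy_version != required_policy:
        reasons.append("firewall policy is not the current one")
    sig = report.av_signature_date
    if sig is None:
        reasons.append("anti-virus signature date missing")
    elif sig > today:
        # A future date suggests a wrong clock or a forged report.
        reasons.append("anti-virus signature date is in the future")
    elif today - sig > MAX_SIGNATURE_AGE:
        reasons.append(f"anti-virus signatures are {(today - sig).days} days old")
    return (not reasons, reasons)


def admit(report: PostureReport, token_ok: bool, required_policy: str,
          today: date) -> Tuple[str, List[str]]:
    """Posture gate first, then the token result; only both passing opens the VPN."""
    compliant, reasons = evaluate_posture(report, required_policy, today)
    if not compliant:
        return "DENY_REMEDIATE", reasons   # user must bring the PC current
    if not token_ok:
        return "DENY_AUTH", ["token authentication failed"]
    return "ALLOW", []


# Constructed sample reports, not real client data.
TODAY = date(2024, 3, 31)
CURRENT = PostureReport(True, "policy-v7", date(2024, 3, 1))     # exactly 30 days
STALE = PostureReport(True, "policy-v7", date(2024, 2, 29))      # 31 days
UNKNOWN_FW = PostureReport(None, "policy-v6", date(2024, 3, 30))
```

A report that omits a field is treated the same as one that fails the check, so an unmanaged PC without the agent cannot pass by saying nothing.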
 