Can you be more specific on why you recommend token authentication? What
are the specific risks that make Citrix a HIGH risk?
-Dennis Gnatowski
dennis_gnatowski@usfg.com
USF&G
From: IBMMAIL(I1106407)@IBMMAIL(I1106407) on 09/05/97 09:28 AM
To: Dennis Gnatowski/USFG@USFG
cc:
Subject: RE: CITRIX WINFRAME
From: "Aaron Everingham" <aaron@citadel.com.au>
To: <firewalls@GreatCircle.COM>, <dharris@kcp.com>
Subject: Re: Citrix WinFrame
Date: Fri, 5 Sep 1997 15:09:23 +1000
>I have been "requested" to create a tiny hole through our firewall to allow
>internal users to access an application on an external system. The hole would
>allow communication between the user's Win95 or NT client and a Citrix system
>running a database application.
ha ha ha... a small hole in a firewall to let winframe run? Did this
request come from Dilbert's boss?
Seriously though... I believe some firewalls have a winframe proxy (not
100% sure this is correct - maybe someone else can shed more light on the
subject?).
However, given that you will 'have' to do this on your existing firewall,
you should make sure you implement a token based authentication server and
distribute some sort of token to users.
In terms of risk, I believe you are right... Winframe is bidirectional and
it does create you as a virtual workstation.... risk is HIGH!!!!!!
However, will the winframe protocol allow you to restrict access to only
specific applications? Can that application or database enforce its own
security rules?
I would be VERY WARY of doing this without extensive testing. EG: can
anyone give a security rating to the winframe protocol? Has it been
independently tested? Is it hijackable (is that a real word?) etc
---- End of mail text