Can you be more specific on why you recommend token authentication? What
are the specific risks that make Citrix a HIGH risk?
From: IBMMAIL(I1106407)@IBMMAIL(I1106407) on 09/05/97 09:28 AM
To: Dennis Gnatowski/USFG @
Subject: RE: CITRIX WINFRAME
From: "Aaron Everingham" <aaron @
To: <firewalls @
COM>, <dharris @
Subject: Re: Citrix WinFrame
Date: Fri, 5 Sep 1997 15:09:23 +1000
>I have been "requested" to create a tiny hole through our firewall to
>internal users to access an application on an external system. The hole
>allow communication between the user's Win95 or NT client and a Citrix
>running a database application.
ha ha ha... a small hole in a firewall to let winframe run? Did this
request come from Dilbert's boss?
Seriously though... I believe some firewalls have a winframe proxy (not
100% sure this is correct - maybe someone else can shed more light on the
However, given that you will 'have' to do this on your existing firewall,
you should make sure you implement a token based authentication server and
distribute some sort of token to users.
In terms of risk, I believe you are right... Winframe is bidirectional and
it does create you as a virtual workstation.... risk is HIGH!!!!!!
However, will the winframe protocol allow you to restrict access to only
specific applications? Can that application or database enforce it's own
I would be VERY WARY of doing this without extensive testing. EG: can
anyone given a security rating to the winframe protocol? Has it been
indepedantly tested? Is it hijackable (is that a real word?) etc
---- End of mail text
Additional SMTP headers from original mail item follow:
Received: from relay6.UU.NET by E-MAIL.COM (IBM VM SMTP V2R3) with TCP;
Fri, 05 Sep 97 09:28:12 EDT
Received: from honor.greatcircle.com by relay6.UU.NET with ESMTP
(peer crosschecked as: honor.greatcircle.com [126.96.36.199])
id `Qdfrp29900; Fri, 5 Sep 1997 09:22:11 -0400 (EDT)
Received: (majordom @
localhost) by honor.greatcircle.com (8.
08-1) id WAA03674 for firewalls-outgoing; Thu, 4 Sep 1997 22:04:59 -0700
Received: from pluto (pluto.citadel.com.au [188.8.131.52]) by
.com (8.8.5/Honor-970824-1) with ESMTP id WAA03628 for
OM>; Thu, 4 Sep 1997 22:04:44 -0700 (PDT)
Received: from Aaron.citadel.com.au ([184.108.40.206]) by pluto (8.7.6/8.7.3)
h SMTP id PAA28657; Fri, 5 Sep 1997 15:10:43 +1000
Message-Id: <199709050510 .
Reply-To: "Aaron Everingham" <aaron @
X-Mailer: Microsoft Outlook Express 4.71.0544.0
X-MimeOLE: Produced By Microsoft MimeOLE Engine V4.71.0544.0
Sender: firewalls-owner @