Does your Citrix or Terminal Server environment have an Achilles heel?

Transcription

1 CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com

2 Table of Contents Executive Summary... 3 The Popularity of Virtual Desktops... 3 The Inherent Security Risks of Multi-User Desktop Environments... 3 More Security is Needed... 4 Moving Away from IP-centric to Role-based Access Controls... 4 Conclusion

3 Executive Summary Citrix and Terminal Servers provide highly valuable functionality for session-based access, but to date have had an Achilles heel when it comes to privileged account management across multiple users. Citrix and Terminal Servers allow multiple virtual desktops to share a single hardware resource. This grants several benefits, but also causes additional security concerns not typically found in traditional distributed desktop environments. Citrix and others have primarily focused on securing user access to the virtual desktop infrastructure, but not enough attention has been paid toward securing access to the datacenter applications these users utilize. The Popularity of Virtual Desktops This white paper will highlight the information security risks inherent in all multiuser virtual desktop solutions, and offer a better way to secure access using a zero trust security methodology. Many enterprises have chosen to virtualize their corporate desktop environments either using Citrix s XenDesktop and XenApp solutions or Terminal Servers. These are Windows-based multiuser systems, which are used to present corporate applications to employees in a secure and controlled environment. The technology is a real business asset, great for presenting applications or a desktop to any user from almost any device and any location. There are multiple use cases for these systems including remote access, as jump servers connected to secure networks, or as access to privileged applications and resources. They also allow an organization to greatly reduce its need to manage employee devices, and are designed to increase application response without data leaving the corporate network. Many of these benefits are derived from being able to place the virtual desktops on hardware that is within the datacenter. The Inherent Security Risks of Multi-User Desktop Environments Citrix Users Virtual Desktop Infrastructure Internal External 192.###.### ###.###.100 SSL NETSCALER FIREWALL This virtual placement of client desktops inside the datacenter also results in many security concerns. Citrix has published a white paper 1 detailing many of the risks inherent in environments with multi-user desktops and virtual desktop infrastructure (VDI). These include remote access to the virtualized desktop environment, the proliferation of unmanaged personal devices used to connect to that environment, the access that virtual desktop users have to downstream network resources, and the concentration of corporate resources onto a few virtual hosts rather than being distributed among multiple user workstations. To counteract these vulnerabilities, Citrix recommends utilizing their NetScaler appliance as shown in Figure 1. Figure 1 2 Data Centers SERVERS WAN SERVERS Cryptzone representation of NetScaler use 3

4 The threat of a Citrix server being compromised either by malware or a malicious user exploiting vulnerabilities in the system is too dangerous to be ignored. A single successful attack now has the potential to impact a substantial number of critical applications. Most security solutions, such as Citrix s NetScaler, focus on securing access to the multiuser desktop itself. With this product or using similar solutions, an organization can address several important concerns in this area including: External Network Firewall - Blocks external users or attackers from accessing datacenter resources, including the virtual desktop infrastructure and multi-user desktop systems. Intrusion Detection/Prevention - Monitors application data entering and leaving the datacenter. When malicious traffic is identified by comparing it to known attack signatures, the intrusion prevention system (IPS) drops the connection and/or logs the event. Secure Remote Access - An SSL-VPN server provides access control and a secure encrypted tunnel for connections. This allows only authenticated users on authorized, compliant devices to connect to desktop resources. An often less addressed area is securing access from the multi-user desktop to datacenter applications and resources. The challenge is that all traffic using the Citrix/Terminal Server is seen on the network as coming from a single IP address, sometimes representing dozens of users. Using VDI to give each individual a complete virtual desktop system rather than publishing multiple user spaces on a single OS Kernel space is a costly alternative that only addresses a small portion of the issue. Networklayer IP-centric access controls do not take the actual user into account. For a traditional firewall, this means that an access rule is needed to allow the server to access every resource that any user on that server could need. In the case of VDI desktop pools it means preassigning each individual user s IP address in a predictable way. In practice, these access rules can often become a permit all for the Citrix/Terminal Server multiuser desktop or VDI environment IP address pools. More Security is Needed The new threat landscape we now live in requires us to consider the security implications of compromised accounts and machines far more than in the past. The threat of a Citrix server being compromised either by malware or a malicious user exploiting vulnerabilities in the system is too dangerous to be ignored. A single successful attack now has the potential to impact a substantial number of critical applications. For example, there have been a number of reported break-ins where compromised credentials allowed access to a terminal server that was acting as a jump box. This terminal server access provided the opening that attackers required to establish unimpeded access to retail POS systems. This single compromised account led to countless credit card details and customer records being stolen. In today s evolving threat landscape new vulnerabilities are constantly being discovered in operating systems, and Citrix and Microsoft both stress the need to always install their latest security updates. However this process of enumerating bad behavior is limited to a reactive approach to security. New malware and attack vectors are always being developed, and a compromised Citrix server with access to secure network areas can be used as a launching point for a serious attack. The reason that attacks like this are successful is because controlling a user s access to their desktop and/or applications is just one side of the equation. In order to truly protect corporate data and resources there also needs to be tight user-based controls around network access from virtual desktops. Moving Away from IP-centric to Role-based Access Controls To solve this problem, enterprises need to move away from IP-centric architectures to a role-based security model that maintains the distinction between individual users connecting through a Citrix or Windows Terminal, then provisions access on the network and application level depending on those users roles and attributes. Cryptzone s AppGate can deliver this functionality, by replacing Discretionary Access Control (DAC) devices like traditional and next generation firewall systems with a fully context aware user and session specific dynamic application firewall. 4

5 By placing the AppGate Security Server between the VDI and multiuser desktop environment and the rest of the corporate datacenter this access can be securely controlled (see Figure 2). Unlike traditional firewalls, AppGate is able to dynamically enforce access on a per user basis, even when those users share the same physical host. It accomplishes this using Cryptzone s patented methodology that uniquely identifies each virtual desktop s traffic on the network on a per user session basis. TM Cluster Internal External Encryption- Always assume that unauthorized users are able to intercept communication, regardless of whether services are accessed internally or remotely. All communication between the AppGate client running on the virtual desktop and the AppGate server is strongly encrypted using one of several configurable methods. Authentication - Strong user authentication is the first step in gaining authorized access to applications, services and data essential for information security and risk mitigation. The user is prompted for authentication credentials including one or multiple chained authentication methods such as Active Directory, Radius, RSA, or builtin options like Cryptzone s OTP. 192.###.### ###.###.100 Citrix Users & Virtual Desktop Infrastructure User A Cryptzone AppGate Cryptzone AppGate SSL NETSCALER User B Session Authorization - In an environment where users can access information from different types of devices in a wide array of locations, advanced authorization methods must include the ability to capture the posture and context of each session. Once credentials are authenticated, the AppGate server examines contextual data such as client posture information (anti-virus (AV) version, corporate watermarks, etc.), time of day, geographic location, and more. AppGate TM WALLED-GARDEN User Account groups attributes Device Attributes posture context POLICY ENGINE ACL USER A TUNNELING DRIVER User Traffic Isolated For Individualized Policy Treatment WALLED-GARDEN User Account groups attributes Device Attributes posture context POLICY ENGINE ACL USER B Policy Enforcement - Each transaction must be evaluated against security policies to determine which resources should be made available to a specific user, on a specific device, in a specific environment. Account information gathered from the authentication source and contextual data gathered during the authorization phase are used to determine what services, applications and resources are presented to the user. Access rules are then dynamically created when the user accesses a resource, and are torn down once the user disconnects from that resource. In this way there are never any permanent permit all style access rules to be exploited by attackers. This also prevents any potential attacker from scanning the datacenter to determine what IP addresses and ports are available to exploit. Data Centers SECURE MICRO-SEGMENT SECURE MICRO-SEGMENT Global Audit and Logging - All session activity is recorded in an enforceable manner to assist with both investigations and compliance reporting. All user access must be systematically logged and accurately tracked to support on-demand security reporting and auditing for compliance. Figure 2 In figure 2 above the AppGate cluster (appliance or VM) is placed between the Citrix/Terminal Server farm and any area of the network that needs a higher degree of security. Two users are connected to the same virtual desktop server: User A from an internal network and User B through an external SSL VPN. The AppGate server provides an individual user-specific policy for controlling access to the network connected resources in the data center. When either needs to access a secured datacenter resource, they launch the AppGate client and connect to the AppGate server using a five layer security model: Conclusion Multi-user and virtual desktop infrastructures like Citrix s XenDesktop and XenApp solutions or Terminal Server offer too many tangible benefits to be ignored, but they also come with several security concerns. Securing Citrix user access requires more than just authenticating a user before they access their desktop. With AppGate, an organization is in a much better position to defend against cyber attacks than if its Citrix and Terminal Server users were represented by a single IP address. It can provision access to network resources and applications based on what an individual needs to do their job, rather than everybody who uses the same server. AppGate can also produce better security alerts - and meet compliance objectives - via the ability to trace activity back to a single user. 5

6 About Cryptzone Cryptzone secures the enterprise with dynamic, identity-driven security solutions that protect critical services, applications and content from internal and external threats. For over a decade, enterprises have turned to Cryptzone to galvanize their Cloud and network security with responsive protection and access intelligence. More than 750 public sector and enterprise customers, including some of the leading names in technology, manufacturing and consumer products trust Cryptzone to keep their data and applications secure. For more information go to or follow Americas: Europe, Middle East, Africa: (UK, SE, DACH ) sales@cryptzone.com Copyright 2015 Cryptzone North America Inc. All rights reserved. Cryptzone, The Cryptzone Logo and AppGate are trademarks of Cryptzone North America Inc., or its affiliates. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other product names mentioned herein are trademarks of their respective owners. 6