Does your Citrix or Terminal Server environment have an Achilles heel?

CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com

Table of Contents
Executive Summary
The Popularity of Virtual Desktops
The Inherent Security Risks of Multi-User Desktop Environments
More Security is Needed
Moving Away from IP-centric to Role-based Access Controls
Conclusion

Executive Summary

Citrix and Terminal Servers provide highly valuable functionality for session-based access, but to date have had an Achilles heel when it comes to privileged account management across multiple users. Citrix and Terminal Servers allow multiple virtual desktops to share a single hardware resource. This grants several benefits, but also causes additional security concerns not typically found in traditional distributed desktop environments. Citrix and others have primarily focused on securing user access to the virtual desktop infrastructure, but not enough attention has been paid to securing access from those desktops to the datacenter applications the users rely on. This white paper highlights the information security risks inherent in all multi-user virtual desktop solutions, and offers a better way to secure access using a zero trust security methodology.

The Popularity of Virtual Desktops

Many enterprises have chosen to virtualize their corporate desktop environments using either Citrix's XenDesktop and XenApp solutions or Terminal Servers. These are Windows-based multi-user systems, used to present corporate applications to employees in a secure and controlled environment. The technology is a real business asset, great for presenting applications or a desktop to any user from almost any device and any location. There are multiple use cases for these systems, including remote access, jump servers connected to secure networks, and access to privileged applications and resources. They also allow an organization to greatly reduce its need to manage employee devices, and are designed to improve application response without data leaving the corporate network. Many of these benefits derive from being able to place the virtual desktops on hardware within the datacenter.
The Inherent Security Risks of Multi-User Desktop Environments

[Figure 1 (Cryptzone representation of NetScaler use): Citrix users, internal (192.###.###.100) and external (185.###.###.100), connect over SSL through a NetScaler and a firewall to the Virtual Desktop Infrastructure, which in turn reaches the Data Center servers across the WAN.]

This placement of client desktops inside the datacenter also results in many security concerns. Citrix has published a white paper [1] detailing many of the risks inherent in environments with multi-user desktops and virtual desktop infrastructure (VDI). These include remote access to the virtualized desktop environment, the proliferation of unmanaged personal devices used to connect to that environment, the access that virtual desktop users have to downstream network resources, and the concentration of corporate resources onto a few virtual hosts rather than distributing them among many user workstations. To counteract these vulnerabilities, Citrix recommends utilizing their NetScaler appliance as shown in Figure 1 [2].

[1] http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/securing-virtual-desktops-infrastructure-withcitrix-netscaler.pdf?accessmode=direct
[2] Cryptzone representation of NetScaler use

Most security solutions, such as Citrix's NetScaler, focus on securing access to the multi-user desktop itself. With this product or similar solutions, an organization can address several important concerns in this area, including:

External Network Firewall - Blocks external users or attackers from accessing datacenter resources, including the virtual desktop infrastructure and multi-user desktop systems.

Intrusion Detection/Prevention - Monitors application data entering and leaving the datacenter. When malicious traffic is identified by comparing it to known attack signatures, an intrusion detection system (IDS) logs the event and an intrusion prevention system (IPS) additionally drops the connection.

Secure Remote Access - An SSL-VPN server provides access control and a secure encrypted tunnel for connections. This allows only authenticated users on authorized, compliant devices to connect to desktop resources.

An often less addressed area is securing access from the multi-user desktop to datacenter applications and resources. The challenge is that all traffic leaving the Citrix/Terminal Server is seen on the network as coming from a single IP address, which may represent dozens of users. Using VDI to give each individual a complete virtual desktop rather than publishing multiple user sessions on a single OS kernel is a costly alternative that only addresses a small portion of the issue. Network-layer, IP-centric access controls do not take the actual user into account. For a traditional firewall, this means that an access rule is needed to allow the server to reach every resource that any user on that server could need. In the case of VDI desktop pools it means pre-assigning each individual user's IP address in a predictable way.
In practice, these access rules often become a "permit all" for the Citrix/Terminal Server multi-user desktop or VDI environment IP address pools.

More Security is Needed

The threat landscape we now live in requires us to consider the security implications of compromised accounts and machines far more than in the past. The threat of a Citrix server being compromised, either by malware or by a malicious user exploiting vulnerabilities in the system, is too dangerous to be ignored. A single successful attack now has the potential to impact a substantial number of critical applications. For example, there have been a number of reported break-ins where compromised credentials allowed access to a terminal server that was acting as a jump box. That terminal server access gave the attackers the foothold they needed to establish unimpeded access to retail POS systems, and a single compromised account led to countless credit card details and customer records being stolen. In today's evolving threat landscape new vulnerabilities are constantly being discovered in operating systems, and Citrix and Microsoft both stress the need to always install their latest security updates. However, patching known vulnerabilities and matching known attack signatures are both ways of enumerating bad behavior, which limits them to a reactive approach to security. New malware and attack vectors are always being developed, and a compromised Citrix server with access to secure network areas can be used as a launching point for a serious attack. Attacks like this succeed because controlling a user's access to their desktop and/or applications is only one side of the equation. To truly protect corporate data and resources there also need to be tight user-based controls around network access from the virtual desktops themselves.
Moving Away from IP-centric to Role-based Access Controls

To solve this problem, enterprises need to move away from IP-centric architectures to a role-based security model that maintains the distinction between individual users connecting through a Citrix or Windows Terminal Server, then provisions access at the network and application level depending on those users' roles and attributes. Cryptzone's AppGate can deliver this functionality by replacing Discretionary Access Control (DAC) devices like traditional and next-generation firewall systems with a fully context-aware, user- and session-specific dynamic application firewall.
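The contrast the preceding sections draw between IP-centric firewall rules and a user- and session-specific policy can be made concrete in a few lines of code. The following is an added example written for this page; it is not AppGate code and does not reproduce Cryptzone's methodology. It models a farm whose users all egress from one address, a traditional rule base that can only key on that address, and a policy engine that instead decides per user from group membership and session context (endpoint posture, time of day), creating a rule only while the session uses a resource and attributing every decision in an audit record. All addresses (RFC 5737 documentation ranges), user names, groups and resources are constructed for the illustration.

```python
"""Added example (not from the paper or from Cryptzone): an IP-centric
firewall rule base versus a per-session, identity-aware policy engine for
users who share one Citrix/Terminal Server. Every address, user, group and
resource is constructed for the illustration (RFC 5737 ranges)."""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional
import ipaddress

# Constructed topology: the whole farm egresses from one address, so the
# network sees User A and User B as the same source.
TERMINAL_SERVER_IP = "192.0.2.100"
PAYROLL_DB = ("198.51.100.10", 1433)   # what finance needs
POS_MGMT = ("198.51.100.20", 443)      # what retail operations needs
HR_APP = ("198.51.100.30", 8443)       # what HR needs
DATACENTER = [PAYROLL_DB, POS_MGMT, HR_APP]


# ---- IP-centric model: a traditional rule base keyed on addresses ----------
@dataclass(frozen=True)
class IpRule:
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None means any port


def ip_firewall_allows(rules, src_ip, dst):
    """A traditional firewall sees only addresses and ports; the user is invisible."""
    src = ipaddress.ip_address(src_ip)
    dst_ip, dst_port = ipaddress.ip_address(dst[0]), dst[1]
    return any(
        src in ipaddress.ip_network(r.src)
        and dst_ip in ipaddress.ip_network(r.dst)
        and (r.port is None or r.port == dst_port)
        for r in rules
    )


# Finance, retail-ops and HR users all sit on the same host, so the only rule
# that lets each of them reach their own resource is one that lets the host
# reach all of them: the "permit all" the paper warns about.
IP_CENTRIC_RULES = [IpRule(f"{TERMINAL_SERVER_IP}/32", "198.51.100.0/24", None)]


# ---- Identity-centric model: per-session rules built from context ----------
@dataclass
class Session:
    user: str
    groups: frozenset
    av_current: bool         # client posture gathered at authorization
    login_time: time         # context gathered at authorization
    acl: set = field(default_factory=set)  # rules live only for this session


ROLE_POLICY = {"finance": {PAYROLL_DB}, "retail-ops": {POS_MGMT}, "hr": {HR_APP}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
AUDIT_LOG = []  # (user, resource, decision): every entry names the user


def authorize(session, resource):
    """Policy engine: evaluate account attributes plus session context and,
    on success, create a rule scoped to this user's session only."""
    permitted = set().union(*(ROLE_POLICY.get(g, set()) for g in session.groups))
    if not session.av_current:
        decision = "deny: endpoint posture"
    elif not BUSINESS_HOURS[0] <= session.login_time <= BUSINESS_HOURS[1]:
        decision = "deny: outside business hours"
    elif resource not in permitted:
        decision = "deny: role"
    else:
        decision = "allow"
        session.acl.add(resource)  # rule created on access ...
    AUDIT_LOG.append((session.user, resource, decision))
    return decision == "allow"


def disconnect(session):
    """... and torn down on disconnect, so no permanent rule survives."""
    session.acl.clear()


def reachable_from_host(rules):
    """What a scan launched from the shared host would find under IP rules."""
    return [r for r in DATACENTER if ip_firewall_allows(rules, TERMINAL_SERVER_IP, r)]


def compare():
    """Run both models for two users on the same host and report the outcome."""
    user_a = Session("alice", frozenset({"finance"}), True, time(9, 30))
    user_b = Session("bob", frozenset({"retail-ops"}), True, time(10, 0))
    result = {
        # IP model: both users are the same source, so both reach payroll
        "ip_model_bob_reaches_payroll": ip_firewall_allows(IP_CENTRIC_RULES, TERMINAL_SERVER_IP, PAYROLL_DB),
        "ip_model_scan_finds": len(reachable_from_host(IP_CENTRIC_RULES)),
        # identity model: same host, different answers per user
        "id_model_alice_reaches_payroll": authorize(user_a, PAYROLL_DB),
        "id_model_bob_reaches_payroll": authorize(user_b, PAYROLL_DB),
        "id_model_bob_reaches_pos": authorize(user_b, POS_MGMT),
    }
    disconnect(user_b)
    result["bob_rules_after_disconnect"] = len(user_b.acl)
    # a client failing posture is refused before any rule exists
    stale = Session("mallory", frozenset({"finance"}), False, time(3, 0))
    result["stale_client_reaches_payroll"] = authorize(stale, PAYROLL_DB)
    result["denied_users_in_log"] = sorted({u for u, _, d in AUDIT_LOG if d != "allow"})
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run directly, the script prints the comparison: under the single IP rule both users, and a scan launched from the host, reach every resource; under the per-session model the same two users on the same host get different answers, the client with stale anti-virus is refused before any rule exists, and nothing remains once a session disconnects. The audit record names the user behind each decision, which a rule keyed on the shared address cannot do.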

By placing the AppGate Security Server between the VDI and multi-user desktop environment and the rest of the corporate datacenter, this access can be securely controlled (see Figure 2). Unlike traditional firewalls, AppGate is able to dynamically enforce access on a per-user basis, even when those users share the same physical host. It accomplishes this using Cryptzone's patented methodology that uniquely identifies each virtual desktop's traffic on the network on a per-user-session basis.

[Figure 2: Citrix users and Virtual Desktop Infrastructure (User A internal, 192.###.###.100; User B external, 185.###.###.100, via SSL/NetScaler) connect through a Cryptzone AppGate cluster to the Data Centers. Inside AppGate a tunneling driver isolates each user's traffic for individualized policy treatment; each user's walled garden feeds user account attributes (groups) and device attributes (posture, context) to a policy engine that produces a per-user ACL (USER A, USER B) into secure micro-segments.]

In Figure 2 above the AppGate cluster (appliance or VM) is placed between the Citrix/Terminal Server farm and any area of the network that needs a higher degree of security. Two users are connected to the same virtual desktop server: User A from an internal network and User B through an external SSL VPN. The AppGate server provides an individual, user-specific policy for controlling access to the network-connected resources in the data center. When either needs to access a secured datacenter resource, they launch the AppGate client and connect to the AppGate server using a five-layer security model:

Encryption - Always assume that unauthorized users are able to intercept communication, regardless of whether services are accessed internally or remotely. All communication between the AppGate client running on the virtual desktop and the AppGate server is strongly encrypted using one of several configurable methods.

Authentication - Strong user authentication is the first step in gaining authorized access to applications, services and data, and is essential for information security and risk mitigation. The user is prompted for authentication credentials using one or multiple chained authentication methods such as Active Directory, RADIUS, RSA, or built-in options like Cryptzone's OTP.

Session Authorization - In an environment where users can access information from different types of devices in a wide array of locations, advanced authorization methods must include the ability to capture the posture and context of each session. Once credentials are authenticated, the AppGate server examines contextual data such as client posture information (anti-virus (AV) version, corporate watermarks, etc.), time of day, geographic location, and more.

Policy Enforcement - Each transaction must be evaluated against security policies to determine which resources should be made available to a specific user, on a specific device, in a specific environment. Account information gathered from the authentication source and contextual data gathered during the authorization phase are used to determine what services, applications and resources are presented to the user. Access rules are then dynamically created when the user accesses a resource, and are torn down once the user disconnects from that resource. In this way there are never any permanent "permit all" style access rules to be exploited by attackers. This also prevents a potential attacker from scanning the datacenter to determine what IP addresses and ports are available to exploit, beyond the resources an authenticated session is currently authorized to reach.

Global Audit and Logging - All session activity is recorded in an enforceable manner to assist with both investigations and compliance reporting. All user access must be systematically logged and accurately tracked to support on-demand security reporting and auditing for compliance.

Conclusion

Multi-user and virtual desktop infrastructures like Citrix's XenDesktop and XenApp solutions or Terminal Server offer too many tangible benefits to be ignored, but they also come with several security concerns. Securing Citrix user access requires more than just authenticating a user before they access their desktop. With AppGate, an organization is in a much better position to defend against cyber attacks than if its Citrix and Terminal Server users were represented by a single IP address. It can provision access to network resources and applications based on what an individual needs to do their job, rather than on everybody who uses the same server. AppGate can also produce better security alerts, and meet compliance objectives, through the ability to trace activity back to a single user.

About Cryptzone

Cryptzone secures the enterprise with dynamic, identity-driven security solutions that protect critical services, applications and content from internal and external threats. For over a decade, enterprises have turned to Cryptzone to galvanize their cloud and network security with responsive protection and access intelligence. More than 750 public sector and enterprise customers, including some of the leading names in technology, manufacturing and consumer products, trust Cryptzone to keep their data and applications secure. For more information go to www.cryptzone.com or follow us @Cryptzone.

Americas: +1.855.427.9789
Europe, Middle East, Africa: +44 208 899 6189
00 800 9111 3358 (UK, SE, DACH)
www.cryptzone.com
sales@cryptzone.com
Twitter: @cryptzone

Copyright 2015 Cryptzone North America Inc. All rights reserved. Cryptzone, The Cryptzone Logo and AppGate are trademarks of Cryptzone North America Inc., or its affiliates. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other product names mentioned herein are trademarks of their respective owners.