Whoa,
This is way overkill. The solution provided earlier was a very simple and
elegant solution using existing and proven technology that is freely
available and does not require more than a couple of weeks of
interoperability testing.
This is really the sad part of security products: even providing a simple
two-factor authentication security architecture becomes an overly designed
and vendor finger-pointing issue.
You look back at stuff that has been around and free for a while and wonder
why people don't get it. It is because they want the "no Muss, no Fuss"
solution.
I would rather put my own solution together, which would be done in a week,
versus waiting for some vendor to say to me "Oh yeah, we'll fix it in the next
version".
forget it..
/slip, fumble.. Sorry, I fell off my soap box :)
/cheer
At 07:43 PM 7/13/00 -0500, Frank Knobbe wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
> > -----Original Message-----
> > From: David Lang [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 13, 2000 5:10 PM
> >
> > how do you setup Citrix to use two factor authentication?
> >
> > I am working on this now and after having both microsoft (terminal
> > server) and Citrix reps in they have said that if you really need
> > that sort of security run citrix through a VPN and do the
> > authentication on the VPN.
>
>As of today (at least as far as I know) these are your options. Either use
>a VPN or, if you are using/planning to use SecureICA, just open a
>port on the firewall after successful authentication. I think the
>SecureICA (128 bit encryption on the ICA protocol itself) and a port
>opened after token authentication against the firewall is the
>preferred method. A VPN would add overhead on the traffic. Running
>ICA through IPSec performs pretty well, but don't use PPTP. Besides
>the known vulnerabilities, the performance ... well... just plain
>sucks...
>
>I almost had Vasco rewrite their GINA (graphical logon interface on
>NT) to be compatible with Terminal Server. That GINA is loaded to use
>their tokens, especially the challenge/response based one (with the
>flashing bar code on the screen). Works great on NT WS/S/SEE, however
>under Terminal Server it behaved strangely. If you logged off, the
>prompt wouldn't come back. You actually had to disconnect and perform
>another step. This issue was due to the multi-user additions in the
>GINA under Terminal Server.
>
>I have not seen another token GINA that worked properly with Terminal
>Server. If someone knows of a token vendor who supports TS, please
>let me know, because that would be the holy grail. In that case you
>could allow ICA connections to the Terminal Server without having to
>authenticate on the firewall first. Without a token, you wouldn't get
>in. This comes in especially handy if you serve Terminal Server sessions
>through a web page. Just open your browser, connect to your server,
>authenticate with token to Citrix and you're in.... This remains a
>dream of mine... sigh.
>
> > the next best thing they have been able to say is to use the
> > browser-based
> > version of the client that authenticates to the web server
> > (HTTP or HTTPS
> > are supported) and implement strong authentication on the web
> > server before access is allowed to the citrix URL.
>
>Nope. As far as I remember, the client is loaded through the page
>(ActiveX control), but still establishes an ICA protocol session to
>the Terminal Server. In other words, anyone with a client could hit
>the port directly.
>
> > 1. you are forced to use the browser based client, poorer
> > performance than
> > the full client from what I have been told.
>
>Yeah, it's slightly better using the client instead of the web page.
>
> > 2. I am nervous about letting port 1494 through because I don't
> > fully understand how the authentication works between the web
> > server and the citrix server. The 'correct' way for things to happen
> > is for the client to connect to the web server, authenticate, then
> > connect to 1494, but what's to stop a hacker from hitting 1494
> > directly and pretending that he has already authenticated?
>
>Yup. Though the problem is not that a hacker could spoof an active
>session (SecureICA uses keys that are exchanged during setup), but
>rather that anyone could get to the logon dialog and try
>username/password combos. This could result in a DoS if user
>accounts are locked out after failed attempts. Furthermore, someone
>might flood the ICA port, but then again, which port cannot be
>flooded...
>
> > This is assuming that we use the strong encryption option for
> > citrix or
> > that would also be a problem.
>
>Highly recommended.
>
>
>What firewall do you have in front of the Terminal Server?
>
>Regards,
>Frank
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP Personal Privacy 6.5.1
>Comment: PGP or S/MIME (X.509) encrypted email preferred.
>
>iQA/AwUBOW5iLERKym0LjhFcEQJlbQCfUNZnFfi8g71E81+Vl3mFie93RQsAniV5
>IZ0ADi50ruYDrx3Mv1G51suE
>=8HnY
>-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]