Solutions in Security Securing Remote Access to the Virtual Workplace

(1)

Solutions in Security

Securing Remote Access to the

(2)

Secure Centralized Business Solutions

Following September 11 attacks as reported by reuters:

“This tragedy and others have brought home that the

security of systems, applications, and data is a very

serious issue.”

“The need before this tragedy was cost. Now, the issue

is security, which will lead to an architecture that has far

more concentration of data, processing, and applications

in secure servers, and much more lightweight, protected

access devices.”

Louis Gerstner

(3)

Agenda

•Elements of a Secure Access Solution

•The Secure Citrix Virtual Workplace

•Securing Remote Access using a Citrix Extranet VPN

•Securing Remote Access using CSG 1.0

(4)

(5)

Elements of Secure Remote Access

Secure Remote Access consists of:

•

Encryption

•

Authentication

•

Access Control

•

Traffic Management

(6)

Elements of Secure Remote Access

Encryption

•

Scrambles data so that only those who have the key to read

the information are able to decode the message

•

Keys are protected through a key management system

•

Public Key Infrastructures (PKIs)



Essential to solutions utilizing digital certificates



As solution grows in complexity and size, number of keys to

(7)

Authentication

•

Process of verifying that the sender is actually who he/she

says they are

•

Various authentication methods are available



Traditional username/password authentication



RADIUS or TACACS/TACACS+ servers, LDAP-compliant

directory servers



X.509 digital certificates



two-factor schemes ( hardware tokens and smart cards)

(8)

Access Control and Management

• A VPN without access control only protects communications — not your network

• Dictates the amount of freedom a VPN user has

• Protects the components of the network

 Intellectual property

 Information Services

 _Applications

• Ensure that users have full access to what they need, but nothing more

(9)

Traffic Control

• Network congestion can adversely affect performance

• Solution benefits will not be fully realized if users suffer from:

 poor response times

 gateway crashes

 _{other network delays or failures}

• Guarantee reliability and Quality of Service

• Enable managers to define policies that actively allocate bandwidth traffic based on relative merit or importance

• Ensure performance of mission-critical applications without “starving” lower priority applications

(10)

Enterprise Management

•

Ability to manage increasing complexity is crucial.

•

Imperative that the remote access can be managed from the

same integrated console as the rest of the organization's

security elements.

•

“Extended Enterprise” has increased the number of

applications, users, and IP addresses in use across many

organizations.

•

A true enterprise secure remote access solution must be

able work across multiple platforms in order to be effective.

(11)

Secure Access Solution

(12)

Citrix Systems…

Who are we?

• We are the application access and deployment company

• We provide application deployment solutions for today’s web and

wireless world

• We provide security solutions for your Citrix Extranet and internet

access

• We provide centralized application and information access solutions

to help make your business more productive

(13)

What is the Virtual Workplace?

The Virtual Workplace is…

• Having access to all of the information you want and need in order to do your job

• Getting that information to come to you, rather than having to go out and find it

• Having access to any applications and tools necessary to manipulate that information

• Having secure access to corporate resources from any computer, anywhere, regardless of your bandwidth, hardware, network

connection, or operating system

(14)

Citrix Product Overview

Citrix MetaFrame™ XP

• Server-based computing solution that delivers an application interface over any network to any device.

Citrix Extranet™

• Two-factor authentication and access control VPN for Secure Internet application access.

Citrix NFuse™ Technology

• Application portal technology. Seamlessly

integrate any application within any standard web browser.

Citrix Secure Gateway

(15)

Components of the Secure Virtual Workplace

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Citrix

Extranet 2.5

Web Server w/ Citrix NFuse 1.6 Technology Encrypted

VPN Tunnel

Secure Connectivity Authentication Access Mgmt.

Other Network Resources such as Databases, Messaging Services, File Shares, Data Warehouse

(16)

Components of the Secure Virtual Workplace

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1 Citrix Secure

Gateway

Citrix NFuse 1.6 Technology ICA and SSL

Other Network Resources such as Databases, Messaging Services, File Shares, Data Warehouse

(17)

Securing the Virtual Workplace Using

Citrix Extranet 2.5 VPN

(18)

Security with Citrix Extranet 2.5

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Citrix

Extranet 2.5

Web Server w/ Citrix NFuse 1.6 Technology Encrypted

VPN Tunnel

Other Network Resources such as Databases, Messaging Services, File Shares, Data Warehouse Mobile Users Remote Offices, Partners, Suppliers, etc. Branch Offices, Partners, Suppliers, Customers Citrix Extranet 2.5 Encrypted VPN Tunnel

F

ir

ew

al

l

Branch Users

Replicated Network Resources such as

MetaFrame Server Farms, Replicated Databases, Messaging Services, File Shares, Data Warehouse

(19)

Encryption

•

Provides the highest level of Encryption

 3DES (168 bit) using IPSEC Connection method

 DES (128 bit) when used in SSL Proxy mode

•

Keys are protected through a key management system

 _{On-Line Registration distributes Keys}

 Keys are managed using Admin Console

•

Support for PKI Certificates

 PKI Certificates can be managed using Citrix Extranet Admin Tools

(20)

Authentication

•

Various authentication methods are supported

 Traditional UID Server included with Citrix Extranet

 Entrust and PKI

 RADIUS/ACE and LDAP

 _{Secure Computing} _{SafeWord PremiereAccess}_{Tokens, RSA and} other hardware tokens and smart cards

•

Can reside on Citrix Extranet Server or Dedicated Server

•

Provides for configuration of a backup authentication

server

(21)

Access Control and Management

• Assign User and Group based controls

 Support for nested groups

• IP Access Control

 Control resource access by IP Address and service port number

• Web Access Control

 Control web access by URL and directory name

Security with Citrix Extranet 2.5

F

ir

ew

al

l

Citrix

Extranet 2.5

UID Service Encrypted

VPN Tunnel

(22)

Traffic Control

• Cisco QoS Device Manager 2.01

 Software service component that is installed on Cisco Routers

 _{Traffic Classification, Low Latency Thresholds,} Real-Time Monitoring, Manage Simple Access Control Lists  QoS preclassification, allows admins to apply QoS on

VPN connections

• Packeteer Packet Shaper

 Application traffic and bandwidth management system

 Automatic traffic discovery

 Classify, Analyze, Monitor, and Control critical traffic

 Provides bandwidth utilization Reports and Real-Time

Monitoring

(23)

Enterprise Management

•

Console tool can be installed on any NT/Win2K machine



Web and Desktop Admin Consoles



Intuitive interfaces

(24)

Enterprise Management (cont’d)

•

Clients available for Windows 9x/M

e

/NT/Win2K/CE, Pocket

PC, Palm, Mac, Sun and Linux

•

Zero footprint Java applet client

 Runs in background, executes from browser

 Token and Pin number type authentication is supported

(25)

ICA Solutions

(26)

Security with Citrix Secure Gateway

Remote and Mobile Users, Branch Offices, Partners, Suppliers, etc.

https://vwp.mycompany.com (Internet based DNS Load Balancing)

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Citrix Secure Gateway

Back-end Network Resources Secure Ticket Authority Local Users

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Secure Connectivity Authentication Access Mgmt.

(27)

Encryption and Connectivity

• Secures ICA Traffic only

• SSL v3.0 with 128-bit encryption

• Support for Public Key Infrastructure (PKIs)

• Single IP address is exposed to internet

• Ease of firewall traversal (uses port 443 only)

Security with Citrix Secure Gateway

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Back-end Network Resources

(28)

Authentication

• Single sign-on through a browser-based solution

• Authentication provided by NFuse Web portal

 Microsoft NT Domain and Active Directory

 Novell NDS

• Support for Public Key Infrastructure (PKI)

• Authentication process is further secured using an HTTPS configured NFuse Web server

• RSA and Smart Card Authentication solutions supported

Security with Citrix Secure Gateway

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

(29)

Access Control and Management

• Protects ICA Traffic only

• Provides Access control to chosen MetaFrame XP servers

• MetaFrame XP provides User and Group based Application Access Control and Management

 Citrix Management Console used to control MetaFrame Server Farm

 IP Range controls let administrators control which IP addresses can access published applications

 Users on external IP addresses can have limited application sets

Security with Citrix Secure Gateway

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

(30)

Traffic Control

• Configurable device mapping

 Control mapping features that are available to users of ICA

 Mapping includes Hard Drives, Printers, Audio, Clipboard, Audio, and COM ports

 _{Limiting availability eliminates bandwidth usage from components}

 Limiting mapping also increases security

 Users cannot cut and paste, save files remotely, or print company owned data

• ICA Session Monitoring

 _{Monitor ICA protocol use by Virtual Channel}

 Monitor size of packet and type of data (print, display, clipboard, etc.)

• ICA Priority Packet Tagging

 Provides support for 3rd_{Party QoS solutions}

 Cisco QoS and Packeteer Packet Shaper

(31)

Enterprise Management

• Citrix Secure Gateway is highly scalable and provides support for redundant solutions such as DNS-based Load Balancing

• MetaFrame XPe and the IMA architecture scales to 1000+ servers and tens of thousands of users

• Citrix Management Console provides management for application availability and access control

 _{Load Management}

 _{Network Management integrates to Enterprise Management tools} from such as HP Openview, CA Unicenter, and Tivoli Netview  _{System Monitoring and Analysis provides usage monitoring,}

trending, and accounting capabilities

 _{Application Packaging and Delivery to MetaFrame Servers}

• MetaFrame is also available for UNIX on Sun Solaris, HPUX and IBM AIX

• Supported ICA Clients available for all Windows platforms as well as Pocket PC, Unix, and Mac

(32)

Security with Citrix Secure Gateway

Availability

•

Product will be available in December

 Download from secure portal

 Subscription Advantage Customers Only

_{MetaFrame XP}

_{MetaFrame for Unix}

 Cannot be purchased separately

•

Technical Preview is currently available

 Download from Citrix Developer Network

_{Register at apps.citrix.com/cdn}

_{Preview available at apps.citrix.com/cdn/snowy}  Accompanying documentation located here as well

(33)

Server Based

Computing

(34)

Server Based Computing for Security

Server Based Computing is like a window to your

house -

You decide how big the windows is, You decide

what’s in the house, You decide how many windows you want

to have

• Application Access Management – Not just network resource control • Secure Run-time Environment – Not just the connection, but the

applications and functions that can be accessed over that connection • Single Point of Universal Anywhere Access

• Complete End-to-End Control

(35)

Server Based Computing for Security

Application Access Management

– Users run only the

applications that you want, the way you want to run them

• Users can look, but they can’t touch

 You control whether the user can

 Cut & Paste

_{Save information to a local hard drive}  Print information to hard copy

 Send information to attached devices (serial devices like PDA’s)  You decide which features are available

 Back-end data can be secured using OS Security

_{Only install the features that you want to make available}

 Only publish the applications that you want your users to have

(36)

Server Based Computing for Security

Single Point of Universal Anywhere Access

• Remote access can be achieved from any class or type of device

• Users go to a web site and:

1. Logon for secure connection

2. Automatically receive a client download (if necessary)

3. Access only the applications and information you make available

F

ir

ew

al

l

Citrix Extranet, CSG

Web Server w/ Citrix NFuse 1.6 Technology Encrypted

Traffic

Citrix MetaFrame XP w/ Feature Release 1

(37)

Server Based Computing for Security

Complete End-to-End Control -

All Management tools

necessary to manage the entire Application Computing

Environment are under you control and within your reach

 VPN Management and Remote Access tools for connection security

 Citrix Management Console to manage application availability

 _{OS and Network Enterprise Management for user and network security}

• The entire user environment is contained behind your firewall from interface to information

Secure Connection and Auth.

Citrix

(38)

Server Based Computing for Security

Intranet AND Remote Access Solution in one

• Secure Remote Access Solutions from Citrix:

 Secure Intranet and Remote Users

 Can be used an an everyday enterprise networking and access solution

• Benefit

 Every day users access their applications by

 Accessing an internal web site _{e.g. - www.myvirtualdesktop.net}

 _{If remote access needs arise or In the event of a disaster}

 Users access a similar external web site  e.g - www.virtualdesktop.mycompany.com

(39)

MetaFrame XP

• MetaFrame XP Supports Authentication to

 Microsoft NT and Active Directory

 Novell NDS

• Program Neighborhood allows added access management

 _{VPN will control which resources are accessible}

 MetaFrame will control which applications are accessible

 Centralized architecture allows complete control of users computing environment, regardless of device, OS, connection, etc

 _{Administrators can prevent users from copy and pasting, saving} files, or printing company data

• Traffic Monitoring and Management

 Third Party products from Cisco and Packeteer for QoS

 ICA Traffic Monitoring provided in MetaFrame XPa/e

 _{Device mapping management}

(40)

MetaFrame XP

e

• Enterprise Management

 System Monitoring and Analysis

 Application Packaging and Delivery

_{Installs applications, hotfixes, and service packs on Servers}

_{Supports MSI packages}

 Supports scheduled installation and auto server reboot

 Network Management

_{SNMP alert support}

₃rd_{party support - HP Openview, CA Unicenter, Tivoli Netview}

(41)

Value-Add of NFuse Web portal

• SSL support is provided by MetaFrame XP

• Authentication

 Microsoft and Novell methods supported

 _{Ticket style authentication can be used in conjunction with user name} and password to secure credentials

• Access Management takes place at the MetaFrame server

 _{Utilizes Program Neighborhood}

 _{Unified aggregation point for applications and information}

• Enterprise Features

 _{Runs in a web browser and is accessible from anywhere}

 _{Plugs directly into Enterprise Portal}

 _{Provides support for flexible business continuity solutions}

 _{Automatic Citrix ICA client installation}

 _{Use NFuse with Citrix Extranet Java Applet for 100% browser based} solution

(42)

Secure Remote Access with Citrix Solutions

Summary:

•

Citrix Solutions provide the:

 Encryption

 Authentication

 Access Control

 _{Traffic Management}

 Enterprise Class Features and Scalability

•

Required to secure

 Workforce Mobility

 Business Continuity Solutions

(43)