
© 2006 Roddy Rodstein all rights reserved Page 1

Smart Access in a Box 1.0

Author: Roddy Rodstein, CISSP, CEH, MCSE, CCA Senior SE, Western Region, Citrix Systems, Inc. [email protected]

NOTICE

The information in this publication is subject to change without notice.

This is not an official Citrix Systems, Inc. document.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”) SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Roddy Rodstein.

The exclusive warranty for any Citrix products discussed in this publication, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.

© 2005 Roddy Rodstein all rights reserved.

http://www.vellity.com

[email protected]

WARNING: The information found in this document was gathered from many different sources in the computing world. It is provided for informational purposes only. The authors assume no responsibility for its usage. Use common sense in applying these concepts and tips. Screen shots may vary from environment to environment. Please verify correctness and applicability in a test environment first and then deploy to your production environment(s).

Use the information found in this document at your own risk.

Trademarks

Microsoft, Microsoft Windows Server™ 2003, Windows® 2000 Server, Windows NT®, Microsoft Active Directory®, Microsoft® GINA, SharePoint Portal Server, SharePoint Team Services, Windows SharePoint Services, Exchange Server, IIS, SQL, Front Page, Office and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Adobe®, Adobe Acrobat®, Acrobat Reader® is a registered trademark of Adobe Systems, Inc. in the United States, other countries, or both.

Sun® Java® Directory Server, Solaris, Sun One, Java, Star Office and their respective logos are trademarks of Sun Microsystems Inc, in the United States, other countries, or both.

Linux and their respective logos are trademarks of Linus Torvalds, in the United States, other countries, or both.

UNIX® is a registered trademark of The Open Group in the United States, other countries, or both.

Citrix® Access Suite, Citrix® Presentation Server, Citrix® Access Gateway, Citrix® Password Manager, Citrix® Access Management Console, Citrix® License Server, ICA®, SpeedScreen™, Citrix® Access Gateway, Citrix® Advanced Access Control, Citrix® Secure Access Manager, Citrix® Password Manager, Citrix® Program Neighborhood, Citrix® ICA and their respective logos are trademarks of Citrix Systems, Inc. in the United States, other countries, or both.


Special Thanks

Smart Access in a Box is a by-product of my excitement working with Citrix products and experiences working for Citrix Systems Inc. as a Sr. Sales Engineer. I really hope you like Smart Access in a Box and find it useful for your Citrix education and deployments.

I must also say thanks to the following folks that helped to create what you see before you.

Special thanks to Doug Brown of DABCC.com. Doug is the originator of the “in the Box” series and continues to build upon his success with his latest book, Methodology in a Box. Without his contributions and support this document would not be the same. Thanks again Doug!

Special thanks to Phil Duffield in Santa Monica, California who introduced me to Citrix solutions. Phil is a Citrix evangelist and remains a resource and mentor in the information technology industry. Thanks again Phil!

Document Revision History

Smart Access in a Box is a project that I have created and maintained since NFE in a Box. This project has taken some wild detours from NFE in a Box through various revisions of MSAM in a Box and now Smart Access in a Box. Smart Access in a Box will be re-revved with new content on a regular basis so please stay tuned to my home page http://www.vellity.com for the latest version of this project and to the following document revision history section for the latest editions of this document.

Please send any and all suggestions and or comments to: [email protected]

Date | Version | Updated By | Description of Changes
--- | --- | --- | ---
2-12-2006 | Draft | Roddy Rodstein | First draft vision of Smart Access in a Box
2-27-2006 | 1.0 | Roddy Rodstein | Component and Traffic Flow; Access Gateway Advanced Edition System Design Strategies
4-20-2006 | | Roddy Rodstein | Network Resources, Policies & Filters

Future Additions:

• Data sets and data set management
• Remediation strategies
• Centralized Logging
• PEN testing and server hardening with Metasploit and SARA
• Windows SharePoint Portal Server and WISP installation and configuration.
• Netscaler load balancing configurations for Access Gateway and Advanced Access Control

How to use Smart Access in a Box

This document was developed to provide analysts, project managers, network and security administrators with a general reference to assist in the deployment of Citrix Access solutions. With Smart Access in a Box to help show you the way, a copy of your written security policies, and a detailed project plan, you can set-up an access server farm, configure and enforce security policies, and test and deploy a Smart Access solution.

Important: Procedures and settings in this guide may not be appropriate for enterprise deployment and scalability.

Finding On-line Help

For additional assistance, turn to http://vellity.com, http://support.citrix.com as well as the Citrix help files.

TABLE OF CONTENTS

NOTICE ... 1
TRADEMARKS ... 2
SPECIAL THANKS ... 3
DOCUMENT REVISION HISTORY ... 3
HOW TO USE SMART ACCESS IN A BOX ... 4
FINDING ON-LINE HELP ... 4
PREFACE ... 6
CHAPTER 1: SMART ACCESS OVERVIEW ... 7
ACCESS GATEWAY ADVANCED EDITION FEATURE SUMMARY ... 9
SMART ACCESS CLIENTS ... 14
ACCESS GATEWAY EDITIONS ... 15
ACCESS GATEWAY STANDARD EDITION ... 17
Access Gateway Specifications ... 18
CHAPTER 2: ACCESS GATEWAY ADVANCED EDITION ARCHITECTURE AND SYSTEM DESIGN ... 19
COMPONENTS AND TRAFFIC FLOW ... 19
APPLIANCE, ADVANCED ACCESS CONTROL AND MANAGEMENT CONSOLE TRAFFIC AND FIREWALL TRAVERSAL ... 22
Remote Access Strategies ... 27
Internal Access Strategies ... 30
FAULT TOLERANCE AND HIGH AVAILABILITY ... 34
CHAPTER 3: SMART ACCESS DEPLOYMENT METHODOLOGY ... 36
DEPLOYMENT PHASES OVERVIEW ... 37
Analysis ... 37
Analysis phase (Business and Technical) ... 37
Design Acceptance ... 38
Infrastructure Assessment (4 parts) ... 39
Roll-out phase ... 39
PART 1: BUSINESS ANALYSIS PHASE, VISION AND STRATEGY PLANNING ... 40
PART 2: TECHNICAL ANALYSIS PHASE, ENTERPRISE SECURITY ARCHITECTURE ... 41
SMART ACCESS POLICY MATRIX ... 56
DECISION TREE ... 61
ANALYSIS PHASE ... 64
ANALYSIS OVERVIEW ... 64
PROJECT SCOPE, AND STATEMENT OF WORK (SOW) ... 65
PROJECT PLAN ... 69
INFRASTRUCTURE ASSESSMENT ... 72
PROOF OF CONCEPT ... 73
IN ANALYSIS - CHECKPOINT ... 74
DESIGN OVERVIEW ... 75
IMPLEMENTATION OVERVIEW ... 75
CHAPTER 4: ADVANCED ACCESS CONTROL INSTALLATION OVERVIEW ... 76
ADVANCED ACCESS CONTROL SYSTEM REQUIREMENTS ... 77
AAC INSTALLATION SEQUENCES ... 78
USING HISECWS.INF SECURITY TEMPLATE ... 79
CHAPTER 5: ADVANCED ACCESS CONTROL POLICY INFRASTRUCTURE ... 80
CHAPTER 6: PART 1 ADVANCED ACCESS CONTROL PREREQUISITES ... 86
IIS 6.0 INSTALLATION ON AN ADVANCED ACCESS CONTROL DOMAIN MEMBER ... 86
ENABLE ACTIVE SERVER PAGES AFTER IIS INSTALL ... 91
VERIFY MDAC VERSION ... 92
VERIFY MICROSOFT WINDOWS INSTALLER VERSION ... 94
CHAPTER 7: PART 2 AAC PREREQUISITES ... 95
GRANT ADMINISTRATIVE ACCESS TO AAC SERVICE ACCOUNT ... 95
MICROSOFT EXCHANGE SYSTEM MANAGEMENT TOOLS INSTALL ... 99
CHAPTER 7: ADVANCED ACCESS CONTROL INSTALLATION ... 105
ACCESS SUITE CONSOLE (ACS) AND THE SERVER CONFIGURATION UTILITY ... 114
POST INSTALLATION ADOBE ACROBAT HTML PREVIEW SUPPORT ... 117
CHAPTER 8: CONFIGURATION NEXT STEPS ... 120
CITRIX PRESENTATION SERVER FARM FILE TYPE ASSOCIATION SUPPORT ... 126
NETWORK RESOURCES ... 133
WEB RESOURCES ... 146
Procedure to Create a Web Interface Portal ... 151
Procedure to Delete a Web Resource ... 180
Procedures to Edit Web Resources ... 182
Troubleshooting Web Resources ... 184
FILE SHARES ... 187
WEB EMAIL AND OUTLOOK WEB ACCESS ... 200
RESOURCE GROUPS ... 211
END POINT ANALYSIS & END POINT SCANS ... 221
FILTERS ... 250
Filter Development ... 251
Policy Development ... 274
WINDOWS SHAREPOINT PORTAL SERVER AS THE PRIMARY UI ... 307
LOGON POINTS ... 311
ACCESS GATEWAY ADMINISTRATION TOOLS ... 325
Administration Tool ... 325
Administration Portal ... 326
Administration Desktop ... 327
ACCESS GATEWAY ADMINISTRATION TOOL INSTALLATION ... 327
ACCESS GATEWAY APPLIANCE UPGRADE ... 345
BRINGING IT ALL TOGETHER ... 348
CHAPTER 9: LOGON PAGE AND NAV UI BRANDING ... 355
LOGON PAGE BRANDING ... 357
SESSION INITIALIZATION PAGE BRANDING ... 364
NAV UI BRANDING AND MODIFICATIONS ... 367
CUSTOMIZING HOW THE NAV UI DISPLAYS RESOURCES ... 367
NAV UI HEADER BRANDING AND MODIFICATIONS ... 369
NAV UI BRANDING USING A CASCADING STYLE SHEET ... 372
CHAPTER 10: PENETRATION TESTING A SMART ACCESS SOLUTION ... 377
PORT SCANNING AND TCP/IP STACK FINGERPRINTING ... 382
PORT SCANNING TECHNIQUES ... 383
NMAP ... 383
Nmap Usage ... 385
Nmap Conclusion ... 388
APPENDIX ... 389
HOST SCAN RESOURCES ... 389
WINDOWS WEB INTERFACE INSTALLATION AND CONFIGURATION ... 390
WEB INTERFACE 4.2 INSTALL ON WINDOWS SERVER 2003 ... 391

Preface

Welcome to the latest book in the “In the Box” series. My goal was to provide you with the tools you’ll need to plan and successfully deploy Citrix Access Gateway Advanced Edition. I understand that Citrix access solutions may be new to many project managers, analysts, network and security administrators, so I’ll try my best to explain how to analyze, plan, deploy, and close down a successful Citrix access solution with a project-oriented approach.

This document is a work in progress so please excuse any grammatical errors, incorrect formatting and/or incomplete sentences, chapters or sections.

Please take the examples provided here at face value and do not expect to apply them ‘as is’ to your environment. Each IT environment is unique, and as we all know, extremely complex. By applying some of the techniques presented here, as well as seeking professional services assistance at key points, you can minimize risk factors and maximize the probability of success.

The biggest risk any deployment faces is lack of adoption. An access solution is successful only if employees use it.

Roddy Rodstein, CISSP, CEH, MCSE, CCA http://www.vellity.com

[email protected]

Chapter 1: Smart Access Overview

The next several chapters provide a high level overview of Citrix’s Smart Access and how it fits into an organization’s security system. Smart Access is a feature of Citrix’s Access Suite, which consists of Citrix Presentation Server, Citrix Password Manager, and Access Gateway Advanced Edition. Citrix’s Access Gateway Advanced Edition directly enables Smart Access and is the focus of this book. After the Smart Access overview chapters we will review Access Server Farm design and then move on to the deployment methodology behind a successful Smart Access deployment. After the methodology chapters we will progress to the installation and configuration of Access Gateway Advanced Edition’s Advanced Access Control and the Access Gateway. Once we have initially configured and tested our Access Server Farm, we will cover topics ranging from resource publishing, logon points, policies, filters, host scans, NAV interface customization and branding, UI selection, core services such as Web Interface and Windows SharePoint Portal Server, and remediation and penetration testing. Each topic in the overview section will be covered in greater detail in subsequent chapters.

The term "enterprise" used throughout Smart Access in a Box refers to organizations with multiple internal networks, a diverse set of PCs, numerous information systems and applications, various access requirements, and a diverse user presence.

Note: The names of Citrix products and technologies are still changing. You will notice that the naming convention on the software and documentation does not reflect or match Citrix’s current marketing naming convention.

gain access to a network. The posture of a host is checked by running a scan against the operating system and then establishing appropriate entitlements and access rights based on the results of the scan. Scans are configured to reflect and enforce an organization’s written security policy. This is accomplished by configuring scans to ensure that a host complies with an organization’s security policies such as operating system version, security patch levels, the presence of approved antivirus and malware software, registry watermark, unique file, browser version, domain membership, etc., before the host gains access to a network. By enforcing security policies before a host gains access to the network, the risk associated with a host infecting critical information systems is reduced. Host scans provide an important piece of an organization’s security system.

Note: Citrix uses the terminology end point analysis (EPA) for a “host scan”.

PC vulnerabilities present a huge risk to the confidentiality, integrity and availability of organizations' information systems. Organizations realize that legitimate users (e.g. remote workers, business partners and consultants) need to access their networks, even though the posture of their PCs can endanger the security of the organizations' IT systems by allowing infected PCs on their networks. This is especially troublesome within organizations that have laptops being used at work, home and all points in-between. PCs inevitably get infected and wind up on an organization's network infecting other PCs and servers which sit behind firewalls. As infected PCs remain on the network, they infect other machines and risk the confidentiality, integrity and availability of an entire information system. Because organizations realize that they need to enforce their written security policies to reduce the risk from PC infections, they have turned to network access control to enforce policies and reduce risk.

Smart Access allows organizations to map their written security policies to network access controls in order to control access to information systems in Business to Employee (B2E) and Business to Business (B2B) environments. Smart Access functionality is a product of the components of Citrix’s Access Suite i.e. Presentation Server, Password Manager and Access Gateway Advanced Edition. The Access Suite components can be purchased a la carte or together.

analysis scan can determine the location of a user, device type, running processes, as well as file and registry parameters.

The next table shows a partial list of scan types and their attributes.

Scan Type | Scan Attribute
--- | ---
Machine Identity | NetBIOS name; Domain membership; MAC address
Machine Configuration | Operating System; Anti-Virus System; Personal Firewall; Browser Type; Hidden File
Device location | IP Address (internal or external)
Authentication Method | Machine logon type such as Windows, Novell, Two-factor etc.

Incidentally, ActiveX is a proprietary Microsoft technology which is supported exclusively on the Windows platform, and all of the Smart Access clients install exclusively on Windows. This does not prevent non-Windows clients such as Mac and Linux from accessing a Smart Access solution; it simply eliminates the ability to use the Secure Access Client, End Point Analysis scans and Live Edit. Many Smart Access features are supported on Mac, Linux and UNIX clients (e.g. client-less access).

Access Gateway Advanced Edition Feature Summary

Smart Access has an extensive list of features including policy enforcement, protocol filtering, role based access, host scans, Action Control, NAV UI, Web Interface, Email Synchronization and small form factor support. The following table highlights some Smart Access features.

Note: The next chapter, named “Client Requirements”, explains which Smart Access client is required to support Smart Access. Policy enforcement and entitlements are dependent on a variety of Smart Access clients.

Feature | Explanation | Client Requirements
--- | --- | ---
SSL VPN | Citrix’s Access Gateway Standard Edition is an SSL VPN appliance that supports multiple protocols which can be used standalone for simple access or together with Advanced Access Control to provide Smart Access. | *Secure Access Client
Policies | Policies enforce written security policies to network resources using filters, access and connection policies, logon points, host scans, and group membership. | Client, Secure Access Client, ActiveX clients, NAV UI.
Host Scans (End Point Analysis) | An ActiveX control scans Windows hosts before users authenticate to the system. The scan determines the posture of the host and applies the appropriate access and connection policies to the user session. | *Web Browser, ActiveX client.
Actions Control | Actions Control consists of two separate technologies: Live Edit and HTML Preview. Actions Control was designed to minimize the risk of accidental leakage of corporate information associated with improper access of data. Live Edit is a technology which controls Microsoft Office features like Save and Save As. Live Edit requires Microsoft Office to be installed locally or on a Citrix Presentation Server. HTML Preview supports the ability to render Microsoft Office and Adobe Acrobat files from an AAC Web server as a Web page, not in their native file format. This allows users to preview files in a view-only format which secures the original files and eliminates residual caching of the file on the host system. | Live Edit requires a Web Browser and ActiveX client or ICA client (ICA with Presentation Server backend). HTML Preview requires a Web browser.
Email Synchronization | Email synchronization allows users to synchronize local installations of Microsoft Outlook and Lotus Notes with the mail server for offline use. | Access Client. … allow MAPI traffic.
NAV UI (NAV): Web email, Web Interface, File Browser, Web Application Browser, Re-factoring / Small Form Factor Support | The NAV UI is Citrix’s default Smart Access UI. It is a collection of Web page templates. There are a total of four templates: Web email client, Web Interface, File and Web Application browser. They can be used together in the NAV UI or individually within 3rd party portals such as Windows SharePoint Portal Server. The NAV UI is where Presentation Server, web and file resource entitlements are enforced by showing or hiding resources and enforcing Action Control. It’s a simple framed Web page with a tabbed UI. The default navigation page is optional. | Web Browser
Web email (NAV Template) | Web email is a light weight, full featured email client requiring only Internet Explorer, Safari, Firefox or Netscape. It’s accessed from the NAV interface. Web mail can also be accessed directly from 3rd party portals as an iFrame. Web email only supports Microsoft Exchange. | Web Browser
Web Interface (NAV Template) | The Windows version of the Web Interface allows seamless integration of Citrix’s Presentation Server within the NAV UI. The Web Interface can also be used with 3rd party portals such as Windows SharePoint Portal Server. | Web Browser
File Browser (NAV Template) | The File Browser enumerates directories and files and enforces Action Control on Microsoft Office and Adobe Acrobat files. The File Browser can also be used with 3rd party portals such as Windows SharePoint Portal Server. | 
Web Application Browser (NAV Template) | The Web Application Browser allows the configuration of role based access control to Web applications. The Web Application Browser also supports Action Control on Web resources. The Web Application Browser can also be used with 3rd party portals such as Windows SharePoint Portal Server. | Web Browser
Re-factoring / Small Form Factor Support (NAV Template) | Advanced Access Control will detect small form factor devices and re-factor the NAV interface to display Web email and file shares. | Palm Tungsten C, HP iPaq Pocket PC h6315, VOQ Sierra Phone, RIM BlackBerry 7290
Web Proxy | Citrix uses Microsoft’s winhttp proxy to process Web pages and rewrite URLs. This allows remote access to internal web sites. | Web browser.

*Windows Support Only

The next image shows the NAV UI.

allows the configuration of Smart Access policies to Web and Files resources. The image below shows the policy settings that can be applied to a file share.

The next image shows the NAV UI file browser (MyFiles.asp) enumerating a user’s home directory named My Documents running in Windows SharePoint Portal Server. A PowerPoint document has been clicked and the dynamic DHTML menu is displayed. The dynamic DHTML menu is how Smart Access policies are enforced by exposing configured policy settings.

The above example shows the DHTML menu and how Action Control entitlements such as Preview, Download, Live Edit and Email are made available to users. Each Action Control setting can be configured as Not Configured (the default, which means the feature is disabled), Enabled, or Disabled. These configurations are made in the Access Suite Console and dictate which Action Controls are available to users.

The images below show the Action Control policy settings and values that can be applied to a file share.

File Share Policy Settings File Share Policy Values

The next section will review Smart Access clients.

Smart Access Clients

Before we review Smart Access features let's review the client requirements. To enforce Smart Access policies a total of four clients are needed: the Secure Access Client, two ActiveX clients, and a Web browser. The Secure Access Client is analogous to a VPN client and enables protocol tunneling and filtering. The first of the ActiveX clients is used to run host scans, while the second enables Live Edit, which is an Action Control. All of the Smart Access clients require administrative or power user rights to install.

The next list shows the various Smart Access clients, which functionality they provide, and which platform they are supported on.

Client | Functionality | Supported Platform
--- | --- | ---
Web Browser | NAV UI, Web email, Web Interface, File Browser, Web Application Browser. | Windows, MAC and Linux with Internet Explorer, Safari and Mozilla
ICA Client | Allows access to Presentation Server resources. | Any
Access Client | Analogous to a VPN client. | Windows
ActiveX controls | Host Scans and Live Edit. | Windows
Java Runtime Environment (JRE) | Allows access to Presentation Server via Citrix’s Java ICA client. | Any

The next table highlights Access Gateway Advanced Edition browser support.

Platform | Browsers
--- | ---
Windows XP Professional and Home Editions (32-bit); Windows 2000 Professional; Windows 98; Windows NT 4.0 Workstation; Windows ME | IE 5.5 SP2 and above; Netscape 7.0 and above; Mozilla Firefox
Mac OSX English Only | Safari 1.0 and above; Netscape 7.0 and above
Linux | Mozilla Firefox
Palm Tungsten C | PalmSource Web Browser 2.0 on PalmOS
Sierra Phone | Windows Mobile for Pocket PC Phone Edition 2002 and above
RIM BlackBerry 7290 | RIM Factory Browser with BES and BlackBerry Gateway services

As the above table shows, it is important to understand Access Gateway Advanced Edition’s browser support to effectively design a Smart Access solution.

The following requirements should be considered when developing a Smart Access policy matrix (see chapter 4 for Smart Access policy matrix details).

1. Features only supported on Windows:
• Live Edit requires Windows 2000 or XP with IE 6+ configured to download signed ActiveX controls
• Endpoint Analysis requires Windows 98 and above with IE 5+ configured to download signed ActiveX controls, or Netscape 7+ or Mozilla Firefox when used as a plug-in

2. No client is required on an end point in the following scenarios when no end point analysis is used:
• When utilizing HTML preview capabilities to view accessible documents
• When accessing email using the web-based native email client

3. Small form factor device support is limited to the following interfaces:
• Native web-based email interface
• Web-based file shares
• Authentication screen
• Default homepage UI
• The re-factoring of documents is limited to simple text, html and Office documents

Access Gateway Editions

The Access Gateway comes in three Editions: Standard, Advanced and Enterprise. Only the Advanced Edition supports Smart Access. The Enterprise Edition is a Citrix

(IIS) Windows 2000 and Windows 2003 Server platforms. The Access Gateway Advanced Edition allows organizations to enforce security policy with tiered access based on the results of end point analysis scans. The primary difference between the Standard and Advanced host scan techniques is that the Standard Edition uses a binary scan which is pass or fail: passing a scan allows access and a failed scan restricts access. A failed Advanced Edition scan, by contrast, can be configured to allow a user limited read-only access to resources. This type of tiered access (Smart Access) would allow a user to read and send email, view attachments and files, and access Presentation Server resources while protecting the network from a compromised host machine. The Advanced Edition’s Smart Access capabilities provide tiered access by sensing and responding to the posture of the host machine, granting the appropriate level of access while still protecting the confidentiality, integrity, and availability of information systems from virus infection and intellectual property leakage.
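The contrast just drawn between the Standard Edition's binary pass/fail scan and the Advanced Edition's tiered result, together with the earlier description of what a host scan checks (OS version, patch level, anti-virus, domain membership, registry watermark, hidden file, browser) and the three-state Action Control settings, can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not Citrix code and calls no Citrix API. The Posture and Policy structures, the thresholds, the HARD_FAIL severity set and the sample hosts are all constructed assumptions for illustration.

```python
"""Hypothetical endpoint-posture evaluator (added example, not Citrix code).

Contrasts the two host-scan styles the text describes: a binary pass/fail
decision (Standard Edition) and a tiered decision (Advanced Edition), where
a host that fails only soft checks still gets limited, read-only access.
Posture fields follow the page's scan-attribute table; thresholds, the
HARD_FAIL set and the sample hosts are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

FULL, LIMITED, DENIED = "full", "limited_read_only", "denied"

# Action Control entitlements and their three-state settings; the page
# states that "Not Configured" is the default and behaves as disabled.
ACTIONS = ("preview", "download", "live_edit", "email")
NOT_CONFIGURED, ENABLED, DISABLED = "not_configured", "enabled", "disabled"


@dataclass
class Posture:
    """Result of one end point analysis scan (constructed sample data)."""
    os_version: str
    patch_level: int
    antivirus_present: bool
    firewall_present: bool
    domain_member: bool
    browser_version: float
    registry_watermark: bool
    hidden_file_present: bool


@dataclass
class Policy:
    """Written-policy requirements expressed as scan thresholds, plus the
    Action Control settings granted to each access tier."""
    approved_os: List[str]
    min_patch_level: int
    min_browser_version: float
    actions_full: Dict[str, str] = field(default_factory=dict)
    actions_limited: Dict[str, str] = field(default_factory=dict)


def failed_checks(p: Posture, pol: Policy) -> List[str]:
    """Return the names of every policy check the host fails, in scan order."""
    checks = [
        ("os_version", p.os_version in pol.approved_os),
        ("patch_level", p.patch_level >= pol.min_patch_level),
        ("antivirus", p.antivirus_present),
        ("firewall", p.firewall_present),
        ("domain_membership", p.domain_member),
        ("browser_version", p.browser_version >= pol.min_browser_version),
        ("registry_watermark", p.registry_watermark),
        ("hidden_file", p.hidden_file_present),
    ]
    return [name for name, passed in checks if not passed]


# Checks whose failure denies the host outright even under tiered evaluation
# (an assumed severity ranking, not taken from the page).
HARD_FAIL = {"os_version", "patch_level", "antivirus"}


def binary_decision(p: Posture, pol: Policy) -> str:
    """Standard Edition style: any failed check denies access."""
    return DENIED if failed_checks(p, pol) else FULL


def tiered_decision(p: Posture, pol: Policy) -> str:
    """Advanced Edition style: clean scan -> full access, soft failures ->
    limited read-only access, hard failures -> denied."""
    failures = set(failed_checks(p, pol))
    if not failures:
        return FULL
    return DENIED if failures & HARD_FAIL else LIMITED


def effective_actions(tier: str, pol: Policy) -> Dict[str, bool]:
    """Resolve three-state Action Control settings for a tier to booleans.
    Only an explicit Enabled grants an action; Not Configured (the default)
    and Disabled both withhold it, and a denied session gets nothing."""
    settings = {FULL: pol.actions_full, LIMITED: pol.actions_limited}.get(tier, {})
    return {a: settings.get(a, NOT_CONFIGURED) == ENABLED for a in ACTIONS}


# Constructed sample policy: compliant hosts get every action; hosts failing
# only soft checks may read mail and preview files but not download.
CORP_POLICY = Policy(
    approved_os=["Windows XP", "Windows 2000"],
    min_patch_level=3,
    min_browser_version=6.0,
    actions_full={a: ENABLED for a in ACTIONS},
    actions_limited={"preview": ENABLED, "email": ENABLED, "download": DISABLED},
)

# Constructed sample hosts: a managed laptop, a home PC missing the corporate
# markers, and an unapproved, unpatched machine with no anti-virus.
MANAGED_LAPTOP = Posture("Windows XP", 4, True, True, True, 6.0, True, True)
HOME_PC = Posture("Windows XP", 3, True, False, False, 6.0, False, False)
UNPATCHED_PC = Posture("Windows 98", 0, False, False, False, 5.5, False, False)

if __name__ == "__main__":
    for name, host in (("managed", MANAGED_LAPTOP), ("home", HOME_PC), ("unpatched", UNPATCHED_PC)):
        tier = tiered_decision(host, CORP_POLICY)
        print(f"{name}: binary={binary_decision(host, CORP_POLICY)} tiered={tier} "
              f"actions={effective_actions(tier, CORP_POLICY)}")
```

The point the example makes is the one the text makes: the same scan result that a binary policy turns into a hard denial (the home PC) becomes a usable, reduced-privilege session under a tiered policy, while a host that fails the checks treated as severe is still kept off the network entirely.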

Incidentally, during an AAC installation you might not notice that Citrix’s MetaFrame Secure Access Manager components are selected and will be installed by default. MetaFrame Secure Access Manager components along with Citrix’s Index Server are included for backwards compatibility and originally came from Citrix’s NFuse Elite product, which was re-branded as MetaFrame Secure Access Manager. All of these components are optional and should NOT be installed unless you have dedicated hardware to support the MetaFrame Secure Access Manager infrastructure. Smart Access in a Box will not cover these legacy components. Citrix has included these legacy components for backwards compatibility and they are 100% optional.

Notes: If you’re interested in installing and using Access Centers please refer to Vellity’s e-book MSAM in a Box. Secure Gateway is a software based single protocol SSL Proxy (supporting ICA only) that is bundled with Presentation Server as a value add to Presentation Server.

The following table is a feature comparison between Citrix’s Secure Gateway and Access Gateway (Standard, Advanced, and Enterprise Editions):

High Level Features | Secure Gateway | Standard Edition | Advanced Edition | Enterprise Edition
--- | --- | --- | --- | ---
Bundled with Citrix Presentation Server. | Yes | No | No | No
Software solution. | Yes | No | ½ Yes AAC | No
A component of Citrix’s Access Suite. | No | Yes. The client licenses are included, not the hardware. | Yes. The client licenses are included, not the hardware. | No
Host scans. | No | Yes (Binary - pass or fail) | Yes (Smart Access) | Yes … policies
Multi protocol SSL VPN | No (ICA only) | Yes | Yes | Yes
Smart Access Support | No | No | Yes (with or without AG) | No
Clientless access with URL rewriting | No | No | Yes | No
Multiple UI support | No | No | Yes | No
3rd party portal support | No | No | Yes | No
Active Directory support | Yes | Yes | Yes | Yes
Email synchronization | No | Yes | Yes | Yes
Two factor authentication | Yes | Yes | Yes | Yes
IP Telephony support | No | Yes | Yes | No
Small Form Factor Support | No | No | Yes | No
Server Load Balancing (SLB) | No | No | No | Yes
Caching | No | No | No | Yes

As indicated above, Citrix’s Secure Gateway, Access Gateway Standard, Advanced and Enterprise Editions offer varied functionality which allows customers to select which technology is appropriate for their environment.

Access Gateway Standard Edition

Citrix’s Access Gateway Standard Edition is an SSL VPN appliance offering simple access to corporate resources. It supports the configuration of pass/fail host scans, 128-bit SSL encryption, VoIP soft phones, and data and network services access in a Business to Employee (B2E) and Business to Business (B2B) format without the need for a traditional IPSec VPN infrastructure. Access Gateway Standard Edition is a hardened Linux appliance running on an x86 platform.

The Access Gateway Standard, as well as Advanced Edition, requires the installation of a Windows client to enforce policies and entitlements. The Access Gateway client has two modes of installation, administrative and non-administrative. The administrative install of the client provides full functionality, in contrast to the non-administrative install which loses UDP (soft phone) and SMB (file access) support. The Access Gateway Standard Edition offers users an “administrative client install” which supports seamless desktop access to all of their job specific information systems as if they were sitting on the corporate LAN.

The following image shows the Access client (which is running in the system tray) and how it provides seamless access to remote resources from local applications like Outlook and Windows Explorer within a Windows XP desktop.

Access Gateway Specifications

The Access Gateway has two models, the 2000 and 5000*. The 2000 is built for Citrix on hardware from Supermicro and the 5000 runs on Citrix’s NetScaler hardware platform. The following list highlights the Access Gateway 2000 specifications:

• 2.8 GHz P4
• 1 GB RAM
• 40 GB Drive
• 2 NICs (1 GB each)
• 1 Rack Unit in height – with mounting rail kit
• Access Gateway firmware (software)
• Port access 443/9001
• 2,000 concurrent connections at 300 MB/s
• VoIP support

Chapter 2: Access Gateway Advanced Edition Architecture and System Design

Chapter 2 will review Access Gateway Advanced Edition (AGAE) components, traffic flow and system design. The system design section will focus on the physical placement of the appliance and Advanced Access Control components and which ports need to be open between networks.

Components and Traffic Flow

This section will start with a review of Access Gateway Advanced Edition (AGAE) components and traffic flow. AGAE Advanced Access Control can be deployed on a single server for testing, or on multiple servers in an enterprise production environment. The components that can be deployed on dedicated servers are listed below:

• Web Server – facilitates connection establishment, session creation, and policy enforcement. Hosts the NAV user interface and forwards traffic to the Agent server for access center requests. The Web server consists of several modules including the Authentication Service, Endpoint Analysis Service, Session Manager, Web Proxy, Policy Engine, Auditing Service, Logon Agent Service, Gateway Notification Service, Gateway Configuration Service and Host.DLL (only for Access Centers). Each of these modules is reviewed further in this document.

• HTML Preview Server – converts MS Office, Visio and Adobe PDF documents to HTML so they can be previewed with a browser. This scenario leaves the original document on the internal network.

• Server Farm Database Server – MSDE or MS SQL support. Stores all Advanced Access Control configurations that are made within the Access Suite Console. Also stores static and dynamic session information for open, established sessions.

The next image shows Access Gateway Advanced Edition services and how they communicate between an appliance and an Advanced Access Control machine.

The appliance performs the heavy lifting in the Access Gateway Advanced Edition architecture. When an appliance starts up, it notifies the Advanced Access Control Web server that it is online. It then retrieves the appliance configuration created in the Access Suite Console. The appliance also receives a list of available logon points and caches the static logon point resources to improve performance during the connection process.

The next table lists the services that run on an Advanced Access Control machine.

Service – Explanation

Logon Agent Service – HTML rendering, page execution and rule set validation. Communicates with the appliance Connection Manager.

Authentication Service – Ticket validation. Communicates with the appliance Connection Manager.

Endpoint Analysis Service – Receives Endpoint Analysis client requests from the appliance Endpoint Analysis Proxy.

Gateway Notification Service – Pushes state change notifications to the appliance Connection Manager.

Session Manager – Pushes notification requests to the Gateway Notification Service.

Configuration Business Objects – Pushes notification requests to the Gateway Notification Service and receives cluster configurations from the Gateway Configuration Service.

Policy Engine – Receives session configuration from the Gateway Configuration Service.

The next table lists the services that run on an appliance.

Service – Explanation

Connection Manager – Manages client connections, communicates with the Logon Agent Service and the Authentication Service, and receives state change notifications from the Gateway Notification Service.

Endpoint Analysis Proxy – Proxies client Endpoint Analysis requests to the Endpoint Analysis Service.

Configuration Service – Pushes cluster and session configuration requests to the Gateway Configuration Service.


Appliance Responsibilities

• Detect new user sessions
• Proxy traffic between the client workstation and LAN (such as between the endpoint analysis client on the client workstation and the endpoint analysis service on the Advanced Access Control Web server, or between the Secure Access Client (VPN client) and a server in the LAN)
• Cache static resources used during the authentication (logon) sequence
• Coordinate with Advanced Access Control to deliver dynamic pages used during the logon sequence, and validate the user responses prior to forwarding them back to Advanced Access Control
• Enforce Advanced Access Control policies specific to the appliance (obtained as a result of logon) on each user session
• Associate each user session with an Advanced Access Control session key
• Ensure that each user session has a valid Advanced Access Control session (to ensure proper product licensing)
• Refresh user sessions when requested by Advanced Access Control

Advanced Access Control Responsibilities

• Allow system administrators to define access and connection policies
• Allow system administrators to define endpoint analysis rules
• Perform endpoint analysis by communicating with the endpoint analysis client running on the end user’s workstation
• Accept or reject a user session based on endpoint analysis scan results and user credentials
• Drive the endpoint analysis, authentication, and client activation process with the assistance of the appliance
• Furnish the appliance with an XML description of the session policies. The session is identified by means of a common session key defined by Advanced Access Control
• Notify the appliance(s) when a change has occurred to a user session. This tells the Access Gateway to refresh session policies for all active sessions
• Perform system maintenance on the Access Gateway appliance (such as notifying it when configuration changes have been made)
• Perform URL re-writing and document protection
• Allow web-based access to file shares
• Generate a portal (landing page) for the user session
• Acquire and release product licenses from the Citrix License Server

Appliance, Advanced Access Control and Management Console Traffic and Firewall Traversal

• 80 or 443 for an appliance to make requests to Advanced Access Control.
• 9005 for Advanced Access Control to notify an appliance of configuration changes. This is called the notification port.
• 9002 for the Access Gateway Administration Tool using the Java console (assuming the administrator’s XP workstation shown in the image below is behind the firewall).
• 9001 for the Access Gateway Administration Portal and the Citrix Admin Monitor. The Access Gateway Administration Portal is an HTML interface which is accessible by pointing a Web browser to https://yourgatewayname:9001. It allows administrators to perform basic maintenance and provides the ability to download documentation, installers and log files for a single appliance.

Ports 9001 and 9002 are management interfaces: they should be reachable only from the administrators’ network, and never through the Internet-facing interface, which needs only 443 open.

The Administration Desktop is used for monitoring an appliance. It allows access to a variety of monitoring tools such as Citrix Real-time Monitor, xNetTools, Ethereal, fnetload, traceroute and System Monitor.


Authentication Flow

This section will review the authentication flow. The next image shows the authentication flow from a client device through Active Directory.

Source Citrix 2006 Summit PowerPoint:


Client -- Appliance

A user points her browser to an SSL encrypted logon point using port 443, i.e. https://yourcompany.com. The user enters her credentials and clicks the Login button as shown in the example.

Appliance -- Authentication Service

The credentials from the logon event are passed as unencrypted data in a SOAP envelope from the appliance to the Authentication Service on an Advanced Access Control Web server. If this hop uses plain HTTP (port 80), the user’s password crosses the DMZ to data center boundary in clear text; the SOAP traffic can and should be encrypted using SSL (port 443).

Logon Agent Service -- Logon Point

The Logon Agent Service passes the credentials via HTTP to the Logon Point, i.e. localhost:80. The Logon Agent Service connects to the Logon Point on behalf of gateway users, essentially acting as a connection proxy.

Logon Point -- Authentication Service

The Logon Point passes the credentials in a SOAP envelope to the Authentication Service, i.e. localhost:80.

Authentication Service -- Active Directory

The Authentication Service authenticates the user to Active Directory using Kerberos or NTLM.

Appliance Connection Manager -- Presentation Server Secure Ticket Authority (STA)

No user name or password information is transferred from the Access Gateway to the Secure Ticket Authority. A session ticket is passed as an XML message over HTTP from the Appliance Connection Manager to the Secure Ticket Authority. The session ticket is sensitive because it contains Presentation Server connection information which allows a user to open an ICA connection through the firewall. In every case SSL or IPSec should be used to secure the Secure Ticket Authority traffic.

Authentication Service -- Presentation Server XML Service

The username and domain are sent in clear text and the password is only encoded, not encrypted. The XML message can and should be encrypted using SSL. There is a checkbox in the Presentation Server farm settings to configure SSL to secure this traffic.

Access Gateway Advanced Edition System Design Strategies

This section will review Access Gateway Advanced Edition system design strategies. The first section will review remote access strategies with an Access Gateway appliance in a DMZ. The second section will review internal access strategies with an Access Gateway appliance in a DMZ between the user and data security domains, as well as a scenario without an Access Gateway appliance or DMZ allowing direct communication between users and Advanced Access Control machines.

In the following examples we will reference three basic security domains: data, user and transport security domains. The data security domain is represented in the examples as a data center enclave hosting the majority of an organization’s IT infrastructure. The user security domain represents a network segment where the end user devices live. The transport security domain represents what connects the user and data security domains to each other and to the Internet. These terms are generally defined in an organization’s enterprise security architecture.

If an organization wishes to enforce Smart Access policies, network traffic between the user and the data security domains must flow through an Access Gateway appliance and each workstation must have a Secure Access client.

DNS Resolution

As shown above in the authentication flow section, appliances need to communicate with the Advanced Access Control web servers: outbound from the web server to the appliance on port 9005, and inbound to the web server on port 80 or 443. The appliances do not rely on Advanced Access Control for DNS resolution of internal Web, file and email resources. Advanced Access Control cannot provide address resolution for an appliance unless the Advanced Access Control web server itself is a DNS server (not very common) and the appliance has been configured to point to it for resolution requests. Otherwise, any resource not accessed through the web proxy must be resolvable by the appliance itself. This is why it is necessary to configure DNS server settings and suffixes on appliances.

Remote Access Strategies

This section will review three sample remote access configurations with an appliance in a DMZ. The difference between the configurations is how the appliance’s two Ethernet ports are used and which network segments the NICs are placed in. The first example uses one Ethernet port (int0), which requires meticulous firewall rules to allow traffic to flow from the appliance in the DMZ to each desired service or network resource in the data security domain. The second configuration uses both Ethernet ports, int0 and int1, straddling the DMZ. This configuration works without any additional firewall rules between the DMZ and the data security domain, effectively routing and filtering traffic through the Access Gateway appliance. The downside is that the second NIC is placed in the data center network, which eliminates the ability to do deep packet inspection on the traffic it carries. The third example places both Ethernet ports int0 and int1 in the DMZ. Int0 is used as the external NAT address while int1 is used for communication to the data security domain. This configuration gives firewall administrators the ability to create meticulous firewall rules for the second NIC and also allows deep packet inspection to be configured on int1.

If supporting Exchange and Outlook synchronization is a requirement, it may be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default the Exchange service uses a random available port greater than 1024, and this port changes with each reboot of the Exchange server. The better option is to configure static ports for the Exchange Server service (http://support.microsoft.com/?kbid=270836) so that the firewall rules can be restricted to those ports.

Three Remote Access strategies using an Access Gateway Appliance in the DMZ:

• #1. Appliance sits in a DMZ and only one Ethernet port, int0, is used.

HTTP, SMB, LDAP, etc. If Outlook synchronization is a requirement, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service, or to configure static Exchange service ports (see the Exchange note above).

o Port 80 or 443 is used by an appliance to make requests to an Advanced Access Control server; 9005 is used by the Advanced Access Control machine to notify an appliance of configuration changes; 9002 provides access to the Access Gateway Administration Tool using the Java console; 9001 is used by the Access Gateway Administration Portal and the Citrix Admin Monitor.

The next image shows an appliance in a DMZ using only one Ethernet port, int0.

#2. Appliance straddles a DMZ and both Ethernet ports int0 and int1 are used.

The next image shows an appliance straddling a DMZ with both Ethernet ports int0 and int1 being used.

#3. Appliance sits in a DMZ and both Ethernet ports int0 and int1 are used.

o Int0: This requires port 443 to be open to the Internet for remote access.

o Int1: All desired ports need to be open between the DMZ and the data security domain to allow the delivery of services, i.e. Internal DNS, IMAP, POP3, SNMP, HTTP, SMB, LDAP, etc. If Outlook synchronization is a requirement, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service, or to configure static Exchange service ports (see the Exchange note above).

o Int1: Port 80 or 443 is open so an appliance can make requests to an Advanced Access Control server; 9005 is used by an Advanced Access Control machine to notify an appliance of configuration changes; 9002 is used by the Access Gateway Administration Tool using the Java

The next image shows an appliance in a DMZ where both Ethernet ports int0 and int1 are used.
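The three strategies above differ only in which appliance interface faces the data security domain, and therefore in which firewall rules must exist. The following Python model, added here as an example and not part of the original document or of any Citrix tool, encodes the required flows per strategy from the port list above and audits a proposed rule set against them: it reports missing rules (access will break), excess rules (more than least privilege), and two findings a reviewer would always raise, a non-443 port reachable from the Internet on int0 and the Exchange dynamic port range left open instead of static ports. The zone names, the interface labels and the standard port numbers for the internal services are assumptions of the model; the page names only the protocols.

```python
"""Firewall flow model for the three DMZ strategies above.

Added example, not from the original page or from Citrix. Zones, interfaces and the
appliance/Advanced Access Control ports (443, 80/443, 9005, 9001, 9002) follow the
text; the service port numbers for DNS, IMAP, POP3, SNMP, HTTP, SMB and LDAP are
standard assignments assumed here, since the page names only the protocols.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    src: str   # source zone, e.g. "internet", "mgmt", "datacenter", "dmz/int1"
    dst: str   # destination zone or zone/interface
    port: str  # TCP/UDP port, or a range such as "1024-65535"


INTERNAL_SERVICES = {"dns": "53", "imap": "143", "pop3": "110", "snmp": "161",
                     "http": "80", "smb": "445", "ldap": "389"}
ADMIN_PORTS = ("9001", "9002")   # admin portal, Java administration tool
AAC_PORT = "443"                 # appliance -> Advanced Access Control (80 or 443)
NOTIFY_PORT = "9005"             # Advanced Access Control -> appliance
EXCHANGE_DYNAMIC = "1024-65535"  # Exchange picks a random port >1024 per reboot


def required_flows(strategy, exchange_ports=None):
    """Flows the firewall must permit for strategy #1, #2 or #3.

    exchange_ports: static Exchange service ports configured per KB 270836.
    None means Exchange still uses a dynamic port, so the whole range is needed.
    """
    external = Flow("internet", "dmz/int0", "443")
    if strategy == 2:
        # int1 sits inside the data center network, so no DMZ-to-data-center
        # firewall rules exist; only the Internet-facing rule remains.
        return {external}
    inner = {1: "dmz/int0", 3: "dmz/int1"}[strategy]  # NIC that talks inward
    flows = {external}
    flows |= {Flow(inner, "datacenter", p) for p in INTERNAL_SERVICES.values()}
    flows.add(Flow(inner, "datacenter", AAC_PORT))
    flows.add(Flow("datacenter", inner, NOTIFY_PORT))
    flows |= {Flow("mgmt", inner, p) for p in ADMIN_PORTS}
    flows |= {Flow(inner, "datacenter", p)
              for p in (exchange_ports or (EXCHANGE_DYNAMIC,))}
    return flows


def audit(strategy, proposed, exchange_ports=None):
    """Compare a proposed rule set (a set of Flow) with the required flows.

    Returns missing flows (access will break), excess flows (more than least
    privilege) and findings a reviewer would raise regardless of strategy.
    """
    required = required_flows(strategy, exchange_ports)
    findings = []
    for f in proposed:
        if f.src == "internet" and f.port != "443":
            findings.append("port %s reachable from the Internet; only 443 belongs on int0" % f.port)
        if f.port == EXCHANGE_DYNAMIC:
            findings.append("Exchange dynamic port range open; configure static ports (KB 270836)")
    return {"missing": sorted(required - proposed),
            "excess": sorted(proposed - required),
            "findings": findings}


if __name__ == "__main__":
    # Strategy #3 rule set with one mistake: the admin portal exposed on int0.
    rules = required_flows(3) | {Flow("internet", "dmz/int0", "9001")}
    for key, value in audit(3, rules).items():
        print(key, value)
```

Running the script prints no missing flows, one excess flow (9001 from the Internet) and the two findings. Extend INTERNAL_SERVICES with whatever the data security domain actually hosts; the point of the audit is that every rule is either traceable to a service the appliance must reach or reported.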

Internal Access Strategies

The configuration of internal access uses the same three design strategies described above plus a fourth approach which eliminates the Access Gateway appliance. The three appliance-based strategies differ only in how the appliance’s two Ethernet ports are used and in which network segments the NICs are placed. The fourth strategy excludes an Access Gateway appliance and relies on existing router or switch rules to filter traffic. The first example uses one Ethernet port (int0), which requires meticulous firewall rules to allow traffic to flow from the appliance in the DMZ to each desired service or network resource in the data security domain. The second configuration uses both Ethernet ports, int0 and int1, straddling the DMZ. This

security domain. This configuration gives firewall administrators the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection on int1. The final example excludes an appliance and relies on existing router or switch rules to filter traffic.

If an organization needs to enforce Smart Access protocol entitlements, network traffic between the user and data center networks must flow through an Access Gateway appliance, and each Windows workstation must have an Access client. If Smart Access protocol entitlements are not required, workstations can communicate directly with Advanced Access Control servers. This scenario does not require any additional configuration on existing switches or routers, nor is an Access client needed on the workstation.

Tip: This may be preferred in thin client and non-windows environments where an Access client can not be installed.

• #2. Appliance straddles a DMZ, router or switch and both Ethernet ports, int0 and int1, are used.

The next image shows an appliance straddling a DMZ with both Ethernet ports int0 and int1 in use.

Diagram components: Internet, Firewall, DMZ, Citrix Access Gateway, Advanced Access Control, Access Farm, Presentation Server Farm, SQL (CPS DS & SDB), Web Interface, Citrix License Server, TS Licensing, Active Directory, Internal DNS, DNS, Exchange, File Server.

• #4. In addition to the three appliance-based access strategies described in the remote access section above, the fourth approach eliminates the Access Gateway appliance. Smart Access entitlements are enforced exclusively through the NAV UI, and protocol entitlements are enforced with existing router or switch configurations, allowing users to communicate directly with the Advanced Access Control server. Users authenticate via a Logon Point and entitlements are enforced via the NAV interface, HTML preview, Live Edit and existing router or switch configurations.

The next section will review fault tolerance and high availability configurations.

Fault Tolerance and High Availability

Both components in Citrix’s Smart Access solution, namely an appliance and Advanced Access Control, can be configured to provide fault tolerance and high availability by utilizing hardware load balancing such as the Citrix NetScaler. Multiple Access Gateways as well as Advanced Access Control machines can be load balanced by using a virtual IP (VIP) with the appropriate DNS entries.

Citrix’s NetScaler solution offers load balancing for Access Gateway appliances and Advanced Access Control servers, as well as caching, compression, DDoS protection and TCP optimization for Advanced Access Control. The latter features allow more users to access an Advanced Access Control load balanced pair and greatly enhance the user experience by speeding up the rendering of pages up to 15x.

The following list shows the desired load balancing persistence metrics:

From Access Gateway to Advanced Access Control:

• Layer 7 LB: Cookie Hashing
• Cookie Name: LogonSessionID

From Secure Access client to Access Gateway:
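Cookie hashing on LogonSessionID means the load balancer must derive the backend from that cookie deterministically, so that every request of a logon session reaches the Advanced Access Control server holding its state. The following Python script, added here as an example and not NetScaler or Citrix code, implements that persistence for a pool of hypothetical AAC servers, falls back to the client source address for pre-logon requests that carry no cookie yet, and compares plain modulo hashing with rendezvous hashing to show how many sessions are disrupted when a pool member is removed. Rendezvous hashing goes beyond what the page describes; it is included because keeping surviving sessions in place when one AAC server is taken out of the pool is the property you want. Backend names, the header format and the sample session IDs are constructed.

```python
"""Layer 7 cookie-hash persistence between a load balancer and Advanced Access Control.

Added example, not Citrix or NetScaler code. It models what the persistence setting
above asks of the load balancer: every request carrying the same LogonSessionID
cookie must reach the same Advanced Access Control server, because the session
state behind that cookie lives on the server that created it. Backend names, the
raw-header format and the source-IP fallback are assumptions for illustration.
"""
import hashlib

BACKENDS = ["aac-web-01", "aac-web-02", "aac-web-03"]  # hypothetical AAC servers
COOKIE = "LogonSessionID"


def get_cookie(headers, name):
    """Return the value of cookie `name` from raw HTTP request headers, or None."""
    for line in headers.splitlines():
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                key, _, value = part.strip().partition("=")
                if key == name:
                    return value
    return None


def _h(text):
    """64-bit integer hash of a string (SHA-256 prefix; any stable hash would do)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")


def pick_modulo(key, pool):
    """Plain hash-mod-N: simple, but removing one server remaps most keys."""
    return pool[_h(key) % len(pool)]


def pick_rendezvous(key, pool):
    """Highest-random-weight hashing: only keys on a removed server move."""
    return max(pool, key=lambda server: _h(key + "|" + server))


def route(headers, pool, client_ip=None, picker=pick_rendezvous):
    """Choose the AAC server for one request.

    Before logon there is no LogonSessionID yet, so the source IP keeps the
    pre-logon requests of one client together; after logon the cookie wins.
    """
    key = get_cookie(headers, COOKIE) or client_ip
    if key is None:
        raise ValueError("no persistence key: neither cookie nor client IP")
    return picker(key, pool)


def moved_fraction(keys, before, after, picker):
    """Share of sessions that would land on a different server after a pool change."""
    return sum(picker(k, before) != picker(k, after) for k in keys) / len(keys)


if __name__ == "__main__":
    # Constructed request: a logged-on user with a LogonSessionID cookie.
    req = ("GET /CitrixLogonPoint/ HTTP/1.1\r\nHost: access.example\r\n"
           "Cookie: a=1; LogonSessionID=abc123\r\n")
    print(route(req, BACKENDS))
    sessions = ["sess-%04d" % i for i in range(300)]  # constructed session ids
    for picker in (pick_modulo, pick_rendezvous):
        print(picker.__name__, moved_fraction(sessions, BACKENDS, BACKENDS[:2], picker))
```

With three servers and one removed, modulo hashing moves roughly two thirds of the sessions (each moved session means a forced re-logon), while rendezvous hashing moves only the third that lived on the removed server. Whichever method the load balancer uses, it must hash the cookie value itself and not the client address once the session exists, since clients behind NAT share addresses.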


Chapter 3: Smart Access Deployment Methodology

Like any IT initiative, an access solution cannot succeed without a detailed plan, strong backing from management, and dedicated resources to manage and monitor the environment. The following chapters focus on the underlying deployment methodologies such as Business Requirements Analysis, Enterprise Security Architecture, Project Management, and System Design. Access solutions that enforce security policy are especially dependent on an up to date enterprise security architecture with comprehensive written security policies, standards, and best practices. Like other IT projects, access solutions have common fundamentals that can be taken into account to reduce engagement risk and ensure a successful deployment. My main goal is to help you meet your objectives with minimal time and investment. I hope to help you avoid unnecessary steps and shorten the decision-making and deployment time-frame by focusing on the following:

• Avoid time consuming non-value added steps
• Shorten decision making time-frame
• Identify and confirm business case
• Identify and deliver business value
• Identify and define critical steps
• Improve quality
• Reduce risks

We will break down the steps of creating an access solution plan into Business and Technical tracks. Once the initial Business Requirements Analysis (referred to in this document as a “Vision and Strategy plan”) is completed and signed off by your customer, the Technical track follows. In order to meet objectives and your time-frame, there must be strong backing from management, effective project management and communication between the Business and Technical teams. Expect close to 80% of your time-frame to fall into the business track. You know the old saying, “The technology is easy, it’s the people that take up all your time.” That means that for your project to succeed, it cannot be completely technology driven.

Organizations use technology to reach strategic objectives by facilitating secure information flow between business units, corporate departments, geographical regions, and business partners. Citrix’s access solution can play a critical role in allowing your customers to meet regulatory compliance, enforce written security policies and execute on their high-level corporate strategy.

The Project Management methodology utilized in Smart Access in a Box is made up of four phases:

• Analysis
• Design
• Proof of Concept (POC)
• Roll-out

Deployment Phases Overview

Note: Each topic will be addressed in detail in following chapters.

Analysis

The Analysis phase is also known as the “setting expectations” phase. During the process of completing each segment, you will spend the bulk of your time in meetings with your customer asking questions and setting the rules for the project.

The analysis phase will consist of Business, Technical and Design Acceptance tracks. The first part is the Business track and the creation of a Vision and Strategy Plan. Once this is completed and accepted by your customer, we proceed to the Technical track and then on to the design acceptance track.

Before we even consider the technical and design phases, we must first analyze the customer’s enterprise security architecture to determine if it needs to be updated or created. Once the enterprise security architecture analysis is available, we can map the customer’s written policies to business and technical requirements.

Following these steps will eliminate a great deal of uncertainty and engagement risk.

Analysis phase (Business and Technical)

Business

Creating a vision and strategy plan that encompasses business needs is the critical first step required for a successful implementation. The following list shows the areas of focus.

• Identify Business requirements
• Identify Compliance requirements
• Identify Data classifications
• Identify and classify user communities
• Identify Functional requirements
• Identify user roll-out and migration strategy

Technical

updated or created. The enterprise security architecture is used to map written policies to business and technical requirements. We need to define the customer’s technical requirements based upon their business needs, and the enterprise security architecture provides this direction.

The following list highlights the technology assessment’s focus.

• Enterprise Security Architecture Review
• Access criteria
o LAN, WAN, Remote and Wireless
o Business to Employee
o Business to Business
• User and application authentication mechanisms
o Directory Service (Active Directory or LDAP)
o 3rd Party Authentication (Secure Computing, RSA, RADIUS)
o Web Application authentication types
o Legacy Application authentication types
o Single Sign-on / pass-through authentication
• High availability and fault tolerance / load balancing
• Information services (aggregation and presentation)
o Client server applications, email, Terminal Emulation, etc.
o Citrix Presentation Server services
o File Server resources
o Web applications
o Telnet, SSH, X, RDP, etc.
• Create a Smart Access Policy Matrix to map policies and entitlements to user communities
• Select user interfaces, i.e. NAV interface or 3rd party portal such as Windows SharePoint Portal Server
• Branding (look and feel)

Once this information is captured, it may be necessary to update the enterprise security architecture schematic (e.g. Visio diagrams) to get a conceptual view of all of the components in the security system. The next step is to create a Smart Access Policy Matrix, which is used to configure Smart Access policies.
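A Smart Access Policy Matrix is essentially a decision table: user community by endpoint analysis result by entitlement. The following Python evaluator, added here as an illustration and not Citrix code or the Access Suite Console’s policy format, shows one way to write that matrix down and test it before configuring policies. Its communities, scan conditions and rule rows are constructed; the one constraint taken from the text is that the non-administrative client install cannot deliver UDP soft phone or SMB file access, so the evaluator caps what policy grants by what the installed client can deliver, and a community with no row in the matrix gets nothing.

```python
"""Smart Access policy matrix evaluator.

Added example, not Citrix code or the Access Suite Console policy format. It shows
the shape of the matrix the text asks for: each user community gets entitlements
that depend on the pass/fail result of endpoint analysis scans, and the client
install on the device caps what can actually be delivered (the text notes that the
non-administrative client install loses UDP soft phone and SMB file access). The
communities, scan names and rules below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    domain_member: bool   # endpoint analysis: machine is joined to the corporate domain
    av_running: bool      # endpoint analysis: anti-virus scan passed
    client_install: str   # "admin", "non-admin" (Secure Access client) or "none" (browser only)


# Entitlements, named after the access modes described in the text.
WEB_PROXY = "web_proxy"          # web applications through URL rewriting
HTML_PREVIEW = "html_preview"    # documents rendered to HTML, original stays inside
FILE_DOWNLOAD = "file_download"  # web-based file share access
LIVE_EDIT = "live_edit"
FULL_VPN = "full_vpn"            # Secure Access client network access
SMB_FILES = "smb_files"          # mapped drives over the client
SOFTPHONE = "softphone"          # UDP VoIP over the client
ALL = {WEB_PROXY, HTML_PREVIEW, FILE_DOWNLOAD, LIVE_EDIT, FULL_VPN, SMB_FILES, SOFTPHONE}

# Scan conditions the matrix can reference (pass/fail, as the text describes).
CONDITIONS = {
    "any": lambda e: True,
    "managed": lambda e: e.domain_member and e.av_running,
}

# The policy matrix: (community, condition, entitlements granted when it holds).
# Deny by default: a community with no row gets nothing.
MATRIX = [
    ("employees", "any", {WEB_PROXY, HTML_PREVIEW}),
    ("employees", "managed", {FILE_DOWNLOAD, LIVE_EDIT, FULL_VPN, SMB_FILES, SOFTPHONE}),
    ("partners", "any", {WEB_PROXY, HTML_PREVIEW}),
    ("partners", "managed", {FILE_DOWNLOAD}),
]

# What each client install can deliver, regardless of what policy grants.
CLIENT_CAPS = {
    "admin": ALL,
    "non-admin": ALL - {SMB_FILES, SOFTPHONE},
    "none": {WEB_PROXY, HTML_PREVIEW, FILE_DOWNLOAD, LIVE_EDIT},
}


def evaluate(communities, endpoint):
    """Entitlements for a user in `communities` connecting from `endpoint`."""
    granted = set()
    for community, condition, entitlements in MATRIX:
        if community in communities and CONDITIONS[condition](endpoint):
            granted |= entitlements
    return granted & CLIENT_CAPS[endpoint.client_install]


def explain(communities, endpoint):
    """Per-entitlement decision record, useful when building the decision tree matrix."""
    record = {}
    for community, condition, entitlements in MATRIX:
        if community not in communities:
            continue
        passed = CONDITIONS[condition](endpoint)
        for ent in entitlements:
            if not passed:
                record[ent] = "denied: scan condition '%s' failed" % condition
            elif ent not in CLIENT_CAPS[endpoint.client_install]:
                record[ent] = "denied: %s client install cannot deliver it" % endpoint.client_install
            else:
                record[ent] = "granted via %s/%s" % (community, condition)
    return record


if __name__ == "__main__":
    for label, ep in [("managed laptop, admin client", Endpoint(True, True, "admin")),
                      ("home PC, non-admin client", Endpoint(False, True, "non-admin")),
                      ("kiosk browser", Endpoint(False, False, "none"))]:
        print(label, sorted(evaluate({"employees"}, ep)))
```

The useful habit this encourages is to keep the matrix as data that can be reviewed and unit tested against the user communities and endpoint states from the business analysis, and to add a row only when a written policy justifies it.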

Design Acceptance

In a Proof of Concept (POC), you create a test environment to prove to your customer and yourself that a Citrix access solution is able to meet the vision set forth.

The following list details the POC process:

• Create both a Smart Access Policy and a Decision tree matrix
• Install and configure the access farm
• Offer a limited pilot
• Query users about performance, content, look and feel
• Monitor firewall, Access Gateway, Advanced Access Control, and resource utilization during the POC to determine baselines
• Implement change management and modify the infrastructure to suit needs

Infrastructure Assessment (4 parts)

Infrastructure assessments are one of the most overlooked sections of a successful project, but they are one of the most important steps necessary to mitigate risk. A Citrix access solution can enhance the environment in which it is deployed. However, if you place an access farm in an insecure, poorly designed network, you will experience challenges. Conversely, if you prepare your environment and deploy to a network that is set-up properly, your customer will love the outcome, and you will be a rock star! The following list shows the areas of focus for an infrastructure assessment:

• Hardware requirements
• Network architecture
• Firewall, router and switch configurations
• Authentication mechanisms
• Encryption
• Desktop environment

• Change control environment

Roll-out phase

1. Roll-out services (two phases, 20/80%)

2. Maintain, adjust user environment

3. Build out new capabilities

Note: During the first months of an implementation, there should be ongoing discussions between management, security and network administrators, and end users to encourage and assist in meeting business requirements.

At the end of each phase, you can present your customer with a deliverable that signifies the completion of the phase. The checkpoints at the end of each phase also act as an opportunity for you to compare your plan against what you have completed and to verify that you are still on track with the original project plan. At this point, you might need to add or subtract items. It is important to measure your progress and not just blow through each of the checkpoints. If you make a change to the plan, you should present the change and the revised plan to the customer for sign off.

Note: The project examples found throughout this document represent a specific deployment in a specific organization; in other words, they cannot be applied directly to other IT environments. It is important to remember that your projects will differ from deployment to deployment and you will need to take what you learn in this document and adapt it to your future projects.

The following sections will review the business and technical analysis tracks. The business track will highlight a vision and strategy plan and the technical track will focus on enterprise security architecture.

Part 1: Business Analysis Phase, Vision and Strategy Planning

Creating a vision and strategy plan that encompasses an organization’s business and technical needs is critical for a successful access implementation. A vision and strategy plan is the first step on the road to a successful Smart Access deployment.

Here is a high-level list of the “big picture” items which need to be identified, examined and planned for in a vision and strategy plan:

• Identify Business requirements
• Identify Compliance requirements
• Identify Data classifications
• Identify Functional requirements
• Identify and classify user communities
• Identify user community entitlements
• Identify user roll-out and migration strategy

Once the big picture has been defined, establish objectives for the infrastructure that are measurable and achievable. Include such items as:

• Problems to be solved, e.g. enforce written security policy, compliance issues, etc.
• Information access and entitlements, clearly mapped
• Integration points
• Expected tangible and intangible benefits

The following questions and issues related to the high-level work plan for the project should be considered:

• Is there an enterprise security architecture?
• Has a vision and strategy plan been developed?
• Does the vision and strategy plan include all major phases, such as integration and implementation?

• How realistic is the plan?

Projects that do not start with a detailed vision and strategy plan usually fade away. Like any information system deployment, an access solution project cannot succeed without a detailed plan, strong backing from management, and dedicated resources. The following sections address these points in greater detail and explain how to mold them into your project plan.

Part 2: Technical Analysis Phase, Enterprise Security Architecture

Citrix’s Access Suite is part of an organization’s security system and will be an integral part of its enterprise security architecture. Enterprise security architecture is a field unto itself, and detailed instructions on how to create one are beyond the scope of Smart Access in a Box. Our goal in this chapter is to show how organizations design security systems and how Smart Access fits within the design. The goal of enterprise security architecture is to ensure the confidentiality, integrity, and availability of information systems while supporting corporate business objectives. Organizations develop enterprise security architecture to present a conceptual design of their network security infrastructure, related security systems and security policies. Enterprise security architecture is used as a guideline in making strategic, architectural security decisions that tie together all of the components in a security system such as Citrix’s Access Suite and Smart Access. Understanding how Citrix’s Access Suite and Smart Access fit within the security system will assist in developing an effective enterprise security architecture, using policies to describe high level business processes, information flows among these processes, and security rules associated with the

The next table shows some of the high level elements of enterprise security architecture and how they affect Citrix’s Access Suite and Smart Access.

Elements of ESA – Explanation

Written Policy – Written policies are the rules that define acceptable behavior of employees, system and security administrators, and also clearly define the consequences of policy violation. Written policies, standards and guidelines are used to configure and support Smart Access components and supporting systems.

Security Domains – Security domains separate an enterprise network into logical, isolated entities such as user, transport and data domains. Each security domain uses a specific enterprise security policy.

Data Classifications – Data classification into categories such as public, private and secret is necessary to identify the information’s value. Once the value is determined, the appropriate security measures can be implemented.

Tiered Networks – A tiered network model allows organizations to physically partition an enterprise network.

Application Infrastructure – An organization’s application infrastructure consists of all of the applications their end users access.

specific best practices and, unlike standards, which are compulsory, guidelines are recommendations. Standards and guidelines are used to configure and support components within the security infrastructure, including Smart Access components. The next image shows the policy infrastructure.

A policy infrastructure gives organizations a way to communicate management's goals, define high level business processes, ensure that information flows securely among these processes, and provide detailed written procedures for employees to follow. Policies sit at the top of the policy infrastructure, communicating high level concepts that explain in general terms what needs to be protected. Standards are the middle tier of the policy infrastructure and are derived from policies; they define system-specific or procedure-specific requirements. Guidelines sit at the bottom of the policy infrastructure and are best practices that can be system specific or procedure specific. Policies, standards and guidelines are used as instructions to configure and support components within a security infrastructure, including Citrix's Smart Access components.

Smart Access in a Box will provide policies, standards and guideline templates to assist with the design and successful deployment of a Smart Access solution. These templates can also be utilized to assist organizations with IT compliance such as Sarbanes-Oxley. This section will review three policies which allow organizations to educate and instruct employees on acceptable system usage, behavior and information security.

The three policy examples that we will discuss are:

• Information Security (InfoSec) Acceptable Use Policy
• Information Sensitivity Policy
• Extranet Policy

Source: SANS Institute - Security Policy Project

InfoSec Acceptable Use Policy

1.0 Overview

InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to <Company Name>'s established culture of openness, trust and integrity. InfoSec is committed to protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of <Company Name>. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every <Company Name> employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>. These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes <Company Name> to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company Name>, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by <Company Name>.

4.0 Policy

4.1 General Use and Ownership

1. While <Company Name>'s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of <Company Name>. Because of the need to protect <Company Name>'s network, management cannot guarantee the confidentiality of information stored on any network device belonging to <Company Name>.

2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsibl
