cryptzone.com
CRYPTZONE — WHITE PAPER
Does your Citrix or Terminal Server environment have an Achilles heel?
Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access
Table of Contents
Executive Summary
The Popularity of Virtual Desktops
The Inherent Security Risks of Multi-User Desktop Environments
More Security is Needed
Moving Away from IP-centric to Role-based Access Controls
The Popularity of Virtual Desktops
Many enterprises have chosen to virtualize their corporate desktop environments either using Citrix’s XenDesktop™ and XenApp™ solutions or Terminal Servers. These are Windows-based multi-user systems, which are used to present corporate applications to employees in a secure and controlled environment. The technology is a real business asset, great for presenting applications or a desktop to any user from almost any device and any location.
There are multiple use cases for these systems including remote access, as jump servers connected to secure networks, or as access to privileged applications and resources. They also allow an organization to greatly reduce its need to manage employee devices, and are designed to increase application response without data leaving the corporate network. Many of these benefits are derived from being able to place the virtual desktops on hardware that is within the datacenter.
The Inherent Security Risks of Multi-User Desktop Environments
This ‘virtual’ placement of client desktops inside the datacenter also results in many security concerns. Citrix has published a white paper [1] detailing many of the risks inherent in environments with multi-user desktops and virtual desktop infrastructure (VDI). These include remote access to the virtualized desktop environment, the proliferation of unmanaged personal devices used to connect to that environment, the access that virtual desktop users have to downstream network resources, and the concentration of corporate resources onto a few virtual hosts rather than being distributed among multiple user workstations. To counteract these vulnerabilities, Citrix recommends utilizing their NetScaler™ appliance as shown in Figure 1.
Figure 1 [2]
[1] http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/securing-virtual-desktops-infrastructure-with-citrix-netscaler.pdf?accessmode=direct
[2] Cryptzone representation of NetScaler use
Executive Summary
Citrix and Terminal Servers provide highly valuable functionality for session-based access, but to date have had an Achilles heel when it comes to privileged account management across multiple users.
Citrix and Terminal Servers allow multiple virtual desktops to share a single hardware resource. This grants several benefits, but also causes additional security concerns not typically found in traditional distributed desktop environments. Citrix and others have primarily focused on securing user access to the virtual desktop infrastructure, but not enough attention has been paid toward securing access to the datacenter applications these users utilize.
This white paper will highlight the information security risks inherent in all multi-user virtual desktop solutions, and offer a better way to secure access using a ‘zero trust’ security methodology.
[Figure 1 diagram labels: Citrix Users; Virtual Desktop Infrastructure; Data Centers; Firewall; Servers; NetScaler (SSL, WAN); Internal 192.###.###.100; External 185.###.###.100]
Most security solutions, such as Citrix’s NetScaler, focus on securing access to the multi-user desktop itself. With this product or using similar solutions, an organization can address several important concerns in this area including:
• External Network Firewall - Blocks external users or attackers from accessing datacenter resources, including the virtual desktop infrastructure and multi-user desktop systems.
• Intrusion Detection/Prevention - Monitors application data entering and leaving the datacenter. When malicious traffic is identified by comparing it to known attack signatures, the intrusion prevention system (IPS) drops the connection and/or logs the event.
• Secure Remote Access - An SSL-VPN server provides access control and a secure encrypted tunnel for connections. This allows only authenticated users on authorized, compliant devices to connect to desktop resources.
An often less addressed area is securing access from the multi-user desktop to datacenter applications and resources. The challenge is that all traffic using the Citrix/Terminal Server is seen on the network as coming from a single IP address, sometimes representing dozens of users. Using VDI to give each individual a complete virtual desktop system rather than publishing multiple user spaces on a single OS Kernel space is a costly alternative that only addresses a small portion of the issue. Network-layer IP-centric access controls do not take the actual user into account. For a traditional firewall, this means that an access rule is needed to allow the server to access every resource that any user on that server could need. In the case of VDI desktop pools it means preassigning each individual user’s IP address in a predictable way. In practice, these access rules can often become a “permit all” for the Citrix/Terminal Server multi-user desktop or VDI environment IP address pools.
More Security is Needed
The new threat landscape we now live in requires us to consider the security implications of compromised accounts and machines far more than in the past. The threat of a Citrix server being compromised either by malware or a malicious user exploiting vulnerabilities in the system is too dangerous to be ignored. A single successful attack now has the potential to impact a substantial number of critical applications.
For example, there have been a number of reported break-ins where compromised credentials allowed access to a terminal server that was acting as a ‘jump box’. This terminal server access provided the opening that attackers required to establish unimpeded access to retail POS systems. This single compromised account led to countless credit card details and customer records being stolen. In today’s evolving threat landscape new vulnerabilities are constantly being discovered in operating systems, and Citrix and Microsoft both stress the need to always install their latest security updates. However, this process of enumerating ‘bad’ behavior is limited to a reactive approach to security. New malware and attack vectors are always being developed, and a compromised Citrix server with access to secure network areas can be used as a launching point for a serious attack.
The reason that attacks like this are successful is because controlling a user’s access to their desktop and/or applications is just one side of the equation. In order to truly protect corporate data and resources there also needs to be tight user-based controls around network access from virtual desktops.
Moving Away from IP-centric to Role-based Access Controls
To solve this problem, enterprises need to move away from IP-centric architectures to a role-based security model that maintains the distinction between individual users connecting through a Citrix or Windows Terminal Server, then provisions access on the network and application level depending on those users’ roles and attributes. Cryptzone’s AppGate® can deliver this functionality by replacing Discretionary Access Control (DAC) devices like traditional and next generation firewall systems with a fully context-aware, user- and session-specific dynamic application firewall.
By placing the AppGate Security Server between the VDI and multi-user desktop environment and the rest of the corporate datacenter, this access can be securely controlled (see Figure 2). Unlike traditional firewalls, AppGate is able to dynamically enforce access on a per-user basis, even when those users share the same physical host. It accomplishes this using Cryptzone’s patented methodology that uniquely identifies each virtual desktop’s traffic on the network on a per-user-session basis.
Figure 2
[Figure 2 diagram labels: Citrix Users & Virtual Desktop Infrastructure; User A (Internal, 192.###.###.100) and User B (External, 185.###.###.100, via NetScaler SSL); Cryptzone AppGate tunneling driver on each desktop; User traffic isolated for individualized policy treatment; AppGate cluster; Data Centers with a walled-garden policy engine and per-user ACLs (ACL User “A”, ACL User “B”) evaluated on user account groups and attributes, device attributes, posture and context; secure micro-segments]
In Figure 2 above the AppGate cluster (appliance or VM) is placed between the Citrix/Terminal Server farm and any area of the network that needs a higher degree of security. Two users are connected to the same virtual desktop server: User A from an internal network and User B through an external SSL VPN. The AppGate server provides an individual user-specific policy for controlling access to the network-connected resources in the data center. When either needs to access a secured datacenter resource, they launch the AppGate client and connect to the AppGate server using a five-layer security model:
• Encryption - Always assume that unauthorized users are able to intercept communication, regardless of whether services are accessed internally or remotely. All communication between the AppGate client running on the virtual desktop and the AppGate server is strongly encrypted using one of several configurable methods.
• Authentication - Strong user authentication is the first step in gaining authorized access to applications, services and data — essential for information security and risk mitigation. The user is prompted for authentication credentials including one or multiple chained authentication methods such as Active Directory, RADIUS, RSA, or built-in options like Cryptzone’s OTP.
• Session Authorization - In an environment where users can access information from different types of devices in a wide array of locations, advanced authorization methods must include the ability to capture the posture and context of each session. Once credentials are authenticated, the AppGate server examines contextual data such as client posture information (anti-virus (AV) version, corporate watermarks, etc.), time of day, geographic location, and more.
• Policy Enforcement - Each transaction must be evaluated against security policies to determine which resources should be made available to a specific user, on a specific device, in a specific environment. Account information gathered from the authentication source and contextual data gathered during the authorization phase are used to determine what services, applications and resources are presented to the user. Access rules are then dynamically created when the user accesses a resource, and are torn down once the user disconnects from that resource. In this way there are never any permanent ‘permit all’ style access rules to be exploited by attackers. This also prevents any potential attacker from scanning the datacenter to determine what IP addresses and ports are available to exploit.
• Global Audit and Logging - All session activity is recorded in an enforceable manner to assist with both investigations and compliance reporting. All user access must be systematically logged and accurately tracked to support on-demand security reporting and auditing for compliance.
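The core problem this paper describes (every user on a shared Citrix/Terminal Server host presents the same source IP, so an IP-centric firewall must permit the union of everyone's needs) and the per-session policy, dynamic rule lifecycle and per-user audit described in the five layers above can be shown side by side in a small model. The following is an added example written for this page; it is not Cryptzone's or Citrix's code and does not reproduce AppGate's implementation. The host address, users, roles, resources, business-hours window and posture check are all constructed for illustration.

```python
# Added example (not Cryptzone's or Citrix's code): a toy policy engine that
# contrasts an IP-centric firewall rule set with per-user, context-aware
# decisions for two users whose sessions share one Terminal Server host IP.
# Every address, user, role and resource below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SHARED_HOST_IP = "10.0.5.100"  # assumed address of the Citrix/Terminal Server farm

# Role -> resources that role is entitled to reach (constructed policy).
ROLE_POLICY: Dict[str, Set[str]] = {
    "retail-ops": {"pos-db", "file-srv"},
    "hr": {"hr-app", "file-srv"},
}


@dataclass(frozen=True)
class Session:
    """One authenticated user session plus the context captured at authorization."""
    user: str
    roles: frozenset
    src_ip: str        # as seen on the wire: identical for everyone on the host
    av_current: bool   # client posture: anti-virus up to date
    hour: int          # local hour of day, 0-23


def entitlements(session: Session) -> Set[str]:
    """Resources the session's roles collectively permit."""
    return set().union(*(ROLE_POLICY.get(r, set()) for r in session.roles))


def ip_centric_rules(sessions: List[Session]) -> Dict[str, Set[str]]:
    """What a source-IP firewall must permit so that every user on a shared
    host can work: the union of all their entitlements, keyed on the host IP."""
    rules: Dict[str, Set[str]] = {}
    for s in sessions:
        rules.setdefault(s.src_ip, set()).update(entitlements(s))
    return rules


def ip_centric_decision(rules: Dict[str, Set[str]], src_ip: str, resource: str) -> bool:
    """An IP-centric firewall cannot tell which user is behind the packet."""
    return resource in rules.get(src_ip, set())


def role_based_decision(session: Session, resource: str, audit: List[str]) -> bool:
    """Per-session decision on identity, role, posture and time; the source IP
    plays no part. Every decision is appended to the audit trail with the user."""
    reasons = []
    if resource not in entitlements(session):
        reasons.append("role")
    if not session.av_current:
        reasons.append("posture")
    if not 7 <= session.hour < 20:  # assumed business-hours window
        reasons.append("time")
    allowed = not reasons
    audit.append(f"user={session.user} src={session.src_ip} resource={resource} "
                 f"decision={'ALLOW' if allowed else 'DENY'} "
                 f"reasons={','.join(reasons) or '-'}")
    return allowed


class DynamicRuleTable:
    """Rules exist only while a user is connected to a resource: created on a
    successful connect, torn down on disconnect, so nothing is left open."""

    def __init__(self) -> None:
        self.active: Set[Tuple[str, str]] = set()

    def connect(self, session: Session, resource: str, audit: List[str]) -> bool:
        if role_based_decision(session, resource, audit):
            self.active.add((session.user, resource))
            return True
        return False

    def disconnect(self, session: Session, resource: str) -> None:
        self.active.discard((session.user, resource))


# Constructed sessions: User A (internal) and User B (via SSL VPN) both ride the same host IP.
USER_A = Session("alice", frozenset({"retail-ops"}), SHARED_HOST_IP, av_current=True, hour=10)
USER_B = Session("bob", frozenset({"hr"}), SHARED_HOST_IP, av_current=True, hour=10)


def run_demo() -> Tuple[bool, bool, bool, int]:
    """Returns (IP-centric allows B->pos-db, role-based allows A->pos-db,
    role-based allows B->pos-db, rules still active after A disconnects)."""
    fw = ip_centric_rules([USER_A, USER_B])
    ip_allows_b = ip_centric_decision(fw, SHARED_HOST_IP, "pos-db")
    audit: List[str] = []
    table = DynamicRuleTable()
    a_ok = table.connect(USER_A, "pos-db", audit)
    b_ok = table.connect(USER_B, "pos-db", audit)
    table.disconnect(USER_A, "pos-db")
    for line in audit:
        print(line)
    return ip_allows_b, a_ok, b_ok, len(table.active)


if __name__ == "__main__":
    print(run_demo())
```

Running the module shows the contrast the paper draws: the IP-centric table has to grant the shared host access to the POS database because User A needs it, so User B's packets to it are also permitted, while the per-session policy denies User B on role grounds and records each decision against a named user rather than an address. Once User A disconnects, the dynamic rule table is empty, which is the "no permanent permit-all rule" property described under Policy Enforcement.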
Conclusion
Multi-user and virtual desktop infrastructures like Citrix’s XenDesktop and XenApp solutions or Terminal Server offer too many tangible benefits to be ignored, but they also come with several security concerns. Securing Citrix user access requires more than just authenticating a user before they access their desktop.
With AppGate, an organization is in a much better position to defend against cyber attacks than if its Citrix and Terminal Server users were represented by a single IP address. It can provision access to network resources and applications based on what an individual needs to do their job, rather than everybody who uses the same server. AppGate can also produce better security alerts - and meet compliance objectives - via the ability to trace activity back to a single user.
About Cryptzone
Cryptzone secures the enterprise with dynamic, identity-driven security solutions that protect critical services, applications and content from internal and external threats. For over a decade, enterprises have turned to Cryptzone to galvanize their Cloud and network security with responsive protection and access intelligence. More than 750 public sector and enterprise customers, including some of the leading names in technology, manufacturing and consumer products, trust Cryptzone to keep their data and applications secure. For more information go to www.cryptzone.com or follow us @Cryptzone.
Copyright © 2015 Cryptzone North America Inc. All rights reserved. Cryptzone, The Cryptzone Logo and AppGate are trademarks of Cryptzone North America Inc., or its affiliates. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other product names mentioned herein are trademarks of their respective owners.