Elements of a Secure Access Solution The Secure Citrix Virtual Workplace Securing Remote Access using CSG 1.0 Security with Server Based Computing and MetaFrame XP

(1)

Solutions in Security

Securing Remote Access to the

(2)

Workplace Solutions

Secure Centralized Business Solutions

Following September 11 attacks as reported by reuters:

“This tragedy and others have brought home that the

security of systems, applications, and data is a very

serious issue.”

“The need before this tragedy was cost. Now, the issue

is security, which will lead to an architecture that has far

more concentration of data, processing, and applications

in secure servers, and much more lightweight, protected

access devices.”

Louis Gerstner

(3)

Virtual Workplace Solutions

Agenda

Elements of a Secure Access Solution

The Secure Citrix Virtual Workplace

Securing Remote Access using CSG 1.0

(4)

(5)

Elements of Secure Remote Access

Secure Remote Access consists of:

• Encryption

• Authentication

• Access Control

• Traffic Management

(6)

Elements of Secure Remote Access

Encryption

• Scrambles data so that only those who have the key to read the information are able to decode the message

• Keys are protected through a key management system

• Public Key Infrastructures (PKIs)

 _{Essential to solutions utilizing digital certificates}

 As solution grows in complexity and size, number of keys to be

(7)

Authentication

• Process of verifying that the sender is actually who he/she says they are

• Various authentication methods are available

 Traditional username/password authentication

 RADIUS or TACACS/TACACS+ servers, LDAP-compliant directory

servers

 X.509 digital certificates

 two-factor schemes ( hardware tokens and smart cards)

(8)

Access Control and Management

• Secure Connectivity without access control only protects communications — not your network

• Dictates the amount of freedom a connected user has

• Protects the components of the network

 Intellectual property

 Information Services

 _Applications

• Ensure that users have full access to what they need, but nothing more

(9)

Traffic Control

• Network congestion can adversely affect performance

• Solution benefits will not be fully realized if users suffer from:

 poor response times

 gateway crashes

 _{other network delays or failures}

• Guarantee reliability and Quality of Service

• Enable managers to define policies that actively allocate bandwidth traffic based on relative merit or importance

• Ensure performance of mission-critical applications without “starving” lower priority applications

(10)

Enterprise Management

•

Ability to manage increasing complexity is crucial.

•

Imperative that the remote access can be managed from the

same integrated console as the rest of the organization's

security elements.

•

“Extended Enterprise” has increased the number of

applications, users, and IP addresses in use across many

organizations.

•

A true enterprise secure remote access solution must be

able work across multiple platforms in order to be effective.

(11)

Secure Access Solution

(12)

Citrix Systems…

Who are we?

• We are the application access and deployment company

• We provide application deployment solutions for today’s web and

wireless world

• We provide security solutions for your extranet and internet access

• We provide centralized application and information access solutions

to help make your business more productive

(13)

What is the Virtual Workplace?

The Virtual Workplace is…

• Having access to all of the information you want and need in order to do your job

• Getting that information to come to you, rather than having to go out and find it

• Having access to any applications and tools necessary to manipulate that information

• Having secure access to corporate resources from any computer, anywhere, regardless of your bandwidth, hardware, network

connection, or operating system

(14)

Citrix Product Overview

Citrix MetaFrame™ XP

• Server-based computing solution that delivers an application interface over any network to any device.

Citrix NFuse™ Technology

• Application portal technology. Seamlessly

integrate any application within any standard web browser.

Citrix Secure Gateway

(15)

Components of the Secure Virtual Workplace

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Citrix Secure Gateway

Citrix NFuse 1.6 Technology ICA and SSL

Secure Connectivity Authentication Access Mgmt.

Other Network Resources such as Databases, Messaging Services, File Shares, Data Warehouse

(16)

ICA Solutions

(17)

Security with Citrix Secure Gateway

Remote and Mobile Users, Branch Offices, Partners,

Suppliers, etc.

https://vwp.mycompany.com (Internet based DNS Load Balancing)

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Citrix Secure Gateway

Back-end Network Resources Secure Ticket Authority Local Users

F

ir

ew

al

l

Citrix Secure Gateway

Secure Connectivity Authentication Access Mgmt.

(18)

Encryption and Connectivity

• Secures ICA Traffic only

• SSL v3.0 with 128-bit encryption

• Support for Public Key Infrastructure (PKIs)

• Single IP address is exposed to internet

• Ease of firewall traversal (uses port 443 only)

Security with Citrix Secure Gateway

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

Back-end Network Resources

(19)

Authentication

• Single sign-on through a browser-based solution

• Authentication provided by NFuse Web portal

 Microsoft NT Domain and Active Directory

 Novell NDS

• Support for Public Key Infrastructure (PKI)

• Authentication process is further secured using an HTTPS configured NFuse Web server

• RSA and Smart Card Authentication solutions supported

Security with Citrix Secure Gateway

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

(20)

Access Control and Management

• Protects ICA Traffic only

• Provides Access control to chosen MetaFrame XP servers

• MetaFrame XP provides User and Group based Application Access Control and Management

 Citrix Management Console used to control MetaFrame Server Farm

 IP Range controls let administrators control which IP addresses can

access published applications

 Users on external IP addresses can have limited application sets

Security with Citrix Secure Gateway

F

ir

ew

al

l

Citrix MetaFrame XP w/ Feature Release 1

(21)

Traffic Control

• Configurable device mapping

 Control mapping features that are available to users of ICA

 Mapping includes Hard Drives, Printers, Audio, Clipboard, Audio, and COM

ports

 _{Limiting availability eliminates bandwidth usage from components}

 Limiting mapping also increases security

 Users cannot cut and paste, save files remotely, or print company owned data

• ICA Session Monitoring

 _{Monitor ICA protocol use by Virtual Channel}

 Monitor size of packet and type of data (print, display, clipboard, etc.)

• ICA Priority Packet Tagging

 Provides support for 3rd_{Party QoS solutions}

 Cisco QoS and Packeteer Packet Shaper

(22)

Enterprise Management

• Citrix Secure Gateway is highly scalable and provides support for redundant solutions such as DNS-based Load Balancing

• MetaFrame XPe and the IMA architecture scales to 1000+ servers and tens of thousands of users

• Citrix Management Console provides management for application availability and access control

 _{Load Management}

 _{Network Management integrates to Enterprise Management tools}

from such as HP Openview, CA Unicenter, and Tivoli Netview

 _{System Monitoring and Analysis provides usage monitoring,}

trending, and accounting capabilities

 _{Application Packaging and Delivery to MetaFrame Servers}

• MetaFrame is also available for UNIX on Sun Solaris, HPUX and IBM AIX

• Supported ICA Clients available for all Windows platforms as well as Pocket PC, Unix, and Mac

(23)

Security with Citrix Secure Gateway

Availability

•

Product will be available in December

 Download from secure portal

 Subscription Advantage Customers Only

_{MetaFrame XP}

_{MetaFrame for Unix}

 Cannot be purchased separately

•

Technical Preview is currently available

 Download from Citrix Developer Network

_{Register at apps.citrix.com/cdn}

_{Preview available at apps.citrix.com/cdn/snowy}  Accompanying documentation located here as well

(24)

Server Based

Computing

(25)

Server Based Computing for Security

Server Based Computing is like a window to your

house -

You decide how big the windows is, You decide

what’s in the house, You decide how many windows you want

to have

• Application Access Management – Not just network resource control • Secure Run-time Environment – Not just the connection, but the

applications and functions that can be accessed over that connection • Single Point of Universal Anywhere Access

• Complete End-to-End Control

(26)

Server Based Computing for Security

Application Access Management

– Users run only the

applications that

you

want, the way

you

want to run them

• Users can look, but they can’t touch

 You control whether the user can

 Cut & Paste

_{Save information to a local hard drive}

 Print information to hard copy

 Send information to attached devices (serial devices like PDA’s)

 You decide which features are available

 Back-end data can be secured using OS Security

_{Only install the features that you want to make available}

 Only publish the applications that you want your users to have

(27)

Server Based Computing for Security

Single Point of Universal Anywhere Access

• Remote access can be achieved from any class or type of device

• Users go to a web site and:

1. Logon for secure connection

2. Automatically receive a client download (if necessary)

3. Access only the applications and information you make available

F

ir

ew

al

l

Citrix CSG

Web Server w/ Citrix NFuse 1.6 Technology Encrypted

Traffic

(28)

Server Based Computing for Security

Complete End-to-End Control -

All Management tools

necessary to manage the entire Application Computing

Environment are under you control and within your reach

 Remote Access tools for connection security

 Citrix Management Console to manage application availability

 _{OS and Network Enterprise Management for user and network security}

• The entire user environment is contained behind your firewall from interface to information

Secure Connection and Auth. Citrix CSG Secure Access Point Web Portal, NFuse Application Access Mgmt. Citrix MetaFrame Operating System Security Win2K Security Network Security Firewalls, Physical Separation Resource Security Combo of OS and Network

(29)

Server Based Computing for Security

Intranet AND Remote Access Solution in one

• Secure Remote Access Solutions from Citrix:

 Secure Intranet and Remote Users

 Can be used an an everyday enterprise networking and access

solution • Benefit

 Every day users access their applications by

 Accessing an internal web site _{e.g. - www.myvirtualdesktop.net}

 _{If remote access needs arise or In the event of a disaster}

 Users access a similar external web site  e.g - www.virtualdesktop.mycompany.com

 They are now productive and working in the same environment with

(30)

MetaFrame XP

• MetaFrame XP Supports Authentication to

 Microsoft NT and Active Directory

 Novell NDS

• Program Neighborhood allows added access management

 _{MetaFrame will control which applications are accessible}

 Centralized architecture allows complete control of users computing

environment, regardless of device, OS, connection, etc

 Administrators can prevent users from copy and pasting, saving

files, or printing company data • Traffic Monitoring and Management

 Third Party products from Cisco and Packeteer for QoS

 ICA Traffic Monitoring provided in MetaFrame XPa/e

 Device mapping management

(31)

MetaFrame XPe

• Enterprise Management

 System Monitoring and Analysis  Application Packaging and Delivery

_{Installs applications, hotfixes, and service packs on Servers}

_{Supports MSI packages}

 Supports scheduled installation and auto server reboot

 Network Management _{SNMP alert support}

₃rd_{party support - HP Openview, CA Unicenter, Tivoli Netview}

(32)

Value-Add of NFuse Web portal

• SSL support is provided by MetaFrame XP

• Authentication

 Microsoft and Novell methods supported

 Ticket style authentication can be used in conjunction with user name

and password to secure credentials

• Access Management takes place at the MetaFrame server

 Utilizes Program Neighborhood

 Unified aggregation point for applications and information

• Enterprise Features

 Runs in a web browser and is accessible from anywhere

 Plugs directly into Enterprise Portal

 Provides support for flexible business continuity solutions

 Automatic Citrix ICA client installation

(33)

Secure Remote Access with Citrix Solutions

Summary:

•

Citrix Solutions provide the:

 Encryption

 Authentication

 Access Control

 _{Traffic Management}

 Enterprise Class Features and Scalability

•

Required to secure

 Workforce Mobility

 Business Continuity Solutions

(34)