Protecting Citrix Applications
Agenda
•
Introduction - 5 min
• Objectives, Agenda & team intros
•
Product overview – 15 min
• Overview, products, customers
• SafeWord for Citrix MetaFrame
•
Technical Session – 25 min
• Architecture, Requirements
• Demonstration, Q&A
•
Wrap-up – 15 min
Product Team
•
Larry Ritter
Consultant
larry.ritter@att.net
•
Willy Leichter
Director, Product Marketing
willy_leichter@securecomputing.com
•
Tony Chimienti
Product Manager
tony_chimienti@securecomputing.com
•
Sandler Rubin
Secure Computing’s products
•
SafeWord™ PremierAccess™
•
Industry leading strong authentication product
•
Used by thousands of enterprises worldwide
•
Sidewinder™
•
World’s strong firewall and VPN gateway—
never been compromised
•
Widely used by government and defense
agencies
•
Supports ICA natively
•
SmartFilter
SafeWord™ PremierAccess™
•
Strong authentication for
• Citrix, VPN, Web, wireless, network and custom applications
•
Widest range of authentication options
•
Role-based authorization
•
Advanced deployment capabilities
Who uses SafeWord products
600,000 users,
600,000 users, $70 billion $70 billion in cash management in cash management transactions daily transactions daily
Authenticate 80,000 Authenticate 80,000 remote users, suppliers remote users, suppliers and business partners and business partners
Secure remote access Secure remote access for 60,000+ users
for 60,000+ users
Secure remote access for 27,000 users Secure remote access for 27,000 users
Authenticate 30,000 employees Authenticate 30,000 employees from any location using
from any location using multiple access methods
multiple access methods Secure remote access for 32,000 usersSecure remote access for 32,000 users Secure remote access
Secure remote access for 40,000 users
Universal Web Agent Universal Web Agent RADIUS RADIUS Agent Agent RADIUS RADIUS Agents Agents WEB VPN Citrix Servers Employees Citrix® Sales Staff System login
Protecting all your applications
Why strong authentication?
•
Many remote access solutions (such as Citrix and
VPNs) create a secure tunnel through the Internet
•
An important component of security
•
But who is accessing that tunnel?
•
How do you identify your users?
•
Many companies rely just on fixed passwords
Username: jmalkovich Password: being_me
Username: jmalkovich Password: being_me
Internet
The password risk
Passwords are weak because…
•
Only one-factor authentication
•
Easily hacked, stolen, borrowed,
guessed or sniffed
•
Difficult to remember and use
•
Difficult to manage
•
These problems limit the use of
remote access systems
•
Anti-password presentations
Protecting Citrix® remote access
•
Citrix is an increasingly popular for
allowing remote access to desktop
applications
•
PremierAccess protects Citrix today
• Universal Web Agent protects NFuse and Citrix Secure Gateway
• Agent protects ICA traffic
•
Includes consolidated login screen for
one-time passcodes and Windows
Recent success stories with
PremierAccess and Citrix
• Altera
• Kindred Healthcare
• Evanston Healthcare
• McKesson HBOC
• Boeing
• Intuitive Surgical
• Naval Research Lab
• ETS Testing Lab
• Asecus, AG
• Thiel Logistics
• Trizec Hahn
• Siegel
• Advent Outsource
• WM Engineering
SafeWord for Citrix MetaFrame
•
Developed Citrix-specific product
• Launched at RSA Show, April 17• Product available May 16
•
Citrix-only implementation
• Pre-configured, simplified installation
• Simplified documentation, packaging
• Citrix branding on tokens & package
• No training requirements for resellers and customers
SafeWord for Citrix: simple and cost-effective
User
User Web InterfaceWeb Interface MetaFrameMetaFrame Active DirectoryActive Directory Microsoft Mgmt Microsoft Mgmt Console (MMC)
Console (MMC)
Users
Agent
Agent
Tokens assigned to
Tokens assigned to
users and managed
users and managed
through MMC through MMC Tokens Authentication Authentication Server Server
In most cases,
In most cases,
the authentication
the authentication
server can live on the
server can live on the
Active Directory box
Active Directory box
One-screen login
One-screen login
for all Windows and
Customer and channel benefits
•
Simpler solution for Citrix customers
• No integration required—makes it easy and practical to deploy strong authentication
• The best solution available—much cleaner than offerings from other AAA vendors
• Be up and running in half an hour
•
Competitive, simplified pricing
• Simplified, consolidated pricing of server software, tokens and support
• Priced per authenticator—no user management
Simplified pricing model
•
Priced on per-authenticator basis (not per user)
• Single price includes tokens, software, 1st year support • Based on Citrix user counts•
Starts at $99 per user
Tokens Price per user Total
5 (starter)
$99
$495
10
$99
$990
20 (starter)
$99
$1,980
50
$96
$4,799
SafeWord for Citrix vs. RSA
•
Citrix focus and branding
•
Dramatically simpler to install & deploy
•
Integration with Active Directory
•
No redundant user records
•
Lower cost ~ ½ the entry price per user
•
Runs on existing hardware
•
Superior tokens: non-expiring, instant pass
codes, lower maintenance
Distribution Plans
•
Channel Focused Product
•
Easy to quote & add on to Citrix sales
•
Easy to integrate into a customer
environment
•
No certification or training requirements
•
Sold through distribution
•
US – Alternative Technology
•
ROW – SCC certified distributors and VARs
Web Interface
Web Interface
MetaFrame XP
MetaFrame XP Active DirectoryActive Directory
MetaFrame Server Farm
MetaFrame Server Farm
SafeWord SafeWord NFuse Agent NFuse Agent SafeWord SafeWord Server Server SafeWord SafeWord Management Management Console Console
About SW4C components
• SW4C consists of the following component
• Core services
• Authentication Engine, Administration Service, and database • SafeWord Active Directory Management Plug-in
• Allows tokens and users to be centrally managed from Active Directory
• Snap-in to the Microsoft Management Console which extends the functionality of Active Directory Users and Computers
• User Center
• Optional web application for user self-service including token enrollment, token testing, and PIN reset
• May be used by the end-user directly or a help desk employee • Agent for MetaFrame XP Web Interface (NFuse Classic)
• Enhances the Web Interface login pages to support SafeWord authentication
Prerequisites for installing SW4C
•
All SW4C components require Windows 2000 Server
• Web Interface is only supported under Windows
• MetaFrame for Unix is supported as long as Web Interface is running under Windows
•
SW4C works both with and without Citrix Secure Gateway
• In practice, however, Secure Gateway is highly recommended
•
SW4C
requires
Active Directory for user management
• MetaFrame environments must be migrated from NT domains to Active Directory
• Token records are stored in the SW4C database
• Users and user-to-token mapping are stored in Active Directory
Prerequisites (continued)
•
SW4C enhances the Web Interface for MetaFrame XP
•
SW4C installer automatically detects the version of NFuse
Classic or W.I. and makes the appropriate modifications
•
SafeWord authentication can be toggled from W.I. Admin
•
Additionally, SW4C allows group-based policies to be built in
order to determine who must strongly authenticate when
accessing applications
Active Directory Integration
•
Expanded Active Directory
plug-in
• SafeWord tab added to standard MMC user management
•
Windows administrators can:
• Assign tokens to users
• Assign, update user PINs
• Test tokens
Active Directory Integration
•
Simplified management tools
• Import, manage token records
• Backup, restore token database
• Administrators don’t have to assign each user a specific token Administrators don’t have to assign each user a specific token • Users can self-enroll through the embedded User CenterUsers can self-enroll through the embedded User Center
• User enters Active Directory username and token serial numberUser enters Active Directory username and token serial number
• Can save up to 85% when compared to traditional token deploymentsCan save up to 85% when compared to traditional token deployments
Security, Firewall, and OS Issues
• Core components can be installed of any Windows 2000 Server in an Active Directory domain
• Should not be located in a DMZ or other insecure area of the network
• Web Interface for MetaFrame XP agent can be installed on any Windows 2000 Server with IIS that is hosting Web Interface
• Does not necessarily need to be a member of a domain
• Can reside in a DMZ of the network
• Communicates with the core server using an XML-based, SSL-secured protocol
• User Center can be installed on any Windows 2000 Server
• This system does not necessarily need to be a member of a domain
• Can reside in a DMZ of the network
• Includes an embedded web server
• Communicates with the core servers using an XML-based, SSL-secured protocol
Product integration direction
•
Our goal is to add easy strong authentication to ALL
MetaFrame products
• MetaFrame Secure Access Manager v2.0 (Magens Bay)
• MetaFrame Password Manager (Bimini)
•
All the necessary pieces are available today in
PremierAccess
• New MetaFrame Web Interface Agent
• Universal Web Agent
• Full RADIUS support and embedded server
• Agent for protecting ICA traffic
•
We are working closely with Citrix product managers to
develop the cleanest, customer-friendly solutions
SafeWord for Citrix Launch & Roadmap
Q303
Q203
Q403
Regional Seminars RSA Show (4/13-17) iForum 2003 (10/13-16) iForum NE (5/12-14) TrainingRelease 1 (May 16)
• Web Interface Agent
• Windows 2000
Release 2 (TBD)
• SAM Agent
• PM Agent
Working Together
•
Citrix Benefits
•
SCC lowers cost/complexity of strong authentication
•
Demo & Eval product for SE’s, EBC’s, CCS…
•
SCC Regional Managers introduce ERM’s to Accounts
•
SCC sponsorship of iForum & Channel Events
•
Mutual Benefits
•
Users Groups
•
Regional seminars
Online demo site
•
Live online demo site
•
Request a token or evaluation
package
• Evals shipping on May 16
•
Self-enroll a token
•
Demonstrate strong
authentication for Citrix
