 
From: Ogle Ron (Rennes) (ron.ogle_at_thomson.net)
Date: Fri Oct 18 2002 - 15:02:33 CDT


    Some very important things to understand:

    1. This code is bypassing your firewall. Where hopefully your firewall
    code has been certified by an independent organization, this software has no
    such attestation.
    2. Even though you are (hopefully) using SSL/TLS, you are still potentially
    vulnerable to the same IIS bugs that everyone is, because all authentication
    takes place at the HTTP layer.
    3. The security of the system depends upon the secrecy of the cookie that
    is passed to the client from the N-Fuse server. If the client has a Trojan
    Horse or sniffing virus on it, this secrecy can be easily compromised even
    with SSL/TLS.
    4. Make sure that you use the same level of authentication that you'd use for a
    VPN. For example, if you require 2-factor authentication for a VPN, then
    you should enforce the same with this solution.
    5. Without client side authentication with SSLv3 or TLS, a hacker can
    attack both the N-Fuse server and the Citrix Secure Gateway at the
    application layer without detection from your firewall or network IDS
    systems.

    If you can, require SSLv3 or TLS with client side authentication. If you
    can validate the user at the SSL/TLS layer, then higher levels will be
    viewed by only authorized users. Note that this validation could be done
    through a non-IIS reverse proxy.

    Use a host-based intrusion detection system that can identify unauthorized
    activity. This data needs to be sent to an off-system server for real-time
    recording.

    Use something like Tripwire to validate your configuration on a regular
    basis. Preferably the database that has the baseline data was written on a
    CDROM, so that the database can't be changed by a hacker.

    Consider looking at another similar solution from Aspelle. I was also
    looking at the Citrix solution, and I hadn't heard of Aspelle. I just
    returned from the RSA conference in Europe where I saw a presentation by
    Aspelle. They have some of the same weaknesses as Citrix; however, they
    have a more flexible back end that allows connections to other systems such
    as AS400s and mainframes directly.

    Worst case, Aspelle may give you some bargaining power with Citrix which is
    pretty expensive.

    My .02Euro
    Ron Ogle
    Rennes, France

    > -----Original Message-----
    > From: auto300258@hushmail.com [mailto:auto300258@hushmail.com]
    > Sent: Friday, October 18, 2002 6:22 PM
    > To: focus-ms@securityfocus.com
    > Subject: Securing Citrix NFuse and IIS 5
    >
    >
    >
    > I'm working on a pilot deployment of Citrix with its NFuse
    > component on Win2000 to allow remote users to access our LAN
    > via web browser. NFuse uses IIS 5 installed on the same
    > machine to deliver all of our applications to the remote user.
    >
    > Is there anything special to know about hardening IIS 5 in
    > conjunction with NFuse that anyone here has any experience
    > with? What about a good white paper on hardening IIS 5,
    > besides what Microsoft has on their web site?
    >
    > Has anyone used EEye's SecureIIS product with NFuse/IIS5?
    > I've heard very good things about it and hope it might be useful here.
    >
    > Thanks for any information you might be able to provide.
    >
    > Regards.
    >
    >
    >
    > Get your free encrypted email at https://www.hushmail.com
    >
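Ron's Tripwire recommendation above (keep a configuration baseline on read-only media and compare against it regularly) as an added example, not code from this thread, from Tripwire or from any Citrix/Aspelle product: a small Python integrity checker that records the SHA-256, size and permission bits of every file under a directory such as an IIS web root, refuses to load a baseline that is writable (the CD-ROM point), and reports files that were added, removed or modified. The web-root file names, their contents and the tampering in `demo()` are constructed for the demonstration.

```python
"""Tripwire-style file integrity baseline and check (added example, not from the thread)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash, size and permission bits for one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root) -> dict:
    """Walk the tree under root and fingerprint every regular file (symlinks skipped)."""
    root_path = Path(root)
    files = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            files[p.relative_to(root_path).as_posix()] = _fingerprint(p)
    return {"root": str(root_path), "files": files}


def save_baseline(baseline: dict, out_file) -> None:
    with open(out_file, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(baseline_file) -> dict:
    """Refuse a baseline that anyone could have rewritten: it must be read-only
    (in production, on a CD-ROM or other write-protected medium)."""
    st = os.stat(baseline_file)
    if st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{baseline_file} is writable; store the baseline on read-only media")
    with open(baseline_file) as f:
        return json.load(f)


def verify(root, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report every deviation."""
    current = build_baseline(root)["files"]
    old = baseline["files"]
    return {
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
        "modified": sorted(n for n in set(old) & set(current) if old[n] != current[n]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, tamper with it, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "wwwroot"                       # hypothetical web root
        (web / "login").mkdir(parents=True)
        (web / "login" / "login.asp").write_text("<% ' original login page %>")
        (web / "default.htm").write_text("<html>hello</html>")
        (web / "stale.txt").write_text("to be deleted")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(web), baseline_file)

        # A freshly written (writable) baseline must be rejected ...
        try:
            load_baseline(baseline_file)
            rejected_writable = False
        except PermissionError:
            rejected_writable = True
        os.chmod(baseline_file, 0o444)                    # ... then emulate read-only media

        # Tamper: backdoor the login page, drop a web shell, delete a file.
        (web / "login" / "login.asp").write_text("<% ' backdoored %>")
        (web / "cmd.asp").write_text("<% ' attacker web shell %>")
        (web / "stale.txt").unlink()

        report = verify(web, load_baseline(baseline_file))
        report["rejected_writable_baseline"] = rejected_writable
        os.chmod(baseline_file, 0o644)                    # let the temp dir clean up
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` plus `save_baseline` once on a known-good host, burn the JSON to read-only media, and run `verify` from a scheduled job; the report should go to the same off-system log server as the host IDS output so that an attacker who owns the box cannot also erase the evidence.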