1 / 66

Secure Citrix Server: Hardening & Encryption Management

Learn how to secure remote access with Citrix security architecture, encryption basics, and best practices for safeguarding your Citrix servers. Technical requirements for SSL/TLS, IIS, and secure ticket authority are covered.

iriswhite
Download Presentation

Secure Citrix Server: Hardening & Encryption Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mitigating Security Risks with Citrix Server Hardening and Encryption Management N. Brian Stearman Systems Engineer Citrix Systems Barry Flanagan Senior Systems Engineer Citrix Systems

  2. Non Disclosure Agreement • This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all information in this presentation.

  3. Objectives… • Secure remote access • Citrix security architecture • Brief look at encryption/certificates • Security Basics • Best practices for securing Citrix

  4. Why are we here? “I need to mobilize my workforce, making access to the information and tools needed for their jobs as easy as ordering a book from Amazon.com, with the security of a traditional VPN.” Solution… Citrix MetaFrame

  5. Citrix Security Architecture

  6. STA Secure Gateway Server DNS Server 443 MetaFrame Server 1494 ICA Client 80 Web InterfaceServer RSA Ace/Agent 5.0 Web Browser 80 XML Service Web Site 443 Secure Gateway Architecture (External Users) Secure Computing Agent Internal MetaFrame Server Farm Internet De-Militarized Zone

  7. STA MetaFrame Server 1494 ICA Client 80 Web Inerface Web Server RSA Ace/Agent 5.0 Web Browser 80 XML Service Web Site 443 Internal Web Site 80 Secure Gateway Architecture(Internal Users) Secure Gateway Server DNS Server 443 DNS Server

  8. Technical Requirements Secure Gateway • Windows 2000 or Solaris (SPARC) server – SSL/TLS gateway between ICA clients and Metaframe farm. • Microsoft Windows 2000 Server with SP 2 or later. • Recommended minimum requirements for Windows 2000 Server – 256 meg of RAM, 150 meg of available disk space, etc.

  9. Technical Requirements Web Server • Metaframe Web Interface 1.61 or later • IIS5, Apache or Tomcat Secure Ticket Authority • Windows 2000 + IIS5, Recommended minimum requirements for Windows 2000 Server • IIS 5 running ISAPI.dll for ticketing

  10. Technical Requirements • ICA client version 6.3 or later (to take advantage of TLS security) • Microsoft Internet Explorer 4.x or later that supports high encryption

  11. Encryption

  12. Encryption Defined: “…The transformation or scrambling of data into an unreadable format using a mathematical algorithm.” Benefits: • Protects against eavesdropping or password sniffing • SSL-TLS = 128 or 168-bit key lengths

  13. SSL vs. TLS SSL v3 Key Material Generation master_secret = MD5(pre_master_secret + SHA('A' + pre_master_secret + ClientHello.random + ServerHello.random)) + MD5(pre_master_secret + SHA('BB' + pre_master_secret + ClientHello.random + ServerHello.random)) + MD5(pre_master_secret + SHA('CCC' + pre_master_secret + ClientHello.random + ServerHello.random)); key_block = MD5(master_secret + SHA(`A' + master_secret + ServerHello.random + ClientHello.random)) + MD5(master_secret + SHA(`BB' + master_secret + ServerHello.random + ClientHello.random)) + MD5(master_secret + SHA(`CCC' + master_secret + ServerHello.random + ClientHello.random)) + [...];

  14. SSL vs. TLS TLS v1 Key Material Generation PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed); master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) key_block = PRF(SecurityParameters.master_secret, "key expansion", SecurityParameters.server_random + SecurityParameters.client_random);

  15. Intro to SSL/Certificates

  16. Why SSL • The threats: • Server masquerading • Network sniffers • Secure Sockets Layer (SSL) provides: • Authentication • Digital certificates prove identity on the Internet • This prevents “man-in-the-middle” or DNS attacks • Encryption • Using 128-bit key lengths • This prevents network sniffers from viewing your information

  17. SSL Certificates A certificate consists of • A public key • Information about the certificate • The subject name (as an X.500 distinguished name) • The issuer name (as an X.500 distinguished name) • Period of validity (not-before and not-after dates) • Serial number (assigned by the issuer) • Description of the public key and signature algorithms used (public key is nearly always RSA) • The issuer’s signature for all of the above 19

  18. SSL Certificates • A new concept for many of our customers • Need to be very careful – can be difficult • Obtain certificates from: • Private Certificate Authority (CA) • Public CA • Evaluation cert from Public CA (Baltimore, Verisign) • Possible need to install root CA on Client. Windows 6.20 ICA client supports all Windows standard CA’s

  19. Could I see some ID please? • SSL Certificates are like Driver’s Licenses

  20. Server Certificates • Server certificates are unique to a particular server name • The “subject” of the certificate is the FQDN of the server • Server certificates also include fields dictating what the certificate can be used for • View the Certification Path to find out what CA issued this certificate (may be a chain of CA’s)

  21. Root Certificates • Root certificates (aka CA certificates) are self-signed entities that are used to verify server certificates • If you trust a CA, install their root certificate. • Windows ships with many pre-installed CA certificates for well-known CA’s: • Verisign • Entrust • Baltimore • RSA • Thawte

  22. Client needs the root, server needs a cert • Sample Certificate Placement

  23. Default root certificates • Root certificates need to be installed into the Windows operating system • To see what certificates are installed, use MMC or IE

  24. Security Basics

  25. Common Threats What attacks are we securing against? Brute Force password crack IP spoofing Man-in-the-middle Denial-of-service

  26. Security…in a nutshell Security basics: • Design well – including physical security • Audit – Third-party, or self-assessment tools • Lockdown local file system – Windows or Unix • Maintain required hot fixes and security patches HFNETCHK.EXE – at www.microsoft.com/technet.

  27. File System

  28. Securing Windows Securing the Windows 2000 File system: • DumpSec • Hyena • Windows 2000 Resource kit tools All means of checking or dumping file system, share, printer and other system resource permissions

  29. Securing Windows File Permissions Account

  30. Securing Windows Share list Local user rights

  31. Securing Windows • Keep up with manufacturer security patches and fixes • http://www.Microsoft.com/security/ • Use some form of host –based security scanner to check vulnerabilities • Symantec Net Recon • ISS System Scanner • Languard, Shadow Tools or other free scanner

  32. Policies

  33. Metaframe Policy – Create OU Start,click Programs then Administrative Tools, thenActive Directory Users and Computer, then Action andNew Organizational Unit.

  34. Metaframe Policy – Move servers Right click on the desired server and click Move, then select the newly created Citrix OU

  35. Local Security Policy - Server Open the Local Computer Policy and drill down to: Computer Configuration, Administrative Templates,System, Group Policy folder and doube-click to select User Group Policy loopback processing mode.

  36. Create Group Policy

  37. Assign GPO Permissions Citrix User and Administrator permissions

  38. Best Practices

  39. Design Firewall • Traffic cop to control protocol access to protected networks Demilitarized Zone – What is it? • A perimeter network – also known as a DMZ – is an additional network added between a protected and external network to provide another layer of security. • Location of public resources like FTP, Telnet and Web servers • Separates CSG installation from other Citrix security solutions

  40. Physical Security Secure Ticket Authority: • Security server • Contains important connection information • Isapi.dll service CAN run on Citrix/file server • SHOULD be segregated as separate server

  41. Auditing Auditing local events • MMC Security and Analysis Snap-in • Event log size increased to 500MB • Regular backups on event log • Audit specific objects: • Account management • Logon events • Policy change

  42. Authentication • Secure Gateway is a remote access solution • Use some form of secure authentication as with VPN • Use industry standard, two-factor authentication • Certificates • Token-based such as RSA SecureID • Secure Computing External AND Internal Security!

  43. Two-factor Authentication RSA Ace Agent Web Interface Login Page

  44. Two-factor Authentication Token passcode

  45. Alternate Authentication Local User Authentication • Use Windows NT LAN Manager (NTLM) for authentication only if local or GPO specifies NTLMv2 authentication only. • MMC Security and Analysis + Security Templates • Modify Securews template to specify NTLMv2

  46. Authentication Security parameter New Template

  47. Locking down IIS • Microsoft IIS lockdown tool • Secure the server • Alternative to manual changes • Single file – iislockd.exe

  48. Locking down IIS To lock down Metaframe Web Interface on Microsoft IIS: Choose Dynamic Web Server with ASP enabled

  49. Locking down IIS Click next to leave existing services enabled

More Related