Learn how to secure remote access with Citrix security architecture, encryption basics, and best practices for safeguarding your Citrix servers. Technical requirements for SSL/TLS, IIS, and secure ticket authority are covered.
Mitigating Security Risks with Citrix Server Hardening and Encryption Management
N. Brian Stearman, Systems Engineer, Citrix Systems
Barry Flanagan, Senior Systems Engineer, Citrix Systems
Non Disclosure Agreement • This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all information in this presentation.
Objectives… • Secure remote access • Citrix security architecture • Brief look at encryption/certificates • Security Basics • Best practices for securing Citrix
Why are we here? “I need to mobilize my workforce, making access to the information and tools needed for their jobs as easy as ordering a book from Amazon.com, with the security of a traditional VPN.” Solution… Citrix MetaFrame
Secure Gateway Architecture (External Users): diagram
Zones shown: Internet, De-Militarized Zone, Internal MetaFrame Server Farm. Components shown: Web Browser, ICA Client, Secure Gateway Server, STA, Web Interface Server, RSA ACE/Agent 5.0, Secure Computing Agent, DNS Server, XML Service, Web Site, MetaFrame Server. Ports shown: 443 (SSL/TLS), 80 (HTTP), 1494 (ICA).
Secure Gateway Architecture (Internal Users): diagram
Components shown: Web Browser, ICA Client, Secure Gateway Server, STA, Web Interface Web Server, Internal Web Site, RSA ACE/Agent 5.0, DNS Server, XML Service, Web Site, MetaFrame Server. Ports shown: 443 (SSL/TLS), 80 (HTTP), 1494 (ICA).
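The ticketing exchange behind these two diagrams, written out as an added example. This is not Citrix code and not from the presentation: it models the three roles the slides show (Web Interface, Secure Ticket Authority, Secure Gateway) so you can see what the client is given and what stays inside. The ticket format, the 100-second lifetime, the single-use rule, the gateway name sg.example.com and the internal addresses 10.0.0.x are all assumptions made for the example.

```python
"""Secure Ticket Authority (STA) flow from the architecture diagrams.

Added example, not Citrix code. The Web Interface asks the STA for a ticket,
the ICA client only ever receives the gateway name plus that ticket, and the
Secure Gateway turns the ticket back into an internal MetaFrame address
(port 1494) by asking the STA. Ticket format, lifetime, single-use rule and
all host names/addresses are assumptions for the example.
"""
import secrets
import time

TICKET_LIFETIME_S = 100            # assumed lifetime, not taken from the deck
GATEWAY_FQDN = "sg.example.com"    # constructed name for the DMZ gateway


class ManualClock:
    """Injectable clock so expiry can be demonstrated without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class SecureTicketAuthority:
    """Holds the only copy of ticket -> internal address. That mapping is the
    'important connection information' the deck says to keep on its own host."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}   # ticket -> (address, port, expires_at)

    def request_ticket(self, address, port):
        ticket = secrets.token_hex(16)            # opaque: reveals nothing about address
        self._tickets[ticket] = (address, port, self._clock() + TICKET_LIFETIME_S)
        return ticket

    def validate(self, ticket):
        entry = self._tickets.pop(ticket, None)   # pop(): a ticket is good exactly once
        if entry is None:
            return None                           # unknown, forged or already used
        address, port, expires_at = entry
        if self._clock() > expires_at:
            return None                           # issued too long ago
        return address, port


class WebInterface:
    """Authenticates the user (outside this example) and hands back launch data."""
    def __init__(self, sta, gateway_fqdn=GATEWAY_FQDN):
        self._sta = sta
        self._gateway_fqdn = gateway_fqdn

    def launch(self, internal_server, port=1494):
        ticket = self._sta.request_ticket(internal_server, port)
        # Everything the browser / ICA client gets to see. No internal address.
        return {"gateway": self._gateway_fqdn, "gateway_port": 443, "ticket": ticket}


class SecureGateway:
    """DMZ host listening on 443. Proxies ICA only for tickets the STA vouches for."""
    def __init__(self, sta):
        self._sta = sta

    def connect(self, launch_data):
        endpoint = self._sta.validate(launch_data["ticket"])
        if endpoint is None:
            return None                           # refuse: no internal connection made
        address, port = endpoint
        return f"ICA proxied to {address}:{port}"


def demo(clock=None):
    """Run the flow once and return what happened at each step."""
    clock = clock or ManualClock()
    sta = SecureTicketAuthority(clock)
    wi, sg = WebInterface(sta), SecureGateway(sta)

    launch = wi.launch("10.0.0.5")                # constructed internal farm address
    first = sg.connect(launch)                    # genuine first use
    replay = sg.connect(launch)                   # same ticket again (sniffed and replayed)

    stale = wi.launch("10.0.0.6")
    clock.now += TICKET_LIFETIME_S + 1            # let it expire before use
    expired = sg.connect(stale)
    return {"launch": launch, "first": first, "replay": replay, "expired": expired}


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:8} {value}")
```

What the model shows: the client side holds only a gateway name and an opaque token, so sniffing the launch data or the 443 session reveals no internal IP, and a captured ticket is worthless once used or after the lifetime. The STA is the one place the mapping lives, which is the reason the deck later asks for it to run on a segregated server.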
Technical Requirements
Secure Gateway
• Windows 2000 or Solaris (SPARC) server – the SSL/TLS gateway between ICA clients and the MetaFrame farm.
• Microsoft Windows 2000 Server with SP2 or later.
• Recommended minimum for Windows 2000 Server: 256 MB of RAM, 150 MB of available disk space, etc.
Technical Requirements
Web Server
• MetaFrame Web Interface 1.61 or later
• IIS 5, Apache or Tomcat
Secure Ticket Authority
• Windows 2000 + IIS 5 (recommended minimum requirements for Windows 2000 Server)
• IIS 5 running the STA ISAPI .dll for ticketing
Technical Requirements
• ICA client version 6.3 or later (to take advantage of TLS security)
• Microsoft Internet Explorer 4.x or later with high (128-bit) encryption support
Encryption
Defined: “…The transformation or scrambling of data into an unreadable format using a mathematical algorithm.”
Benefits:
• Protects against eavesdropping or password sniffing
• SSL/TLS as deployed here uses 128-bit (typically RC4 in this era) or 168-bit (triple DES) symmetric session keys
SSL vs. TLS
SSL v3 Key Material Generation

master_secret =
    MD5(pre_master_secret + SHA('A'   + pre_master_secret + ClientHello.random + ServerHello.random)) +
    MD5(pre_master_secret + SHA('BB'  + pre_master_secret + ClientHello.random + ServerHello.random)) +
    MD5(pre_master_secret + SHA('CCC' + pre_master_secret + ClientHello.random + ServerHello.random));

key_block =
    MD5(master_secret + SHA('A'   + master_secret + ServerHello.random + ClientHello.random)) +
    MD5(master_secret + SHA('BB'  + master_secret + ServerHello.random + ClientHello.random)) +
    MD5(master_secret + SHA('CCC' + master_secret + ServerHello.random + ClientHello.random)) +
    [...];
SSL vs. TLS
TLS v1 Key Material Generation

PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
    (S1 and S2 are the first and second halves of secret; P_hash is the HMAC-based expansion of RFC 2246 section 5)

master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random);

key_block = PRF(SecurityParameters.master_secret, "key expansion",
                SecurityParameters.server_random + SecurityParameters.client_random);
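The two derivations above, implemented side by side as an added example (not code from the presentation or from Citrix). It follows the SSL 3.0 formulas and the RFC 2246 PRF exactly and then carves the key_block into the per-direction MAC secrets, keys and IVs for the two key lengths the previous slide mentions (128-bit RC4, 168-bit 3DES). The pre_master_secret and the two randoms are constructed sample values, not captured handshake data.

```python
"""SSL 3.0 vs TLS 1.0 key-material derivation, written out as runnable code.

Added example for this section, not code from the presentation or from Citrix.
Implements the two derivations on the slides (SSL 3.0 draft section 6.2.2,
RFC 2246 sections 5 and 6.3) with the standard library only. The randoms and
pre_master_secret at the bottom are constructed sample values.
"""
import hashlib
import hmac


# ---------------------------------------------------------------- SSL 3.0 --
def ssl3_expand(secret, seed, nblocks):
    """Round i yields MD5(secret + SHA1(letter*(i+1) + secret + seed)) with
    letter = 'A', 'B', 'C', ... so the labels run 'A', 'BB', 'CCC', ..."""
    out = b""
    for i in range(nblocks):
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def ssl3_master_secret(pre_master_secret, client_random, server_random):
    # Always 48 bytes: exactly the 'A', 'BB', 'CCC' blocks on the slide.
    return ssl3_expand(pre_master_secret, client_random + server_random, 3)


def ssl3_key_block(master_secret, client_random, server_random, length):
    # Key expansion seeds with server_random first; the spec is not symmetric.
    return ssl3_expand(master_secret, server_random + client_random,
                       (length + 15) // 16)[:length]


# ---------------------------------------------------------------- TLS 1.0 --
def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1))  (RFC 2246 section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls1_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).
    S1/S2 are the first/second halves of secret; for an odd length the middle
    byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def tls1_master_secret(pre_master_secret, client_random, server_random):
    return tls1_prf(pre_master_secret, b"master secret",
                    client_random + server_random, 48)


def tls1_key_block(master_secret, client_random, server_random, length):
    return tls1_prf(master_secret, b"key expansion",
                    server_random + client_random, length)


# ------------------------------------------------ carving up the key_block --
def split_key_block(key_block, mac_len, key_len, iv_len):
    """Order fixed by both specs: client MAC, server MAC, client key,
    server key, client IV, server IV."""
    sizes = [("client_mac", mac_len), ("server_mac", mac_len),
             ("client_key", key_len), ("server_key", key_len),
             ("client_iv", iv_len), ("server_iv", iv_len)]
    parts, pos = {}, 0
    for name, n in sizes:
        parts[name] = key_block[pos:pos + n]
        pos += n
    return parts


# Constructed sample values (48-byte RSA pre_master_secret, 32-byte randoms).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def derive_both(cipher="3des"):
    """SSLv3 and TLS1 key material for the two key lengths the deck mentions:
    128-bit RC4 (no IV) or 168-bit 3DES-CBC (8-byte IV), both with SHA-1 MACs."""
    mac_len, key_len, iv_len = (20, 24, 8) if cipher == "3des" else (20, 16, 0)
    total = 2 * (mac_len + key_len + iv_len)
    result = {}
    for proto, ms_fn, kb_fn in (("sslv3", ssl3_master_secret, ssl3_key_block),
                                ("tls1", tls1_master_secret, tls1_key_block)):
        ms = ms_fn(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
        kb = kb_fn(ms, CLIENT_RANDOM, SERVER_RANDOM, total)
        result[proto] = {"master_secret": ms, **split_key_block(kb, mac_len, key_len, iv_len)}
    return result


if __name__ == "__main__":
    for proto, keys in derive_both("3des").items():
        print(proto, {k: v.hex()[:16] + "..." for k, v in keys.items()})
```

The structural difference is visible in the code: SSLv3 glues MD5 and SHA-1 together by hand with the 'A'/'BB'/'CCC' labels and no keyed construction, whereas TLS 1.0 splits the secret, runs two keyed HMAC expansions and XORs them, so a weakness in either hash alone does not expose the key block. That is the substantive reason the requirements slide asks for an ICA client new enough to negotiate TLS.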
Why SSL
• The threats:
  • Server masquerading
  • Network sniffers
• Secure Sockets Layer (SSL) provides:
  • Authentication
    • Digital certificates prove identity on the Internet
    • This prevents “man-in-the-middle” or DNS attacks, provided the client actually validates the certificate chain up to a trusted root and checks that the subject name matches the server it asked for; a client that accepts any certificate gets encryption without authentication
  • Encryption
    • Using 128-bit key lengths
    • This prevents network sniffers from viewing your information
SSL Certificates
A certificate consists of
• A public key
• Information about the certificate
  • The subject name (as an X.500 distinguished name)
  • The issuer name (as an X.500 distinguished name)
  • Period of validity (not-before and not-after dates)
  • Serial number (assigned by the issuer)
  • Description of the public key and signature algorithms used (the public key is nearly always RSA)
• The issuer’s signature over all of the above
SSL Certificates
• A new concept for many of our customers
• Need to be very careful – can be difficult
• Obtain certificates from:
  • Private Certificate Authority (CA)
  • Public CA
  • Evaluation cert from a public CA (Baltimore, VeriSign)
• Possible need to install the root CA certificate on the client. The Windows ICA client 6.20 trusts the standard Windows root CAs
Could I see some ID please? • SSL Certificates are like Driver’s Licenses
Server Certificates
• Server certificates are unique to a particular server name
• The “subject” of the certificate is the FQDN of the server, and the client checks it against the name it connected to
• Server certificates also include fields dictating what the certificate can be used for (the key usage extensions; a gateway certificate must allow server authentication)
• View the Certification Path to find out what CA issued this certificate (may be a chain of CAs)
Root Certificates
• Root certificates (aka CA certificates) are self-signed and are used to verify the signatures on server certificates
• If you trust a CA, install its root certificate
• Windows ships with pre-installed root certificates for many well-known CAs:
  • VeriSign
  • Entrust
  • Baltimore
  • RSA
  • Thawte
Client needs the root, server needs a cert: Sample Certificate Placement (diagram)
Default root certificates
• Root certificates need to be installed into the Windows operating system certificate store
• To see what certificates are installed, use the Certificates MMC snap-in or Internet Explorer
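The certificate fields listed on the SSL Certificates slide, and the server-certificate and root-certificate checks from the slides after it, as an added example. This is not from the presentation: a small DER encoder builds a constructed certificate (the key and signature bytes are placeholders, so it is neither usable nor trusted) and a small DER parser reads the subject, issuer, serial, validity and algorithm identifiers back. The client-side check then does what the slides describe: subject CN must equal the FQDN connected to, the date must fall inside the validity period, and the issuer must be a root the client has installed. Signature verification is omitted because there is no real key; the names, dates and serial number are made up.

```python
"""Fields of an X.509 certificate read off the DER bytes, plus the client's checks.
Added example, not from the presentation: a tiny DER encoder builds a constructed
certificate with the fields the slide lists (key and signature bytes are placeholders,
so it is neither usable nor trusted) and a tiny DER parser reads them back. Signature
verification is omitted because there is no real key; names, dates, serial are made up."""
from datetime import datetime, timezone

OID_CN, OID_SHA1_RSA, OID_RSA = "2.5.4.3", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.1"

# -- encoder: only the DER types a TBSCertificate needs --------------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")        # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v): return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_seq(*items): return der(0x30, b"".join(items))
def der_time(dt): return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime
def der_name(cn):  # Name = SEQUENCE OF SET OF {type OID, value}; CN only here
    return der_seq(der(0x31, der_seq(der_oid(OID_CN), der(0x13, cn.encode()))))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:                                     # base-128, high bit = continue
        enc = bytes([p & 0x7F])
        p >>= 7
        while p:
            enc = bytes([0x80 | (p & 0x7F)]) + enc
            p >>= 7
        body += enc
    return der(0x06, body)

ALG_SHA1_RSA = der_seq(der_oid(OID_SHA1_RSA), der(0x05, b""))

def build_cert(serial, issuer_cn, subject_cn, not_before, not_after):
    """v1 layout (no version field, no extensions); key and signature are placeholders."""
    spki = der_seq(der_seq(der_oid(OID_RSA), der(0x05, b"")), der(0x03, b"\x00\x30\x00"))  # NOT an RSA key
    tbs = der_seq(der_int(serial), ALG_SHA1_RSA, der_name(issuer_cn),
                  der_seq(der_time(not_before), der_time(not_after)), der_name(subject_cn), spki)
    return der_seq(tbs, ALG_SHA1_RSA, der(0x03, b"\x00" * 17))                             # placeholder signature

# -- parser -------------------------------------------------------------------
def children(content):
    """Split a constructed DER value into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, n, pos = content[pos], content[pos + 1], pos + 2
        if n & 0x80:                                        # long form: n & 0x7F length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(content[pos:pos + k], "big"), pos + k
        out.append((tag, content[pos:pos + n]))
        pos += n
    return out

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def parse_name(body):
    attrs = {}
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            attrs[decode_oid(oid)] = val.decode()
    return attrs

def parse_time(body): return datetime.strptime(body.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(cert):
    (_, outer), = children(cert)
    (_, tbs), (_, sig_alg), (_, sig) = children(outer)
    serial, alg, issuer, validity, subject, spki = children(tbs)[:6]
    not_before, not_after = children(validity[1])
    return {"serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": decode_oid(children(alg[1])[0][1]),
            "issuer": parse_name(issuer[1]).get(OID_CN), "subject": parse_name(subject[1]).get(OID_CN),
            "not_before": parse_time(not_before[1]), "not_after": parse_time(not_after[1]),
            "public_key_algorithm": decode_oid(children(children(spki[1])[0][1])[0][1])}

def check_server_cert(cert_der, fqdn, now, trusted_root_cns):
    """The checks a client makes before trusting a gateway certificate (minus the signature)."""
    c, problems = parse_cert(cert_der), []
    if c["subject"] != fqdn:
        problems.append(f"subject CN {c['subject']!r} is not {fqdn!r}")
    if not c["not_before"] <= now <= c["not_after"]:
        problems.append("outside validity period")
    if c["issuer"] not in trusted_root_cns:
        problems.append(f"issuer {c['issuer']!r} is not an installed root")
    return problems

# Constructed sample: a private-CA certificate for the gateway, valid during 2002.
TRUSTED_ROOTS = {"Example Private Root CA"}
SAMPLE_CERT = build_cert(4660, "Example Private Root CA", "sg.example.com",
                         datetime(2002, 1, 1, tzinfo=timezone.utc), datetime(2003, 1, 1, tzinfo=timezone.utc))
IN_PERIOD, AFTER_EXPIRY = datetime(2002, 6, 15, tzinfo=timezone.utc), datetime(2004, 6, 15, tzinfo=timezone.utc)
```

Running `parse_cert(SAMPLE_CERT)` prints each field the slide lists; `check_server_cert(SAMPLE_CERT, "sg.example.com", IN_PERIOD, TRUSTED_ROOTS)` returns an empty list, and the same call with a different FQDN, a date after 2003 or an empty trust set returns one problem per failed check. The third check is the one the "client needs the root" slide is about: with a private CA the ICA client refuses the gateway until that CA's root certificate has been imported into its Windows store.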
Common Threats
What attacks are we securing against?
• Brute force password cracking
• IP spoofing
• Man-in-the-middle
• Denial-of-service
Security… in a nutshell
Security basics:
• Design well – including physical security
• Audit – third-party, or self-assessment tools
• Lock down the local file system – Windows or Unix
• Maintain required hotfixes and security patches: HFNETCHK.EXE, at www.microsoft.com/technet
Securing Windows
Securing the Windows 2000 file system:
• DumpSec
• Hyena
• Windows 2000 Resource Kit tools
All are means of checking or dumping file system, share, printer and other system resource permissions
Securing Windows: screenshots of File Permissions and Account settings
Securing Windows: screenshots of the Share list and Local user rights
Securing Windows
• Keep up with manufacturer security patches and fixes
  • http://www.Microsoft.com/security/
• Use some form of host-based security scanner to check for vulnerabilities
  • Symantec NetRecon
  • ISS System Scanner
  • LANguard, Shadow tools or other free scanners
MetaFrame Policy – Create OU
Click Start, Programs, Administrative Tools, Active Directory Users and Computers; then on the Action menu choose New, Organizational Unit.
MetaFrame Policy – Move servers
Right-click the desired server, click Move, then select the newly created Citrix OU.
Local Security Policy – Server
Open the Local Computer Policy and drill down to Computer Configuration, Administrative Templates, System, Group Policy; double-click User Group Policy loopback processing mode and enable it. With loopback enabled, the user settings in the GPOs linked to the Citrix OU are applied to everyone who logs on to those servers, so the lockdown follows the server rather than the user’s home OU.
Assign GPO Permissions: screenshot of Citrix User and Administrator permissions
Design
Firewall
• Traffic cop to control protocol access to protected networks
Demilitarized Zone – What is it?
• A perimeter network – also known as a DMZ – is an additional network added between a protected and an external network to provide another layer of security.
• Location of public resources like FTP, Telnet and Web servers
• Separates the CSG installation from other Citrix security solutions
Physical Security
Secure Ticket Authority:
• Security server
• Contains important connection information (the ticket-to-server mapping)
• The ISAPI .dll service CAN run on a Citrix/file server
• SHOULD be segregated on a separate server
Auditing
Auditing local events
• MMC Security Configuration and Analysis snap-in
• Event log size increased to 500 MB
• Regular backups of the event log
• Audit specific objects:
  • Account management
  • Logon events
  • Policy change
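What those three audit categories buy you once the events are being written, as an added example (not from the presentation). It runs simple detection logic over a constructed extract of a Windows 2000 Security log: a sliding window over logon failures catches the brute-force password attack from the Common Threats slide, and lockout, audit-policy-change and account-management events are surfaced for review. The event IDs are the Windows 2000/2003 Security log numbers; the line format (time, event ID, account, source), the 5-in-60-seconds threshold and every account and address in the sample are assumptions made for the example.

```python
"""Brute-force and audit-event detection over Windows 2000 Security log lines.

Added example, not from the presentation. Applies the audit categories on the
slide (logon events, account management, policy change) and the deck's
'brute force password crack' threat to a constructed log extract. Event IDs
are the Windows 2000/2003 Security log numbers; the comma-separated line
format is a constructed export, not a real EVT dump. Threshold and window
are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILURE = 529                     # unknown user name or bad password
ACCOUNT_LOCKOUT = 539                   # logon failed: account locked out
POLICY_CHANGE = {612}                   # audit policy changed
ACCOUNT_MGMT = {624, 630, 632, 636}     # user created/deleted, global/local group member added

FAIL_THRESHOLD = 5                      # assumed: 5 failures ...
FAIL_WINDOW = timedelta(seconds=60)     # ... within 60 s => brute force

# Constructed sample: time,event_id,account,source
SAMPLE_LOG = """\
2002-10-04 09:12:01,529,jsmith,203.0.113.7
2002-10-04 09:12:03,529,jsmith,203.0.113.7
2002-10-04 09:12:04,529,jsmith,203.0.113.7
2002-10-04 09:12:06,529,jsmith,203.0.113.7
2002-10-04 09:12:07,529,jsmith,203.0.113.7
2002-10-04 09:12:09,539,jsmith,203.0.113.7
2002-10-04 09:30:00,528,bflanagan,10.0.0.21
2002-10-04 10:00:00,612,SYSTEM,10.0.0.5
2002-10-04 10:05:00,624,Administrator,10.0.0.5
2002-10-04 11:00:00,529,bflanagan,10.0.0.21
"""


def parse_line(line):
    ts, event_id, account, source = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source


def detect(log_text, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return alerts in log order. Sliding window per account for 529s;
    lockouts, policy changes and account management are flagged on sight."""
    alerts = []
    failures = defaultdict(deque)       # account -> timestamps of recent 529s
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = parse_line(line)
        if event_id == LOGON_FAILURE:
            q = failures[account]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"time": ts, "kind": "brute_force", "account": account,
                               "source": source, "count": len(q)})
                q.clear()                       # one alert per burst
        elif event_id == ACCOUNT_LOCKOUT:
            alerts.append({"time": ts, "kind": "lockout", "account": account, "source": source})
        elif event_id in POLICY_CHANGE:
            alerts.append({"time": ts, "kind": "policy_change", "account": account, "source": source})
        elif event_id in ACCOUNT_MGMT:
            alerts.append({"time": ts, "kind": "account_management", "account": account,
                           "source": source, "event_id": event_id})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["time"], a["kind"], a["account"], a["source"])
```

On the sample the single 529 for bflanagan produces nothing, the five for jsmith in six seconds produce one brute-force alert followed by the lockout, and the 612 and 624 events appear as review items. None of this is possible unless the three categories on the slide are actually enabled and the log is large enough and backed up often enough to still hold the events when someone looks.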
Authentication
• Secure Gateway is a remote access solution
• Use some form of secure authentication, as with a VPN
• Use industry-standard two-factor authentication
  • Certificates
  • Token-based, such as RSA SecurID
  • Secure Computing
External AND Internal Security!
Two-factor Authentication: screenshot of the RSA ACE/Agent Web Interface login page
Two-factor Authentication: screenshot of the token passcode prompt
Alternate Authentication
Local User Authentication
• Use Windows NT LAN Manager (NTLM) for authentication only if the local policy or GPO specifies NTLMv2 authentication only (LAN Manager authentication level “Send NTLMv2 response only\refuse LM & NTLM”, LmCompatibilityLevel 5)
• MMC Security Configuration and Analysis + Security Templates
• Modify the securews template to specify NTLMv2
Authentication: screenshot of the security parameter in the new template
Locking down IIS
• Microsoft IIS Lockdown Tool
• Secures the server
• Alternative to manual changes
• Single file – iislockd.exe
Locking down IIS
To lock down MetaFrame Web Interface on Microsoft IIS: choose the Dynamic Web server (ASP enabled) template
Locking down IIS
Click Next to leave the existing services enabled