Reduce Information Security Risks when Deploying a Citrix Solution

February 17, 2015

It’s perhaps never been more important for IT security professionals to think about the implications of a compromised user account or networked device. Whether it’s Target or JPMorgan Chase, there’s a common story behind most of the major data breaches happening today: hackers use login credentials stolen from employees and contractors to gain a foothold in a network. A simple phishing attack might be enough to start toppling an organization’s cyber defenses, resulting in catastrophic damage.

Unfortunately, some of today’s most common network architectures make it very difficult to protect against this type of attack. Take Citrix and Windows Terminal servers, which are commonly used to provide remote access to network resources. These servers offer enterprises big productivity gains and even security advantages. Citrix and Windows Terminal servers allow geographically distributed workforces to connect into IT environments without actually moving data off a company’s servers. However, remote desktops also introduce vulnerabilities into the mix:

  • They are typically accessible from the internet, providing an entry point into internal servers – making them an attractive target for hackers, for obvious reasons.
  • A single Citrix or Windows Terminal server might be accessed by dozens of different users with various levels of clearance, so the server itself needs to allow very open access to the network, almost always exceeding any individual user’s requirements.
  • Despite how hard an enterprise tries to lock down a Citrix environment, there are well-documented ways in which users can, even inadvertently, expose their organization to attacks. Some examples include the abuse of Windows dialog boxes and the use of Microsoft Word hyperlinks.

In many ways, these vulnerabilities are intrinsic to the nature of remote desktops, and trying to eradicate them risks losing the functionality that makes Citrix and Windows Terminal servers an attractive business proposition in the first place. However, an organization can still take steps to improve the security of an out-of-the-box remote desktop solution.

Moving away from IP-centric to role-based access controls

The network has been considered a ‘safe place’, but this is no longer the case. The very way we traditionally think about identity and access management is proving wrong; identity should be persistent. All too often, once a user is authenticated, his or her access is completely open with only very occasional network-based firewalls controlling internal IP traffic.

This is a big problem when a Citrix or Windows Terminal server is part of the equation. All the traffic flowing into the internal network originates from that same machine – there’s only one IP address in the mix, regardless of how many users might be connecting through the server. There’s no way to restrict this kind of traffic with a traditional firewall rule except to represent the sum of all the users’ individual access rights, which can translate into wide open access for everyone.

To solve this problem, enterprises need to move away from ‘open networks’ to a role-based security model. This model should maintain the distinction between individual users, even inside the network and especially when connecting through Citrix or Windows Terminal Servers. Network access should be provisioned at the application level depending on those users’ specific roles and attributes.

The recently released AppGate v. 11.0 can deliver this functionality, using a combination of an application firewall behind the server and an agent installed on the Citrix or Windows Terminal machine itself. It does this by altering the traffic created by a user so that it appears to be coming from a unique IP address, rather than lumping dozens of individuals with different needs together under the same IP. These IP addresses can be allocated from a pool, much as if they were assigned via DHCP to VPN users, or handed out in more intelligent ways, such as on the basis of Active Directory (AD) attributes.

With this type of solution in place, an organization is in a much better position to defend against cyber attacks than if that organization’s Citrix and Windows Terminal server users are represented by a single IP address. AppGate can provision access to network resources and applications based on what an individual needs to do their job. If that user’s credentials have been stolen, then any resultant rogue Citrix session can never see network resources beyond the original limit – even if the individual tries to ‘break-out’ of his or her user space. AppGate also now enables better security alerts which help organizations meet compliance objectives – via the ability to trace activity across the whole network back to a single Citrix user.
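The contrast between the two models can be seen in a small Python model, added here as an illustration and not AppGate's implementation: with one shared source IP the firewall rule has to be the union of every user's rights, while per-session source IPs drawn from role-based pools let the firewall enforce each role separately and map traffic back to a user. The roles, addresses, pools and function names are hypothetical sample data.

```python
import ipaddress

# Constructed sample data: roles, the (host, port) each role needs, and users.
ROLE_RIGHTS = {
    "finance": {("10.0.1.10", 1433)},                      # finance database
    "helpdesk": {("10.0.2.20", 443)},                      # ticketing web app
    "admin": {("10.0.1.10", 1433), ("10.0.3.30", 3389)},   # database + RDP
}
USERS = {"alice": "finance", "bob": "helpdesk", "carol": "admin"}
TERMINAL_SERVER_IP = "192.0.2.10"   # hypothetical shared address of the server
ROLE_POOLS = {                      # hypothetical per-role source pools
    "finance": "172.16.10.0/28",
    "helpdesk": "172.16.20.0/28",
    "admin": "172.16.30.0/28",
}

def shared_ip_rules():
    """IP-centric model: one source IP, so its rule is the union of all rights."""
    allowed = set().union(*(ROLE_RIGHTS[role] for role in USERS.values()))
    return {TERMINAL_SERVER_IP: allowed}

def allowed_shared(dst, port):
    """Every session shares the server's IP, so the user cannot be told apart."""
    return (dst, port) in shared_ip_rules()[TERMINAL_SERVER_IP]

class PerUserAllocator:
    """Gives each session its own source IP from the pool of the user's role."""
    def __init__(self):
        self._free = {role: list(ipaddress.ip_network(net).hosts())
                      for role, net in ROLE_POOLS.items()}
        self.leases = {}  # source IP -> user, for tracing activity to a user

    def allocate(self, user):
        role = USERS[user]
        if not self._free[role]:
            raise RuntimeError(f"pool for role {role!r} exhausted")
        ip = str(self._free[role].pop(0))
        self.leases[ip] = user
        return ip

def allowed_per_user(src_ip, dst, port):
    """Role-based model: the source pool selects which role's rights apply."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) and (dst, port) in ROLE_RIGHTS[role]
               for role, net in ROLE_POOLS.items())
```

In the shared-IP model a helpdesk session can reach the admin RDP host because the rule cannot distinguish users; in the per-user model the same request is denied and the lease table names the user behind the source address.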

Without AppGate, an out-of-the-box Citrix or Windows Terminal server is an easy target for hackers, and targeting it is one of the most common attack patterns in use today. Surely that’s motivation enough to tighten your defenses?

Read more about the Citrix and Windows Terminal server functionality of AppGate in our white paper Does your Citrix or Terminal Server environment have an Achilles heel? or visit our website to explore our secure access solutions in more depth.


Jamie Bodley-Scott

Jamie Bodley-Scott is the Technical Product Manager responsible for the identity & access management solutions offered by Cryptzone. He has worked in a wide range of industries, including financial services, aerospace, automotive and mobile computing prior to moving into IT security. He brings a wealth of accumulated experience in many disciplines: engineering, product & business development and channel management to the strategic team defining and driving the road map of Cryptzone's next generation of dynamic, identity-driven security solutions. Jamie graduated from London University with a degree in Electronic engineering and holds a Diploma in Marketing.
