The Citrix Blog
Blogs for tag 'compliance'


posted by Barry Flanagan

One of the unique new features of Citrix XenApp is Smart Auditor. The Smart Auditor feature of Citrix XenApp gives you the ability to capture all application screens of specific users or applications, based on a number of different factors. This information can be used for compliance, activity monitoring and problem resolution. This presentation goes under the covers of the Smart Auditor feature to give you an inside look.
[Embedded Smart Auditor presentation not included in this extract]

You can learn more from the Smart Auditor's Administrator's Guide.


posted by Craig Ellrod

The St.Bernard iPrism works with Citrix's application virtualization platform, XenApp, and works quite well. Seen as a perfect complement to each other, the Citrix NetScaler and XenApp products were tested with the St.Bernard iPrism Web Filter. Both companies offer architectures for one-arm (out-of-band) and two-arm (in-band) deployments. At Citrixlabs in Santa Clara, CA, USA, we tested both the out-of-band and in-band configuration of the iPrism Web Filter. We loved the fact that the iPrism is auto-discovered by the management software, so no console cable was needed.

With NetScaler:

We deployed the iPrism Web Filter behind the NetScaler in our proof-of-concept datacenter in Santa Clara, CA, USA, and configured the NetScaler for NAT (Reverse NAT) for outbound connections to the Internet. NAT is often performed by the firewall. The Web Application Firewall, also part of the Citrix NetScaler, was configured for protection against inbound security threats to websites and web applications.

The iPrism was configured to monitor outbound traffic from the internal subnet 172.16.104.0/24, block all traffic to offensive websites, and monitor traffic to all other websites. The Real-Time monitor in iPrism gave us a detailed report on which users and IP addresses were going out to which sites on the Internet. We could see who was accessing what, and which content was being blocked. Particularly nice was the fact that the iPrism automatically authenticated each user to the Citrixlabs domain controller every time they surfed to a new website, without them knowing it. This was very useful for keeping a tight grip on security and for compliance reporting.

With XenApp:

The powerful value is in the integration with XenApp. We plugged the iPrism in as an in-line device and configured it to work with Citrix XenApp, formerly known as Citrix Presentation Server. One of the key questions that will arise in this situation is: with all of those Citrix XenApp thin clients logging into XenApp and then launching browsers to the Internet, how does iPrism keep track of them? By adding the XenApp IP address to the iPrism configuration, the users are tracked using "Session Based Authentication"; this catches each individual user and IP address in each browser session and in the reports. We were impressed by this and determined the iPrism to be an excellent fit for a datacenter outfitted with Citrix.
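The two sections above describe a filtering policy (monitor outbound traffic from 172.16.104.0/24, block offensive sites, log everything else) and the attribution problem that a XenApp server creates: every published browser leaves the server with the same source address, so a report keyed by IP collapses all of those users into one line. The following is an added example, not iPrism or Citrix code; the log format, the site names, the "offensive" category and the server address 172.16.104.50 are all constructed for the example. It applies the policy to a few sample log lines and builds the same report two ways, by IP and by authenticated user within the session, and includes a check that finds the addresses where IP-based attribution would be wrong.

```python
"""Web-filter policy and per-user attribution over constructed proxy log lines.

Added example, not St.Bernard or Citrix code.  Models the policy described in
the post (monitor outbound traffic from 172.16.104.0/24, block "offensive"
sites, log everything else) and shows why sessions leaving a shared XenApp
server address must be attributed by user rather than by IP.
"""
import ipaddress
from collections import defaultdict

MONITORED_SUBNET = ipaddress.ip_network("172.16.104.0/24")  # subnet named in the post
BLOCKED_CATEGORIES = {"offensive"}  # assumption: the category the filter blocks

# Constructed log lines: "<client_ip> <authenticated_user> <site> <category>".
# 172.16.104.50 is a hypothetical XenApp server, so several users share it.
SAMPLE_LOG = """\
172.16.104.23 jsmith   www.example.com   news
172.16.104.50 avasquez offensive.example offensive
172.16.104.50 bchen    intranet.example  business
10.0.0.7      guest    www.example.org   reference
172.16.104.50 avasquez shop.example      shopping
172.16.104.23 jsmith   offensive.example offensive
"""


def parse_line(line):
    """Split one constructed log line into a record dict; None for blank/short lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ip, user, site, category = parts
    return {"ip": ipaddress.ip_address(ip), "user": user,
            "site": site, "category": category}


def decide(record):
    """Filter action for one record: 'ignore', 'block' or 'monitor'."""
    if record["ip"] not in MONITORED_SUBNET:
        return "ignore"  # not from the monitored subnet: not this policy's traffic
    if record["category"] in BLOCKED_CATEGORIES:
        return "block"
    return "monitor"     # allowed, but logged for reporting


def build_report(log_text, by="session"):
    """Group blocked/monitored requests by principal.

    by="ip" reproduces naive IP-based attribution (one line per address);
    by="session" keys on the authenticated user plus the address, which is
    what session-based authentication gives you behind a XenApp server.
    Returns {principal: [(site, action), ...]} in log order.
    """
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action = decide(rec)
        if action == "ignore":
            continue
        key = str(rec["ip"]) if by == "ip" else f"{rec['user']}@{rec['ip']}"
        report[key].append((rec["site"], action))
    return dict(report)


def shared_addresses(log_text):
    """Client IPs seen with more than one authenticated user.

    These are the addresses (a XenApp server, a NAT gateway) where an
    IP-keyed report silently merges different people's activity.
    """
    users = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            users[str(rec["ip"])].add(rec["user"])
    return {ip for ip, u in users.items() if len(u) > 1}


def blocked_sites(report):
    """Flatten a report into the set of (principal, site) pairs that were blocked."""
    return {(who, site) for who, items in report.items()
            for site, action in items if action == "block"}


if __name__ == "__main__":
    print("shared addresses:", shared_addresses(SAMPLE_LOG))
    for mode in ("ip", "session"):
        print(f"--- attribution by {mode} ---")
        for who, items in sorted(build_report(SAMPLE_LOG, by=mode).items()):
            print(who, items)
```

Run it and compare the two reports: by IP, the blocked request and the two allowed ones from the XenApp address all land under 172.16.104.50, while by session they separate into avasquez's and bchen's activity. `shared_addresses` is the check to run on real filter logs before trusting any per-IP compliance report.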

Citrix & St.Bernard Deployment Guide

Network Diagram: [image not included in this extract]

Video tip: [embedded video not included in this extract]

NetScaler Developer Network


posted by Kurt Roemer

Everybody has heard the stories and wants to believe - but there's no such thing as "PCI Compliant" products*.

People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.

The long answer requires some careful explanation.

PCI sets forth 12 major requirements for an organization to meet, with the result of meeting these requirements culminating in an attestation of compliance. The PCI auditor verifies that the intent of PCI has been met, and compliance is granted. (OK, I know I just oversimplified a very complex set of processes, but the result is the same: the organization is deemed compliant or not.)

But, what about the products that are used to support organizational PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls are listed in the PCI specification as core products whose functionality is required to obtain PCI compliance. Don't these products have to be certified as compliant? No, there is no provision for product compliance in the PCI DSS v1.1 specification.

So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?

  1. Verify vendor claims - just because a salesperson says it, that doesn't make the statement true.
  2. Rely on trusted third parties - organizations like ICSA Labs, NSS Labs, WASC and OWASP have detailed product capability matrices, testing and certification criteria, and comparative data.
  3. Discuss concerns with your auditors - because PCI auditors make the final decision on compliance, they should be involved in key decisions leading up to the certification event.

There have been some wild claims with PCI - including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.

With factual information and proper actions, we can all help PCI reach its lofty goal: Increase trust in credit card usage by holding merchants to a high standard - the PCI DSS.

PCI Backgrounder

PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI) specifies compliance standards for credit card usage. If your organization stores, processes, or transmits credit card data, PCI applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.

*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. The PEDs are the only products to have PCI SSC approval.


posted by Carlos Nieves

In my previous SmartAuditor blog post, I described how SmartAuditor works and its benefits for improving security and regulatory compliance. Well, guess what? Recently, a major healthcare company (obviously highly regulated by HIPAA) with tens of thousands of employees shared with me their thoughts, experiences, and main use cases regarding our SmartAuditor technology. In addition to providing care and services, this healthcare company partners with numerous nursing homes, hospitals and other healthcare organizations in the United States. The interesting part is that the more I talk to customers about SmartAuditor for recording ICA sessions, the more interesting the use cases get. So here's their success story.

Background

This customer offshores most of its development to India, had employees and non-employees accessing production systems remotely on a daily basis and wanted to monitor what they were doing, and needed to deliver custom applications faster. They started using the SmartAuditor technology when it was released as a beta a little over two years ago.

The Challenges

The main challenges for this customer were:

  • How to track and monitor IT change control?
  • How to ensure employees comply with company policies?
  • How to allow offshore developers to see user interaction with custom applications in QA and test environments?

Use Case #1: IT change control management

The customer had a lot of employees and non-employees logging in remotely to production systems on a daily basis and wanted to monitor them and ensure they were compliant (especially tracking the activity of users offshore). In order to improve security and compliance, they set up a secure portal using Citrix Access Gateway and turned on the SmartAuditor capabilities of Citrix XenApp. So by using SmartAuditor, any time a developer, employee or non-employee accesses the production system, all of the ICA sessions are recorded, making sure that users keep to company policies.

Use Case #2: Rapid application delivery

Like most businesses, this customer has some fragile and complex applications and users that just don't get it. So instead of releasing an application into production and having users call the help desk trying to diagnose problems, this customer put SmartAuditor ahead of the process. The customer turned SmartAuditor on before the application was fully delivered into production. They took the application and released it only to their test users and generated a list with issues. Then, with the rapid playback and bookmarking capabilities of SmartAuditor, the developers very quickly diagnosed what was wrong with the application and made the changes. The main benefits the customer got out of this were that they were able to deliver the application to market quicker and that the application was clean. By doing this, they have minimized the number of help desk calls and problem resolution for this application.

The Benefits

The main benefits for this customer were:

  • Enhanced auditing for improving compliance
    • Encouraged employees to comply with company policies. The customer is watching and recording. People log in, get out, and stick to the script.
  • Improved the quality of the application development process by visually seeing problems and accelerating time-to-resolution
    • The rapid playback and bookmarking capabilities saved time. Experts were able to find the issues and solve them right away.

The Results

  • Low storage requirements
    • With SmartAuditor, compression over a period of time was very good. The customer has been using SmartAuditor for over 2 years. In that period of time, they recorded 8,222 sessions which only required 43GB of storage space. On average, that's a 5.2MB file size per recorded session. Wow!
  • Excellent performance when recording and reviewing sessions
  • Faster application delivery and better user acceptance

How are you using SmartAuditor? What has been your experience with this feature of XenApp?
