Blog posts tagged with 'ipsec'
This is an interview with Andrew Innes. Andrew is the Platform Architect for user interaction components of XenApp and XenDesktop, notably Web Interface and the desktop integration clients. His job entails finding creative ways to improve the usability and security of these products, and helping strike the right balance between them.
Here is Andrew: 
Q: Andrew, what are the security issues Citrix Admins should be aware of with Web Interface?
A: Hi Kate. There are two main categories of issues admins need to think about: security of the web server itself and security of the whole XenApp or XenDesktop delivery system. For the web server itself, there are all the standard hardening rules to follow, especially if it is facing the Internet - I won't try to summarize these here. The aim is to prevent intrusions into the web server itself or the network behind it.
It's worth mentioning though that Web Interface has undergone probably hundreds of evaluations in customer environments as well as regular security audits within Citrix as part of our secure development process. It has been engineered with all the known web application threats in mind, and we track 'webappsec' developments closely to build in defenses against new styles of attack as they emerge.
Hardening the web server itself is the #1 recommended best practice for everyone. Some customers will still want to employ extra measures, such as a web app firewall or other monitoring systems to spot potential attacks. NetScaler can easily be configured to provide web app firewall, SSL and detailed logs.
For the Citrix specific aspects of security, the admin should start by understanding the business reason for publishing resources (apps, desktops, documents etc) via the web, and the appropriate policies on access rights and restrictions. These feed into the design requirements for the delivery system, including the configuration of Web Interface. The aim here is primarily to ensure authorized users are allowed access in the intended way while unauthorized users are denied access, and that policies are not circumvented.
Web Interface has a brokering role in the delivery system, making it an effective place to enforce certain policies, for instance ensuring strong authentication happens before access is granted. It can be augmented with Citrix Access Gateway to scan end point devices to make fine-grained access decisions; in this case Web Interface plays a supporting role in upholding those policy mechanisms. It also implements a number of sensitive features, like password change and password reset, which can be enabled when the usability gains outweigh the security considerations.
Q: What are the prescribed security precautions Citrix Admins should use with WI?
A: There are a few standard precautions we recommend all customers follow:
- Require SSL on the Web Interface server; this protects user credentials in transit and helps prevent spoofing attacks (like those that could result from the recent DNS vulnerabilities).
- Use SSL or IPSec for requests to the XML service on XenApp or XenDesktop; again this protects credentials.
- Follow best practices for web server administration; this protects against accidental or malicious reconfiguration.
- Disabling the HTTP port, or having it redirect to the HTTPS port, can be helpful. Then, to prevent potential phishing attacks (a MITM against the HTTP connection that redirects to a replicated WI site), the Internet Options setting "Websites in less privileged web content zone can navigate into this zone" should be disabled.
Where possible, we encourage customers to consider using the Kerberos or smart card support in XenApp which avoids the need to send passwords at all.
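As an added check for the redirect precaution above (example code written for this page, not Citrix's code and not part of the original interview), the Python below parses a plain-HTTP response from a Web Interface host and accepts it only if the server redirects to an absolute https:// URL on the expected host. A 200 over plain HTTP, a redirect back to http://, a relative Location, or a redirect to another host are each reported with a reason, since those are the shapes a MITM-substituted redirect to a replica site would take. The host name wi.example.com and the four sample responses are constructed for illustration; the optional live probe at the end is an assumption about how a practitioner would gather a real response from a trusted vantage point.

```python
import socket
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Status codes that count as "plain HTTP redirected the client somewhere".
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns (status_code, headers); header names are lower-cased so lookups
    are case-insensitive, as the header syntax requires.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_http_redirect(raw: bytes, expected_host: str) -> Tuple[bool, str]:
    """Decide whether a plain-HTTP response matches the recommended setup.

    Accepts only a redirect whose Location is an absolute https:// URL on
    expected_host; every other case is returned as (False, reason).
    """
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES:
        return False, "plain HTTP answered %d instead of redirecting to HTTPS" % status
    location = headers.get("location")
    if not location:
        return False, "redirect (%d) carries no Location header" % status
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        # Covers both http:// targets and relative paths, which stay on http.
        return False, "redirect target is not https: %s" % location
    if (target.hostname or "").lower() != expected_host.lower():
        return False, "redirect leaves the expected host: %s" % location
    return True, "OK: plain HTTP redirects to %s" % location


def fetch_plain_http(host: str, path: str = "/", timeout: float = 5.0) -> bytes:
    """Live probe (assumed usage): GET path over port 80 and return the raw reply.

    Run it from a trusted network position, not across the link under test.
    A ConnectionRefusedError here means the HTTP port is disabled, which is
    the other acceptable outcome.
    """
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (path, host)).encode("ascii")
    chunks = []
    with socket.create_connection((host, 80), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample responses (not captured from any real server).
EXPECTED_HOST = "wi.example.com"  # assumed Web Interface host name

GOOD = (b"HTTP/1.1 302 Found\r\n"
        b"Location: https://wi.example.com/Citrix/XenApp/\r\n"
        b"Content-Length: 0\r\n\r\n")
STILL_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: http://wi.example.com/Citrix/XenApp/\r\n\r\n")
LOOKALIKE = (b"HTTP/1.1 302 Found\r\n"
             b"Location: https://wi.example.com.login-portal.example/\r\n\r\n")
SERVED_PLAIN = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n\r\n<html>login form</html>")

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("STILL_HTTP", STILL_HTTP),
                         ("LOOKALIKE", LOOKALIKE), ("SERVED_PLAIN", SERVED_PLAIN)]:
        ok, reason = check_http_redirect(sample, EXPECTED_HOST)
        print("%-12s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

Only the first sample passes; the other three are what a monitoring job should alert on. The check is deliberately strict about the host: a redirect to a subdomain or a look-alike name is treated as a failure, because the browser-side zone setting mentioned above only helps if the server itself never sends users anywhere but the real HTTPS site.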
Q: Do you have any Knowledge Base articles to reference that might be of help?
A: There is a collection of technotes for Web Interface which cover useful points, but my favorite reference is the Troubleshooter's Guide for Web Interface.
And it's FREE! Throw away those behemoths that suck power from every grid in the state and drain your budget. This baby is free, open source and VIRTUAL, meaning you can run as many instances of this router as you want on your choice of hardware. What is even more gratifying is that it is faster than the old router technology.
Vyatta has commoditized router, firewall and VPN deployment in the same way that Linux commoditized the operating system market. Vyatta open-source networking offers you an alternative to over-priced, inflexible products from proprietary vendors.
Vyatta software enables customers to build routing and security solutions using standard x86-based hardware of their choosing, ensuring networks will always meet performance requirements. Vyatta open-source software delivers the unique advantage of allowing customers to scale networks from the simplest LAN configurations to large BGP WAN edge configurations using a single software package.
Vyatta software includes support for most commonly used network interfaces and industry standard routing and management protocols, and all of these features are configurable via a single command-line interface (CLI) or a web-based graphical user interface (GUI, available Q3 2008). The integrated features and functionality make Vyatta software ideal for SMB, branch office, enterprise and service provider deployments.
Summary of features:
BGP, OSPF, RIP, DHCP, QoS, IPSec VPN, VRRP, PPP, 802.1Q (see the complete feature list).
This open source router is already running on XenServer in a large service provider in Europe. We are using it in our Citrix Ready program as a multi-link Intranet with connections to the Internet along with high availability link load balancing.
This para-virtualized Vyatta image runs as a virtual appliance in XenServer v3.2.1 and v4.1.
The XenServer Platform we are using:
- Dell Poweredge 2950 server.
- 2 x Intel 64-bit Quad-Core Xeon processors, model E5335 @ 2.00 GHz, for a total of 8 cores.
- 2 Intel 82571EB Gigabit Ethernet (on-board)
- 2 Broadcom NetXtremeII Gigabit Ethernet
- 16 GB of memory.
- 300 GB of Storage.
- XenServer v4.1
- *note: CPUs must support virtualization technology.
Virtual Router - Install:
Virtual Router - Config:
Tap into the power of AppExpert.