Home page logo
/

basics logo Security Basics mailing list archives

RE: Teleworking
From: "Gunn, Jeff" <Jeff.Gunn () FMR COM>
Date: Wed, 12 Nov 2003 11:04:13 -0500

 
I'm not an expert in it, I helped with the config and I did the verification
testing from the point of view of the Citrix servers (which I support) and
the end user.  So I can't really give a lecture on the technical details.  I
also don't have any experience with using it for access to any other number
of apps it supports.  That being said...

Basically, the Neoteris device sits on the firewall and proxies all requests
to the internal resources, and only the resources that you explicitly allow.
You make a session request to that box with a web browser and authenticate.
It then acts as a proxy for the web connection to the Nfuse server in your
extranet (or intranet).  When you request an application on your Metaframe
farm, it intercepts the connection file (the .ica file) and inserts its own
tags on the fly.  It uses a java based "session manager" to then handle the
traffic that would normally run direct from the client to the Citrix box,
but is now being routed through the Neoteris device.

Advantages over traditional VPN?  For the good and accurate spiel you'd have
to talk to them, or someone who has had more hands-on exposure than me.
From the security standpoint I'd say the fact that all traffic is funneled
through a single point with centralized access control is an advantage over
the traditional VPN.  In my experience, a VPN connection is something you
give to someone you trust completely because it allows access to a range of
resources on your network.  This is more like an "access nothing except what
I allow" scenario than a traditional VPN, which I thought of as a "access
everything except what I lock down".  It also does all the usual VPN stuff
that you'd expect, like high encryption, two-factor authentication, etc.

More user-oriented advantages are that you don't need to install anything -
the session manager is popped up in a java window, no client install
required (although you still need the Citrix ICA client if you're not using
the Java one).  It also integrates very well, so your users aren't launching
their VPN, authenticating, going to a website, authenticating, then getting
to their remote apps...etc.  It streamlines the process a bit.

I don't work for Neoteris, I just used their stuff and thought it worked
well.

        -Jeff


-----Original Message-----
From: Charles Mitchell [mailto:charles () research datalocate net] 
Sent: Wednesday, November 12, 2003 3:42 AM
To: Gunn, Jeff
Cc: 'security-basics () securityfocus com'
Subject: RE: Teleworking

On Mon, 10 Nov 2003, Gunn, Jeff wrote:

but I know our telecom guys were happier with it for external access
than a traditional VPN because it's really more of a 
reverse proxy than a
real VPN solution, so it can be more secure.


Will you explain in more detail what you mean by 'reverse 
proxy' in this
situation & the advantages/disadvantages in security over 
traditional VPN
technologies ?

-- 
Thanks in advance

Charles Mitchell
datalocate.net


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]