[PEN-TEST] Security of Citrix server to client protocol
From: Peter Van Epp <vanepp () SFU CA>
Date: Wed, 13 Sep 2000 13:20:19 -0700

The thought struck that this is a good list to ask this question on.
We are considering the NT Citrix terminal server as a firewall of sorts.
We have a VPN protected network which is currently fully isolated (i.e. no
access to the Internet which in our case includes email and obviously the web).
They desire email and web access from this net. One thing we are considering
is using Citrix terminal server. The server would be on our backbone (and
thus the Internet) and subject to compromise (although it will be as heavily
secured as is possible with NT which in my view is not very). With the
assumption that Citrix was careful with the server client protocol, that
shouldn't matter, because breaking in to the server should only get you
key strokes from the secure net (which are by definition not secure because
they are heading for the Internet, and rightly or wrongly we trust the users
to not send things they shouldn't that route) and be able to get video images
back to the client. In theory this shouldn't allow the client machine to be
compromised (if the protocol was designed and implemented right).

My question is can anyone tell me I don't even need to look because
the server client protocol is (for instance) a full IP connection and full of
holes? Has anyone been able to compromise a client machine by breaking in to
the server on Citrix? If not Citrix, does anyone know of a product that would
do this (run a server subject to compromise for email and web surfing without
a data connection other than keystrokes out and video in) in to the secure
network? In some sense I want a cheap (because it is very dumb) firewall that
can't pass anything but video commands in towards the secure net. Web and email
viruses may infect the external server but can't compromise the secure net.
It presents some interesting problems (dual printers, one on the Internet side
for printing email and web pages, one on the secure side for printing documents
from the secure side is one instance), but would seem to be a lot cheaper (and
safer) than an application proxy firewall for email and web (web being the
main worry assuming I'm allowed to nuke all email attachments) from the
secure side to the Internet.

I recognize that sensitive data can be leaked out of the secure segment
manually, but that has been decided to be an acceptable risk (small group, well
educated about the need for and implementation of security). I figure the
folks that break in to things are the best people to ask this question of
(followed by attempting to break in to a test setup ourselves of course).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada