
For many years, we've been using Citrix as our remote access tool. Although from the beginning this happened mostly by accident, I like the solution because this way, applications and sensitive data aren't exposed to the home machine, which, from a security perspective, is an unknown quantity.

I've always been a little leery of allowing any home machine the direct access to sensitive apps and data that VPN provides, not to mention exposing the school's network directly to these home machines. Or are my fears unfounded, and I'm just missing something basic about the features and controls VPNs have?

Jim Gramke
College of St. Benedict | St. John's University

Comments

On 20120312 10:28, Gramke, Jim wrote:
> For many years, we've been using Citrix as our remote access tool.
> Although from the beginning this happened mostly by accident, I
> like the solution because this way, applications and sensitive data
> aren't exposed to the home machine, which, from a security perspective,
> is an unknown quantity.
>
> I've always been a little leery of allowing any home machine the direct
> access to sensitive apps and data that VPN provides, not to mention
> exposing the school's network directly to these home machines.
> Or are my fears unfounded, and I'm just missing something basic about
> the features and controls VPNs have?

While a fan of "the hosted desktop" for a number of reasons, I'll note that it doesn't mitigate against all threats to the endpoint -- keyloggers running on the user's home machine probably capture keystrokes bound for the Citrix client as well as any other. Depending upon what gets saved in the client's login dialog, this could lead to an enticing-looking string of entries in a keylog. I perk up when I find a text file with lines like

    ...
    citrix.uvm.edu
    sthooker
    h0lym0ly1'ml33t
    ...

Although I haven't looked for any such thing specifically, I'd be surprised if there *weren't* malware designed to at least screen-scrape the Citrix and MS RDP clients -- and wonder if there's any practical countermeasure against such a technique.

Cheers,

-sth

--
Sam Hooker | samuel.hooker@uvm.edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont
Here are two other unmitigated risks to consider associated with an untrusted device accessing sensitive resources through a terminal services environment:

1) Direct interactive control of a session through bot/remote control malware.
2) Download of sensitive data through file transfer and clipboard features of the terminal services environment.

Credential stealing risks can be mitigated by using 2-factor authentication. File transfers and clipboard functionality can be limited with terminal services configurations, reducing risk associated with local storage of sensitive data and unauthorized transfer... if your use cases will allow you to set up such a restrictive environment. But with an untrusted device, risks associated with screen scraping and interactive control by unauthorized parties remain.

A properly configured terminal services environment protected with two-factor authentication adds a significant extra layer of defensive hurdles between an untrusted device and sensitive resources that may be adequate to bring risk down to an acceptable level for run-of-the-mill malware and attackers and moderately sensitive data. But when sophisticated, motivated attackers and/or highly sensitive, attractive data are involved, I think the problem (i.e. the untrusted device) has to be addressed directly through strict configuration controls and policies to attempt to retain device integrity. That costs money, operational time, and, practically, limitations on the devices that can be adequately supported with consistent policies. Not particularly popular in an era of "consumerization".

To answer the original questions:

1) Yes.
2) We're migrating from Cisco 3000 series IPSEC VPN to a Juniper SSLVPN supporting clientless web, RDP/SSH proxy client, and IPSEC Network Connect clients.
3) We have a 500 user license for our Juniper SSLVPN.
4) Access is granted primarily by coarse LDAP-based roles with a few specialized one-offs handled manually.
5) Yes.
6) Our Cisco VPN client was configured to disable split tunneling in the belief that the extra traffic through our internet connection is not consequential enough to accept risks associated with a client possibly bridging the campus and the home network. There was also some thought that campus security measures also slightly decreased risk when all internet traffic was funneled through the campus internet connection (e.g. DNS blackhole, IPS, inbound blocks). Though that occasionally results in an RIAA notification for a home computer, it is rare enough that it has not been sufficient motivation to change.

Sam Hooker wrote:
> On 20120312 10:28, Gramke, Jim wrote:
>> For many years, we've been using Citrix as our remote access tool.
>> Although from the beginning this happened mostly by accident, I
>> like the solution because this way, applications and sensitive data
>> aren't exposed to the home machine, which, from a security perspective,
>> is an unknown quantity.
>>
>> I've always been a little leery of allowing any home machine the direct
>> access to sensitive apps and data that VPN provides, not to mention
>> exposing the school's network directly to these home machines.
>> Or are my fears unfounded, and I'm just missing something basic about
>> the features and controls VPNs have?
> While a fan of "the hosted desktop" for a number of reasons, I'll note
> that it doesn't mitigate against all threats to the endpoint --
> keyloggers running on the user's home machine probably capture
> keystrokes bound for the Citrix client as well as any other. Depending
> upon what gets saved in the client's login dialog, this could lead to an
> enticing-looking string of entries in a keylog. I perk up when I find a
> text file with lines like
>
> ...
> citrix.uvm.edu
> sthooker
> h0lym0ly1'ml33t
> ...
>
> Although I haven't looked for any such thing specifically, I'd be
> surprised if there *weren't* malware designed to at least screen-scrape
> the Citrix and MS RDP clients -- and wonder if there's any practical
> countermeasure against such a technique.
>
>
> Cheers,
>
> -sth
>
> --
> Sam Hooker | samuel.hooker@uvm.edu
> Systems Architecture and Administration
> Enterprise Technology Services
> The University of Vermont
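The file-transfer and clipboard restrictions the reply above describes, as an added PowerShell example that is not from the thread or from any of the posters: it assumes a Windows Remote Desktop Session Host (the platform Citrix and MS Terminal Services sessions run on) and writes the machine policy values that the corresponding Terminal Services Group Policy settings set, then audits which redirection channels are still open.

```powershell
# Added example (not from the thread). Run elevated on an RD Session Host.
# Assumption: no domain GPO overrides these local policy values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name => channel it closes when set to 1 (DWORD).
$redirectionChannels = [ordered]@{
    fDisableClip     = 'clipboard redirection'
    fDisableCdm      = 'client drive mapping (file transfer)'
    fDisableCpm      = 'client printer redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'plug-and-play device redirection'
}

function Set-RdpRedirectionHardening {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $redirectionChannels.Keys) {
        Set-ItemProperty -Path $policyKey -Name $name -Value 1 -Type DWord
    }
}

# Returns the human-readable names of channels that are NOT disabled
# (value missing or not equal to 1), so an empty result means hardened.
function Get-OpenRdpRedirectionChannels {
    $open = @()
    $current = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }
    foreach ($name in $redirectionChannels.Keys) {
        $value = if ($current) { $current.$name } else { $null }
        if ($value -ne 1) { $open += $redirectionChannels[$name] }
    }
    return $open
}

Set-RdpRedirectionHardening
$stillOpen = Get-OpenRdpRedirectionChannels
if ($stillOpen.Count -eq 0) { 'All session redirection channels disabled.' }
else { "Still open: $($stillOpen -join ', ')" }
```

Existing sessions keep their negotiated channels until users reconnect, so a reconnect (or a check with the audit function after the next logon) confirms the policy took effect.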