How One Company Solved the Citrix/Terminal Services Security Threat

April 21, 2016
Reduce Information Security Risks when Deploying a Citrix Solution

Citrix XenApp, XenDesktop and Windows Terminal Services (which was renamed Remote Desktop Services in Windows Server 2008) are widely deployed virtualization systems used to present corporate apps to employees in a secure and controlled environment. The use cases are wide – remote access, jump servers connected to secure networks or access to privileged applications and resources.

However, both introduce huge security weaknesses. Within every network there is generally a firewall protecting access to the server network. The challenge is that all traffic using the Citrix/Terminal Server is seen on the network as coming from a single IP address, sometimes representing dozens of users. This means that the firewall for the Citrix/Terminal Server IP addresses needs to allow access to EVERYTHING any user might need.

Now let’s say a disgruntled employee or hacker gets in at the network layer: access is granted to everything – customer information, protected healthcare information, personally identifiable information, your intellectual property. That’s a problem.

How One Company Solved the Citrix/Terminal Services Security Threat

An electricity transmission company in Europe has a big Citrix implementation that gives users access to certain areas of the infrastructure, such as SAP. The company opted to use AppGate’s Citrix Module, a secure access network security solution that makes the application/server infrastructure effectively “invisible.” AppGate uses a role- and attribute-based security model that maintains the distinction between individual users even inside the network and especially when connecting through Citrix or Windows Terminal Servers. Network access is provisioned/firewalled at the application level depending on a user’s specific role and attributes.

AppGate’s Citrix Module includes a multi-user tunneling driver that is able to recognize individual users’ network traffic from a terminal server and requires that traffic to use the user-specific encrypted tunnel to the AppGate server where firewall rule sets, unique to each user, are applied. This makes it possible to deploy Citrix/Terminal Server-based solutions while ensuring that users are able to access only what your user and attribute-based access control policy allows.


Having evaluated AppGate’s Citrix Module on the company’s own infrastructure and using its existing policies, Cryptzone secured access to SAP and gave the company a route to expand use of Citrix within the network and enable access from outside the network.

Moving from IP-centric to role-based access controls

Companies need to move away from IP-centric architectures to a role-based security model that maintains the distinction between individual users connecting through a Citrix or Windows Terminal, then provisions access on the network and application level depending on those users’ roles and attributes.
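The contrast between the two models, as an added sketch that is not AppGate's or Cryptzone's code: it computes the rule set a firewall needs for a shared terminal-server address and what each user can then reach beyond their own role. The roles, hosts, ports and user names are constructed sample data.

```python
from typing import Dict, Set, Tuple

Dest = Tuple[str, int]  # (destination host, TCP port)

# Constructed sample policy: what each role is entitled to reach.
ROLE_ACCESS: Dict[str, Set[Dest]] = {
    "finance":  {("sap.corp.example", 3200)},
    "hr":       {("hr-db.corp.example", 1433)},
    "engineer": {("scada-gw.corp.example", 443), ("sap.corp.example", 3200)},
}

# Constructed sample: users logged on to one terminal server, with their roles.
SESSIONS: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob":   {"hr"},
    "carol": {"engineer"},
}

def user_entitlement(user: str, sessions=SESSIONS, roles=ROLE_ACCESS) -> Set[Dest]:
    """Per-user rule set: only what the user's own roles allow."""
    return set().union(*(roles[r] for r in sessions[user]))

def shared_ip_allowlist(sessions=SESSIONS, roles=ROLE_ACCESS) -> Set[Dest]:
    """IP-centric rule set for the server's single address: union over all users."""
    return set().union(*(user_entitlement(u, sessions, roles) for u in sessions))

def excess_exposure(sessions=SESSIONS, roles=ROLE_ACCESS) -> Dict[str, Set[Dest]]:
    """Per user: destinations reachable via the shared IP but not granted by role."""
    allowed = shared_ip_allowlist(sessions, roles)
    return {u: allowed - user_entitlement(u, sessions, roles) for u in sessions}

def decide(user: str, dest: Dest, per_user: bool) -> bool:
    """Firewall verdict for one connection under either model."""
    rules = user_entitlement(user) if per_user else shared_ip_allowlist()
    return dest in rules

if __name__ == "__main__":
    print("shared-IP allow-list:", sorted(shared_ip_allowlist()))
    for user, extra in sorted(excess_exposure().items()):
        print(f"{user}: over-entitled to {sorted(extra)}")
    sap = ("sap.corp.example", 3200)
    print("bob -> SAP, IP-centric:", decide("bob", sap, per_user=False))
    print("bob -> SAP, per-user:  ", decide("bob", sap, per_user=True))
```

Run against real session and role data, a non-empty `excess_exposure` entry is the access a user would gain purely by sharing the server's address.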

Get the white paper ‘Does your Citrix or Terminal Server environment have an Achilles heel?’ now to read more about the information security risks inherent in all multi-user virtual desktop solutions and how to deliver secure access using AppGate’s Citrix Module.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing as well as 10+ years of experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He also was a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he’s participated in numerous webinars, in panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
