3111SecuringTheCorporateDatacenterWithCitrixAccessGatewayFinal


Slide 1: Securing the Corporate Data Center with Citrix Access Gateway
Tim Simmons, Sr. Mgr., Technical Marketing, Citrix Systems, Inc.
Aaron Cockerill, Director, Product Management, Citrix Systems, Inc.
© 2005 Citrix Systems, Inc. All rights reserved.

Slide 2: Agenda
- Today's Enterprise Security Model is Flawed
- Enclave Networks
- Minimize the Infrastructure Cost Impact

Slide 3: Today's Model
Diagram labels: Finance Subnet, Wireless Network, File Servers, Web/App Servers, Presentation Server, E-mail Servers, Data Center, Firewall (x2), DMZ, Internet, IDS, Domain Services

Slide 4: Assumptions
#1: Only trusted machines connect to the corporate network
- Trusted machines can host untrusted software
- More mobile users
- More public access points
- Malware is increasing
- Split tunnels on remote VPN connections
Diagram label: The Corporate Network

Slide 5: The Malware Threat
“Although we saw a steady decline in the rate of viruses produced from 2000 to 2004, down to a 5% year over year growth, we've seen a 20% increase in malware-related threats between 2004 and 2005, and anticipate that these numbers will stay at the higher rate of growth for the immediate future”
Vincent Gullotto, Vice President of McAfee's Security Lab, Avert

Slide 6: Assumptions
#2: Only employees connect to the corporate network
- Trusted visitors
- Access to wired connections
- Rogue access points

Slide 7: Assumptions
#3: Authenticated users should be trusted on the network

Slide 8: OSI Model
7 Application: HTML
6 Presentation: SSL
5 Session: HTTP
4 Transport: TCP and UDP
3 Network: IP and ICMP
2 Data Link: MAC
1 Physical
Annotations: User Identity, Machine Identity

Slide 9: Assumptions
#4: Applications communicate securely on the network
Applications may transmit sensitive data unencrypted due to:
- User error
- Configuration error
- Poor software design
Diagram label: Web/App Servers

Slide 10: Threat Summary
- Untrusted machines on the network
- Malware
- Split tunnels on VPN connections
- Network infrastructure is not user-aware
- Unencrypted sensitive data on the network
The model needs to evolve

Slide 11: Enclave Model
Diagram labels: Internet, Firewall (x5), File Servers, Web/App Servers, Presentation Server, E-mail Servers, Data Center, Domain Services, DMZ, SSL/VPN Gateway

Slide 12: Enclave Support Services
Diagram labels: Data Center, User Enclave, Firewall, Internet

Slide 13: Enclave Model
Diagram labels: Internet, Firewall (x4), File Servers, Web/App Servers, Presentation Server, E-mail Servers, Data Center, Domain Services, IDS, Access Gateway, Wireless Access Points, SSL/VPN Gateway

Slide 14: Data Center Deployment
Diagram labels: NetScaler Load-Balancer, Data Center, File Shares, Web Servers, Advanced Access Control Servers, Access Gateways, Enterprise Resource Servers, Exchange/Notes, Citrix Presentation Server, Active Directory Domain, Firewall, From User Enclave Networks

Slide 15: Access Gateway 4.2: What's New?
- Access Gateway integrated with Advanced Access Control
- No more software secure gateway in AAC package
- SG continues to ship with Presentation Server
- New Advanced Access Control User Interface
- Navigation UI includes Presentation Server applications
- Support for double source authentication (e.g. AD & RSA)
- New Black Bezel
- Rename Access Gateway Enterprise to “Access Gateway and Advanced Access Control”
- Multi-Lingual Support
Release: EN JA FR ES DE
AG 4.2 client: X X X X X
AG 4.2 administration: X
AAC 4.2 clients: X X X X X
AAC 4.2 administration: X X X X X

Slide 16: Standard AG+AAC Deployment
Responsibilities (Advanced Access Control):
- Authentication
- End Point Analysis service
- Configuration Management
- Policy decisions
- Licensing
- Session Management
Responsibilities (Access Gateway):
- Fetch configuration from Advanced Access Control servers (at start-up)
- Authentication page delivery and validation
- End Point Analysis proxy
- Connection policy enforcement
- Session verification
Diagram labels: Firewall (x2), Client Device, Secure Control Channel (SOAP), Advanced Access Control, Access Gateway, Management Console, HTML Authentication, File Servers, E-mail Servers, IP PBX, Web/App Servers, Presentation Server

Slide 17: AG+AAC Traffic - Browser-based
AAC responsibilities are:
- Policy Decisions
- Render Navigation Pages
- Enforce Granular Access
- Action Control
AG responsibilities are:
- Validate Session with AAC
- Enforce Level 3-4 policies
- Proxy HTTP traffic to AAC
Diagram labels: Firewall (x2), Access Gateway, Web Browser, AG Client, Advanced Access Control, Presentation Server Client, HTML/HTTP Traffic, File Servers, E-mail Servers, IP PBX, Web/App Servers, Presentation Server

Slide 18: AG+AAC Traffic - ICA/CGP
Diagram labels: Firewall (x2), Access Gateway, AG Client, Presentation Server Client, Web Browser, ICA/CGP Traffic, File Servers, Web/App Servers, Presentation Server, E-mail Servers, IP PBX, Advanced Access Control, Secure Control Channel

Slide 19: AG+AAC Traffic - VPN
Diagram labels: Firewall (x2), File Servers, Web/App Servers, Presentation Server, E-mail Servers, IP PBX, Access Gateway, Advanced Access Control, Web Browser, AG Client, Secure Control Channel, Presentation Server Client, VPN Client Traffic

Slide 20: Action Control
- Edit
- View Only
- Print
- Save
Diagram labels: SmartAccess, Granular Access Rights, Advanced Endpoint Sensing + User Scenario, Which User

Slide 21: SmartAccess: Overview
Analyze Access Scenario:
Analyze endpoint to ensure connections are:
- Safe: ensure connection will not harm corporate infrastructure
- Trusted: analyze user, machine, and network identity to ensure the connection is being made as claimed
- Secure: ensure malicious parties cannot attack corporate infrastructure from connecting devices
Provide an extensible architecture (via SDK) to allow customers and 3rd parties to easily create custom scans
Analyze Access Scenario
- Machine Identity: NetBIOS name, Domain Membership, MAC address
- Machine Configuration
- Operating System
- Anti-Virus System
- Personal Firewall
- Browser
- Network Zone
- Login Agent
- Authentication Method
- Custom Endpoint Scans

Slide 22: SmartAccess: Overview
Analyze Endpoint & Connection
- Machine Identity: NetBIOS name, Domain Membership, MAC address
- Machine Configuration
- Operating System
- Anti-Virus System
- Personal Firewall
- Browser
- Network Zone
- Login Agent
- Authentication Method
- Client Certificate Queries
- Custom Endpoint Scans
Implement Access Control
- CPS applications
- File & network shares (UNCs)
- Web based email
- Web sites (URLs)
- Web applications
- Email & application synchronization
Policy Based Access Control: Situational or contextual access control based on user membership, authentication strength, device and connection to ensure IT resources are not exposed to unwarranted risk

Slide 23: SmartAccess: Overview
Analyze Endpoint & Connection
- Machine Identity: NetBIOS name, Domain Membership, MAC address
- Machine Configuration
- Operating System
- Anti-Virus System
- Personal Firewall
- Browser
- Network Zone
- Login Agent
- Authentication Method
- Custom Endpoint Scans
Implement Access Control
- CPS applications
- File & network shares (UNCs)
- Web based email
- Web sites (URLs)
- Web applications
- Email & application synchronization
Implement Resource Usage Control
- Full download of documents
- LiveEdit
- Edit locally
- Save back to server
- Retain in memory during edit
- Avoid data leakage on client
- Preview documents with HTML
- Access from PDAs
- View without application on client
- Attach to email
- Avoid data transmission to client
- CPS Applications
- Control available applications
- Limit local mapped drives & printing
Intellectual Property Control:
Manage the use of sensitive information by:
- controlling how information is accessed and used (CPS, HTML Preview, LiveEdit etc.)
- controlling what can be done with that information (download, print, save, copy, etc.)
- ensuring no data is left on the local machine
Enable companies to log all access
Diagram label: SSL-VPNs

Slide 24: Access Methods
- Full desktop experience
- Client-server applications
- Web-based applications
- Voice over IP Softphones
- Browser based
- Clientless access
- Device aware interface
- Presentation Server
- ICA Client

Slide 25: Granular Access Controls
- File Preview
- Web E-mail
- Controlled Presentation Server Access
- File Download
- Local Edit and Save
- File Upload
- E-mail Sync
- Web E-mail
- Full Presentation Server Access
- Full Presentation Server App Set
- Edit in Memory
- Limited Presentation Server access (read-only local drive mapping)
- Limited Presentation Server application set
- File Preview
- File Upload
- E-mail Sync
- Web E-mail
Diagram labels: Corporate Desktop, Remote Corporate Device, Presentation Server Client, Public Kiosk
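The contextual decision described on the SmartAccess and Granular Access Controls slides, sketched as an added example (not Citrix code and not part of the original deck). The EndpointScan fields, the classification rules and the assignment of rights to each device scenario are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Right names come from the "Granular Access Controls" slide; which rights go
# with which device scenario is an assumption made for this example.
RIGHTS = {
    "deny": frozenset(),
    "public_kiosk": frozenset({"file_preview", "web_email"}),
    "remote_corporate_device": frozenset({
        "file_preview", "file_upload", "email_sync", "web_email",
        "edit_in_memory", "limited_presentation_server"}),
    "corporate_desktop": frozenset({
        "file_download", "local_edit_and_save", "file_upload", "email_sync",
        "web_email", "full_presentation_server"}),
}

@dataclass(frozen=True)
class EndpointScan:
    """Constructed stand-in for endpoint analysis output; None = not reported."""
    domain_member: Optional[bool] = None
    antivirus_running: Optional[bool] = None
    personal_firewall_on: Optional[bool] = None
    network_zone: Optional[str] = None   # "internal" or "external"
    auth_methods: tuple = ()             # e.g. ("AD", "RSA")

def classify(scan: EndpointScan) -> str:
    """Map scan results to a device scenario, failing closed on missing data."""
    if not scan.auth_methods:
        return "deny"                    # unauthenticated: no access at all
    # "is True" makes an unreported (None) check count as a failed check.
    managed = (scan.domain_member is True
               and scan.antivirus_running is True
               and scan.personal_firewall_on is True)
    if not managed:
        return "public_kiosk"            # unknown or unhealthy device
    if scan.network_zone == "internal":
        return "corporate_desktop"
    # Managed device coming from outside: require double-source authentication.
    if scan.network_zone == "external" and len(set(scan.auth_methods)) >= 2:
        return "remote_corporate_device"
    return "public_kiosk"

def allowed_actions(scan: EndpointScan) -> frozenset:
    return RIGHTS[classify(scan)]

def is_permitted(scan: EndpointScan, action: str) -> bool:
    """Default deny: an action not listed for the scenario is refused."""
    return action in allowed_actions(scan)
```

A scan that omits a check (for example, no anti-virus result) drops the session to the most restrictive authenticated scenario rather than being treated as a pass.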

Slide 26: Intelligent Networks
- Network infrastructure vendors are building “intelligent networks”
- Technology is still in development
- Requires a replacement of existing firewalls, switches, and routers

Slide 27: Citrix Access Gateway Benefits
- Improved management and control
  - Ensure client devices are secured prior to access
  - Helps to reduce administrative errors
  - Greater visibility into network activities

Slide 28: Citrix Access Gateway Benefits
- Improved management and control
- Address regulatory compliance
  - Document Protection
  - Strong Authentication
  - Auditing & Logging

Slide 29: Citrix Access Gateway Benefits
- Improved management and control
- Address regulatory compliance
- Enhanced network policies
  - Adaptive policy based access control
  - Greater intelligence results in better defense

Slide 30: Citrix Access Gateway Benefits
- Improved management and control
- Address regulatory compliance
- Enhanced network policies
- All network traffic is secure
  - Secure (encrypted) Communications
  - Enhances Intrusion Detection Systems (UserID-IP)
  - Restrict visitor access

Slide 31: Citrix Access Gateway Benefits
- Improved management and control
- Address regulatory compliance
- Enhanced network policies
- All network traffic is secure
- Simplify wireless networks
  - Minimize complexity associated with LEAP, EAP, WEP, WPA, etc.

Slide 32: Citrix Access Gateway Benefits
- Improved management and control
- Address regulatory compliance
- Enhanced network policies
- All network traffic is secure
- Simplify wireless networks
- Mitigate threats to the network
  - Minimizes interconnection between computers/subnets
  - Divides network into manageable pieces

Slide 33: Cost Effective Improvements
- The Citrix Access Gateway provides a cost-effective implementation of enclaves
- The technology is available today!

Slide 34: Before you leave
Recommended related breakout sessions:
- 3114: Securing Remote Access with Citrix Access Gateway (Tuesday, October 11, 11:00am - 11:50am)
- 2128: Citrix Access Gateway, the Best Way to Secure Citrix Presentation Server (Tuesday, October 11, 3:30 - 4:20pm)
Session surveys are available online at Tuesday, October 11 (please provide feedback)
Breakout session handouts are located at the Breakers Registration Desk South
