Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • Networking

    Blame Bad Citrix Admins for Poor Site Security, Expert Says

    By
    Lisa Vaas
    -
    October 9, 2007
    Share
    Facebook
    Twitter
    Linkedin

      Overworked, undereducated or lazy Citrix administrators are neglecting to install even the free SSL VPN that Citrix ships with products, users say, presenting the dismaying scenario of sites full of holes on domains that include government and military sites.

      “I feel most of the problem is, simply put, really bad admins who are not following even the basics,” Douglas A. Brown, president and chief technology officer of DABCC, based in Naples, Fla., said in an e-mail exchange. DABCCs offerings include Citrix support.

      Security researcher Petko D. Petkov—aka “pdp”—said in an Oct. 4 posting that his recent testing of Citrix gateways led him to “tons” of “wide-open” Citrix instances, including 10 on government domains and four on military domains.

      Petkov said he has found that searching on Google or Yahoo for files with Citrixs proprietary ICA (Independent Computing Architecture) extension returns files that offer up dangerously useful information about which server a given site is running on, the underlying transport mechanism and the remote application that Citrix will open. He said he has found several “critical” applications that he was afraid to even poke at, such as Citrix portals running a global logistics system application and a U.S. federal funding program.

      Some users are disgruntled by the idea that Citrix technology might get a black eye from this embarrassing state of affairs, given that its bad Citrix administrators who are to blame.

      “[Petkov] made a very valid point: Yeah, you can hack into Citrix via ICA files. You can brute-force your way in through there and what have you,” Brown said in an interview with eWEEK. “But thats not the way its [supposed to be] implemented. If there are environments out there that havent followed basic practices 101 and implemented various technologies that ship with [Citrix] Presentation Manager, I dont think thats Citrixs fault.”

      During his years of working as a Citrix engineer, including working for Citrix itself, Brown said he walked into plenty of organizations where Web administrators would stick a server on the Internet and just leave it at that. “After [Citrix released an Internet log-in box], you started getting a lot of people that are very apprehensive about security or technologies theyre not necessarily good at, right? So you have these poor administrators who say Ill just stick a Citrix box out there, Ill create a hole in my firewall back to my Citrix server and stick [the application its running] out there.”

      Citrix has numerous security components that can be used to avoid putting up an insecure site. Citrix Presentation Server has a feature, Secure Gateway, which only needs to be turned on. That feature protects any application delivered via CPS.

      Citrix Access Gateway also ships as an SSL (Secure Sockets Layer) VPN appliance that secures both ICA and non-ICA traffic. Access Gateway licenses come free with all versions of Presentation Server. To use them, customers must purchase the Access Gateway appliance, however.

      Citrix also has a gateway product that maintains ICA file information that is only valid for less than 1 minute, which would render useless the information returned in a Google or Yahoo search such as those done by Petkov, Brown said.

      “Citrix has … a slew of other stuff. Citrix sees itself not necessarily as a security company but one that can supply secure access,” Brown said. “But the admin has to deploy it. He cant just install the server and be done with it. [This problem] comes down to poor, poor administrators.”

      Will Microsoft buy Citrix? Click here to read more.

      The problem, in other words, isnt a lack of options for securing Citrix instances; the problem is that administrators arent using them. Thats due to a host of reasons: administrators being told to get a Citrix box up right away within a constant “its a fire” time frame, administrators being overworked and a lack of education as to how to do Citrix deployments securely, Brown said.

      “We need to give them the education and time to do their job properly,” he said. “Its not just government [and military domains that have security holes in their Citrix deployments]. Its .edu and .coms [as well]. Everybodys guilty of poor security practices, period,” Brown said.

      “If anything, this shows that administrators need to be aware that software is vulnerable. If you allow a way for a user to come into your company, you create a way for a hacker to come into your company. If you dont lock that door, youre guilty of anything that happens. If I dont the lock door to my house, thats my fault. Softwares not secure by nature; we have to secure it,” he said.

      Resources for secure Citrix deployment include a free e-book Brown wrote back when he was working for Citrix, available here. Its dated regarding screens but the essentials are still valid, he said.

      DABCC has also recently released a book titled “Securing Microsoft Terminal Services” that addresses how to secure a Terminal Services/Citrix environment.

      Citrixs security resources are available here.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×