Monday, July 8, 2019

Design decisions for a secure framework: Citrix TIPs

I wanted to start this post by revisiting my five-part Security Design Decisions blog series, which you can find here and is linked throughout this blog. Its purpose was to explore the need for a robust security framework, which still holds true today.

Designing a strong and effective security framework requires making a host of decisions around each of the layers listed below.

User Layer


Humans are considered the most significant threat to information security. Identifying user groups is the primary step before moving into design or deployment of any Citrix solution. Enterprises must perform an in-depth assessment of user workflows to define which resources each user group requires access to.

These identified user groups should be fed into the Citrix delivery method, which drives key decisions including between server OS (multi-user) and desktop OS (single user) workloads and between persistent and non-persistent. Generally, multi-user workloads are more cost-effective but inherently riskier than single user workloads, as both high-value and high-risk personnel can co-exist on the same system.

By applying the principle of least privilege, we can categorize users before assigning them to a group so that different security measures can be applied to different user groups. It is important to avoid providing “super” administrator roles to any users and adhere to separation of duty guidelines.

Access Layer


The access layer is like a great wall that stands between users and the resources they need. This layer is the first line of defense and it cannot be weak — your security is only as strong as your weakest link.

The first step here is to identify the employees, partners, clients, or vendors who require access and further categorize them as described in the User Layer section. The next step is to identify the resources we intend to safeguard from potential risks associated with access.

We live in a hypermobility environment where users can access resources from anywhere, at any time, and using any device. Mobility has expanded the threat landscape, and the enterprise now must assume that internal and external access are equally risky considering the spread of personal device usage within the enterprise environment. The Citrix ADC MPX or SDX series have all the right ingredients to mitigate security threats and risks for both internal and external access. For example, Citrix Web App Firewall can be leveraged to protect the environment against internal or external threats such as denial of service (DoS), cross-site scripting (XSS), and other security-related attacks.

Finally, how are users authenticated? Traditional passwords are no longer an effective means to protect the enterprise environment, as users are considered their own worst enemies when it comes to password management. One solution is to use multi-factor authentication (MFA).



Resource Layer


The resource layer is used to provide virtual application and desktop services. Virtualizing applications and desktops is a secure means to deliver resources to users. But without proper controls in place, the user session can be “jailbroken” to gain a foothold in the environment. By applying a segregation model, we can categorize and separate types of users and applications based on their sensitivity level. Sensitivity level is determined by three elements:

  1. The types of data (high value or low value) being accessed;
  2. Each user’s value and risk to the organization; and
  3. Each application’s value and risk.

The next step is to identify the type of policy needed to control the resource delivery and develop it by addressing the following questions:

  • What is the policy controlling?
  • Where and when will the policy be applied?
  • How will the policy impact the end-user experience?

Finally, secure the server and desktop VDAs by removing unused services, uninstalling unused applications, applying Citrix and Microsoft updates, and installing an anti-virus agent, host intrusion prevention system (HIPS), host intrusion detection system (HIDS) and data leak prevention tools. In short, establish and enforce a minimum VDA hardening baseline policy.

Control Layer


As the command center, the Control Layer is the most critical component that requires protection — a lot can go wrong if a malicious user takes control. Four strategies can be applied to secure this layer. First, apply multilateral security by dividing the Control Layer into access controllers, delivery controllers, infrastructure controllers, shared storage, and network connectivity. The purpose of applying multilateral security is to reduce the failure domain and containerize any malicious activity within a silo, preventing it from overflowing into the next one.

The second strategy is to manage the vulnerabilities of critical infrastructure servers. All the components that directly or indirectly relate to this layer need to be proactively monitored for potential vulnerability. All an attacker requires is an exploitable vulnerability to gain access to the environment and perform a malicious act.

The next strategy is managing the overall Citrix infrastructure configuration. Improper configuration, or an inability to configure the correct options, can expose the environment to various types of threats from inside and outside the enterprise realm. A thorough configuration management process should be in place to ensure protective actions are taken, such as changing or disabling default account passwords, which can be easily obtained by performing a quick search on the internet.

The final piece in the Control Layer strategic plan is access management. The administrator’s role should be specific to job scope and avoid privilege creep. It is also important to restrict service account permissions as they can enable a malicious user to launch an attack using a privileged account.

Physical Layer


The hardware layer is the foundation of the overall security framework. Failure of security control in the Physical Layer can ripple through the layers built on top. We need to start by securing physical access to the environment with measures such as employee access cards, barricades, locks, biometrics, turnstiles, log books, and more. Next is environmental monitoring, which includes a CCTV command center staffed by security personnel. Third, it is critical to continuously monitor temperature and humidity of the data center and ensure that fire, smoke, and CO2 alarms are functional and tested.

A key part of this layer is physical control over human resources by implementing separation of duty, carefully selecting and authorizing administrators to access the physical environment, performing thorough background verifications, having employees sign a nondisclosure agreement, and, finally, scheduling periodic security awareness and policy training.

Aside from these physical access and personnel controls, we need to implement security controls on the virtualization stack, such as the hypervisor. While virtualization offers many benefits, it also introduces specific threats such as VM sprawl, hypervisor attacks, inter-VM attacks, hyper-jumping, data co-mingling, and instant-on gaps, which compound the existing guest operating system concerns.

Saturday, July 6, 2019

Linux VDA 1906 is a rich post-Synergy release

At Citrix Synergy 2019, we made several exciting announcements around Citrix Workspace, including some great updates for the Linux install base. We announced support for Linux VDA on Google Cloud, giving customers more choice; we featured hands-on demos of some of the latest and greatest for Linux VDA; and we delivered a session that featured a key customer’s real-world story and best practices on delivering Linux Workspace to their end users. We would like to give a big thank you to Synopsys, a leading EDA software company, for sharing their story.

Hot on the heels of Synergy, our June release delivers multiple key features, highlighting our constant innovation for Linux users and our dedication to enhancing Linux VDA with every current release. So let’s have a look!

Support for Google Cloud Platform


What does it mean that we’re launching Citrix Workspace for Google Cloud?

You now have the option to deploy Linux VDA workloads on Google Cloud Platform (GCP). Simply put, Citrix delivers Linux virtual desktops and applications securely within your workspace, on a new cloud platform, to better support your hybrid or multi-cloud strategy.

Support for Google Cloud Platform also helps to expand Citrix Workspace, and it was a key request, especially from the developer community.

With the 1906 release, Linux VDA adds support for GCP.



Enhanced Configuration for Smart Card Authentication


Smart card use is common in industries with regulatory requirements, such as the public sector, healthcare, and financial services.

With Linux VDA 1906, Citrix is further enhancing configuration for smart card authentication. Now, when you run the ctxsmartlogon.sh script to configure the smart card environment, you can specify the path to a smart card driver other than Coolkey, such as Gemalto.

Support for PBIS


Active Directory is required for authentication and authorization within the Citrix Virtual Apps and Desktops infrastructure. The Kerberos infrastructure in Active Directory is used to ensure the authenticity and confidentiality of communications with the Delivery Controllers. In previous releases, Linux VDA supported Winbind, SSSD, Centrify, and Quest as domain-joining methods on Linux.

With Linux VDA 1906, you can use PowerBroker Identity Services (PBIS) as an alternative method to join Linux VMs to the Windows domain.

Selection of Printer Drivers


Printer selection is a key request in Linux environments. With 1906, we’re achieving more feature parity with the Windows VDA when it comes to printing. Going forward, you can choose to configure the printer driver mapping and compatibility policy in Citrix Studio instead of configuring it on every Linux VDA.

Greater Resilience


Resilience is a system’s ability to return to its original state, or move to another desirable state, after being disturbed.

Linux VDA 1906 introduces a resilience-related capability, a monitor service daemon, to make Linux VDA deployments more resilient and robust.

The monitor service daemon monitors key services through periodic checks. When it detects exceptions, the daemon restarts or stops service processes and cleans up process residuals to release resources. The detected exceptions are recorded in the /var/log/xdl/ms.log file.

Thursday, July 4, 2019

Use on-prem Citrix Gateway as an identity provider for Citrix Workspace

Citrix is committed to providing the best user experience with best-in-class security within Citrix Workspace. That is why we’re excited to announce an open tech preview in the Citrix Workspace UI that enables integration with an on-premises Citrix Gateway to expand third-party identity-provider integration.

What Does This Mean for You?


You’ve made an investment in an on-premises Citrix Gateway to build an identity solution that best fits your organization. Today, Citrix Gateway supports a wide variety of identity integrations, which can now be leveraged for authentication to Citrix Workspace. With this tech preview using an on-premises Citrix Gateway, admins can enable authentication via:

  • RADIUS authentication
  • Smart-Card Authentication
  • Integrated Windows Authentication (Pass-through Auth)
  • Conditional access policies


Expanding the World


Admins can now architect an expanded set of identity solutions with Citrix Workspace because all Citrix Gateway AAA functionality is now available for use in the tech preview. Citrix Workspace will automatically federate to the customer’s on-premises Gateway AAA during logon (Workspace->Gateway AAA login).

An important use case now available in Citrix Workspace with Citrix Gateway is the ability to leverage on-premises RADIUS and other third-party MFA providers such as Symantec, RSA, and DUO. In addition to multi-factor authentication, you can also extend the nFactor policy framework that the on-premises Citrix Gateway provides to apply a zero-trust model for enforcing your contextual access control policies. For instance, you can now authenticate your on-premises users with a username/password and challenge your remote users with a second-factor authentication.



Who Should Participate in the Tech Preview?


If you are an existing customer using StoreFront on-premises with an on-premises Citrix Gateway and are looking to move to Citrix Workspace in the cloud, you should participate in this tech preview.

If you are an existing Citrix Workspace or Citrix Virtual Apps and Desktops service customer and have an on-premises Citrix Gateway or Citrix ADC, you should participate in this tech preview.

Tuesday, July 2, 2019

Why certificates are more important today than ever

Every day we do more and more on the web. We send messages, shop online, handle financial and sensitive data, and much more. We may not be thinking about what happens between our computer and the website, or, if we’re using an application, how our data is being transferred to the destination. You want this traffic to be as secure as possible.

First of all, use common sense when you are on the web. Only share your sensitive data on sites you can trust, and make sure the website or connection is using TLS (often still called SSL) certificates/encryption. If you want to learn more about certificates and how they work, read this explanation. Citrix also has several resources you should read, including this Citrix networking/TLS best practices article and this blog post.

More and more sites are being encrypted every day. According to Mozilla, the web went from 67 percent encrypted page loads to 77 percent in 2018, and that figure keeps rising. In early 2018, Google Chrome began marking non-SSL sites (HTTP) as not secure. Sites without any kind of encryption are also assigned a lower rank in search engine results. We’re moving from HTTP to HTTPS as the default.

Certificates Everywhere


There are many kinds of TLS certificates. Some certificates cost a lot of money and some are free. Is a free certificate just as good as one you have to pay for? That depends on the organization or website and what kind of data you’re securing. For instance, if I’m hosting a website for a bank or an insurer, I have to make sure that everything checks out, is insured, and that people trust my website. This process of verification, trust, and insurance costs money. However, if I just have a simple website or a blog like my own and I want everything to be encrypted, an inexpensive or free certificate will suffice.



Let’s Encrypt provides a way to automatically create and apply a free TLS certificate. More than 150 million websites use certificates from Let’s Encrypt.

The approach from Let’s Encrypt is different from what you may be used to. With other standard certificates, you have to create a certificate request and send it to the certificate issuer. After verification you receive a certificate that you then have to install. The validity of those certificates is usually around 1 to 3 years. Most of the time, this is a manual action that needs your attention.

A Let’s Encrypt certificate can only be requested through the ACME protocol, an automated process. This automated process handles the request, proof of ownership, and certificate transfer. The lifespan of a Let’s Encrypt certificate is limited to 3 months. After that you must repeat the process. Because of this level of automation, it is easy to run everything again (typically after two months) to replace/renew your certificate.

How Do Let’s Encrypt Certificates Work?


As with all TLS certificates, at some point in the process you have to prove ownership of the domain you’re requesting a certificate for. Let’s Encrypt gives you several automated options to prove ownership. In this blog I’ll explain two:

  • DNS: Prove ownership by provisioning a DNS (TXT) record under your domain
  • HTTP: Prove ownership by provisioning an HTTP resource under a well-known URI on your web server


Essentially, both HTTP and DNS validation use the same steps:

  1. Request a certificate, for instance for “domain.com”. In the request, you also provide some data, such as your email address.
  2. In return, you’ll receive a unique order ID and information on how to prove ownership. At this point, you have to choose whether you want to use the DNS or HTTP method.
  3. Once you have decided how to proceed with the challenge validation, you need to make sure it’s configured properly. For DNS, create a TXT record, for instance “_acme-challenge.domain.com”=”ABCDEF.12345”. For HTTP, create a resource that contains the data “ABCDEF.12345” and is served at the following URI: “http://domain.com/.well-known/acme-challenge/ABCDEF”.
  4. When everything is in place, notify Let’s Encrypt so they can perform the challenge validation.
  5. Let’s Encrypt will check the TXT record or the HTTP resource and verify whether it returns the right data.
  6. If all goes well, this action results in a certificate for the validated domain “domain.com”. Otherwise, you will get an error message.
  7. The final step is cleanup on your end. The TXT record or HTTP resource can be removed since it is no longer needed. The next time you repeat these steps, new details will be specified.
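As an added example (not part of the original post), the challenge exchange above modelled in Python, with both the client side (steps 3 and 7) and the CA side (steps 4 and 5). The in-memory WEB_ROOT and DNS_ZONE dicts are constructed stand-ins for the web server and the DNS zone, the account-key thumbprint is a constructed string, and the derivation of the HTTP body and the TXT value follows RFC 8555 (key authorization = token.thumbprint; TXT = base64url(SHA-256(key authorization))) rather than the simplified “ABCDEF.12345” values in the text.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass

# Constructed stand-ins for the web server document root and the DNS zone,
# so the whole exchange runs offline.
WEB_ROOT = {}   # URI path -> response body
DNS_ZONE = {}   # record name -> TXT value


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class Challenge:
    domain: str
    token: str       # step 2: the random "ABCDEF" part issued by the CA
    key_auth: str    # token + "." + account-key thumbprint ("ABCDEF.12345")


def new_challenge(domain: str, account_thumbprint: str) -> Challenge:
    """Steps 1-2: the CA issues a random token; the client derives the key
    authorization from it and its own account-key thumbprint (constructed here)."""
    token = b64url(secrets.token_bytes(16))
    return Challenge(domain, token, f"{token}.{account_thumbprint}")


def provision_http(ch: Challenge) -> str:
    """Step 3 (HTTP-01): serve the key authorization at the well-known URI."""
    path = f"/.well-known/acme-challenge/{ch.token}"
    WEB_ROOT[path] = ch.key_auth
    return path


def provision_dns(ch: Challenge) -> str:
    """Step 3 (DNS-01): publish base64url(SHA-256(key authorization)) as TXT."""
    name = f"_acme-challenge.{ch.domain}"
    DNS_ZONE[name] = b64url(hashlib.sha256(ch.key_auth.encode()).digest())
    return name


def validate(ch: Challenge, method: str) -> bool:
    """Steps 4-5: the CA-side check. Fetch the record or resource and compare
    it (constant-time) against what the CA computed on its own."""
    if method == "http":
        body = WEB_ROOT.get(f"/.well-known/acme-challenge/{ch.token}")
        return body is not None and secrets.compare_digest(body.encode(), ch.key_auth.encode())
    if method == "dns":
        expected = b64url(hashlib.sha256(ch.key_auth.encode()).digest())
        txt = DNS_ZONE.get(f"_acme-challenge.{ch.domain}")
        return txt is not None and secrets.compare_digest(txt.encode(), expected.encode())
    raise ValueError(f"unknown challenge type: {method}")


def cleanup(ch: Challenge) -> None:
    """Step 7: remove the TXT record and the HTTP resource once the order is done."""
    WEB_ROOT.pop(f"/.well-known/acme-challenge/{ch.token}", None)
    DNS_ZONE.pop(f"_acme-challenge.{ch.domain}", None)
```

Each run of new_challenge() produces a fresh token, which is why the cleanup step matters: a stale resource from a previous order never validates the next one.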