I interviewed Jon Andersen for this topic.
Jon Anderson is a Lead Security Engineer at Citrix. Jon has a Masters in Computer Science and has also worked on web application security for several open source projects.
Here is Jon:
Q: Jon, what are the advantages of SSL? Tell me a little about the technology.
A: According to Wikipedia: “Transport Layer Security (TLS) Protocol and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet. Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).”
Q: Why would an enterprise NOT choose SSL?
A:
1. It requires the enterprise to purchase certificates from a certificate authority (CA).
2. An enterprise may not entrust its security to an external CA.
3. Traditional SSL may not prevent phishing attacks.
4. Certificates may expire or be revoked, and are complicated for end-users.
Q: What else might they use?
A: The enterprise may have other options such as traditional password-based symmetric cryptographic protocols (Kerberos or Entity Authentication and Key Distribution) and password-based asymmetric cryptographic protocols (SRP). The current SSL/TLS standards incorporate support for SRP and traditional pre-shared symmetric key cryptographic protocols, which makes them more versatile and robust.
Q: How does SSL compare with Secure ICA?
A: Secure ICA is an RC5-based encryption layer that protects just the ICA connection itself. It is a lighter-weight solution for protecting connections to remotely hosted applications, as compared to SSL. However, Secure ICA does not protect all of the network traffic involved in the use of remote applications; it only protects the connection to the XenApp server itself. A defense-in-depth approach might include both SSL and Secure ICA.
Q: What are Citrix recommendations on using SSL? Where and how would it be used in context of XA?
A: Citrix recommends the use of SSL and certificates for high-security protection against eavesdropping and network tampering. Citrix follows industry best practices in recommending the use of SSL for all connections to XenApp servers, as well as the various other gateways and servers involved in a complete application virtualization solution. Customers can protect all of the components of their Citrix Delivery Center using SSL, including their Web Interface, Gateway, and streamed application servers. Most web servers support SSL, and customers can improve the performance of SSL by using a hardware SSL solution such as Citrix NetScaler.
Q: How do the vulnerabilities in the MD5 hashing scheme affect a customer’s Citrix Delivery Center?
A: The MD5 hash algorithm has known flaws that security researchers have recently demonstrated are exploitable to produce falsely trusted SSL connections. This is a general industry problem and not specific to Citrix. Customers should ensure that none of the root certificates trusted by SSL are signed by an MD5 hash. For more from Microsoft on this topic please see http://www.microsoft.com/technet/security/advisory/961509.mspx.
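The check Jon describes, as an added example that is not part of the interview or any Citrix tool: a small Python routine reads the outer signatureAlgorithm OID of DER-encoded certificates so a trust store can be scanned for MD5-signed roots. The certificate bytes below are a constructed minimal DER skeleton (a stand-in tbsCertificate, the algorithm identifier, and a dummy signature), not real certificates.

```python
# Hash used by the signature, keyed by signatureAlgorithm OID (PKCS#1 / ECDSA).
SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_hash(cert_der):
    """Return the hash name from the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm SEQUENCE
    tag_oid, oid_raw, _ = _read_tlv(alg, 0)
    assert tag == 0x30 and tag_oid == 0x06, "expected AlgorithmIdentifier"
    oid = _decode_oid(oid_raw)
    return SIG_OID_TO_HASH.get(oid, "unknown:" + oid)

def weak_certs(store):
    """Names of certificates in {name: der_bytes} whose signature uses MD5."""
    return [name for name, der in store.items() if signature_hash(der) == "md5"]

def _build_cert(oid_bytes):
    """Constructed DER skeleton: SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = bytes([0x30, 0x03, 0x02, 0x01, 0x02])            # stand-in, not a real tbs
    alg = bytes([0x30, len(oid_bytes) + 4, 0x06, len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    sig = bytes([0x03, 0x02, 0x00, 0xAB])                  # dummy signature value
    body = tbs + alg + sig
    return bytes([0x30, len(body)]) + body

MD5_CERT = _build_cert(bytes.fromhex("2a864886f70d010104"))     # md5WithRSAEncryption
SHA256_CERT = _build_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
SAMPLE_STORE = {"constructed-md5-root": MD5_CERT, "constructed-sha256-root": SHA256_CERT}
```

On a real trust store the same field is visible in the "Signature Algorithm" line of `openssl x509 -noout -text` for each root.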