Remember how things were back in 2006? Ahhhh, those were the good old days, when security was simple – proper patch management and having a firewall + antivirus on all machines was considered a standard for security strategy and it usually worked well. End users’ education was mostly about the constant fight about Post-It notes as their favorite password manager. And we were accused of being paranoid when we mentioned the need for two-factor authentication tokens.
Fast forward to 2016 and situation is very different.
Cyberterrorism, professional hackers with 9-5 jobs working for foreign governments, constant streams of targeted new malware, ransomware and scandalous security breaches are on the rise. Most companies now accept the fact that attacks are inevitable and that some, in spite of our best efforts to thwart them, will succeed. Using static and predictable security measures are no longer enough.
Finding the right balance between security, user experience, and productivity is becoming a real challenge for many companies. Educating users about the very real security risks we face each day is critical to them adopting new security measures. If these measures are too restrictive, users will try to find a way to bypass them. Having the right security at the right time is crucial for user adoption – and is one of the primary reasons why context-aware security solutions are on the rise.
Context-aware security with Citrix
By combining the power of XenApp and XenDesktop with NetScaler, you can provide users with highly secured access to their applications and data. NetScaler can improve your authentication process by changing the question from a simple “Who is there?” to “Who is there, where are you coming from and which device are you using?” SmartAccess and SmartControl features fortify your authorization process; instead of plain “You can access application X,” you can now use granular policies to provide just the right access. For example, “You can access application X, but as a remote user, you won’t be allowed to transfer any data or print any documents.” It’s like replacing a regular on/off light switch with a dimmer – you get just the right amount at the right time.
One of the many advantages of a Citrix solution is that it can be applied to a huge range of applications – from modern web applications to legacy client/server systems – that would otherwise be almost impossible to secure. Most enterprises are still running these old applications and ignoring them could be a fatal mistake. With XenApp and XenDesktop, you can add n-factor authentication, client machine certificate checks and record the whole session, even for that old MS Access database that contains critical data from finance department.
What are SmartAccess and SmartControl?
I’ve briefly mentioned SmartAccess and SmartControl. To explain the difference between these two features, we can break the process of obtaining published resources into authentication and authorization. That is, identifying who you are vs. defining what you are allowed to do. Many Windows® administrators are struggling with this concept, as both roles are typically handled by an Active Directory, but they are not the same.
In our examples, authentication (who) is handled by a NetScaler appliance. Whereas authorization can be handled by two different components. With SmartAccess, XenApp or XenDesktop decide access rights, the policies that should apply and/or resources that are provided. With SmartControl NetScaler assigns the privileges; a layer of restrictions is created at a network level before reaching the XenApp or XenDesktop environment.
End Point Analysis Scans
End Point Analysis (EPA) scans are used to scan the user device during the logon phase and decide whether specific conditions were met. This can be anything from checking of the state of antivirus software or firewall; checking for specific processes, file system or registry keys; or checking user or machine certificates. EPA scans are needed on the endpoint whenever the state of endpoint is involved in your authentication policies; this includes user and machine certificates checks.
(*WARNING: Following text contains real experience from the field)
SmartAccess and SmartControl act like a Swiss Army knife in the belt of any experienced Citrix consultant or architect. There are different scenarios when they can be used – and not necessarily all of them are security related. Here I’ll go through different scenarios that I’ve seen while working with customers – and if you’ve seen or hear about any other scenario, be sure to leave a comment.
Applications and Desktops Filtering
Most of the time, we’re using Active Directory groups to filter the displayed resources – sometimes with a very complex nesting that can involve hundreds or thousands of different groups. But what happens if your workforce becomes more mobile and you have applications published that are specific to a branch or are applicable only if a specific peripheral is connected? With SmartAccess, you can filter applications or desktops based on the source IP range or you can use a specific registry key or file using End Point Analysis (EPA) to identify the location and resources that should be displayed. I remember one healthcare project where an EPA scan was used to identify if a specific accessory is attached to the computer to show applications that require that device.
Context Aware Security
Context Aware Security is probably the most commonly presented use case for SmartAccess and SmartControl. Basically, before you provide access to your valuable data or applications, you want to confirm where the user is connecting from and/or what is the state of device being used. Based on these various factors (such as source network, antivirus/firewall state or domain membership) you can decide to completely prevent access, limit it to certain resources or apply more restrictive sets of policies.
While you can easily create very complex policies and sets of rules, I’ve always been a big believer in checking client machine certificates. What is even better, now you can create intuitive workflows with support of nFactor in NetScaler. For example, if user certificate is present, extract the username and ask for the password + PIN only (with unrestricted policies). Otherwise ask for a username + password + PIN and apply a more restrictive set of policies. Note, even in this scenario you don’t want to skip a two-factor authentication.
While this has mostly been presented as a solution for external remote access, it certainly has its place in securing internal access. The way I like to think about it is that XenApp allows you to separate two zones with different trust levels (external vs. internal, users network segment vs. data network segment) and SmartAccess and SmartControl can help you stay in control. Another really great use case is mergers and acquisitions, but this deserves a separate blog post. Check back soon for more on that topic.
And the best news? More licenses are now included in every edition
Universal License is an add-on license required to use SmartAccess, SmartControl and EPA. In the past, five licenses were included in NetScaler Standard and Enterprise editions while Platinum included 100 licenses. This changed dramatically in NetScaler 11.1 – now get 100X, 200X or even unlimited licenses! NetScaler Standard now includes 500 licenses, Enterprise includes 1,000 licenses and NetScaler Platinum includes unlimited licenses. And that’s not the end of good news – if you need more licenses than what you’re entitled to use, the price for additional licenses has been greatly reduced as well.
Security is of the utmost importance to Citrix. That’s why we have a vast library of technical content for XenApp & XenDesktop-related security issues available for you anytime you need it. Check it out!
Martin Zugec (@MartinZugec)