Secure Access Control for Citrix and Terminal Servers

The Citrix XenDesktop™ and XenApp™ solutions and Windows Terminal Servers are commonly used to provide remote access to network resources. They are typically located between the internet and the internal network, providing an entry point into internal servers – something that makes them an attractive target for hackers, for obvious reasons.

Access from the server to the network must be very open to allow for all the differing user profiles and use cases. The challenge is that all traffic from every user on a Citrix/Terminal Server is seen on the network as coming from a single IP address, which might represent dozens of different user types – all with various levels of clearance. For a traditional firewall, this means that an access rule is necessary to allow the server to reach every resource that any user on that server could need. In practice, these access rules often become a permit-all for the Citrix/Terminal Server. This open door to the network represents a significant security risk.

User-specific Access

To solve the problem of open networks, AppGate uses a role- and attribute-based security model that maintains the distinction between individual users even inside the network, and especially when they connect through Citrix or Windows Terminal Servers. Network access is provisioned and firewalled at the application level depending on a user's specific role and attributes.

AppGate's Citrix Module includes a new multi-user tunneling driver that is able to recognize individual users' network traffic from a terminal server and requires that traffic to use the user-specific encrypted tunnel to the AppGate server, where firewall rule sets unique to each user are applied. This makes it possible to deploy Citrix/Terminal Server-based solutions while ensuring that users are able to access only what your user- and attribute-based access control policy allows.

Without AppGate, it is impossible for the network security team to distinguish which traffic belongs to which user. With AppGate, you can make sure users access only what they need.
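The following is an added illustration of the two access models contrasted above; it is not AppGate's code. It shows why a source-IP firewall in front of a shared terminal server must hold the union of every user's needs, while a per-session, role-based policy grants each authenticated session only its own role's resources. All addresses, roles, users and session ids are constructed sample values.

```python
# Added illustration, not AppGate's code: a source-IP firewall in front of a
# shared terminal server versus a per-session, role-based policy.
# All addresses, roles, users and session ids below are constructed samples.
from ipaddress import ip_address, ip_network

TERMINAL_SERVER_IP = "10.0.5.10"   # constructed: the one address all sessions share

# Constructed role -> list of (destination network, TCP port) that role may reach
ROLE_POLICY = {
    "finance":   [("10.1.0.0/24", 1433)],
    "developer": [("10.2.0.0/24", 22), ("10.2.0.0/24", 443)],
    "hr":        [("10.3.0.0/24", 443)],
}

# Constructed sessions on the terminal server: session id -> (user, role)
SESSIONS = {"s1": ("alice", "finance"), "s2": ("bob", "developer"), "s3": ("carol", "hr")}


def _matches(policy, dst, port):
    return any(ip_address(dst) in ip_network(net) and port == p for net, p in policy)


def source_ip_rules(sessions):
    """Rule set a traditional firewall needs: the union of every resource that
    any user of the shared server may need, all keyed on the single source IP."""
    union = {entry for _, role in sessions.values() for entry in ROLE_POLICY[role]}
    return {(TERMINAL_SERVER_IP, net, port) for net, port in union}


def source_ip_allows(rules, src, dst, port):
    """Decision the traditional firewall makes; it cannot see which user sent it."""
    return any(src == s and ip_address(dst) in ip_network(net) and port == p
               for s, net, p in rules)


def identity_allows(sessions, session_id, dst, port):
    """Per-session decision: traffic is attributed to the authenticated user and
    checked only against that user's role."""
    if session_id not in sessions:
        return False            # traffic with no authenticated session gets nothing
    _, role = sessions[session_id]
    return _matches(ROLE_POLICY[role], dst, port)


def reachable_resources(sessions, session_id):
    """Number of (network, port) resources each model exposes to one session."""
    _, role = sessions[session_id]
    return len(source_ip_rules(sessions)), len(ROLE_POLICY[role])


if __name__ == "__main__":
    rules = source_ip_rules(SESSIONS)
    # Finance user alice reaching a developer host: allowed by the source-IP model
    # (the firewall only sees the server's address), denied per session.
    print(source_ip_allows(rules, TERMINAL_SERVER_IP, "10.2.0.7", 22))  # True
    print(identity_allows(SESSIONS, "s1", "10.2.0.7", 22))              # False
    print(reachable_resources(SESSIONS, "s1"))                          # (4, 1)
```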

Security Benefits

With AppGate's Citrix module in place, an organization is in a much better position to defend against cyber attacks than if its Citrix and Windows Terminal Server users were represented by a single IP address. You can provision access to network resources and applications based on what an individual needs to do their job. And if a user's credentials have been stolen, any resulting rogue Citrix session cannot see into the network beyond the limits originally set – even if the attacker tries to break out of that user's space. Critically, AppGate makes it possible to keep using your legacy IDS/IPS/network alerts, because every user will have a unique IP address across the whole network. It also supports forensics, tracking activity across all the system logs from the user's point of view, which better enables you to meet many compliance requirements such as PCI DSS.