Thread: Sharing internet through Citrix (or better solution) in isolated network?

Sharing internet through Citrix (or better solution) in isolated network?
2007-11-05 08:41:25
Hi list,

I'm preparing a solution for providing internet access to internal users. What I'm looking for is a solution that completely isolates internet usage and internal systems.

I'm thinking about publishing internet through a Citrix-based solution, and keeping everything restricted on the Citrix server/sessions. But I thought there must be better solutions, as using Citrix p.server for such a case has its own security risks, some of them hard to skip!

The good point about a terminal-based solution IMO is keeping the user workstation clean and (almost) isolated, as it will act like a sandbox for running the browser.
Any comments?

As always, open-source solutions (if any) are more welcome.

I'd like to hear your personal experiences both as user & administrator of such a service.

regards
H.K

Re: Sharing internet through Citrix (or better solution) in isolated network?
2007-11-05 11:21:03
The best way I have found so far:

Publish IE/Firefox on Citrix, and use "Anonymous Citrix users accounts". Clean Anonymous user space after logoff.

This works very well, if you don't need to track your internal user's activity on the internet, i.e. you trust your internal users.

saqib
http://security-basics.blogspot.com/
--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

RE: Sharing internet through Citrix (or better solution) in isolated network?
2007-11-05 10:52:35
I was in an environment where all services ran under Citrix PS4 including Internet. From a security standpoint it made things easier, we only had to deal with isolating a single subnet for Internet access... Proxy configurations, Firewall configurations, majority of changes surrounding security became simpler to deal with...

RE: Sharing internet through Citrix (or better solution) in isolated network?
2007-11-05 14:57:17
Hi!

Here's how you can build a solution using only Microsoft's tools, no Citrix is needed:

1) Implement Windows Terminal Services
2) Deploy Microsoft Softgrid application virtualization platform
3) Deploy IE/Opera/Firefox through Softgrid to your terminal services clients (each application instance works in its own virtual environment, like a sandbox)
4) Filter internet users via ISA server based on AD Policies for better security

Re: Sharing internet through Citrix (or better solution) in isolated network?
2007-11-05 10:46:42
On 2007-11-05 Hamid . K wrote:
> I'm preparing a solution for providing internet access to internal
> users. What I'm looking for is a solution that completely isolates
> internet usage and internal systems.

If you want complete isolation of internet from intranet access you need separate computers on a separate network running over separate network hardware.

> I'm thinking about publishing internet through a Citrix-based solution,
> and keeping everything restricted on the Citrix server/sessions.
> But I thought there must be better solutions, as using Citrix p.server
> for such a case has its own security risks, some of them hard to
> skip!
>
> The good point about a terminal-based solution IMO is keeping the user
> workstation clean and (almost) isolated, as it will act like a sandbox
> for running the browser.
> Any comments?

This scenario is known as a "graphical firewall". It's common practice for allowing internet access from the workplace while keeping it in an isolated environment. It's reasonably secure as long as you keep the terminal server locked down (i.e. terminal server in a DMZ, no shared files/printers between terminal server and LAN hosts, etc.)

> As always, open-source solutions (if any) are more welcome

VNC would be another option for building a graphical firewall, but it's heavier on the resources than a Citrix (or Windows) terminal server.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
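
Added example, not part of the message above or of the list archive: a small Python audit that checks a firewall policy against the "graphical firewall" lockdown described in that message (terminal server in a DMZ, no shared files/printers between terminal server and LAN). The zone names, the rule tuple format and the sample rules are assumptions constructed for illustration; the port numbers are the standard ones for ICA, RDP, VNC, SMB and raw printing.

```python
# Added example: audit a zone-to-zone firewall policy against the
# "graphical firewall" lockdown (terminal server in a DMZ, display traffic only).
# Zone names, the rule format and SAMPLE_RULES are constructed for illustration.

# Remote-display protocols a LAN client may use to reach the terminal server.
DISPLAY_PORTS = {1494: "Citrix ICA", 3389: "RDP", 5900: "VNC"}


def audit(rules):
    """Return (rule, reason) for every allow rule that weakens the isolation."""
    findings = []
    for rule in rules:
        src, dst, port, action = rule
        if action != "allow":
            continue
        if src == "lan" and dst == "dmz" and port not in DISPLAY_PORTS:
            # e.g. SMB or printing: a shared file/printer path into the DMZ
            findings.append((rule, "LAN to terminal server must be display protocol only"))
        elif src == "dmz" and dst == "lan":
            # a compromised browser session could reach LAN hosts
            findings.append((rule, "terminal server must not initiate connections to the LAN"))
        elif {src, dst} == {"lan", "internet"}:
            # traffic that skips the terminal server entirely
            findings.append((rule, "LAN and internet must not talk directly"))
    return findings


# Constructed sample policy: (source zone, destination zone, TCP port, action)
SAMPLE_RULES = [
    ("lan", "dmz", 1494, "allow"),      # ICA sessions to the terminal server
    ("lan", "dmz", 445, "allow"),       # SMB file share: violates "no shared files"
    ("dmz", "lan", 9100, "allow"),      # raw printing to a LAN printer
    ("dmz", "internet", 80, "allow"),   # browser traffic from the terminal server
    ("lan", "internet", 443, "allow"),  # workstation bypassing the terminal server
    ("dmz", "lan", 53, "deny"),         # explicit deny, not a finding
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(rule, "->", reason)
```

Run against the sample policy, it reports the SMB share, the printer path and the direct LAN-to-internet rule, and leaves the ICA and outbound web rules alone.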

Re: Sharing internet through Citrix (or better solution) in isolated network?
2007-11-05 20:57:03
I would agree with this; we have some terminals at my job that are only used for internet access. But like you mentioned, if you are using p.server, make sure you are using a trusted proxy server for internet filtering and malicious code scanning; don't want to get your servers infected now.