Citrix Extranet 2.0
Product Overview
Agenda
What is Citrix Extranet 2.0?
Architecture
System Requirements
Citrix Extranet Features
Access Control
Identification & Authentication
Encryption
On-line Registration
Citrix Extranet Admin
Event Logging
Citrix Extranet Advantages
Commonly Used Terms
What Is Citrix Extranet 2.0?
Citrix Extranet provides a virtual private network (VPN) which allows you to securely deploy the latest business-critical applications to users around the world, via the Internet, while maintaining the manageability, scalability, reliability and control you've grown to expect from Citrix.
Citrix Extranet Architecture
Leverage your existing network design
Citrix Extranet System Specifications
Windows NT server:
  Microsoft Windows NT Server operating system 4.0, Service Pack 5 or 6a
  Pentium II processor at 350 MHz
  2 or more network adapter cards
  64 MB of RAM
  10 MB of free hard disk space
Sun SPARC server:
  Sun Solaris 2.6, 7, or 8
  20 MB minimum of free hard disk space
  All required software packages
  2 or more network adapter cards
Client Specifications
All Users:
  Internet access
  Connection to a network using the TCP/IP protocol
  The Citrix Extranet Client software
PC Users:
  Microsoft Windows 95 OSR2, 95b, 98, 98 SE, or Windows NT Workstation 4.0 with Service Pack 5 or 6a, or Windows 2000 SP1 (proxy mode only)
  2 MB free hard disk space
  Microsoft Internet Explorer 4.0x, 5.0, or 5.01, or Netscape Navigator 4.5, 4.5.1, 4.6, 4.61, 4.7, 4.71, 4.72, or 4.73
Macintosh Users:
  Apple or other Macintosh OS-compatible PowerPC computer
  1 MB free disk space
  Macintosh OS Version 8.1 or later (8.5 or later recommended)
  Open Transport 1.3 or later (2.0 or later recommended)
  Netscape Navigator 4.x or Microsoft Internet Explorer 4.x or 5.0
UNIX Users:
  A computer with Sun SPARC Systems running Solaris 2.6 or later
  5 MB minimum of free hard disk space
  A suitable UNIX Web browser (must support forms)
Windows CE/PocketPC Users (CE devices):
  Handheld PC (SH3 and MIPS)
  Handheld PC Professional Edition (SH3, SH4, MIPS, ARM, and StrongARM)
  Palm-size PC (SH3 and MIPS)
Citrix Extranet 2.0
Features
Citrix Extranet Features
Access Control
Identification and Authentication
Event Logging
Encryption
Citrix Extranet Admin
On-Line Registration (OLR)
Access Control
TCP-based access permissions are defined for individuals or groups.
Permissions are identified by host name/IP address and the port:
  TCP: FTP, Telnet, POP3, etc.
  Web: server and port
User-based policy management ensures secure application access.
Access permissions are received:
  At the time the Citrix Extranet Client initiates
  At regular user-defined intervals
Permission sources:
  User
  User's group
  "All" users
*Assigning permissions to groups avoids unnecessary duplication and is more efficient than assigning permissions to individual users.
Access Control: Dynamic Configuration
1. The Citrix Extranet Client prompts the user for the Access Code.
2. The user's authentication key(s) are accessed.
3. The Citrix Extranet Client contacts every Citrix Extranet Server for which the user has an authentication key and requests the user's current access permissions.
4. The user's TCP access permissions are read from sgate.acl and their Web permissions from sweb.acl; the current permissions are then sent to the Citrix Extranet Client.
5. The user's access permissions are dynamically updated at startup and at regular intervals as defined by the end user.
The Dynamic Configuration (DC) Server runs either on the Citrix Extranet Server itself or on a separate machine.
NOTE: The Dynamic Configuration Agent always resides on the Citrix Extranet Server.
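The permission lookup in steps 3 to 5, as an added example in Python (this is not Citrix code). The deck names sgate.acl for TCP permissions and sweb.acl for Web permissions but does not show their format, so the one-entry-per-line layout, the `user:` and `group:` prefixes, the literal `all` principal and every sample entry below are constructed assumptions for the illustration; the three permission sources (user, user's group, All) and the TCP-versus-Web split are the ones the slides describe.

```python
"""Model of the Citrix Extranet permission lookup (Access Control / Dynamic
Configuration slides).  Added example, not Citrix code: the sgate.acl and
sweb.acl file formats are not given in the deck, so the line layout, the
'user:'/'group:' prefixes and the literal 'all' principal are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Permission:
    service: str    # "tcp" (from sgate.acl) or "web" (from sweb.acl)
    host: str       # destination host name or IP address, canonicalised
    port: int       # destination port
    principal: str  # "user:<id>", "group:<name>" or "all"


# Constructed sample files standing in for sgate.acl and sweb.acl.
SAMPLE_SGATE_ACL = """\
# service  destination        port  principal
tcp        mail.example.com   110   all
tcp        ftp.example.com    21    group:engineering
tcp        10.0.0.5           23    user:alice
"""
SAMPLE_SWEB_ACL = """\
web        intranet.example.com  80   all
web        hr.example.com        443  group:hr
"""


def _canon_host(host):
    """Normalise a destination so 'FTP.Example.COM.' compares equal to
    'ftp.example.com' and IP addresses compare in their canonical text form."""
    try:
        return str(ip_address(host))
    except ValueError:
        return host.lower().rstrip(".")


def load_acl(text):
    """Parse one ACL file; blank lines and '#' comments are skipped."""
    perms = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        service, host, port, principal = parts
        perms.append(Permission(service.lower(), _canon_host(host), int(port), principal))
    return perms


def effective_permissions(user, groups, acl):
    """Step 4: collect the entries that apply to this user from the three
    permission sources (the user, the user's groups, and 'All' users)."""
    wanted = {f"user:{user}", "all", *(f"group:{g}" for g in groups)}
    return frozenset(p for p in acl if p.principal in wanted)


def current_permissions(user, groups):
    """What the server would hand back to the Client: TCP entries from
    sgate.acl plus Web entries from sweb.acl, filtered for this user."""
    acl = load_acl(SAMPLE_SGATE_ACL) + load_acl(SAMPLE_SWEB_ACL)
    return effective_permissions(user, groups, acl)


def is_allowed(perms, service, host, port):
    """Deny by default: a connection goes through only if some effective entry
    matches the service, the destination and the port exactly."""
    target = (service.lower(), _canon_host(host), int(port))
    return any((p.service, p.host, p.port) == target for p in perms)
```

Because every entry has to match service, destination and port, a user who appears on no list is denied by default, and a permission for POP3 on a host says nothing about other ports on the same host. The `group:engineering` row is the point of the footnote above: one entry covers every member of the group instead of one row per user.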
Identification and Authentication
Citrix Extranet Server is the final authority when authenticating session requests, covering:
  User authentication
  Access management
  User and group additions
Key exchange methods are flexible for the Administrator:
Tokens:
  FIPS token (FIPS 140-1 compliant)
  VCAT token
  RADIUS
  SecurID
  Entrust/Netrust
Physical Smart Cards:
  MCOS
  MCOS-B
  STARCOS 2.1
Smart Card Readers:
  PCAT
  Smarty
  CHIPDRIVE external
PKI (X.509) Certificates:
  Baltimore
  Entrust
  Microsoft
  Netscape
  VeriSign
Citrix Extranet uses two authentication factors: the Access Code (something the user knows) and the token (something the user holds). The URL request is then sent to the Server.
The session is initiated:
  Each Client TCP connection uses a unique session key.
  The shared secret key is a combination of one half generated by the client and one half generated by the server.
Encryption
The ticket contents are encrypted. A ticket carries:
  Initialization Vector (IVEC)
  User ID
  Ticket time/TTL
  Encryption algorithm
  Session key
  Destination
  MD5
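The per-connection key split and the ticket fields above, as an added example in Python (this is not Citrix code). The deck says each TCP connection gets its own session key made of a client half and a server half, and lists the ticket fields, but it gives no wire format, no rule for joining the halves and no RC4 key length; so concatenation of the halves, the JSON field encoding, a 16-byte RC4 key, and MD5 keyed with the user's authentication key as the integrity check are this example's assumptions. DES, 3DES and RC4 are not in the Python standard library, so the ticket is encrypted with an MD5-in-counter-mode keystream that stands in for them here.

```python
"""Model of the session key and encrypted ticket from the Identification and
Authentication / Encryption slides.  Added example, not Citrix code: the
combination rule, field encoding, stand-in cipher and keyed-MD5 check are
assumptions made for the illustration."""
import hashlib
import json
import os

# Key sizes in bytes for the ciphers the deck lists.  DES (with parity) and
# three-key 3DES are the standard sizes; RC4 is variable-length and 16 bytes
# is this example's assumption.
KEY_BYTES = {"3DES": 24, "RC4": 16, "DES": 8}


def make_half(algorithm):
    """Each side contributes one half of the session key material."""
    return os.urandom(KEY_BYTES[algorithm] // 2)


def combine_halves(client_half, server_half, algorithm):
    """Session key = client half || server half, so neither side alone picks
    the key.  Concatenation is this example's assumption; the deck only says
    the key is a combination of the two halves."""
    half = KEY_BYTES[algorithm] // 2
    if len(client_half) != half or len(server_half) != half:
        raise ValueError("each half must be exactly half the key length")
    return client_half + server_half


def _keystream(key, ivec, length):
    """Stand-in stream cipher: MD5(key || IVEC || counter) in counter mode.
    Used only because the standard library has no DES/3DES/RC4."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.md5(key + ivec + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_ticket(auth_key, user_id, destination, algorithm, session_key,
                issued, ttl, ivec=None):
    """Build a ticket: the listed fields, an MD5 over them keyed with the
    user's authentication key, all encrypted under that key with the IVEC."""
    ivec = ivec or os.urandom(8)
    fields = {
        "user": user_id,
        "issued": issued,                  # ticket time, seconds since epoch
        "ttl": ttl,                        # lifetime in seconds
        "alg": algorithm,                  # encryption algorithm
        "session_key": session_key.hex(),  # per-connection session key
        "dest": destination,               # "host:port"
    }
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hashlib.md5(auth_key + ivec + body).digest()
    return ivec + _xor(body + tag, _keystream(auth_key, ivec, len(body) + 16))


def open_ticket(auth_key, blob, now):
    """Decrypt, verify the MD5 before parsing anything, then enforce the TTL.
    Returns the fields or raises ValueError; any failure means no session."""
    ivec, ciphertext = blob[:8], blob[8:]
    plain = _xor(ciphertext, _keystream(auth_key, ivec, len(ciphertext)))
    body, tag = plain[:-16], plain[-16:]
    if hashlib.md5(auth_key + ivec + body).digest() != tag:
        raise ValueError("ticket integrity check failed")
    fields = json.loads(body)
    if now > fields["issued"] + fields["ttl"]:
        raise ValueError("ticket expired")
    return fields
```

`open_ticket` checks the digest before it parses the body and before it looks at the TTL, so a tampered ticket, one sealed under a different authentication key, and one presented after its TTL are all rejected the same way. MD5 is used because it is the digest the deck lists; it is no longer collision resistant, and a design written today would use an HMAC over SHA-256 or an AEAD cipher for the ticket instead.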
On-line Registration (OLR)
Automated registration of the Citrix Extranet Client takes place via the Internet:
  User registers
  IDs automatically generated
  Flexible UID server assignments
Seamless registration process: the shared secret key is a combination of one half generated by the client and one half generated by the server.
Citrix Extranet Admin
Manage individual or groups of servers and users:
  Assigns Web and TCP permissions
  Configures the OLR Web form
  Specifies management levels
  Utilizes database functions like sort, filter and find
Event Logging
Allows for easy troubleshooting by logging critical information:
  Session start/end
  User added/deleted
  User enabled/disabled
  User key changed
  Successful/unsuccessful user login
  Server up/down
Citrix Extranet 2.0
Advantages
Citrix Extranet Advantages
Flexible system integration
Rapid deployment
Centralized management
Simplicity and ease of use
Cost-effectiveness
Flexible System Integration
Network Connections:
  Public Network
  LAN/WAN
  Corporate Intranet/Extranet
  Internet
Client Support:
  Windows 95/98/NT/2000
  Macintosh
  Solaris
  Linux
  Windows CE
  Windows PocketPC
Token Support:
  Hard Drive
  Floppy (FIPS 140-1 or VCAT)
  Smart Card
  Netrust/Entrust/X.509 digital certificate
  SecurID
  RADIUS
Citrix Extranet allows the ICA protocol to pass securely through both ends of a connection:
  The Citrix Extranet Client carries the traffic as TCP on port 443.
  The Client believes the servers are on the same network.
  When ICA passes through the Client to the Server, the Citrix Extranet proxy intercepts the calls.
Export-ready: approved for use at every available encryption strength:
  Triple DES (168-bit)
  RC4
  DES (56-bit)
*Except in embargoed countries: Cuba, Libya, North Korea, Syria, Sudan, Iran, Iraq.
Rapid Deployment
Easy deployment and token enrollment of
large user bases via On-line Registration
(OLR)
Centralized Management
Powerful GUI allows for local or remote
administrator management
Remotely using the Citrix Extranet Client
Locally on a Windows NT platform
Ease of Use
Simple 2-step client activation:
  1. Install the Citrix Extranet client software
  2. Register online
Cost-effectiveness
Leverage existing systems
No costly leased lines or modem banks
Minimal client management and user
support costs
Connect Business Securely
Permit secure online information
exchange via the Internet
Mobile users
Suppliers
Business partners
End-customers
Branch and international offices
Citrix Extranet 2.0
Powerful
End-to-end security
Centralized management
Commonly Used Terms
3DES: Cipher that applies the DES cipher three times with either two or three different DES keys. The Citrix Extranet implementation uses three independent DES keys, a 168-bit key with 2^168 possible combinations.
Access Code: The secret code, similar to a PIN on an ATM
card—required to unlock the authentication key stored on the
user’s token each time the user accesses a secure service. This
code, defined by the user during registration, must be at least four
characters in length with a maximum of 16, and can be any
combination of letters and numbers.
Access Control: Allowing or denying connections through the
use of access permissions.
Access Permissions: The associations between users and
connections, as defined by a User ID, group name, service (TCP
or Web), or destination. Citrix Extranet access permissions can be
either individual user permissions or group permissions.
Authentication: The process of determining the identity of a
user attempting to access a system.
Authentication Key: A 32-character hexadecimal key (128 bits, written with the digits 0 to 9 and the letters A to F) assigned to a user during installation by the registration server administrator.
The Citrix Extranet authentication system supports virtual smart
cards and ISO-standard smart cards for both authentication and
stored data. A user with a physical smart card must use a smart
card reader connected to their PC. Virtual smart card
information (FIPS or VCAT token) may be stored on either the
PC hard drive or a removable (floppy) disk.
The user’s Citrix Extranet authentication key is stored on the
smart card, whether physical or virtual. This information is
shared with the Citrix Extranet Server, where it is stored in the
Citrix Extranet Server’s user database.
Authentication Token: A portable device used for
authenticating a user. Authentication tokens operate by
challenge/response, time-based code sequences, or other
techniques.
Authenticator: The name assigned to a Citrix Extranet Server
through which users can access a particular service. This name
can be up to 14 alphanumeric characters in length and it is
recommended that it be a derivative of your Citrix Extranet Server
hostname.
Domain Name: Identifies a ‘location’ on the Internet (e.g.,
citrix.com) that has been registered with the Internet Network
Information Center (InterNIC). Currently the domain name is
limited to 47 characters. Through the use of aliases, however, it is
possible to accommodate longer names.
DES: Data Encryption Standard is a NIST-standard encryption algorithm for secure data protection. A 56-bit binary number is used as the encryption key, giving 2^56 (about 72 quadrillion) possible keys. The key is randomly generated for each session (TCP connection). A 56-bit key is short by current standards; single DES has been publicly brute-forced since 1998, which is why Triple DES is the stronger choice of the three ciphers offered.
FIPS Token: (Virtual Smart Card or Soft Token) A software emulation of a hardware authentication token that complies with the FIPS 140-1 standard. It stores your private information (the authentication key) in a single encrypted file, either on a floppy disk or on your hard drive. The FIPS Token is the default authentication method.
OLR: Citrix Extranet provides On-Line Registration (OLR)
services which you may wish to implement depending on your
system configuration and the functional requirements of your
organization.
RC4: A stream cipher developed by RSA Data Security, Inc. This variable-key-size stream cipher uses byte-oriented operations on a pseudo-random permutation. The typical cipher period is greater than 10^100. Since only eight to sixteen machine operations are required per output byte, the cipher runs very quickly in software. It was commonly used for secure communications, such as encrypting secure web site traffic using the SSL protocol; its keystream has since been shown to be biased, and it is now prohibited in TLS (RFC 7465).
VCAT Token: Identical to the FIPS Token, except that it stores
your private information (authentication key) in an encrypted file
system, rather than a single file.
Virtual Private Network (VPN): A private network created
over a public network (e.g., the Internet) by using encryption,
where exclusive client and host communications can occur.