citrix extranet 2.0
DESCRIPTION
Product Overview. Citrix Extranet 2.0. Agenda. What is Citrix Extranet 2.0? Architecture System Requirements Citrix Extranet Features Access Control Identification & Authentication Encryption On-line Registration Citrix Extranet Admin Event Logging Citrix Extranet Advantages - PowerPoint PPT PresentationTRANSCRIPT
Citrix Extranet 2.0Product Overview
Agenda
What is Citrix Extranet 2.0? Architecture System Requirements
Citrix Extranet Features Access Control Identification & Authentication Encryption On-line Registration Citrix Extranet Admin Event Logging
Citrix Extranet Advantages
Commonly Used Terms
What Is Citrix Extranet 2.0?
Citrix Extranet provides a virtual private network (VPN) which allows you to securely deploy the latest business-
critical applications to users around the world, via the Internet – all while maintaining the manageability,
scalability, reliability and control you’ve grown to expect from Citrix.
Citrix Extranet Architecture
Leverage your existing network design
Citrix Extranet System Specifications
Windows NT Microsoft Windows NT
Server operating system 4.0, service pack 5 or 6a
Pentium II processor at 350 MHz
2 or more network adapter cards
64 MB of RAM 10 MB of free hard disk
space
Sun SPARC Sun Solaris 2.6, 7, or 8 20 MB minimum of free hard
disk space All required software
packages 2 or more network adapter
cards
Client Specifications
All Users Internet access Connection to a network using TCP/IP protocol The Citrix Extranet Client software
PC Users Microsoft Windows 95 osr2, 95b, 98, 98 SE, or Windows
NT Workstation 4.0, with service pack 5 or 6a or Windows 2000 SP1(proxy mode only)
2 MB free hard disk space Microsoft Internet Explorer 4.0x, 5.0, or 5.01, or Netscape
Navigator 4.5, 4.5.1, 4.6, 4.61, 4.7, 4.71, 4.72, or 4.73
Client Specifications
Macintosh Users Apple or other Macintosh OS–compatible Power PC
computer 1 MB free disk space Macintosh OS Version 8.1 or later (8.5 or later
recommended) Open Transport 1.3 or later (2.0 or later recommended) Netscape Navigator 4.x or Microsoft Internet Explorer 4.x,
or 5.0
UNIX Users A computer with Sun SPARC Systems running Solaris
2.6 or later 5 MB minimum of free hard disk space A suitable UNIX Web browser (must support forms)
Client Specifications
Windows CE/PocketPC Users CE Devices
Handheld PC (SH3 and MIPS) Handheld PC Professional Edition (SH3, SH4, MIPS,
ARM, and StrongARM) Palm-size PC (SH3 and MIPS)
Citrix Extranet 2.0 Features
Citrix Extranet Features
Encryption
Access Control
EventLogging
On-Line Registration (OLR)
Citrix Extranet
Admin
Identification andAuthentication
Access Control
TCP-based access permissions are defined for individuals or groups
Access Control
Permissions are identified by host name/IP address and the port
TCP – FTP, Telnet, POP3, etc… Web – server and port
Access Control
User-based policy management ensures secure application access
Access Control
Access permissions are received: At the time the Citrix Extranet Client initiates At regular user-defined intervals
Permission sources: User Users’ group “All” users
*Assigning permissions to groups avoids unnecessary duplication and is more efficient than assigning permissions to individual users.
Access Control
Dynamic Configuration
1. Prompts user for Access Code
2. User’s authentication key(s) accessed
3. Citrix Extranet Client contacts every Citrix Extranet Server for which the user has an authentication key and requests the user’s current access permissions
5. User’s access permissions are dynamically updated at startup and at regular intervals as defined by the end user Citrix Extranet Server
w/Dynamic Configuration (DC) Server Or DC Server on a separate machine4. User’s TCP access permissions are read from
sgate.acl and their Web permissions from sweb.acl; the current permissions are then sent to Citrix Extranet Client
NOTE: The Dynamic Configuration Agent always resides on the Citrix Extranet Server
Identification and Authentication
Citrix Extranet Server is the final authority when authenticating session requests:
User authentication Access Management User and group additions
Identification and Authentication
Key exchange methods are flexible for the Administrator
Tokens FIPS token (FIPS 140-1
compliant) VCAT token RADIUS SecurID Entrust/Netrust
Physical Smart Cards MCOS MCOS-B STARCOS 2.1
Smart Card ReadersPCAT Smarty CHIPDRIVE external
PKI (X.509) Certificates
Baltimore Entrust Microsoft Netscape VeriSign
Identification and Authentication
Citrix Extranet uses two authentication factors Access code Token
URL request sent to Server
Identification and Authentication
The session is initiated
Each Client TCP connection uses a unique session key
Shared Secret Key is combination of 1/2 shared secret key generated by client & 1/2 shared secret key generated by server
Encryption
The ticket contents are encrypted Initialization Vector (IVEC) User ID Ticket time/TTL Encryption algorithm Session key Destination MD5
On-line Registration (OLR)
Automated registration of the Citrix Extranet Client is via the Internet
User registers IDs automatically
generated Flexible UID server
assignments
On-line Registration (OLR)
Seamless registration process
Shared Secret Key is combination of 1/2 shared secret key generated by client & 1/2 shared secret key generated by server
Citrix Extranet Admin
Manage individual or groups of servers and users
Assigns Web and TCP permissions
Configures OLR Web form
Specifies management levels
Utilizes database functions like sort, filter and find
Event Logging
Allows for easy troubleshooting by logging critical information
Session start/end User added/deleted User enabled/disabled User key changed Successful/ unsuccessful user login Server up/down
Citrix Extranet 2.0 Advantages
Citrix Extranet Advantages
Flexible system integration
Rapid deployment
Centralized management
Simplicity and ease of use
Cost-effectiveness
Flexible System Integration
Network Connections
Public Network LAN/WAN Corporate
Intranet/Extranet Internet
Client Support
Windows 95/98/NT/2000
Macintosh Solaris Linux Windows CE Windows PocketPC
Token Support
Hard Drive Floppy (FIPS 140-1 or
VCAT) Smart Card Netrust/Entrust/X.509
digital certificate SecurID Radius
MetaFrame servers
Citrix ExtranetInternet
Clients
VPN
Flexible System Integration
Allows ICA Protocol to securely pass through both ends of a connection
When ICA passes through the Client to the Server, Citrix Extranet proxy intercepts the calls
The Client believes the servers are on the same network
Citrix Extranet Client uses TCP traffic on port 443
Flexible System Integration
Export ready for use at any available strength encryption
Triple DES (168-bit) RC4 DES (56-bit)
*Embargoed countries are Cuba, Libya, North Korea, Syria, Sudan, Iran, Iraq
Rapid Deployment
Easy deployment and token enrollment of large user bases via On-line Registration (OLR)
Centralized Management
Powerful GUI allows for local or remote administrator management
Remotely using the Citrix Extranet Client Locally on a Windows NT platform
Ease of Use
Simple 2-step client activation Install Citrix Extranet client software Register online
221 1
Cost-effectiveness
Leverage existing systems
No costly leased lines or modem banks
Minimal client management and user support costs
Connect Business Securely
Permit secure online information exchange via the Internet
Mobile users Suppliers Business partners End-customers Branch and international offices
Citrix Extranet 2.0
Powerful
End-to-end security
Centralized management
Commonly Used Terms
3DES: Cipher that applies the DES cipher three times with either two or three different DES keys. The Citrix Extranet implementation uses three DES keys (2168 combinations).
Access Code: The secret code, similar to a PIN on an ATM card—required to unlock the authentication key stored on the user’s token each time the user accesses a secure service. This code, defined by the user during registration, must be at least four characters in length with a maximum of 16, and can be any combination of letters and numbers.
Access Control: Allowing or denying connections through the use of access permissions.
Access Permissions: The associations between users and connections, as defined by a User ID, group name, service (TCP or Web), or destination. Citrix Extranet access permissions can be either individual user permissions or group permissions.
Authentication: The process of determining the identity of a user attempting to access a system.
Commonly Used Terms
Authentication Key: The key is a 32-character hexadecimal key assigned to a user during installation by the registration server administrator, consisting of the numbers 0 to 9 and letters A to F.
The Citrix Extranet authentication system supports virtual smart cards and ISO-standard smart cards for both authentication and stored data. A user with a physical smart card must use a smart card reader connected to their PC. Virtual smart card information (FIPS or VCAT token) may be stored on either the PC hard drive or a removable (floppy) disk.
The user’s Citrix Extranet authentication key is stored on the smart card, whether physical or virtual. This information is shared with the Citrix Extranet Server, where it is stored in the Citrix Extranet Server’s user database.
Authentication Token: A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques.
Commonly Used Terms
Authenticator: The name assigned to a Citrix Extranet Server through which users can access a particular service. This name can be up to 14 alphanumeric characters in length and it is recommended that it be a derivative of your Citrix Extranet Server hostname.
Domain Name: Identifies a ‘location’ on the Internet (e.g., citrix.com) that has been registered with the Internet Network Information Center (InterNIC). Currently the domain name is limited to 47 characters. Through the use of aliases, however, it is possible to accommodate longer names.
DES: Data Encryption Standard is a NIST-standard encryption algorithm for secure data protection. A binary number is used as an encryption key with 720 quadrillion possible combinations (256). The key is randomly generated for each session (TCP connection).
FIPS Token: (Virtual Smart Card or Soft Token) A software emulation of a hardware authentication token that is in compliance with the FIPS140–1 coding standards. It stores your private information (authentication key) in an single encrypted file, either on a floppy disk or on your hard drive. FIPS Token is the default authentication method.
Commonly Used Terms
OLR: Citrix Extranet provides On-Line Registration (OLR) services which you may wish to implement depending on your system configuration and the functional requirements of your organization.
RC4: Is a stream cipher developed by RSA Data Security, Inc. This variable key-size stream cipher uses byte-oriented operations to perform random permutations. The typical cipher period is greater than 10100. Since eight to sixteen machine operations are required per output byte, the cipher runs very quickly in software. It is commonly used for secure communications, such as encrypting secure web site traffic using the SSL protocol.
VCAT Token: Identical to the FIPS Token, except that it stores your private information (authentication key) in an encrypted file system, rather than a single file.
Virtual Private Network (VPN): A private network created over a public network (e.g., the Internet) by using encryption, where exclusive client and host communications can occur.