
Never Assume Citrix and MS Terminal Services Eliminate Need For Endpoint Security

 

Security Mistake #4: Assuming Citrix & MS Terminal Server Eliminate the Need for Endpoint Security

The assumption that endpoint security is unnecessary when you have a Citrix or Microsoft Terminal Server deployed for remote access is another mistake commonly found in enterprises. Data is transferred, even if only in graphical format, to the end user's insecure PC. Moreover, file sharing and printer sharing are frequently-used capabilities, which also open up additional pipelines for viruses and worms to propagate onto a corporate network. If someone can connect directly into a server, they can run exploits against your server, take guesses at users' corporate passwords, and easily direct a Denial-of-Service attack at the server. Here is a fact: A new Citrix exploit is discovered every few months (including remote overflows and arbitrary command execution vulnerabilities). Source: Open Source Vulnerability Database (www.osvdb.org)

Most end users aren't malicious or trying to steal data from a Terminal Server. Instead, inadvertent leakage of information is caused by the end user, and then intentional data theft happens even without the user's knowledge. Most VPNs are carefully encrypted tunnels leading to a totally untrusted, insecure endpoint. In this case, the endpoint is a thin client and the tunnel is, at best, an SSL connection to a Citrix NFuse interface or a direct connection to the Terminal Server.

Case Study

Olathe Medical Center deploys Cerner software via a Citrix server on their LAN. Cerner is the leading provider of health management software. The Cerner software runs everything in a hospital from patient records and x-rays to scheduling and order management. Furthermore, because of the large database size, it's frequently implemented at a hospital using Citrix servers. Until Olathe Medical Center found the Positive Networks VPN service, they had no way of allowing doctors, nurses, or IT staff at off-site clinics or home offices to access the Cerner application, because there was no way to be in compliance with HIPAA. Patient information being viewed on an untrusted PC violates HIPAA regulations because the PC has no guarantee that it's free of viruses, patched with critical updates, free of spyware, etc.

When an end user (e.g. a doctor) is connected with Citrix, and is looking at confidential information, there's no way to know if someone has installed a back door application that may be logging his keystrokes when he types in his hospital password. Keystroke loggers can also take frequent screen captures of the information he's viewing, or remotely control his PC with any common remote control application. Only with a single remote access solution that allows web or client-based access to Citrix, like PositivePRO, can the end user be secured before logging into the corporate network. Olathe Medical Center chose Positive Networks as their solution, and management is now completely confident in the use of Cerner with Citrix for end users.

To avoid this security mistake, IT administrators must wrap the Citrix or Terminal Server setup with a secure VPN solution that integrates seamlessly. This allows a company to pull the servers off the public Internet, gives users easy thin-client access to applications, and lets management be confident in the security of each endpoint that's connecting each day.

 