
Architecting a Citrix Virtualization Solution - Assessment: Security and Operation

Let's refresh where we are! We are discussing how to architect a Citrix environment from an architect's perspective. There are 2 parts to it:
  1)    Assessment
  2)    Design

Assessment is further divided into
·   Security and personalization
·   Operation and Support
·   Conceptual Architecture

In this blog, we will discuss the assessment of security and operation. Each topic will be covered in a separate blog.

Most organizations spend significant amounts of money on security. When assessing enterprise security, an architect should gather information about the environment with regard to physical security, including restrictions, permissions, the management of systems, and personalization settings implemented through profiles and policies.
Enterprise Security
Security concerns with desktops include viruses and malware, persistent cache and employees sending confidential information by way of the backend infrastructure. Assessing security in a virtualization environment is essential to ensure that the environment is as secure as possible.
During the security assessment, an architect should also inspect the following topics in an environment:
  • Administrator access
  • Application and server security
  • Network security
  • Remote access security
  • Password change policies
  • Password security issues
  • Antivirus security
  • Service pack updates
  • Server certificates
  • Event logs
A best practice is to never grant anonymous access unless absolutely necessary, require authentication to the desktop and require application-level passwords.

Security Assessment
Architects should ask the following questions:
  • For existing XenApp environments, is ICA encryption used?
  • How do external users access their desktop data?
  • Is there a dedicated security team?
  • If Web Interface is implemented, are security certificates installed on the Web Interface servers? If not, passwords are transmitted in plain text and can be easily accessed by an internal administrator.
  • Are internal or third-party certificates being used?
  • Are endpoint analysis scans being run or is the organization performing any other type of endpoint analysis? Endpoint analysis should be performed in most environments, even if the organization is running a non-Citrix appliance, such as Cisco or Juniper.
  • Do users have the ability to perform all of their required tasks?
  • Does any sensitive data leave the network?
  • Is accessing applications and resources safe?
  • Do any security measures negatively affect performance?
  • Is VPN access from a PC allowed?
  • Can users access mapped drives through a VPN?
  • Is Single Sign-on being used?
  • What are the audit policies?
  • Are there security considerations between internal and external networks?
  • What are the enterprise-wide password policies?
  • Are Service Pack updates performed? What is the process?
  • Are server security logs monitored by administrators?
  • How much retention exists in the security logs?
Assessing each area of security is helpful to the architect during the design phase, in order to recommend a solution that is secure for the organization and its users.
Browsers and Encryption
During the security portion of the assessment, architects also gather information related to browsers and encryption levels.
Architects should ask the following questions:
  • Which browsers are supported by the organization?
  • What are the browser security settings?
  • Are any applets, such as ActiveX or Java, blocked?
  • Which encryption level does the business require?
General recommendations include the following:
  • Standardize on a supported browser that meets the business requirements. Using multiple browser types can result in inconsistent access between devices.
  • Ensure that browser settings do not block Java applets. Strict security settings might result in launch failures.
  • Ensure that encryption standards can be met by all supported client devices. Not using encryption is a security risk.
User Authentication and Authorization
An architect should examine the user authentication process during the assessment. Authentication is usually based on one of the following:
  • Explicit
  • Pass-through
  • Smart Card
  • Pass-through with Smart Card
For example, if explicit authentication is used for accessing desktops and local applications, an architect must determine whether that process is ideal or recommend an alternate type of authentication in the design.
Explicit authentication is usually recommended in Citrix environments.
User authentication also incorporates access to subsequent resources. For example, if Smart Card authentication is used for the desktop, access to an application may or may not support that type of authentication. In addition, an authentication tool such as Citrix Single Sign-on (formerly Password Manager) may be used to address subsequent authentication requirements.
User authorization involves assessing the permission levels for the categorized user types. Architects should ask the following questions:
  • Which user types are power users?
  • Which user types are allowed to install their own applications?
  • Do users have administrator status on their local desktops?
  • Are any users using Single Sign-On?
  • What are the user permissions on the XenApp servers, if applicable?
  • Are there any applications that require less restrictive permissions or the ability to modify the registry?
An understanding of user authorization in the environment will help the architect determine if any special security templates or modifications will need to be made in the design phase.
External Access Scenarios
To appropriately design a secure access solution for external users, architects must identify the various external access scenarios either currently used or required. These scenarios describe which users will be connecting to the environment externally and which resources those users will be able to access. For example, employees connecting externally to the environment from managed laptops might be granted full VPN access, which provides access to all the same resources those employees get when connecting from within the office. However, contractors might be granted limited VPN access or access only to published applications available through Web Interface. When identifying an organization's access scenarios, architects should answer the following types of questions:
  • Is external access currently provided for any users?
  • Who are the external users? Are they employees, contractors or vendors?
  • Are the client devices used for external access managed or unmanaged? Are they laptops or desktops?
  • How are ICA connections from external users secured? Does the organization currently have an SSL VPN solution such as Access Gateway or Secure Gateway?
  • How are users authenticated? Is Active Directory or two-factor authentication required?
    • Is Windows single sign-on to the Access Gateway plug-in required?
    • Is automatic single sign-on to web applications required?
  • Do any users require full SSL VPN access into the environment or can secure access be limited to XenDesktop and XenApp resources?
  • Are endpoint analysis scans (EPAs) needed to verify client device requirements, such as the anti-virus version, a Registry setting or the presence of an internal certificate? Will users that fail the endpoint analysis scans be quarantined or provided with limited access?
Policy Management
Policy management is important to assess in a virtualization environment.
Architects should ask the following questions:
  • What are the organization's policy settings?
  • Which resultant policies have been implemented?
  • Which group policies exist?
  • Which Citrix-specific policies have been implemented, if applicable?
  • How are policies generally applied in the environment?
In an environment containing Citrix XenApp or XenDesktop, there are a number of ways to apply a configuration or security setting onto a group of servers. Policies can be applied through numerous methods and impact different aspects of the environment.
For more information, see the Citrix Consulting white paper "How Policies Impact XenApp Environments" on the web site.

