11-06-2006 02:37 PM - edited 03-09-2019 04:47 PM
If I open the ports for Citrix traffic to flow between two firewalls over the Internet, do I need to be concerned about being scanned for open ports? Another engineer is telling me that it still can't be scanned due to the nature of the PIX but I can't find any reference to this anti-scanning feature.
11-10-2006 11:33 AM
About Citrix:
Citrix's Internet technology allows users to run WinFrame sessions over the Internet. This poses a challenge for maintaining Internet security because Citrix's Intelligent Console Architecture (ICA) protocol is a relatively new networking protocol that runs over TCP/IP using registered port 1494. Firewalls do not understand ICA because it is not a "well known" networking protocol.
Therefore, allowing the ICA protocol to pass through the firewall becomes a configuration challenge. Some types of firewalls can be configured to pass ICA, while others cannot. ICA uses dynamic port allocation much like the FTP protocol.
The initial synchronization between the WINFRAME client and the WINFRAME server occurs over port 1494, but the actual WINFRAME session occurs over a dynamically allocated port. For this reason, it might be necessary to allow connections over a range of TCP/IP ports through the given firewall. If required, these connections should only be allowed between the client and the server.
Try this link:
http://www.cisco.com/en/US/products/products_security_advisory09186a008009fafa.shtml
11-10-2006 03:43 PM
That's a pretty basic feature of a firewall.
If your rules only allow specific src/dst ip addresses and port(s), then a scan from another IP address won't produce useful results.
11-10-2006 08:05 PM
You spoof the source and that's a pretty basic feature of a hacker. I guess my point is that it would be safer to use VPN tunnels unless there is some sort of issue with performance for Citrix servers and clients over network based VPNs. Thoughts?
11-10-2006 11:04 PM
Hi,
I agree with your point. Either you can go with MPLS-based VPN, where your traffic is secure without doing IPsec, or you need to go as you have mentioned, end-to-end IPsec between your firewalls.
regards
vanesh k
11-11-2006 03:56 PM
Using a VPN tunnel requires opening up protocols and ports from a source IP to a destination IP. It's not a whole lot different from a scanning perspective.
Even if the hacker knew the correct source IP address to spoof (unlikely), spoofing the source doesn't do much for an attacker because they won't see the reply packet. Unless it's a really old implementation of Citrix, it's probably already using 128-bit encryption. Adding a VPN tunnel does not add a lot of value and will certainly add overhead.
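The two points made in this thread (a rule limited to one source/destination pair makes a probe from any other address useless, and a spoofed source never receives the reply) as an added Python simulation; this is not code from the thread or from Cisco, and the addresses and the single access-list rule are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not from the thread).
CITRIX_SERVER = "203.0.113.10"   # Citrix server behind the PIX
PEER_FIREWALL = "198.51.100.5"   # the only remote source the rule permits
SCANNER = "192.0.2.77"           # an unrelated Internet host
ICA_PORT = 1494

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Equivalent of a single PIX-style entry:
#   access-list outside_in permit tcp host PEER_FIREWALL host CITRIX_SERVER eq 1494
# Everything not matched by a permit is implicitly denied.
ACL = [Rule(PEER_FIREWALL, CITRIX_SERVER, ICA_PORT)]

def acl_permits(pkt: Packet, acl=ACL) -> bool:
    """Implicit deny: only packets matching a permit entry pass."""
    return any(pkt.src == r.src and pkt.dst == r.dst and pkt.dport == r.dport
               for r in acl)

def probe(claimed_src: str, dport: int) -> Optional[str]:
    """Simulate one TCP SYN probe toward the Citrix server.
    Returns the address that receives the server's SYN-ACK, or None when
    the firewall drops the probe (no SYN-ACK and no RST are sent back)."""
    pkt = Packet(claimed_src, CITRIX_SERVER, dport)
    if not acl_permits(pkt):
        return None
    # A permitted SYN is answered to the *claimed* source address; the
    # reply only reaches a host that actually owns that address.
    return pkt.src

def scanner_sees_reply(scanner_ip: str, claimed_src: str, dport: int) -> bool:
    """True only if the reply to the probe lands on the scanner itself."""
    return probe(claimed_src, dport) == scanner_ip
```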