
April 22, 2007

Is the DMZ losing relevance?

This is an idea that has come up in conversation a few times lately so I wanted to put it out there and see what everyone else thinks. I know it's a little bit on the crazy side, but the idea goes like this:

The practice of creating a demilitarized zone (DMZ, a network separating the Internet from the corporate LAN) is anachronistic. DMZs started when computing was comparatively stationary. Computers were big boxes that sat on or under a worker's desk and were physically wired to the network. Physical location provided a good measure of security, because in order to get onto the corporate network you had to have a computer that was plugged into the office wall.

No longer. These days, ubiquitous wireless laptops follow users in and out of the office. Users run their applications from anywhere, including the office, home or Wi-Fi hot spots.

To deliver those applications to remote users, network managers increasingly find themselves poking holes or adding NAT rules on the firewall that separates the DMZ from the corporate LAN. And the firewall rules that allow traffic into the LAN are typically exceptions granting access to the most trusted resources: domain controllers, web servers, application servers, SQL databases and the like. The CSO never wants to put another rule on that firewall, but application access trumps firewall configuration every time. Eventually, the inner firewall begins to resemble Swiss cheese.

Furthermore, increased user mobility adds to the risk of an infected machine walking in through the front door under the arm of a trusted employee. The DMZ offers no protection here. IT groups respond by adding layers of anti-virus protection on all managed PCs and patching internal servers as though they were bastion hosts. Anti-X protection is everywhere: on the endpoints, on the servers and on the network.

Why then should we continue to spend time and money creating and maintaining a separate DMZ network? If the premise is that the DMZ subnet might become fully compromised and the attacker's access level should be restricted at that point by routing and firewall policies, then surely it is a false sense of security when access to sensitive back-end data is inevitably permitted in the name of application access.
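One way to put a number on the "Swiss cheese" problem before deciding whether the inner firewall still earns its keep is to audit the DMZ-to-LAN rule set and flag the exceptions that matter: allow rules that reach the services an attacker on a compromised DMZ host would want most (directory, RPC/SMB, SQL, RDP), and rules whose destination is the whole LAN. The following is an added example written for this post, not code from the original or from any Citrix product; the one-rule-per-line format, the zone addresses and the sample rules are all constructed for illustration.

```python
"""Audit a DMZ-to-LAN firewall policy for over-permissive exceptions.

Added example, not part of the original post. The rule format, the
zone addresses and the sample rules are constructed for illustration and
do not correspond to any particular firewall vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services a compromised DMZ host should normally never reach directly.
# Standard port assignments; the LAN is assumed to host the kinds of
# servers the post names (domain controllers, SQL, application servers).
SENSITIVE_PORTS = {
    88: "kerberos", 135: "ms-rpc", 389: "ldap", 445: "smb",
    636: "ldaps", 1433: "mssql", 3268: "ldap-gc", 3389: "rdp",
}


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: Optional[int]   # None means "any port"
    action: str


def parse_rules(text: str) -> list:
    """Parse rules of the form: name src dst proto port action.
    '#' begins a comment; 'any' is accepted in the port column."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, src, dst, proto, port, action = line.split()
        rules.append(Rule(
            name,
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False),
            proto.lower(),
            None if port.lower() == "any" else int(port),
            action.lower(),
        ))
    return rules


def audit(rules, dmz: str, lan: str) -> list:
    """Return the DMZ->LAN allow rules worth a second look.

    high   - destination port is 'any' or a sensitive service
    medium - destination is the entire LAN prefix (or wider)
    Rules to other ports on specific hosts are treated as ordinary
    application access and are not reported.
    """
    dmz_net = ipaddress.ip_network(dmz)
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not (r.src.overlaps(dmz_net) and r.dst.overlaps(lan_net)):
            continue  # not a DMZ-to-LAN rule
        if r.port is None:
            findings.append({"rule": r.name, "severity": "high",
                             "reason": "any port into the LAN"})
        elif r.port in SENSITIVE_PORTS:
            findings.append({"rule": r.name, "severity": "high",
                             "reason": f"{SENSITIVE_PORTS[r.port]} reachable from DMZ"})
        elif r.dst.prefixlen <= lan_net.prefixlen:
            findings.append({"rule": r.name, "severity": "medium",
                             "reason": "destination is the whole LAN"})
    return findings


# Constructed sample policy: DMZ is 10.0.1.0/24, LAN is 10.10.0.0/16.
SAMPLE_RULES = """
# name      src            dst             proto port  action
ag-ica      10.0.1.10/32   10.10.0.0/24    tcp   1494  allow  # gateway -> Presentation Servers
ag-sta      10.0.1.10/32   10.10.0.5/32    tcp   80    allow  # gateway -> ticket authority
ag-ldap     10.0.1.10/32   10.10.0.2/32    tcp   389   allow  # gateway -> domain controller
web-sql     10.0.1.20/32   10.10.0.50/32   tcp   1433  allow  # web front end -> database
appfw-any   10.0.1.30/32   10.10.0.0/16    tcp   any   allow  # "temporary" exception
mon-snmp    10.0.1.40/32   10.10.0.0/16    udp   161   allow  # monitoring host -> everything
dmz-smb     10.0.1.0/24    10.10.0.0/16    tcp   445   deny
"""

FINDINGS = audit(parse_rules(SAMPLE_RULES), "10.0.1.0/24", "10.10.0.0/16")

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['severity']:6} {f['rule']:10} {f['reason']}")
```

Run against the sample policy, the script reports the LDAP, SQL and any-port exceptions as high and the LAN-wide monitoring rule as medium, while the narrow ICA and ticket-authority rules pass. Whether those three high findings mean the inner firewall is worthless, or that it is doing exactly the job of making such exceptions visible and reviewable, is the question the post is asking.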

Citrix is part of this question - we provide solutions that enable secure remote access to all types of applications (Access Gateway) and solutions that protect web applications where they are vulnerable: at the application layer (NetScaler and Application Firewall). In a typical deployment, the Access Gateway, NetScaler or App Firewall will be placed in the DMZ and then the poor network admin has to go and create firewall rules for everything that the Citrix devices will ever connect to on the LAN. A couple of customers lately (whom I would consider in the vanguard) have abandoned the practice of maintaining a firewall between their SSL VPN server and their internal LAN. It sure makes deployment and upkeep easier as new applications are added.

Of course, I don't expect many companies will walk away from the DMZ topology any time soon. The more paranoid use a dual-stage DMZ, which creates double challenges for enabling application access.

To put this in context, I have been running a DMZ on my home network for the past year or so, and I have found it adds very little protection but makes day-to-day tasks more complicated than I care for. I'm just about ready to go back to a flat subnet protected by a good external firewall.

April 02, 2007


Last week, Citrix posted the version 8.0 firmware for Access Gateway Enterprise Edition, referred to internally as Project Timpanogos. You can find it by logging onto citrix.com and looking in the Downloads > Product Software section. Access Gateway Enterprise Edition is the SSL VPN edition which runs on the NetScaler platform, sharing the same hardware and OS technology on which the Citrix NetScaler Application Switch is based. You’ll need a NetScaler appliance to run the firmware.

This is not the first release of the Enterprise Edition gateway, but it’s the first release to include the same ICA proxy capabilities as the Standard and Advanced editions of Access Gateway. This allows remote users to traverse the DMZ and access applications hosted on Citrix Presentation Servers without requiring any sort of VPN client. Citrix has been selling the Access Gateway Standard and Advanced Editions for the past couple of years as a replacement for the Windows-based Secure Gateway component, allowing you to get those Windows servers out of your DMZ and replace them with hardened security appliances. Now Enterprise Edition is also on the table as an option to consider for SG replacement.

If you’re looking to replace your Secure Gateway servers with an Access Gateway appliance, the most important difference Enterprise Edition 8.0 brings to the table is scalability. The Standard Edition Model 2000 appliance (or “Baby CAG” as some have called it) can host a maximum of 2000 concurrent ICA sessions, and that is when it does nothing but ICA. For Enterprise Edition, there are three appliance models to choose from, supporting up to 10,000 sessions per appliance:

  • Model 7000 – 2,500 concurrent sessions

  • Model 9000 – 5,000 concurrent sessions

  • Model 10000 – 10,000 concurrent sessions

I won’t bore you with a full feature list but there are a few interesting things that stick out in terms of features only available on the Enterprise Edition:

  • Client Certificate Authentication – Users can establish a VPN connection by presenting a smart card or soft certificate in lieu of a username and password.

  • Multiple virtual servers – You can host as many “virtual” SSL VPNs as you want on a single physical appliance. Each SSL VPN virtual server can have its own IP address, its own certificate and its own set of policies.

  • VPN traffic compression – Leveraging the NetScaler compression technology, you can have all user traffic within the VPN tunnel compressed to reduce bandwidth.

  • Built-in high availability – You can deploy two appliances in an active/passive pair and all VPN session information is shared between the two. If the primary gateway fails, the secondary gateway takes over without requiring users to log back in.

Like the Advanced Edition, you also get "SmartAccess for Presentation Server" – that is, you can filter published applications and CPS policies in response to endpoint analysis. For example, hide some sensitive app icons and turn off client drive mapping when the user is connecting from an unmanaged endpoint. I posted an article on this concept a while back.

Unlike the Advanced Edition, which consists of an appliance plus one or more Windows servers, the Enterprise Edition is a standalone box – there’s no AAC server farm to install and configure.

Sadly though, the Enterprise Edition still has some things it won’t do, things which we offer today in the Advanced Edition. The Advanced Edition is nowhere near as scalable as the Enterprise Edition, but it’s still the only edition right now that can do these things:

  • Clientless access to internal web sites (web proxy) – the Enterprise Edition requires a VPN client to reach web servers on the LAN.
  • File Type Association – the ability to declare in a policy that certain documents must only be accessed via Presentation Server, not downloaded to the user’s device. (Though I suppose you could arrange your authorization policies to make this the case in Enterprise Edition, by denying direct access to the web servers or file servers.)
  • HTML Preview – This is really a Windows function and I’m not sure it could be done effectively without requiring a Windows server.

So don’t assume that Enterprise Edition will be able to do absolutely everything that the Standard and Advanced editions can do at this point. Depending on what your needs are, the Advanced Edition might be a better fit, especially if you don’t need to support more than about 500 concurrent users. But if you really want high user density and connectivity to Presentation Server applications without tons of Windows servers in your DMZ, it’s time to take a look at Access Gateway Enterprise Edition. And you can rest assured that Citrix is working to close that feature gap as quickly as possible.

So is it a NetScaler?

In talking to people about this release, there seems to be a lot of confusion out there about how the Access Gateway Enterprise Edition lines up with Citrix NetScaler. Let me see if I can explain it:

  • Access Gateway Enterprise Edition is sold as a standalone SSL VPN product. It shares the same core OS (derived from FreeBSD) and the same hardware platforms as the Citrix NetScaler, which is sold as a load balancer and application switch. But when you buy an Access Gateway, you cannot use it as a load balancer too.

  • However – Access Gateway licenses can be added to a Citrix NetScaler load balancer, resulting in a single appliance that is both a load balancer and an SSL VPN. You can only add AG user licenses to the Enterprise or Platinum editions of the Citrix NetScaler.

Clear as mud?