SafeWord for Citrix is a strong authentication system designed specifically for Citrix environments, and designed specifically for Citrix administrators to manage. This paper discusses the risks of passwords, how SafeWord for Citrix protects against those risks, and the unique features and benefits of SafeWord for Citrix that make it easy and cost-effective for Citrix administrators to manage.
What is Citrix?
Citrix is a popular method for providing organizations with remote access to applications. There are many advantages to using Citrix for remote access. After simply downloading and installing a Citrix ICA client on any computer (PCs, Macs, even PDAs), users can access the organization's published applications over the Web. Citrix solutions embrace a concept called "workforce mobility": the ability to access needed information from anywhere.
As part of their offering, Citrix uses a technology called the secure gateway, which eliminates man-in-the-middle attacks, so that packets cannot be snooped or sniffed. This is not only an essential element of security, but it also has made many organizations comfortable with rolling Citrix solutions out to their user populations for remote network access.
The password risk
Although the Citrix secure gateway has increased security significantly, most organizations still rely on simple usernames and passwords to access their Citrix-published applications. So, while Citrix has created essentially a secure tunnel from a user's PC to the trusted network, the entrance to that tunnel is guarded with a very weak system.
Passwords are a very weak way to guard the entrance to your trusted systems, applications, and networks. Security studies consistently show that many users choose passwords that are very easy to guess, attack, or break.
Three to four percent of users choose extremely weak passwords: either the password is the same as the username, is the user's first name, or is the word "password." (Gosh, how clever; it's like hiding in plain sight!)
An additional 2 percent of users choose the "vanity passwords" of "stud" or "goddess" and many more choose other easily guessable vanity passwords like "cutiepie," "hunk," and similar words.
A much larger percentage of people (35 percent or more, depending on the study) choose passwords that can be found in their work area. The name of a child or spouse, a favorite rock band, classical composer, vacation spot, or car model can often be found on an employee's desk or hanging on the wall of a cubicle or office.
Additionally, personal information such as this can be easily gleaned by a smart attacker in a two-minute "friendly conversation" in the elevator.
Do stronger password policies really help?
Some security pundits recommend implementing the following policies to protect passwords against these attacks: mandating passwords of at least six characters; forcing users to change their passwords every 30 days; not allowing users to "replay" a previously used password; no dictionary, slang, or industry words; requiring at least one uppercase letter, one lowercase letter, one digit, and one symbol; no birthdays or social security numbers; no proper names; the list goes on and on. Some experts even recommend that users develop complex schemes, including learning a mnemonic alphabet or secret codes. This leads to passwords like G1w$#Ih5W.
There are two problems with implementing password policies. The first is that the more of these password policies you implement, the harder it becomes for users to remember their passwords. Forgotten passwords are the number one type of help-desk call, and the average help-desk call costs $50-$150 in resources and lost productivity.
The second problem is that the organization's security risk can actually increase. Users in organizations with complex policies may spend their time trying to circumvent their company's password policies. The easiest way to circumvent a complex password policy is to simply write the password down and tape it underneath the keyboard or to the workstation's monitor.
Stronger password policies also cannot defend against the weakest link: the end user.
Of 150 office workers surveyed in 2002, the majority said they would give their password to a co-worker or colleague, and two-thirds of them gave their network password to the survey taker! A British survey found that over 90% of people would reveal their network password for a free pen. (And that's a cheap ballpoint, not even an expensive fountain pen.)
Organizations lose hundreds of millions of dollars every year because of password breaches. An identity theft ring was uncovered in early 2003 after a help-desk employee was found to be stealing credit companies' passwords. The victims numbered in the dozens, and lost more than $30 million. This attack could not have been defended against with a stronger password policy.
Clearly, organizations with valuable information must choose something stronger than passwords to protect their resources.
The answer is strong authentication
Strong authentication refers to systems that require multiple factors for authentication and use advanced technology, such as secret keys and encryption, to verify a user's identity. The simplest example of strong authentication is your ATM card. This requires something you have (your card), and something you know (your PIN). Most people wouldn't want their bank to allow access to their checking account with just one factor. Yet many organizations allow entrance to their valuable Citrix resources (often much more valuable than a single personal checking account) with only one factor: a weak password!
How SafeWord for Citrix provides strong authentication
SafeWord for Citrix delivers security through hardware tokens that generate one-time passcodes, used in combination with a user's PIN.
Figure 1: SafeWord for Citrix hardware token
When a Citrix user pushes the button on the SafeWord token, it immediately generates and displays a single-use passcode (via a unique secret key and an advanced encryption algorithm that is contained inside). The user enters the passcode, followed by the user's unique PIN, to gain access. The SafeWord server, with each user's token and PIN on file, can confirm the authenticity of each passcode presented by each user. After one use, the passcode is thrown away by the system. If someone attempts to re-use a passcode, access is denied by the authentication server.
Each Citrix user must have the SafeWord token in their possession (much like the ATM card) and know the PIN. This is true two-factor authentication, and it eliminates the risks of stolen or compromised passwords.
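The passcode-plus-PIN flow described above, as an added example that is not SafeWord's or Citrix's code: a token object holds a secret key and a press counter, and a server that knows each user's key and PIN verifies the entered string and refuses any passcode that has already been accepted. The page does not state SafeWord's actual algorithm, so the derivation used here (HMAC-SHA1 truncated to six digits, the HOTP scheme of RFC 4226), the six-digit display, the five-press look-ahead window and the five-failure lockout are all assumptions made for illustration.

```python
"""Added example: event-based one-time passcode with PIN, and a server that
rejects replays. The HOTP derivation, passcode length, look-ahead window and
lockout threshold are assumptions; the page does not specify SafeWord's own."""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6          # passcode length shown on the token display (assumed)
LOOK_AHEAD = 5      # unused button presses the server tolerates (assumed)
MAX_FAILURES = 5    # lockout threshold, so a captured passcode cannot be used
                    # to guess the PIN by trial (assumed)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time passcode (RFC 4226) for one button press."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Token:
    """The hardware token: a secret key and a press counter, nothing more."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press_button(self) -> str:
        code = hotp(self.key, self.counter)
        self.counter += 1          # the passcode just shown can never recur
        return code


class AuthServer:
    """Keeps each user's token key, PIN hash and the next acceptable counter."""

    def __init__(self) -> None:
        self.users = {}

    def enroll(self, username: str, key: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"key": key, "salt": salt,
                                "pin_hash": hash_pin(pin, salt),
                                "counter": 0, "failures": 0}

    def authenticate(self, username: str, entered: str) -> bool:
        """`entered` is the passcode followed by the PIN, as the text describes."""
        user = self.users.get(username)
        if user is None or user["failures"] >= MAX_FAILURES:
            return False
        passcode, pin = entered[:DIGITS], entered[DIGITS:]
        pin_ok = bool(pin) and hmac.compare_digest(
            hash_pin(pin, user["salt"]), user["pin_hash"])
        # Only counters at or beyond the last accepted one are candidates, so a
        # passcode that was already used (or skipped) is rejected as a replay.
        matched = None
        for c in range(user["counter"], user["counter"] + LOOK_AHEAD):
            if hmac.compare_digest(hotp(user["key"], c), passcode):
                matched = c
                break
        if not pin_ok or matched is None:
            user["failures"] += 1
            return False
        user["counter"] = matched + 1   # everything up to `matched` is now spent
        user["failures"] = 0
        return True


def demo() -> list:
    """Walk through the cases the text calls out; returns the decisions."""
    key = b"12345678901234567890"      # constructed demo key (RFC 4226 test key)
    server = AuthServer()
    server.enroll("alice", key, "4321")
    token = Token(key)
    first = token.press_button()
    results = [
        server.authenticate("alice", first + "4321"),   # fresh passcode, right PIN
        server.authenticate("alice", first + "4321"),   # replay of a spent passcode
        server.authenticate("alice", token.press_button() + "0000"),  # wrong PIN
        server.authenticate("alice", "000000" + "4321"),  # guessed passcode
    ]
    skipped = token.press_button()     # shown but never entered
    results.append(server.authenticate("alice", token.press_button() + "4321"))
    results.append(server.authenticate("alice", skipped + "4321"))  # older press, spent
    return results


if __name__ == "__main__":
    print(demo())
```

The PIN check and the passcode search are both evaluated before the decision so that a failure does not reveal which factor was wrong, and the counter advances only on a fully successful login; the lockout counter is what protects the PIN once an attacker has seen a passcode over someone's shoulder.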
What does SafeWord for Citrix protect?
SafeWord for Citrix is designed to strongly authenticate remote Web access to Citrix applications.
SafeWord for Citrix protects Citrix environments using the Presentation Server and Citrix Web Interface (formerly NFuse Classic), with the users stored in Active Directory. The Citrix secure gateway is strongly recommended but not required.
Additionally, SafeWord for Citrix protects Citrix Advanced Access Control (formerly Metaframe Secure Access Manager). The Citrix secure gateway is required for use with Citrix Advanced Access Control. Active Directory is required for the user repository.
SafeWord for Citrix can also protect logins to the Citrix Secure Gateway via RADIUS and the IAS agent when used without Citrix Advanced Access Control. Microsoft Internet Authentication Server and the SafeWord IAS agent are required.
SafeWord for Citrix is also designed to protect non-Citrix resources (such as VPNs, appliance console access, or other software) when used in conjunction with the SafeWord IAS RADIUS agent.
Secure Computing offers its flagship strong authentication product, SafeWord® PremierAccess®, to protect VPN, Web sites, and many other resources (including Citrix environments using the Citrix Web interface, Citrix Advanced Access Control, or Citrix Secure Gateway).
What's unique about SafeWord for Citrix?
As mentioned earlier, SafeWord for Citrix is designed to be easily and cost-effectively managed by Citrix administrators.
Many people view strong authentication as a complex, mammoth undertaking, and may feel the undertaking is not worth the time and expense (even though weak passwords are leaving them vulnerable). Some feel that it's not designed for the small or medium-sized business.
SafeWord for Citrix is designed to change all that. It installs quickly and easily. It automatically configures itself into a Citrix environment quickly and easily. Tokens can be distributed quickly and easily. And it's tied directly to Active Directory, so managing tokens can be done (you guessed it) quickly and easily.
- Installation is lightning-fast. Competing solutions can take hours or days to install and configure properly.
Often, systems engineers must be scheduled from the vendor to install the software correctly. Security policies must be mapped out. Ports must be opened, or closed, or both. But it's easy with SafeWord for Citrix: Pop in the CD. The wizard-driven installation leads you through the process in less than 10 minutes.
Figure 2: Installing SafeWord for Citrix is quick and easy
- No separate machine needed. Competing solutions require the software to be loaded on a separate server. A server with the minimum requirements costs about $3,800. But SafeWord for Citrix installs directly on your Active Directory box, saving thousands of dollars (and the hassle of a purchase requisition).
- Manage everything from Active Directory. Other solutions use a proprietary user database which must be managed separately. With SafeWord for Citrix, plug-ins to the Microsoft Management Console in Active Directory tie the SafeWord tokens directly to your Active Directory users, so there's just one place to manage users and tokens.
Figure 3: The SafeWord plug-in to Active Directory
- Deliver tokens to end users in a quarter of the time, with a quarter of the expense. With traditional token deployment, administrators must create user accounts, import user records, test tokens and assign them to each user, label and process each token for delivery, find each user, and deliver the correct token. This takes about 30 minutes per user, which can add up very quickly. But SafeWord for Citrix includes a user self-enrollment capability (offered only by Secure Computing with all SafeWord products). With user self-enrollment, administrators don't have to match each user to their correct token or assign tokens; users can enroll themselves. Setup takes an administrator about a half hour, and the per-user time drops from 30 minutes to less than 5. (You'll save time if you have more than 2 users!) Even if you just have 25 users, you'll save over a day of work using SafeWord for Citrix's user self-enrollment.
Figure 4: Users can enroll themselves with the SafeWord User Center
- Never buy another replacement token. Some competing solutions require you to repurchase tokens every 2, 3, or 4 years; their tokens are programmed to expire at the end of that time period. But with SafeWord for Citrix, simply return any nonfunctioning token to us and we'll replace it for free, no questions asked. Our tokens are not programmed to expire, and if one fails for any reason (you dropped it into a running garbage disposal, your dog chewed it up, you ran over it with a steamroller, or if it simply has a dead battery in 10 years), we'll replace it free of charge. All that's required is that your organization has a valid, up-to-date support contract with us.
- All of this at half the price. Competing solutions for 100 users list for $200 or more per user. SafeWord for Citrix is less than half the initial cost.
Conclusion
SafeWord for Citrix, with its fast installation and administrator-friendly features, is built for the Citrix administrator to quickly and easily implement, deploy, and maintain strong authentication. Add in the savings with user self-enrollment and lifetime free token replacement, and SafeWord for Citrix has a low total cost of ownership and a high value.