Citrix Access Gateway with Advanced Access Control 4.2 Technical Overview PowerPoint PPT Presentation


Title: Citrix Access Gateway with Advanced Access Control 4.2 Technical Overview


1
Citrix Access Gateway with Advanced Access
Control 4.2 Technical Overview
2
Agenda
3
Citrix Delivers Access Security
  • Perimeter Security: Establishes a barrier to keep
    malicious attacks from affecting the productivity
    of the organization
  • Access Security: Provides regulated access to the
    business resources users need to perform their
    duties
4
Secure Access Challenges
  • Anywhere access to business applications and data
  • Expanding access to more users and device types
    cost-effectively
  • Prevent downtime and business loss from security
    breaches
  • Meet or exceed security, privacy and regulatory
    concerns

5
The Customer Problems
  • Consistent user experience
  • Cannot access from behind firewalls
  • Access from widely varying devices
  • Need access to all internal IT resources
  • Minimize re-authentication on re-connect
  • Bandwidth
  • Latency
  • Device idiosyncrasies
  • Control over how information and applications can
    be used
  • Endpoint security, identification, and integrity
    validation
  • Centralized access control to all IT resources
  • Hardened Appliance

[Diagram labels: Local Users, Corporate Laptop, Home Computer, Mobile PDA, Desktops, Phones, Partners, Internet, Firewall, Access Gateway, Advanced Access Control, CPS Applications, Email Servers, Web or App Servers, File Servers]
6
Agenda
7
Citrix Access Strategy
  • Integrated Approach
  • Piece-Part Approach
  • Security, Interoperability and Management Gaps
  • Secure, Integrated, Flexible and Extensible

[Diagram labels: Enterprise Single Sign-On, Access Rights Management, User Assistance, Real-Time Collaboration, Application Delivery, SSL VPN, End-Point Security, Visibility Reporting]
8
Product Components

Access Gateway
  • Access Gateway hardened appliance in DMZ
  • Enables end-to-end secure communication via SSL
  • Authentication point
  • Enforces policies generated by Advanced Access
    Control

Advanced Access Control
  • Deployed in a secured network
  • Deployed on Windows Server platform
  • Centralizes administration, management and
    policy-based access control
  • Centralized reporting and auditing
  • Manages endpoint analysis and client delivery
  • Extends access to more devices and scenarios
  • Advanced policy engine with action control

9
Agenda
10
Advanced Access Control Features and Benefits
11
SmartAccess Technology
  • Extensive policy-based sense and response

  • Automatically reconfigures the appropriate level
    of access as users roam between devices,
    locations and connections
  • Advanced, extensible end-point security policies
    and analysis
  • Action control defines what the user can access,
    and what actions they can take

12
SmartAccess Overview
  • Analyze Access Scenario
  • Analyze endpoint to ensure connections are
      • Safe: ensure connection will not harm corporate
        infrastructure
      • Trusted: analyze user, machine, and network
        identity to ensure the connection is being made
        as claimed
      • Secure: ensure malicious parties cannot attack
        corporate infrastructure from connecting devices
  • Provide an extensible architecture (via SDK) to
    allow customers and 3rd parties to easily create
    custom scans

Analyze Access Scenario
  • Machine Identity
      • NetBIOS name
      • Domain Membership
      • MAC address
  • Machine Configuration
      • Operating System
      • Anti-Virus System
      • Personal Firewall
      • Browser
  • Network Zone
  • Login Agent
  • Authentication Method
  • Custom Endpoint Scans

13
SmartAccess Overview
  • Policy Based Access Control
  • Situational or contextual access control based on
    user membership, authentication strength, device
    and connection to ensure IT resources are not
    exposed to unwarranted risk

Analyze Endpoint Connection
  • Machine Identity
      • NetBIOS name
      • Domain Membership
      • MAC address
  • Machine Configuration
      • Operating System
      • Anti-Virus System
      • Personal Firewall
      • Browser
  • Network Zone
  • Login Agent
  • Authentication Method
  • Client Certificate Queries
  • Custom Endpoint Scans

Implement Access Control
  • CPS applications
  • File network shares (UNCs)
  • Web based email
  • Web sites (URLs)
  • Web applications
  • Email application synchronization

14
SmartAccess Overview
  • Intellectual Property Control
  • Manage the use of sensitive information by
      • controlling how information is accessed and
        used (CPS, HTML Preview, LiveEdit etc.)
      • controlling what can be done with that
        information (download, print, save, copy, etc.)
      • ensuring no data is left on the local machine
  • Enable companies to log all access

[Diagram label: SSL-VPNs]

Analyze Endpoint Connection
  • Machine Identity
      • NetBIOS name
      • Domain Membership
      • MAC address
  • Machine Configuration
      • Operating System
      • Anti-Virus System
      • Personal Firewall
      • Browser
  • Network Zone
  • Login Agent
  • Authentication Method
  • Custom Endpoint Scans

Implement Access Control
  • CPS applications
  • File network shares (UNCs)
  • Web based email
  • Web sites (URLs)
  • Web applications
  • Email application synchronization

Implement Resource Usage Control
  • Full download of documents
  • LiveEdit
      • Edit locally
      • Save back to server
      • Retain in memory during edit
      • Avoid data leakage on client
  • Preview documents with HTML
      • Access from PDAs
      • View without application on client
      • Attach to email
      • Avoid data transmission to client
  • CPS Applications
      • Control available applications
      • Limit local mapped drives and printing

15
Access Scenario: Corporate Users from a Hotel
  • Download and Access Information
      • Full download
      • Download to memory only
      • Access via CPS only
      • Preview in HTML only
  • Edit and Save Changes
      • Save locally
      • Save only to network
      • Save disabled
  • Print
      • Print locally
      • Print to selected printers only
      • Printing disabled
  • CPS Applications

[Diagram labels: Corporate Laptop, Home Computer, Mobile PDA, Desktops, Phones, Partner Machine, Internet, Firewall, Access Gateway, Advanced Access Control, CPS Applications, Email Servers, Web or App Servers, File Servers]
16
Access Scenario: Corporate Users from Home
  • Download and Access Information
      • Full download
      • Download to memory only
      • Access via CPS only
      • Preview in HTML only
  • Edit and Save Changes
      • Save locally
      • Save only to network
      • Save disabled
  • Print
      • Print locally
      • Print to selected printers only
      • Printing disabled
  • CPS Applications

[Diagram labels: Corporate Laptop, Home Computer, Mobile PDA, Desktops, Phones, Partner Machine, Internet, Firewall, Access Gateway, Advanced Access Control, CPS Applications, Email Servers, Web or App Servers, File Servers]
17
Granular Access Controls
  • File Download
  • Local Edit and Save
  • File Upload
  • E-mail Sync
  • Web E-mail
  • Full Presentation Server Access
  • Full Presentation Server App Set
  • Edit in Memory
  • Limited Presentation Server access (read-only
    local drive mapping)
  • Limited Presentation Server application set
  • File Preview
  • File Upload
  • E-mail Sync
  • Web E-mail
  • File Preview
  • Web E-mail
  • Controlled Presentation Server Access

18
Phased Policy Rollout
  • Define a group of trusted remote users
  • Grant full network access by giving access to the
    Entire Network
  • Restrict full access with end-point scans (if
    desired)
  • Prepare granular policies and roll-out to select
    users as desired

19
Methodology for Defining Access Policies
  • Inventory all IT resources
  • Group resources into levels of sensitivity
  • Define end user access scenarios
  • Associate end user access scenarios with levels
    of sensitivity
  • Validate the policies with a select group using
    event logging
  • Roll policies into full production
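
The methodology above, combined with the SmartAccess model from the earlier slides (endpoint analysis, then access control, then resource usage control), sketched in Python. This is an added example, not code from Citrix or the presentation; the scenario names, sensitivity levels, policy table and log-only validation mode are assumptions made for illustration.

```python
# Added illustration; not Citrix's policy engine, SDK or configuration format.
from dataclasses import dataclass

# Actions from most to least permissive (wording follows the slides).
ACTIONS = ["full_download", "live_edit", "html_preview", "deny"]

@dataclass(frozen=True)
class Endpoint:
    """Endpoint analysis results (constructed subset of the scan list)."""
    domain_member: bool
    antivirus_running: bool
    personal_firewall: bool
    auth_method: str  # "password" or "two_factor"

def classify(ep):
    """Map scan results to an access scenario (scenario names are assumed)."""
    if ep.domain_member and ep.antivirus_running and ep.personal_firewall:
        return "corporate_laptop"
    if ep.antivirus_running and ep.auth_method == "two_factor":
        return "home_computer"
    return "untrusted_device"  # kiosk, partner machine, failed scans

# (scenario, sensitivity level) -> most permissive action allowed (constructed).
POLICY = {
    ("corporate_laptop", "low"): "full_download",
    ("corporate_laptop", "high"): "live_edit",
    ("home_computer", "low"): "live_edit",
    ("home_computer", "high"): "html_preview",
    ("untrusted_device", "low"): "html_preview",
}

def decide(ep, sensitivity, requested, audit_log, enforce=True):
    """Return the action the user gets; unlisted combinations default to deny."""
    scenario = classify(ep)
    ceiling = POLICY.get((scenario, sensitivity), "deny")
    # Higher index = less permissive; a request above the ceiling is downgraded.
    if ACTIONS.index(requested) >= ACTIONS.index(ceiling):
        decision = requested
    else:
        decision = ceiling
    audit_log.append({"scenario": scenario, "sensitivity": sensitivity,
                      "requested": requested, "decision": decision,
                      "enforced": enforce})
    # Validation phase (enforce=False): log the decision, do not restrict yet.
    return decision if enforce else requested
```

Running the pilot group with `enforce=False` fills `audit_log` with the decisions the policy would have made, which can be reviewed before the policy is rolled into production.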

20
Actions Control Overview
  • Designed to prevent inadvertent leakage of
    information normally associated with user error.

Example: Users forget it is against company
policy to access sensitive information from home
or a kiosk.
21
Endpoint Analysis Overview
Analyze the client machine to identify the device
and determine if it is secured.
  • Endpoint Analysis Clients
      • ActiveX client for IE browsers (requires Admin or
        Power user privileges)
      • Win32 install (via MSI)
      • Netscape plug-in for Netscape and Mozilla
        browsers
  • 3rd party product integration (AV, Personal
    Firewall)
      • Symantec/Norton, McAfee, TrendMicro, Microsoft,
        WholeSecurity, Check Point ICS, etc.
  • Fully customizable via Citrix's EPA SDK
      • SDK available on Citrix Developers Network
      • SDK is well-integrated with Visual Studio.NET

22
Extending Web Interface
  • Provide users with the best possible Presentation
    Server experience
  • Provide administrators with the strongest level
    of control

[Diagram labels: Local Users, Corporate Laptop, Internet, Firewall, Web Interface, Advanced Access Control, Citrix Presentation Server Farm]
23
Upgrade to Advanced Access Control

[Diagram labels: Local Users, Corporate Laptop, Home Computer, Mobile PDA, Desktops, Phones, Partner Machine, Internet, Firewall, Access Gateway, Management Console, CPS Applications, Email Servers, Web or App Servers, File Servers]
24
Access Gateway and Advanced Access Control 4.2

Access Gateway
Advanced Access Control
Defining a new level of control and access!
25
(No Transcript)