Security Standards and Deployment Scenarios

XenApp 6 Security Standards and Deployment Scenarios© 2011 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy StatementContentsXenApp 6 Security Standards and Deployment Scenarios4 XenApp 6 Security Standards and Deployment Scenarios5 Security Considerations in a XenApp Deployment6 Country-Specific Government Information7FIPS 140 and XenApp8TLS/SSL Protocols10Government Ciphersuites11IP Security12Citrix Single Sign-on13Smart Cards14Kerberos Authentication15Citrix Plug-ins16 Standards Summary17 Virtual Channels19Additional XenApp Security Features20 Deployment Samples21 Sample A – Using the SSL Relay22 How the Components in Sample Deployment A Interact23Security Considerations in Sample Deployment A24 Sample B – Using Secure Gateway (Single-Hop)26 How the Components in Sample Deployment B Interact28Security Considerations for Sample Deployment B30 Sample C – Using Secure Gateway (Double-Hop)32 How the Components in Sample Deployment C Interact34Security Considerations in Sample Deployment C35 Sample D – Using the SSL Relay and the Web Interface37 How the Components in Sample Deployment D Interact39Security Considerations for Sample Deployment D40 Sample E – Using Citrix Single Sign-on and Secure Gateway (Single-Hop)42How the Components in Sample Deployment E Interact44 Security Considerations for Deployment Sample E45XenApp 6 Security Standards and Deployment ScenariosCitrix products offer the security specialist a wide range of features for securing a XenAppsystem according to officially recognized standards.Security standards as they apply to Citrix XenApp 6.0 for Microsoft Windows Server 2008 R2are discussed here. These topics provide an overview of the standards that apply to XenAppdeployments and describe the issues involved in securing communications across a set ofsample XenApp deployments. For more information about the details of the individualsecurity features, refer to the relevant product or component documentation.When deploying XenApp within large organizations, particularly in governmentenvironments, security standards are an important consideration. For example, manygovernment bodies in the United States and elsewhere specify a preference or requirementfor applications to be compliant with FIPS 140. These topics address common issues relatedto such environments.These topics are designed for security specialists, systems integrators, and consultants,particularly those working with government organizations worldwide.DeploymentXenApp provides server-based computing to local and remote users through theIndependent Computing Architecture (ICA) protocol developed by Citrix.ICA is the communication protocol by which servers and client devices exchange data in aXenApp environment. ICA is optimized to enhance the delivery and performance of thisexchange, even on low bandwidth connections.As an application runs on the server, XenApp intercepts the application’s display data anduses the ICA protocol to send this data (on standard network protocols) to the pluginsoftware running on the user’s client device. When the user types on the keyboard or movesand clicks the mouse, the plugin software sends the data generated for processing by theapplication running on the server.ICA requires minimal client workstation capabilities and includes error detection andrecovery, encryption, and data compression.A server farm is a collection of XenApp servers that you can manage (from the DeliveryServices Console) as a single entity. A server can belong to only one farm, but a farm caninclude servers from more than one domain. The design of server farms has to balance thegoal of providing users with the fastest possible application access with that of achievingthe required degree of centralized administration and network security.Note that in XenApp deployments that include the Web Interface, communication betweenthe server running the Web Interface and client devices running Web browsers (and pluginsoftware) takes place using HTTP.In a XenApp deployment, administrators can configure encryption using either of thefollowing:q SSL Relay, a component that is integrated into XenAppq Secure Gateway, a separate component provided on the XenApp installation mediaDeploymentXenApp provides server-based computing to local and remote users through theIndependent Computing Architecture (ICA) protocol developed by Citrix.ICA is the communication protocol by which servers and client devices exchange data in aXenApp environment. ICA is optimized to enhance the delivery and performance of thisexchange, even on low bandwidth connections.As an application runs on the server, XenApp intercepts the application’s display data anduses the ICA protocol to send this data (on standard network protocols) to the pluginsoftware running on the user’s client device. When the user types on the keyboard or movesand clicks the mouse, the plugin software sends the data generated for processing by theapplication running on the server.ICA requires minimal client workstation capabilities and includes error detection andrecovery, encryption, and data compression.A server farm is a collection of XenApp servers that you can manage (from the DeliveryServices Console) as a single entity. A server can belong to only one farm, but a farm caninclude servers from more than one domain. The design of server farms has to balance thegoal of providing users with the fastest possible application access with that of achievingthe required degree of centralized administration and network security.Note that in XenApp deployments that include the Web Interface, communication betweenthe server running the Web Interface and client devices running Web browsers (and pluginsoftware) takes place using HTTP.In a XenApp deployment, administrators can configure encryption using either of thefollowing:q SSL Relay, a component that is integrated into XenAppq Secure Gateway, a separate component provided on the XenApp installation mediaCountry-Specific Government Information The following topics are of particular relevance to XenApp installations in Australia, theUnited Kingdom, and the United States:q FIPS 140 and XenAppq TLS/SSL Protocolsq Smart Cardsq Kerberos AuthenticationIn addition, for information on Common Access Cards (of particular relevance toinstallations in the United States), see Smart Cards.For more information about issues specific to your country, contact your local Citrixrepresentative.FIPS 140 and XenAppFederal Information Processing Standard 140 (FIPS 140) is a U.S. Federal Governmentstandard that specifies a benchmark for implementing cryptographic software. It providesbest practices for using cryptographic algorithms, managing key elements and data buffers,and interacting with the operating system. An evaluation process that is administered bythe National Institute of Standards and Technology (NIST) National Voluntary LaboratoryAccreditation Program (NVLAP) allows encryption product vendors to demonstrate theextent to which they comply with the standard and, thus, the trustworthiness of theirimplementation.FIPS 140-1, published in 1994, established requirements for cryptographic modules toprovide four security levels that allowed cost-effective solutions appropriate for differentdegrees of data sensitivity and different application environments. FIPS 140-2, whichsuperceded FIPS 140-1 in 2002, incorporated changes in standards and technology since1994. FIPS 140-3, which is still in draft, adds an additional security level and incorporatesnew security features that reflect recent advances in technology.Some U.S. Government organizations restrict purchases of products that containcryptography to those that use FIPS 140-validated modules.In the U.K., guidance published by the Communications-Electronics Security Group (CESG)recommends the use of FIPS 140-approved products where the required use for informationis below the RESTRICTED classification, but is still sensitive (that is, data classifiedPRIVATE).The security community at large values products that follow the guidelines detailed in FIPS140 and the use of FIPS 140-validated cryptographic modules.To implement secure access to application servers and to meet the FIPS 140 requirements,Citrix products can use cryptographic modules that are FIPS 140 validated in Windowsimplementations of secure TLS or SSL connections.The following XenApp components can use cryptographic modules that are FIPS 140validated:q XenAppq Citrix online plug-in (inlcuding the Citrix online plug-in and citrix online plug-in Web)q Web Interfaceq SSL Relayq Secure Gateway for Windowsq Single sign-onq Offline applications (streaming)q SmartAuditorFIPS 140 and XenAppq Power and Capacity ManagementWhere the client and server components (listed above) communicate with the TLS or SSLconnection enabled, the cryptographic modules that are used are provided by the MicrosoftWindows operating system. These modules use the Microsoft Cryptography ApplicationProgramming Interface (CryptoAPI) and are FIPS 140 validated.The ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, first defined in Internet RFC 2246(/rfc/rfc2246.txt), uses RSA key exchange and TripleDES encryption.This is achieved as follows:q According to the Microsoft documentation(/en-us/library/cc750357.aspx), FIPS-compliant systemsthat use FIPS 140-certified cryptomodules can be deployed by following a prescribed setof steps. These steps include setting a particular FIPS local policy flag.q As noted in the Microsoft documentation referenced above, not all Microsoftcomponents and products check the FIPS local policy flag. Refer to the Microsoftdocumentation for instructions on how to configure these components and products tobehave in a FIPS-compliant manner.q Similarly, Citrix components do not check the FIPS local policy flag. Instead, these components must be configured to behave in a FIPS-compliant manner.q Specifically, Citrix components that use TLS must be configured to use government ciphersuites. This will cause the component to select one of the following ciphersuites:q RSA_WITH_3DES_EDE_CBC_SHA [RFC 2246]q RSA_WITH_AES_128_CBC_SHA [FIPS 197, RFC 3268]q RSA_WITH_AES_256_CBC_SHA [FIPS 197, RFC 3268]Given the accuracy of the above statements, and assuming that all these steps arefollowed, the resulting XenApp configuration will use FIPS 140 cryptomodules in aFIPS-compliant manner.For a list of currently validated FIPS 140 modules, see/cryptval/140-1/1401val.htm.For more information about FIPS 140 and NIST, visit the NIST Web site at/cryptval/.TLS/SSL ProtocolsYou can secure communications between client devices and servers using either theTransport Layer Security (TLS) 1.0 or Secure Sockets Layer (SSL) 3.0 protocols. Theseprotocols are collectively referred to TLS/SSL.Both TLS and SSL are open protocols that provide data encryption, server authentication,message integrity, and optional client authentication for a TCP/IP connection. Note thatboth the SSL Relay and Secure Gateway support TLS and SSL.SSL is an open, nonproprietary security protocol for TCP/IP connections. If you want to usethe SSL Relay to secure communications between client devices and servers within theserver farm, you must install the SSL Relay on each server in the farm. Alternatively, youcan use Secure Gateway. Both the SSL Relay and Secure Gateway implementations arediscussed in this documentation.TLS, which is also an open standard, is the latest, standardized version of the SSL protocol.The SSL Relay also supports TLS; you can configure the SSL Relay, Secure Gateway, and theWeb Interface to use TLS. Support for TLS Version 1.0 is included in XenApp 6.0 and Singlesign-on 4.8.Because there are only minor differences between TLS and SSL, the server certificates inyour installation can be used for both TLS and SSL implementations.Government CiphersuitesYou can configure XenApp, the Web Interface, and Secure Gateway to usegovernment-approved cryptography to protect “sensitive but unclassified” data.For RSA key exchange and TripleDES encryption, the government ciphersuite isRSA_WITH_3DES_EDE_CBC_SHA.Alternatively, for TLS connections, you can use Advanced Encryption Standard (AES) asdefined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys.IP SecurityIP Security (IPSec) is a set of standard extensions to the Internet Protocol (IP) that providesauthenticated and encrypted communications with data integrity and replay protection.IPSec is a network-layer protocol set, so higher level protocols such as Citrix ICA can use itwithout modification.Although such sample deployments are outside the scope of this document, you can useIPSec to secure a XenApp deployment within a virtual private network (VPN) environment.IPSec is described in Internet RFC 2401.Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, Windows Server2008, and Windows Server 2003 have built-in support for IPSec.Citrix Single Sign-onCitrix Single sign-on increases application security for all XenApp applications, allowingorganizations to centralize password management while providing users with fast sign-onaccess to Web, Windows, and host-based applications.Smart CardsYou can use smart cards with XenApp, supported XenApp plug-ins, the Web Interface, andSingle sign-on to provide secure access to applications and data. Using smart cardssimplifies the authentication process while enhancing logon security. XenApp supportssmart card authentication to published applications, including “smart card-enabled”applications such as Microsoft Outlook.In a business network, smart cards are an effective implementation of public keytechnology and can be used for the following purposes:q Authenticating users to networks and computersq Securing channel communications over a networkq Securing content using digital signaturesIf you are using smart cards for secure network authentication, your users can authenticateto applications and content published on your server farms. In addition, smart cardfunctionality within these published applications is also supported.For example, a published Microsoft Outlook application can be configured to require thatusers insert a smart card into a smart card reader attached to the client device in order tolog on to a XenApp server. After users are authenticated to the application, they candigitally sign email using certificates stored on their smart cards.Citrix supports the use of Personal Computer Smart Card (PC/SC)-based cryptographic smartcards. These cards include support for cryptographic operations such as digital signaturesand encryption. Cryptographic cards are designed to allow secure storage of private keyssuch as those used in Public Key Infrastructure (PKI) security systems. These cards performthe actual cryptographic functions on the smart card itself, meaning that the private keyand digital certificates never leave the card. In addition, you can use two-factorauthentication for increased security. Instead of merely presenting the smart card (onefactor) to conduct a transaction, a user-defined PIN (a second factor) known only to theuser, is used to prove that the cardholder is the rightful owner of the smart card.Smart Card SupportCitrix continues testing various smart cards to address smart card usage and compatibilityissues with XenApp.XenApp supports the Common Access Card in a deployment that includes the Citrix onlineplug-in for Windows. Contact your Common Access Card vendor or Citrix representative formore information about supported versions of Common Access Card hardware and software.Citrix tests smart cards using certificates from common certificate authorities such as thosesupported by Microsoft. If you have any concerns regarding your certificate authority andcompatibility with XenApp, contact your local Citrix representative.Kerberos AuthenticationKerberos is an authentication protocol. Version 5 of this protocol is standardized as InternetRFC 1510. Many operating systems, including Microsoft Windows 2000 and later, supportKerberos as a standard feature.XenApp extends the use of Kerberos. When users log on to a client device, they can connectto XenApp without needing to authenticate again. The user’s password is not transmitted toXenApp; instead, authentication tokens are exchanged using the Generic Security ServicesAPI (GSSAPI) standardized in Internet RFC 1509.This authentication exchange is performed within an ICA virtual channel and does notrequire any additional protocols or ports. The authentication exchange is independent ofthe logon method, so it can be used with passwords, smart cards, or biometrics.To use Kerberos authentication with XenApp, both the client and server must beappropriately configured. You can also use Microsoft Active Directory Group Policyselectively to disable Kerberos authentication for specific users and servers.Citrix Plug-insWith the Citrix online plug-in installed on their client devices, users can work withapplications running on XenApp servers. Users can access these applications from virtuallyany type of client device over many types of network connection, including LAN, WAN,dial-up, and direct asynchronous connections. Because the applications are not downloadedto the client devices (as with the more traditional network architecture), applicationperformance is not limited by bandwidth or device performance.Citrix plug-ins are available for Windows, Macintosh, Linux, UNIX, and Windows CEoperating systems, and the Java Runtime Environment. Additionally, you can use the Citrixonline plug-in Web with Web browsers that support ActiveX controls or Netscape plug-ins.Citrix plug-ins for Windows use cryptographic modules provided by the operating system.Other plug-ins, including the Client for Java, contain their own cryptographic modules. TheClient for Java can, therefore, be used on older Windows operating systems that do notsupport strong encryption.The Standards Summary table lists the latest versions of the available plug-ins. The tablespecifies whether each plug-in is FIPS 140 compliant, supports TLS, includes smart cardsupport, uses government ciphersuites, supports certificate revocation checking, andsupports Kerberos authentication. Note that certificate revocation checking is applicable toplug-ins running on Windows XP, Windows Vista, and Windows 7 only. Where the latestversion of a plug-in does not completely supersede a previous version (for example, aparticular operating system may be supported only by an earlier plug-in version), the earlierversion of the plug-in is also listed.Standards SummaryThe following table summarizes the standards relevant to the various Citrix plug-ins:Plug-in type FIPS140TLS TripleDES AES CRLcheckSmartcardKerberosCitrix online plug-in 12.x*¹******Citrix online plug-in Web12.x*¹******Client for Windows CEfor Windows-BasedTerminals 10.x*²** *Client for Windows CEfor Handheld and PocketPCs 10.x*²** *Client for Macintosh 10.x *** **Client for Linux 10.x ** *Client for Java 9.x **** *³Client for Sun Solaris 8.x ** *Notes:¹ These plug-ins inherit FIPS 140 compliance from the base operating system, Windows.² These plug-ins inherit FIPS 140 compliance from the base operating system, Windows CE.³ Kerberos authentication is not supported when the Client for Java is running on Mac OS X client devices.The table below shows the certificate source for plug-ins that support at least one of the security features listed in the table above. Plug-ins marked “OS” use certificates stored in the operating system certificate store, those marked “Plug-in” use certificates bundled with the plug-in, and plug-ins marked “JRE” use certificates stored in the Java keystore.Plug-in type Root certificate sourceCitrix online plug-in 12.x OSCitrix online plug-in Web 12.x OSClient for Windows CE for Windows-BasedTerminals 10.xOSClient for Windows CE for Handheld andPocket PCs 10.xOSClient for Macintosh 10.x OSStandards SummaryClient for Linux 10.x Plug-inClient for Java 9.x JRE (Java 1.4.x)JRE or OS (Java 1.5.x or later) Client for Sun Solaris 8.x Plug-inVirtual ChannelsThe following table shows which ICA virtual channels (or combination of virtual channels)can be used with XenApp for authentication and application signing or for encryptionmethods.Smart cardvirtual channel Kerberos virtualchannelCore ICA protocol (novirtual channel)Smart cardauthentication**Biometric¹authentication*Passwordauthentication**Applicationsigning/encryption* ¹ Third-party equipment is required for biometric authentication.Additional XenApp Security Features The following products can be used with XenApp to provide additional security. Theseadditional security measures are not included in the sample deployments.ICA Encryption Using SecureICAICA encryption with SecureICA is integrated into XenApp. With SecureICA, you can use up to128-bit encryption to protect the information sent between a XenApp server and users’client devices. However, it is important to note that SecureICA does not use FIPS140-compliant algorithms. If this is an issue, you can configure XenApp servers and plug-insto avoid using SecureICA.Authentication for the Web Interface Using RSA SecurIDYou can use the third-party product RSA SecurID as an authentication method for the WebInterface running on Internet Information Services. If RSA SecurID is enabled, users must logon using their credentials (user name, password, and domain) plus their SecurID PASSCODE.The PASSCODE is made up of a PIN followed by a tokencode (the number displayed on theuser’s RSA SecurID token).RSA SecurID supports authentication on both XenApp and Single sign-on. Authentication for the Web Interface Using SafeWordYou can use the third-party product Aladdin SafeWord as an authentication method for theWeb Interface running on Internet Information Services. If SafeWord is enabled, users mustlog on using their credentials (user name, password, and domain) plus their SafeWordpasscode. The passcode is made up of the code displayed on the user’s SafeWord token,optionally followed by a PIN.SafeWord supports authentication on XenApp, but not on Single sign-on.Deployment SamplesTo make a XenApp deployment FIPS 140 compliant, you need to consider eachcommunication channel within the installation. The following deployment samples showhow users can connect to XenApp servers with different configurations of components andfirewalls. In particular, the samples provide general guidance on how to make eachcommunication channel secure using TLS/SSL so that the system as a whole is FIPS 140compliant.Sample A – Using the SSL RelayThis deployment uses the SSL Relay to provide end-to-end TLS/SSL encryption between theXenApp server and the plugin.This diagram shows sample deployment A, which uses the SSL Relay.The deployment uses a server farm comprising XenApp 6 servers. Users run the Citrix onlineplug-in 12.x on their client devices.How the Components in Sample Deployment A InteractUse TLS/SSL to secure the connections between client devices and the XenApp servers. Todo this, deploy TLS/SSL-enabled plug-ins to users and configure the SSL Relay on theXenApp servers.This deployment provides end-to-end encryption of the communication between the clientdevice and the XenApp servers. Both the SSL Relay and the appropriate server certificatemust be installed and configured on each server in the farm.The SSL Relay operates as an intermediary in communication between client devices andthe XML Service on each server. Each client device authenticates the SSL Relay by checkingthe SSL Relay’s server certificate against a list of trusted certificate authorities. After thisauthentication, the client device and the SSL Relay negotiate requests in encrypted form.The SSL Relay decrypts the requests and passes them to the XenApp servers. All informationsent to the client device from the servers passes through the SSL Relay, which encrypts thedata and forwards it to the client device to be decrypted. Message integrity checks verifythat each communication has not been tampered with.This diagram shows a detailed view of sample deployment A.Security Considerations in Sample Deployment AFIPS 140 Validation in Sample Deployment AIn this deployment, the SSL Relay uses the Microsoft cryptographic service providers (CSPs)and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI toencrypt and decrypt communication between client devices and servers. For moreinformation about the FIPS 140 validation of the CSPs, see the Microsoft documentation.For Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2 (in a XenApp 6 farm),Windows Server 2008 (in a XenApp 5 farm), and Windows Server 2003 (in a XenApp 5 farm),TLS/SSL support and the supported ciphersuites can also be controlled using the followingMicrosoft security option:System cryptography: Use FIPS compliant algorithms for encryption, hashing, andsigningFor more information, see the documentation for your operating system.TLS/SSL Support in Sample Deployment AYou can configure XenApp to use either the Transport Layer Security 1.0 protocol or theSecure Sockets Layer 3.0 protocol. In sample deployment A, the components are configuredfor TLS.When using the SSL Relay Configuration Tool, ensure that TLS is selected on theConnection tab.Supported Ciphersuites for Sample Deployment A In this deployment, XenApp can be configured to use government-approved cryptography,such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect “sensitive butunclassified” data.When using the SSL Relay Configuration Tool, ensure that only GOV is selected on theCiphersuite tab.Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The governmentciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys andRSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in Internet RFC 3268/rfc/rfc3268.txt, these ciphersuites use RSA key exchange and AESencryption. For more information about AES, see /cryptval/des.htm.Security Considerations in Sample Deployment ACertificates and Certificate Authorities in Sample Deployment ACitrix products use standard Public Key Infrastructure (PKI) as a framework and trustinfrastructure. In sample deployment A, a separate server certificate is configured for eachXenApp server on which the SSL Relay is used. A root certificate is required for each clientdevice.Smart Card Support in Sample Deployment AIn this deployment, you can configure XenApp to provide smart card authentication. To dothis, you must configure authentication with Microsoft Active Directory and use theMicrosoft Certificate Authority.Plug-ins Used in Sample Deployment AIn this deployment, users access their applications using the Citrix plug-in. For moreinformation about the security features and capabilities of Citrix plug-ins, see CitrixPlug-ins.。