Thanks for info!
I was thinking the same way, just wanted to make sure I was on track. The other reason for this is that I may be able to propose it as an alternative to a client requiring IPSEC system we use that is clunky at best and also controlled by a 3rd party...something I am not very keen on..
My main concern was that I have to make sure it fulfills standards set by government and other parties that, dare I say it, take so long to ratify anything it is out of date by the time we are allowed to use it to keep our accreditation for the connection. So if I can make this secure then I may be able to propose it as an alternative if I can get the right people to say it is ok.
Although not mentioned within work, I can foresee a need for people to be able to access allowed applications and the like from anywhere at anytime in case of a policy change or emergency.
I was looking to beef up the security of not only the connection but also that data passed through it using the Cisco Secure Desktop, something I have been playing around with in my 'spare time' at work. This would mean that any data used by the connections and downloaded data is removed on log out. I was then thinking about using RADIUS/token based authentication for this and then take them straight to the Citrix log on page.
The main problem I have is the confidentiality/protective marking of the data...bane of my life..but this may overcome any problems with that aside from shoulder surfers.
See how it goes anyway....during the pilot, knowing my luck, they might say that it is not worth it. This would be a shame as I can see so much potential for it, just finding it hard to put it across without mentioning the access from anywhere, which I have been 'told' should be kept quiet unless asked for.....


Something about not making more work for ourselves and some other not very good reasons. However I will keep trying to break them down from within..should be in place before they even know what is happening...
