XenMobile security considerations


Over the past year or so, I have watched IT organizations of all shapes and sizes focus more and more on one key concept... SECURITY!

If your organization is like many of those we have worked with lately, you are probably asking which knobs to turn and which boxes to check so that your XenMobile deployment is "secure". Or maybe you just want to know what other customers are doing on that front and what you should be thinking about.

Well, I have good news for you! Those are exactly the questions this article will attempt to answer. One thing it will not cover is the decision-making process around the placement of XMS (DMZ vs. internal) and the use of SSL bridge versus SSL offload. That could be a good topic for a follow-up post if there is enough interest. 😉

I know none of us enjoys reading these, but let's get it out of the way early:

DISCLAIMER: This post is intended to provide guidance on basic security considerations when implementing XenMobile. It is not to be construed as an exhaustive list, and it does not extend to security considerations outside of the product itself. Customers should carefully validate architectural decisions and policy configurations with their security team to ensure they address the organization's unique security and user-experience requirements. Citrix assumes no responsibility for any security breaches, problems, configurations or architectural decisions that may result from the content of this post. Some of the settings described in this article have a considerable impact on the user experience and should not be implemented without adequate testing and validation.

On to the good stuff!
Let's start with some of the most obvious items.

FIPS mode: If your organization requires FIPS, XenMobile can be configured to meet that requirement, but it is not a one-time configuration. You need to make sure you have a FIPS NetScaler in place, enable FIPS during the XMS installation and configure the client properties accordingly. Be sure to make this decision early. This is not something you want to try toggling on or off once users are enrolled! Outside the public sector, it is not something we see a lot.

Timeout values: If you have not already, read my other post on XenMobile timeouts and how they work; there is no time like the present :). Understanding these values is CRITICAL to aligning the user experience with your security requirements. That post also offers some guidance on what we commonly see in terms of timeout settings at our more security-conscious customers.

So why mention it here? Because we have seen a few customers learn the hard way that making timeouts too restrictive can actually have a negative impact on security. If the timeout values are so low that users cannot be productive, they will look for other, less secure ways to do what they need to do, ultimately compromising your security posture rather than helping it! I cannot emphasize enough the importance of a thorough pilot and user acceptance testing cycle to get these values right.

Device passcode: Requiring a device passcode is particularly critical when iOS devices are in use, because iOS data protection is in many cases driven by the presence of a device passcode. See Apple's documentation for more information on this topic if you are interested, but the short version is that applications store potentially sensitive information in the keychain, and when a device passcode is enabled that keychain data is better protected. The presence of a device passcode also adds a layer of protection against a potential attacker trying to access even containerized (wrapped) enterprise applications and their data. The vast majority of our high-security customers enforce a device passcode in some fashion.

Console access: This is another one that is often overlooked. The level of exposure depends a little on the version of XenMobile you deploy, but did you know that the load balancer you set up for XMS/XDM access can also be used from outside your corporate network to reach certain management functions? Most of our security-conscious customers choose to restrict access to the console via one of a few methods. The most common is detailed in this post by Avinash.

Secure LDAP: This should be obvious, but I still see about half of our customers configure their LDAP connections on port 389. Keep in mind that this is not "secure", even though some customers treat it as if it were. If you go this route, passwords are sent in plaintext across your internal network and possibly even through your DMZ!!! This should not be done even in a POC if it can be avoided, because in most cases you are still using production credentials that could allow an attacker to access production systems. Take the extra time to secure these connections (LDAPS over TLS on port 636 rather than plain LDAP on 389) and load balance them, and confirm that the load balancer does not silently downgrade them back to plaintext on the way to the domain controllers.

The configurations above usually get a lot of attention and are fairly well understood these days, so let's look at a few others that are just as important but often overlooked. Here are some of the big ones we frequently see missed.

Max login attempts: This can actually be configured in a few different places when it comes to XenMobile, and all of them matter if you want to prevent a malicious user from turning your XenMobile deployment into an avenue for brute-force and account-lockout attacks. The XenMobile lockout limit can be specified in the LDAP configuration on XMS. There is a similar NetScaler Gateway configuration at the vServer level. To prevent account-lockout attacks through XMS or NG, both should be set to one less than the AD account lockout threshold. That way the user (or attacker) is blocked at XMS or NG before their AD account is locked out. The third configuration is a hidden client property called PASSCODE_MAX_ATTEMPTS, which controls the number of attempts that can be made against the offline Worx PIN or password on the device before online re-authentication is required. The default value is 15, which is usually lowered a bit in secure environments to be more in line with the AD account lockout threshold. Configuring an additional authentication factor (such as RADIUS) as the primary credential can also add value on this front. One caveat: AD resets its bad-password counter after the "Reset account lockout counter after" window, and the XMS and NG counters follow their own rules, so test the interaction end to end rather than trusting the numbers alone.
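To make the "one less than the AD threshold" rule concrete, here is an added example that is mine, not Citrix's code or anything taken from the product or the original post. It models the three counters as a small Python simulation. The field names are assumptions for the model, it ignores lockout observation windows, and it assumes each failed attempt reaches AD as an LDAP bind before the XMS or NetScaler Gateway front end counts the failure, which is exactly why a front-end limit equal to the AD threshold still lets an attacker lock the AD account:

```python
"""Model of how the XenMobile lockout counters interact with the AD account
lockout threshold. Added example with assumed field names; it is a
simplification (no lockout observation windows, one entry point per attack)
and is not taken from the product or the original post."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    ad_lockout_threshold: int    # AD "Account lockout threshold"; 0 means AD never locks
    xms_max_attempts: int        # lockout limit in the XMS LDAP configuration
    ng_max_attempts: int         # NetScaler Gateway vServer max login attempts
    passcode_max_attempts: int   # PASSCODE_MAX_ATTEMPTS client property (default 15)


def check_policy(p: LockoutPolicy) -> list:
    """Return findings against the post's guidance: XMS and NG limits should be
    exactly one less than the AD threshold, and PASSCODE_MAX_ATTEMPTS should not
    exceed it. An empty list means the policy is consistent."""
    findings = []
    if p.ad_lockout_threshold <= 0:
        findings.append("AD never locks accounts; XMS/NG limits are the only brute-force control")
        return findings
    target = p.ad_lockout_threshold - 1
    for name, value in (("XMS", p.xms_max_attempts), ("NetScaler Gateway", p.ng_max_attempts)):
        if value >= p.ad_lockout_threshold:
            findings.append(f"{name} limit {value} >= AD threshold {p.ad_lockout_threshold}: "
                            f"an attacker can lock AD accounts through {name}")
        elif value < target:
            findings.append(f"{name} limit {value} is below AD threshold - 1 ({target}): "
                            f"stricter than the guidance, expect more help-desk calls")
    if p.passcode_max_attempts > p.ad_lockout_threshold:
        findings.append(f"PASSCODE_MAX_ATTEMPTS {p.passcode_max_attempts} exceeds AD threshold "
                        f"{p.ad_lockout_threshold}; consider lowering it")
    return findings


def simulate_brute_force(p: LockoutPolicy, entry_point: str, max_attempts: int = 1000) -> tuple:
    """Replay wrong-password attempts through one entry point ("xms" or "ng") and
    return (component_that_locked, attempts_used, ad_account_locked).
    Each attempt is forwarded to AD as an LDAP bind before the front end counts
    the failure, so a front-end limit equal to the AD threshold locks AD too."""
    front_limit = {"xms": p.xms_max_attempts, "ng": p.ng_max_attempts}[entry_point]
    ad_failures = front_failures = 0
    for attempt in range(1, max_attempts + 1):
        ad_failures += 1      # the bind already hit the domain controller
        front_failures += 1   # now the front end records the failed login
        if p.ad_lockout_threshold > 0 and ad_failures >= p.ad_lockout_threshold:
            return ("AD", attempt, True)           # the real account is locked: DoS achieved
        if front_failures >= front_limit:
            return (entry_point.upper(), attempt, False)  # front end blocks first: AD untouched
    return ("none", max_attempts, False)


if __name__ == "__main__":
    # Constructed sample policies: the recommended shape versus a common mistake.
    recommended = LockoutPolicy(ad_lockout_threshold=10, xms_max_attempts=9,
                                ng_max_attempts=9, passcode_max_attempts=9)
    sloppy = LockoutPolicy(ad_lockout_threshold=10, xms_max_attempts=10,
                           ng_max_attempts=10, passcode_max_attempts=15)
    for label, policy in (("recommended", recommended), ("sloppy", sloppy)):
        print(label, check_policy(policy) or "OK")
        print("  brute force via NG:", simulate_brute_force(policy, "ng"))
```

Running it shows the recommended policy stopping the attacker at NG after 9 attempts with the AD account still usable, while the "sloppy" policy lets the 10th attempt lock the AD account before NG ever refuses a login.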

Certificate pinning: Certificate pinning is a XenMobile feature designed to reduce the risk of man-in-the-middle attacks. This setting is "off" by default and must be enabled via the Auto Discovery Service. It is something our most security-conscious customers make sure to enable. The downside is that if your certificate is mismanaged or compromised (including a routine renewal that changes the pinned certificate without the pin being updated), users may be forced to re-enroll, so be sure to weigh that when deciding whether or not to enable certificate pinning. More details are available in the Worx Home documentation.

Content flow: MDX policies give you control not only over whether data flows (or does not flow) out of the container, but also over how it can flow in. Most organizations do not seem to recognize inbound flow as much of a security threat and focus far more on preventing data leaks. Before reaching that conclusion, it is crucial to consider how enrolled devices and wrapped applications interact with back-end components. For example, are WorxMail users bypassing any mail content filtering solutions you may have in place? If so, your organization may also want to consider preventing data flow from unwrapped apps into wrapped applications.

Restrictions: There are a number of restrictions available through MDM and MDX policies in XenMobile, but which ones are important? This differs slightly from organization to organization, but there are a few trends that seem consistent no matter where we go. Our security-conscious customers generally all disable cloud/web-related services such as Siri, iCloud backups, etc., but it is also important to look at services like the iOS keyboard microphone (dictation), which is cloud-based even if you would not necessarily think so. These features can send sensitive data where you do not want it to go. Always consult the vendor documentation if you are unsure. The same applies to features like AirDrop, AirPlay and AirPrint, which allow users to send data to other devices with little effort. From there it is about giving users the minimum amount of access they need to be productive. This changes a bit when we talk about BYO devices, where we should be as minimally invasive as possible. In that scenario we want to control as much as possible through MDX policies and limit our use of MDM policies.

User entropy: User entropy is enabled when the ENCRYPT_SECRETS_USING_PASSCODE client property is set to "true". This setting adds an additional variable (user entropy, derived from the user's passcode) to the composition of the encryption keys. That means additional security, but it also has a significant impact on the number of Worx PIN/password prompts users will see. For this reason, most of our customers tend to leave this option set to "false"; only our most security-conscious customers choose to enable it.

In summary, there is a lot that goes into securing a XenMobile deployment. Try not to design these things in a bubble.

Involve your corporate security, legal and compliance teams so that everyone is on the same page about what makes sense for your organization. XenMobile offers an immense number of options and controls to assist with mobile security, but the right ones need to be enabled to make your specific solution effective. Hopefully this article gives you some food for thought and gets those conversations headed in the right direction.

One last thing: security is very important, but do not forget to balance it against the impact on the user experience. Finding a middle ground is crucial to a successful implementation.

Think there are other items that are vital to consider? Feel free to drop a comment below.

Ryan McClure
Architect | Citrix Consulting
