Authentication

Going Beyond 2FA With Citrix NetScaler


Mobility is becoming both the present and the future of working professionals because organizations have found it essential to embrace the flexibility of a mobile workforce if they want to stay competitive and expand their global presence.

With the latest trend of allowing access to company resources at any time, in any location, the question of security always comes up.

Citrix NetScaler two-factor authentication is the standard for most Citrix deployments. When a user connects remotely, they are prompted for something they know and something they have.

Generally, this is a combination of a Microsoft Windows password and a one-time password authenticating to a RADIUS server. This certainly adds an extra layer of protection and I recommend implementing just this.

But there are still better ways to improve your remote access security.

Picture this: I am a user at your organization visiting my favorite vacation spot in the entire world– Honolulu, Hawaii. While chowing down at the breakfast buffet, I receive an emergency call that requires me to connect to an application running in your Citrix environment.

So being the hardworking employee I am, I hastily head downstairs to the lobby, jump on the nearest workstation and browse to my NetScaler 2FA page. I enter what I know and open an app on my smartphone to enter my one-time password.

You might be thinking everything sounds good at this point. But what happens if in the heat of the moment, I pull a Dory from one of my favorite Disney movies, “Finding Nemo”, and walk away without remembering to log off?

Anyone could easily walk up and click on a virtual application or desktop and gain access to hundreds of files sensitive to my organization. When I’m asked by customers how this scenario can be mitigated, I always give them these few pieces of advice:

Configure a Timeout Policy

Citrix has many tools in their utility belt to alleviate the above scenario from occurring. Try enabling a timeout policy on the NetScaler Gateway page to disconnect users after a short idle time. This may be a little frustrating to the user when they are prompted to log back in, but the security benefits are astronomical.

Use DigitalPersona Composite Authentication from Crossmatch

Citrix and Crossmatch have partnered to enable multi-factor authentication on individual virtual applications—meaning users can be required to use a fingerprint, OTP or other specified credential when launching specific virtual applications. Not only is this effortless for the user—they no longer need to remember a password for each application—but it also makes it more difficult for perpetrators to gain access to applications where most of the sensitive information lives.

Control Published Resource Visibility

Magic tricks have intrigued me since I was a kid. And this little trick of hiding resources will have an overall impact on the security and usability of your Citrix environment. Consider implementing a delivery group access policy using exclusion filters or StoreFront SDK filters to hide sensitive applications depending on when and where a user is connecting from.

So, What is the Best Solution?

The answer in most cases will probably be a mixture of one or two security measures. Protecting the front door using NetScaler two-factor authentication might even be enough for your organization. But if you’re reading this and are looking to go beyond NetScaler 2FA for your mobile workforce, know there are additional options available to you.

Ryan Friess is a Solutions Engineer for Crossmatch DigitalPersona Composite Authentication. In this role, he is responsible for implementing and demonstrating the Crossmatch’s DigitalPersona® composite authentication solution. Ryan earned a Computer Engineering and Computer Science degree from Florida Atlantic University. He holds over six Citrix certifications in both networking and virtualization, as well as multiple Microsoft Server 2008 and 2012 certifications. Aside from enjoying being a technical engineer, Ryan enjoys spending his eating at his favorite sushi spots or taking a walk on the boardwalk in the sunny Florida weather.
Authentication
The New Security Perimeter in a Borderless Enterprise
Authentication
Revisiting the NIST 800-63-3 SMS Authentication Conversation
Authentication
Cybersecurity Protects $17 Million from Phishing Attacks
There are currently no comments.