Overview
Internet security is becoming more important as companies
connect their local networks to the Internet. One of the
most popular methods to secure an internal network from the
Internet is a firewall. A firewall allows an administrator
to permit access from the internal network to the Internet
while rejecting access from the Internet to the internal
network. This provides the corporation with a direct Internet
connection while keeping the internal network secure.
Citrix's
Internet technology allows users to run WinFrame sessions
over the Internet. This poses a challenge for maintaining Internet
security because Citrix's Independent Computing
Architecture (ICA) protocol is a relatively new networking protocol
that runs over TCP/IP using registered port 1494. Firewalls
do not understand ICA because it is not a "well known" networking
protocol. Therefore, allowing the ICA protocol to pass through the
firewall becomes a configuration challenge. Some types of firewalls
can be configured to pass ICA, while others cannot. ICA uses dynamic
port allocation much like the FTP protocol. The initial synchronization
between the WinFrame client and the WinFrame server occurs over port
1494, but the actual WinFrame session occurs over a dynamically allocated
port. For this reason, it might be necessary to allow connections over
a range of TCP/IP ports through the given firewall. If required, these
connections should be allowed only between the client and the server.
The WinFrame TCP/IP client uses UDP (User Datagram Protocol), part
of the TCP/IP protocol suite, when browsing for a WinFrame server.
UDP is a connectionless protocol: it does not guarantee delivery,
ordering, or freedom from duplicate datagrams, because it leaves
these functions to other protocol layers. The WinFrame client
broadcasts UDP packets to the network with a destination port of
UDP 1604 (0644 hex); the client's source port is any high UDP port
(any port above 1023). A WinFrame server replies with a UDP packet
whose data area contains the names of the current WinFrame servers,
and the pull-down list is built from this information. This use of
UDP can be eliminated by connecting to the server's IP address
rather than by browsing.
Most firewalls use one of four architectures:
    Packet Filtering Gateway
    Circuit Level Gateway
    Application Proxy
    Stateful Inspection
These four firewall architectures pose different configuration challenges
for passing the ICA protocol. Some of the firewalls have built-in abilities
to allow new protocols such as ICA to be passed, while others require
specific workarounds.
Packet Filtering Gateways
Packet filtering gateways are the easiest to configure for
ICA but provide the least security. A packet filter analyzes
each IP packet at the network layer and determines whether
to pass or block it based on a set of rules. A packet filtering
gateway is more of an intelligent router than a firewall.
If the packet filter has a rule specified in its rule base
that allows communication between two specific addresses,
packets are allowed to travel through the firewall to the
specified address. If no rule is available for a given address,
the packet is rejected and not allowed to pass through the
firewall.
To configure a packet filtering gateway to pass the ICA protocol, insert
a rule in the packet filter's rule base that allows communications
to the WinFrame server over port 1494. Depending on the vendor and
model of the packet filtering gateway, this could involve defining
a rule that allows traffic over port 1494 to and from certain machines
or groups of machines inside and outside of the network.
Circuit Level Gateways
Circuit level gateways operate at the session level used by TCP/IP
and UDP. A circuit is a logical connection that is maintained
for a period of time, then torn down or disconnected. The firewall
verifies the circuit when it is first created. Once the circuit is
verified, subsequent data transferred over the circuit is not checked.
Circuit level gateways can limit which connections can be made through
the gateway and can be configured for the ICA protocol. They provide
a moderate level of security.
Configuring circuit level gateways to pass the ICA protocol
involves allowing circuits to be made through the gateway
on port 1494. Once the circuit is allowed, connections to
WinFrame servers are verified through a circuit that allows
WinFrame sessions through the gateway.
Application Proxies
Application proxies are probably the most secure
firewalls but a special proxy must be written for a given
protocol. Proxy servers provide in-depth knowledge of IP
protocols and allow application level analysis. They examine
each packet of information as it passes through the gateway.
Proxy servers are not designed to allow for new types of
protocols. To pass a new protocol through a proxy server,
you must develop a workaround.
The most common workaround for proxy servers is a service called
SOCKS. This service is loaded on the proxy server and allows
new protocols to be passed through the proxy server without
writing a full application proxy for the new protocol. While
this is a workable solution, not all proxy servers support
the SOCKS services. Some vendors are currently working on transparent
interfaces much like SOCKS that could allow proxy servers to
pass new protocols such as ICA. At the present time, no proxies
or SOCKS-compatible services are available for ICA.
Configuring
a proxy server to pass the ICA protocol requires allowing
communications over port 1494 to the WinFrame server. It
should be noted that this is not supported by all proxy servers.
Because opening a port on the firewall can pose a security
risk, it is recommended that communication be allowed to
initiate only from inside the local network. Allowing access
over port 1494 from the Internet could pose a serious security
risk. Therefore, it is suggested that only WinFrame clients
from the local network be allowed to connect to WinFrame
servers on the Internet.
Stateful Inspection
Stateful Inspection (SI) is a new firewall technology that
lends itself to the configuration of new protocols. Stateful
inspection expands on packet filtering by adding state information
derived from past communications and other applications.
Some of the new SI firewalls allow new protocol definitions
to be added to the firewall with minimal work. Much like
a packet filtering gateway, SI firewalls can be easily configured
to allow new protocols to be passed through the firewall
over defined ports. In addition to this ease of configuration,
the SI firewalls can provide added security to these new
protocols by performing packet inspection as the packets
move through the firewall. Some SI firewalls, for example
Checkpoint Firewall-1, have a scripting language that allows
custom scripts to be written for packet inspection. This
adds an extra layer of security above packet filtering while
keeping ease of configuration. The SI firewalls have the
ability to inspect all levels of the TCP/IP packets, allowing
inspection scripts to be as simple or complex as required.
Configuring SI firewalls to pass the ICA protocol requires
defining the ICA protocol as a network service. The ICA protocol
should be defined on port 1494 with a dynamic source port allocation;
that is, above port 1023. Rules can then be added to the rule
base to allow users to access WinFrame servers. It should be
noted that allowing inbound connections from the Internet could
pose a security problem. Most SI firewalls do perform some
level of packet inspection even without a custom inspection
script. This provides an extra level of security above packet
filtering; however, it is an issue that should be researched
depending on the model of firewall used.
While many firewalls can be configured to pass the ICA protocol, take
measures to ensure a secure environment.
Network Topologies for Using Firewalls With WinFrame
There are three basic network topologies for using firewalls with WinFrame
and the ICA protocol:
    Clients can connect to WinFrame servers on the Internet from their local
    area networks through a firewall
    Internet users can access a WinFrame server that is behind a corporate
    firewall
    Virtual Private Network (VPN) architecture
Allowing Connections to a WinFrame Server on the Internet
For local users to access WinFrame servers on the Internet,
ICA packets must be passed through the firewall in an outbound
direction to the Internet. Depending on the type of firewall
being used, this could involve opening up port 1494 on the
firewall to allow outbound access to the Internet. Because
the local users are considered to be inside the trusted domain,
a minimal security risk is involved.
In this configuration, a WinFrame client behind the firewall can initiate
a WinFrame session to a WinFrame server anywhere on the Internet. Because
port 1494 is only open to outbound access from the local network, there
is little security risk involved in this setup.
Allowing Connections to a WinFrame Server Behind the Firewall
For Internet users to access a WinFrame server behind the corporate
firewall, ICA packets must be passed in an inbound direction through
the firewall. In this situation, port 1494 should be opened for inbound
communication from the Internet.
Caution: If connections over port 1494 are allowed to all machines
behind the firewall, a hole is opened that exposes the entire internal
network to the Internet. Therefore, for security reasons, inbound communications
over port 1494 from the Internet should be allowed to connect only
to the WinFrame server(s).

In this configuration, WinFrame users on the Internet are able to connect
to a WinFrame server behind the corporate firewall.
Caution: Anything the WinFrame server is connected to can be
seen by the Internet client when it logs in. For this reason, it is
recommended that some level of security be implemented on the WinFrame
server to restrict access from Internet users.
Allowing WinFrame Connections in a Virtual Private Network
New firewall technologies allow the extension of the corporate network
through the firewall to remote sites. In a situation like this, two
office networks in different parts of the world can be linked together
over a secure channel on the Internet. By implementing a firewall
solution that supports Virtual Private Networking (VPN) at both sites,
a secure connection can be created that encrypts data as it passes
over the Internet from one site to the other.
For WinFrame to run in a VPN architecture, allow communication over
port 1494 in the desired direction from the secured network on the
other side of the VPN. In a situation like this, an administrator has
the option of allowing connections originating from in front of the
firewall or from behind the firewall. This is possible because in a
VPN architecture both sides of the VPN are considered secure. For WinFrame
sessions to run from both sides of the VPN, communication must be opened
for port 1494 in both directions. An example of one way communication
over a VPN is shown below.

In this configuration, a WinFrame client behind Firewall Corporate
1 can connect to a WinFrame server that is behind Firewall Corporate
2. To configure this setup, Firewall Corporate 1 must allow outgoing
communication over port 1494 and Firewall Corporate 2 must allow inbound
communication over port 1494 from Firewall Corporate 1.
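The rule bases described for the three topologies above, together with the difference between a packet filtering gateway and stateful inspection from the firewall architectures section, as an added Python example that is not part of this document or of any Citrix product. It models a rule base over constructed packet traces: port 1494 is the ICA port from the document, while the addresses (10.1.x.x for site 1, 10.2.x.x for the other end of the VPN, 198.51.100.x for the Internet), rule names, and client port numbers are assumptions made for the demonstration.

```python
"""Model of the firewall rules this document describes for ICA on TCP 1494.

Added example, not Citrix's code: a stateless packet filter and a stateful
inspection filter are run over constructed packet traces for the three
topologies (outbound only, inbound to one server, one-way VPN).  Addresses,
rule names and client port numbers are constructed for the demonstration.
"""
from collections import namedtuple

ICA_PORT = 1494                   # registered ICA port (from the document)
HIGH_PORTS = range(1024, 65536)   # dynamic client ports, above 1023
ANY = "*"

Packet = namedtuple("Packet", "proto src sport dst dport")
# src/dst are host specs: '*' = any, '10.1.' = whole network, else exact host
Rule = namedtuple("Rule", "name proto src dst dports sports", defaults=[HIGH_PORTS])


def host_ok(host, spec):
    return spec == ANY or (spec.endswith(".") and host.startswith(spec)) or host == spec


def matches(rule, p):
    return (p.proto == rule.proto and host_ok(p.src, rule.src)
            and host_ok(p.dst, rule.dst)
            and p.dport in rule.dports and p.sport in rule.sports)


class StatelessFilter:
    """Packet filtering gateway: each packet is judged on the rule base alone."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p):
        return "pass" if any(matches(r, p) for r in self.rules) else "drop"


class StatefulFilter(StatelessFilter):
    """Stateful inspection: remembers circuits opened under a rule and lets
    their return traffic back through without a separate reply rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()

    def decide(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "pass"                        # reply on a tracked circuit
        if any(matches(r, p) for r in self.rules):
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass"
        return "drop"


def run(filter_cls, rules, trace):
    fw = filter_cls(rules)
    return [fw.decide(p) for p in trace]


# Constructed addresses: 10.1.x.x is site 1, 10.2.x.x is site 2 (the other
# end of the VPN), 198.51.100.x stands in for hosts on the Internet.
CLIENT, WF_SERVER, OTHER_HOST = "10.1.0.7", "10.1.0.50", "10.1.0.9"
NET_SERVER, NET_HOST = "198.51.100.20", "198.51.100.9"


def outbound_only():
    """Topology 1: local clients reach WinFrame servers on the Internet."""
    out_rule = Rule("ica-out", "tcp", "10.1.", ANY, {ICA_PORT})
    # A stateless filter also needs an inbound rule over the whole high-port
    # range for the session to come back; that rule admits unsolicited packets too.
    reply_rule = Rule("ica-reply", "tcp", ANY, "10.1.", HIGH_PORTS, {ICA_PORT})
    trace = [Packet("tcp", CLIENT, 3001, NET_SERVER, ICA_PORT),    # session open
             Packet("tcp", NET_SERVER, ICA_PORT, CLIENT, 3001),    # server reply
             Packet("tcp", NET_HOST, ICA_PORT, OTHER_HOST, 3002)]  # unsolicited
    return {"stateless": run(StatelessFilter, [out_rule], trace),
            "stateless+reply": run(StatelessFilter, [out_rule, reply_rule], trace),
            "stateful": run(StatefulFilter, [out_rule], trace)}


def inbound_to_server():
    """Topology 2: the rule names the WinFrame server only, so the rest of the
    internal network stays closed to inbound 1494."""
    rules = [Rule("ica-in", "tcp", ANY, WF_SERVER, {ICA_PORT})]
    trace = [Packet("tcp", NET_HOST, 4000, WF_SERVER, ICA_PORT),
             Packet("tcp", NET_HOST, 4001, OTHER_HOST, ICA_PORT),
             Packet("tcp", WF_SERVER, ICA_PORT, NET_HOST, 4000)]   # server reply
    return run(StatefulFilter, rules, trace)


def vpn_one_way():
    """Topology 3, Firewall Corporate 2: inbound 1494 only from site 1's network."""
    rules = [Rule("ica-vpn-in", "tcp", "10.1.", "10.2.", {ICA_PORT})]
    trace = [Packet("tcp", CLIENT, 3003, "10.2.0.50", ICA_PORT),    # site 1 -> site 2
             Packet("tcp", "10.2.0.8", 3004, WF_SERVER, ICA_PORT),  # site 2 -> site 1
             Packet("tcp", NET_HOST, 3005, "10.2.0.50", ICA_PORT)]  # not via the VPN
    return run(StatefulFilter, rules, trace)
```

The outbound case shows the trade-off the document describes: with only the outbound rule, a stateless filter drops the server's reply, so the administrator must open the whole high-port range inbound, which also lets an unsolicited packet with source port 1494 through; the stateful filter passes the reply because it remembers the circuit and still drops the unsolicited packet. The inbound and VPN cases show that naming the WinFrame server (or the peer site's network) in the rule, rather than any internal host, is what keeps the rest of the internal network closed.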
Configuring a Firewall for TCP/IP WinStations
Citrix ICA traffic uses the registered port 1494
with the TCP protocol. If you have a firewall or other TCP/IP network
security protection, you need to configure it to allow information
to pass to this port number on any WinFrame servers on your network.
Allowing ICA traffic through a firewall generally entails defining
a rule to allow port access for port 1494 traffic in the proper
direction. If a user receives a "There is no route to the specified address" message,
this is usually due to a firewall not allowing port 1494 access.
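A quick check an administrator can run from the client's side of the firewall before users report the "no route" message, as an added Python example that is not part of this document or of any Citrix tool. A plain TCP connection to the WinFrame server's ICA port distinguishes a filtered port (the connect times out) from a host that answers but has nothing listening on 1494 (the connect is refused); the local listener and the free-port helper exist only so the check can be demonstrated offline, and the server address and port passed to the check are assumptions.

```python
"""Connectivity check for the ICA port (TCP 1494) through a firewall.

Added example, not part of the document: a TCP connect to the WinFrame
server's port shows whether the firewall rule for 1494 is in place.  The
local listener below stands in for a WinFrame server so the check can be
run offline; in use, call ica_port_reachable(<server address>, 1494).
"""
import contextlib
import socket
import threading

ICA_PORT = 1494   # registered ICA port (from the document)


def ica_port_reachable(host, port=ICA_PORT, timeout=3.0):
    """Return (True, 'open') if a TCP connection to host:port completes,
    otherwise (False, reason).  A timeout usually means a filter is
    silently dropping the packets; 'refused' means the host answered but
    nothing listens on that port (an ICAPORT mismatch, for instance)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except TimeoutError:
        return False, "timeout (filtered or no route)"
    except ConnectionRefusedError:
        return False, "refused (host up, port closed)"
    except OSError as exc:
        return False, f"error: {exc}"


@contextlib.contextmanager
def local_listener():
    """Stand-in server on 127.0.0.1 and a free port; yields the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()          # accept and immediately hang up
            except OSError:
                return                # listener has been shut down

    threading.Thread(target=accept_loop, daemon=True).start()
    try:
        yield port
    finally:
        with contextlib.suppress(OSError):
            srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        srv.close()


def free_closed_port():
    """A loopback port nothing listens on (bound, then released), for the
    'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    with local_listener() as port:
        print("listening port:", ica_port_reachable("127.0.0.1", port))
    print("closed port:", ica_port_reachable("127.0.0.1", free_closed_port()))
```

Run against the real server from a client workstation, a timeout points at the firewall rule (or the route), while a refusal points at the server's port setting rather than the firewall.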
If your firewall does not support port 1494 (for example, if your firewall
does not support port numbers greater than 1024 or port 1494 is in
use by another application), you can configure the client and server
to use a different port number. Use the ICAPORT command-line utility
to change the default port number on the server. All WinFrame client
computers must then be changed to use the new port by editing the MODULE.INI
initialization file located in the Remote Application Manager directory.
Refer to the WinFrame Client User Guide for more information
about the MODULE.INI file.