Security Vulnerabilities?


Security Vulnerabilities?

Ray Jantz
Hi,

I need to persuade a sys admin that guacamole is secure enough to deploy in an enterprise.  Security is not one of my strong points, so I'm wondering if anyone can comment on this subject and maybe offer some talking points I can use?

Thanks

Re: Security Vulnerabilities?

Cayetano Gómez

First, sorry for my bad English.

I use a balanced Guacamole cluster with nginx as reverse proxy and balancer.

Nginx has user certificates to authenticate users, and Guacamole uses user and password credentials.

It is very secure; nginx has some strong add-ons for security improvements, easy monitoring and tracing. Use it in a chroot environment, installed on a separate machine from the Guacamole servers.

Regards

On 14/12/16 at 19:27, Ray Jantz wrote:
Hi,

I need to persuade a sys admin that guacamole is secure enough to deploy in an enterprise.  Security is not one of my strong points, so I'm wondering if anyone can comment on this subject and maybe offer some talking points I can use?

Thanks

--

Cayetano Gómez / Director of Operations [hidden email] / +34 606 57 3333

SVTCloud
902 602 015
Parque Científico y Tecnológico Agroalimentario de Lleida Edificio H1 2pta 25003 Lleida
http://www.svtcloud.com



Re: Security Vulnerabilities?

Mike Jumper
In reply to this post by Ray Jantz
On Wed, Dec 14, 2016 at 10:27 AM, Ray Jantz <[hidden email]> wrote:
> Hi,
>
> I need to persuade a sys admin that guacamole is secure enough to deploy in
> an enterprise.

That is exactly Guacamole's intended use.

> Security is not one of my strong points, so I'm wondering if
> anyone can comment on this subject and maybe offer some talking points I can
> use?
>

We do have code review processes in place intended to prevent this
sort of thing, as well as automated static analysis scans via CI.
There are no current known vulnerabilities. Historically, there have
been two reported vulnerabilities, both of which were fixed:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566 (see
https://glyptodon.org/jira/browse/GUAC-1465)

In general, I would argue that the architecture of Guacamole actually
serves to increase the security of a remote desktop deployment. Its
nature as a gateway reduces overall attack surface, with all traffic
routed through an authentication layer and strong encryption (assuming
you set up proper SSL/TLS, of course). That gateway aspect also allows
admins to more tightly control which remote desktops can and cannot be
accessed by authorized users, rather than exposing access to an entire
subnet of remote desktops via VPN, for example.

Thanks,

- Mike
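
The layout described in this thread (nginx terminating TLS, requiring user certificates, and balancing across Guacamole servers that still ask for a username and password) could look like the following. This is an added sketch, not configuration from either poster or from the Guacamole project; the host names, addresses, and file paths are placeholders, and session pinning with `ip_hash` is an assumption.

```nginx
# Added example: every name, address and path below is a placeholder.
upstream guacamole_backend {
    ip_hash;                        # assumption: keep each client on one backend
    server 10.0.0.11:8080;          # Guacamole server 1 (servlet container)
    server 10.0.0.12:8080;          # Guacamole server 2
}

server {
    listen 443 ssl;
    server_name guac.example.com;

    # Server-side TLS: the only path to the remote desktops is encrypted.
    ssl_certificate     /etc/nginx/tls/guac.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/guac.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # First factor: user certificates. Requests that do not present a
    # certificate chaining to this CA are refused by nginx and never
    # reach the Guacamole login page.
    ssl_client_certificate /etc/nginx/tls/user-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location /guacamole/ {
        # Second factor: Guacamole's own username/password login.
        proxy_pass         http://guacamole_backend;
        proxy_buffering    off;     # the tunnel streams; do not buffer it
        proxy_http_version 1.1;     # required for WebSocket upgrade
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $http_connection;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Plain HTTP is only ever redirected to the TLS listener.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}
```

The backend ports should be reachable only from the proxy host, so the certificate check cannot be bypassed by connecting to a Guacamole server directly.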