Posted to user@guacamole.apache.org by Ray Jantz <ra...@gmail.com> on 2016/12/14 18:27:51 UTC

Security Vulnerabilities?

Hi,

I need to persuade a sys admin that guacamole is secure enough to deploy in
an enterprise.  Security is not one of my strong points, so I'm wondering
if anyone can comment on this subject and maybe offer some talking points I
can use?

Thanks

Re: Security Vulnerabilities?

Posted by Cayetano Gómez <ca...@svtcloud.com>.
First, sorry for my bad English.

I use a Guacamole balanced cluster with an nginx as reverse proxy and 
balancer.

Nginx has user certificates to authenticate users, and the Guacamoles use 
username and password credentials.

It is very secure; nginx has some strong add-ons for security 
improvements, easy monitoring and tracing. Use it in a chroot environment 
and installed on a separate machine from Guacamole's servers.

Regards

On 14/12/16 at 19:27, Ray Jantz wrote:
> Hi,
>
> I need to persuade a sys admin that guacamole is secure enough to 
> deploy in an enterprise.  Security is not one of my strong points, so 
> I'm wondering if anyone can comment on this subject and maybe offer 
> some talking points I can use?
>
> Thanks

-- 

SVTCloud <http://www.svtcloud.com>

Cayetano Gómez / Director of Operations
cayetano@svtcloud.com <ma...@svtcloud.com>/ +34 606 57 3333

SVTCloud
902 602 015
Parque Científico y Tecnológico Agroalimentario de Lleida Edificio H1 
2pta 25003 Lleida
http://www.svtcloud.com

This message and the documentation attached to it as an annex are 
addressed exclusively to its recipient. Anyone who receives this e-mail 
in error is informed that reading, copying and using it are prohibited, 
since it contains CONFIDENTIAL INFORMATION subject to professional 
secrecy, whose disclosure is prohibited by law. If you have received it 
in error, we ask that you notify us immediately by this same means at the 
address svtcloud@svtcloud.com or by telephone (902 602 015), refraining 
from making copies of the message, forwarding it or handing it to another 
person, and deleting it immediately.


Re: Security Vulnerabilities?

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Dec 14, 2016 at 10:27 AM, Ray Jantz <ra...@gmail.com> wrote:
> Hi,
>
> I need to persuade a sys admin that guacamole is secure enough to deploy in
> an enterprise.

That is exactly Guacamole's intended use.

> Security is not one of my strong points, so I'm wondering if
> anyone can comment on this subject and maybe offer some talking points I can
> use?
>

We do have code review processes in place intended to prevent this
sort of thing, as well as automated static analysis scans via CI.
There are no current known vulnerabilities. Historically, there have
been two reported vulnerabilities, both of which were fixed:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566 (see
https://glyptodon.org/jira/browse/GUAC-1465)

In general, I would argue that the architecture of Guacamole actually
serves to increase the security of a remote desktop deployment. Its
nature as a gateway reduces overall attack surface, with all traffic
routed through an authentication layer and strong encryption (assuming
you set up proper SSL/TLS, of course). That gateway aspect also allows
admins to more tightly control which remote desktops can and cannot be
accessed by authorized users, rather than exposing access to an entire
subnet of remote desktops via VPN, for example.

Thanks,

- Mike
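The deployment Cayetano describes (nginx terminating TLS, authenticating browsers with client certificates, and proxying to Guacamole running on a separate host) and Mike's point about routing all traffic through an authenticated, encrypted gateway can both be captured in one nginx server block. The configuration below is an added illustration written for this page; it is not code from either poster or from the Guacamole project. The hostname guac.example.com, the backend address 10.0.0.10:8080, the certificate paths and the X-Client-DN header name are assumptions. The proxy directives inside the /guacamole/ location follow the pattern the Guacamole manual documents for nginx.

```nginx
# Added example (not from the thread): nginx as a TLS-terminating reverse proxy
# in front of the Guacamole web application, with mutual-TLS client-certificate
# authentication in front of Guacamole's own username/password login.
# All hostnames, addresses and file paths below are assumed placeholders.
server {
    listen 443 ssl;
    server_name guac.example.com;                                 # assumed hostname

    # Server certificate: terminates TLS for the browser side
    ssl_certificate     /etc/nginx/tls/guac.example.com.crt;      # assumed path
    ssl_certificate_key /etc/nginx/tls/guac.example.com.key;      # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Mutual TLS: only browsers presenting a certificate issued by this CA
    # reach the Guacamole login page at all; everything else is rejected here.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;          # assumed path
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Tell browsers to never fall back to plain HTTP for this host
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /guacamole/ {
        # Guacamole web app on a separate backend machine (assumed address)
        proxy_pass http://10.0.0.10:8080/guacamole/;
        proxy_buffering off;                 # required for the Guacamole tunnel
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;          # WebSocket upgrade
        proxy_set_header Connection $http_connection;

        # Forward the verified client-certificate subject so backend and proxy
        # logs can tie a Guacamole session to the certificate that opened it
        proxy_set_header X-Client-DN $ssl_client_s_dn;   # assumed header name

        access_log /var/log/nginx/guacamole.access.log;  # assumed path
    }
}

# Redirect plain HTTP so credentials never travel in cleartext
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}
```

Two points worth checking before reusing this: `ssl_verify_client on` refuses every connection without a valid client certificate, so the Guacamole login form is never exposed to anonymous clients; `optional` would instead pass `$ssl_client_verify` to the backend and leave the decision there. Run `nginx -t` after installing the files, and confirm that the backend host accepts port 8080 only from the proxy, since the gateway model Mike describes only holds if the Guacamole servers are not reachable directly.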