We speak with security practice manager Lee Foster.
Securing Citrix ADC (Netscaler) – The Basics
For those not living their day to day in the world of Citrix, the title of this blog post may come as a surprise. Citrix renamed their legendary Netscaler appliance along with their entire product suite earlier this year to streamline and simplify the portfolio. Netscaler has become Citrix ADC (Application Delivery Controller) so I’ll behave myself and refer to it as the new name from here on. The re-branding of the portfolio is nicely summed up over at CitrixGuru if you’re eager to know more:
This will be the first blog in a series of three covering the basics of securing, monitoring and reporting on your Citrix ADC deployment.
So let’s get started with basic security!
While there is an abundance of best practices and whitepapers detailing how to secure Citrix ADC, I come across many implementations that are worryingly insecure. Whenever I highlight this with IT Management, engineering or security teams they are naturally keen to plug these holes ASAP.
After some digging, I normally find it’s due to lack of understanding of the product, a disjoint in the handover from the integrator (if installed by a 3rd party) or the project budget was running out and corners were cut. Maybe it went in as a ‘proof of value’ and slipped into production. It’s particularly prevalent in businesses with the absence of a dedicated network/security team and the senior ‘all-rounder’ engineers are responsible for network stack but don’t fully understand Citrix ADC. They’re naturally reluctant to manage it, leaning towards the mind set of “If it’s not broken, don’t fix it”… until their world comes tumbling down following a major security breach…
Anyway, regardless of the reasons, it must be at least somewhat secured!
Here are 10 quick tips I’ve thrown together that will minimise the attack surface and harden your Citrix ADC implementation. I recommend further securing the Citrix ADC as per Citrix best practice but these steps will cover the basics with an hour or two of worthwhile effort…
- Change the default login! Yes, user: nsroot password: nsroot is left in place way too often.
- If running a physical appliance (MPX) ensure it is physically secured in a comms room with limited access to the front panel & console port.
- Configure role-based access security control (RBAC) for the admins and engineers that require access to the device with named accounts for each.
- Configure a low system session timeout for the GUI and CLI. This can be done at user/group level but before going that granular, it can be set globally:
GUI: Navigate to System > Settings, click Set global system parameters, and set the ANY Client Idle Time-out (secs) parameter.
CLI: At the command prompt, enter the following command:
set system parameter -timeout <secs>
- Use HTTPS for GUI management access, disable the HTTP access to the GUI management interface. To do so, run the following command:
> set ns ip <NSIP> -gui SECUREONLY
- Secure SSH access with public key authentication. You know the one, the warning you get when connecting via Putty over SSH… follow this and fix that:
- Patch it! Ensure the latest security patches and known stable firmware are applied.
- Ensure it’s secured by a firewall and that it’s management IP is not accessible from the internet.
- Configure logging to an external host, there’s a nice walkthrough here:
- Use Access Control Lists (ACLs) so that the Citrix ADC CLI and GUI are only accessible from controlled management VLANs / network segments.
I must stress, you can go much further in securing Citrix ADC but the above points are fairly easy to implement and will provide a nice baseline. It should bring some value to those sitting with a wide-open, unsecure appliance, and believe me, there’s plenty of them.
The next blog in this series will provide a free, simple solution for monitoring your Citrix ADC deployment. Stay tuned!
Join the Insentra Community with the Insentragram Newsletter
Hungry for more?
Veritas Risk Advisor & How Insentra can help you
With Veritas Risk Advisor, Insentra can perform an IT Risk Assurance assessment for one or more of your critical business services that are configured in a highly available manner with replication to a secondary datacenter.
Are you Smart Enough to Protect your Data?
Australians take heed! 69% of Americans think having their personal information stolen in their lifetime is inevitable.