{"id":1544,"date":"2018-11-23T01:00:00","date_gmt":"2018-11-23T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/securing-citrix-adc-netscaler-the-basics\/"},"modified":"2018-11-23T01:00:00","modified_gmt":"2018-11-23T01:00:00","slug":"securing-citrix-adc-netscaler-the-basics","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/secure-workplace\/securing-citrix-adc-netscaler-the-basics\/","title":{"rendered":"Securing Citrix ADC (Netscaler) \u2013 The Basics"},"content":{"rendered":"

For those not living their day to day in the world of Citrix, the title of this blog post may come as a surprise. Citrix renamed their legendary Netscaler appliance along with their entire product suite earlier this year to streamline and simplify the portfolio. Netscaler has become Citrix ADC (Application Delivery Controller) so I\u2019ll behave myself and refer to it as the new name from here on. The re-branding of the portfolio is nicely summed up over at CitrixGuru if you\u2019re eager to know more:<\/p>\n

http:\/\/www.citrixguru.com\/2018\/05\/08\/citrix-rebranding-2018\/<\/a><\/strong><\/p>\n

This will be the first blog in a series of three covering the basics of securing, monitoring and reporting on your Citrix ADC deployment.<\/p>\n

So let\u2019s get started with basic security!<\/p>\n

While there is an abundance of best practices and whitepapers detailing how to secure Citrix ADC, I come across many implementations that are worryingly insecure. Whenever I highlight this with IT Management, engineering or security teams they are naturally keen to plug these holes ASAP.<\/p>\n

After some digging, I normally find it\u2019s due to lack of understanding of the product, a disjoint in the handover from the integrator (if installed by a 3rd party) or the project budget was running out and corners were cut. Maybe it went in as a \u2018proof of value\u2019 and slipped into production. It\u2019s particularly prevalent in businesses with the absence of a dedicated network\/security team and the senior \u2018all-rounder\u2019 engineers are responsible for network stack but don\u2019t fully understand Citrix ADC. They\u2019re naturally reluctant to manage it, leaning towards the mind set of \u201cIf it\u2019s not broken, don\u2019t fix it\u201d\u2026 until their world comes tumbling down following a major security breach\u2026<\/p>\n

Anyway, regardless of the reasons, it must be at least somewhat secured!<\/p>\n

Here are 10 quick tips I\u2019ve thrown together that will minimise the attack surface and harden your Citrix ADC implementation. I recommend further securing the Citrix ADC as per Citrix best practice but these steps will cover the basics with an hour or two of worthwhile effort\u2026<\/p>\n

    \n
  1. Change the default login! Yes, user: nsroot password: nsroot is left in place way too often.<\/li>\n
  2. If running a physical appliance (MPX) ensure it is physically secured in a comms room with limited access to the front panel & console port.<\/li>\n
  3. Configure role-based access security control (RBAC) for the admins and engineers that require access to the device with named accounts for each.<\/li>\n
  4. Configure a low system session timeout for the GUI and CLI. This can be done at user\/group level but before going that granular, it can be set globally:<\/li>\n<\/ol>\n

    GUI:<\/strong>\u00a0<\/span>Navigate to System > Settings, click Set global system parameters, and set the ANY Client Idle Time-out (secs) parameter.<\/p>\n

    CLI:<\/strong>\u00a0<\/span>At the command prompt, enter the following command:<\/p>\n

    set system parameter -timeout <secs><\/p>\n

      \n
    1. Use HTTPS for GUI management access, disable the HTTP access to the GUI management interface. To do so, run the following command:<\/li>\n<\/ol>\n

      > set ns ip <NSIP> -gui SECUREONLY<\/p>\n

        \n
      1. Secure SSH access with public key authentication. You know the one, the warning you get when connecting via Putty over SSH\u2026 follow this and fix that:<\/li>\n<\/ol>\n

        https:\/\/support.citrix.com\/article\/CTX109011<\/a><\/strong><\/p>\n

          \n
        1. Patch it! Ensure the latest security patches and known stable firmware are applied.<\/li>\n
        2. Ensure it\u2019s secured by a firewall and that it\u2019s management IP is not accessible from the internet.<\/li>\n
        3. Configure logging to an external host, there\u2019s a nice walkthrough here:<\/li>\n<\/ol>\n

          http:\/\/support.citrix.com\/article\/CTX121728<\/a><\/strong><\/p>\n

            \n
          1. Use Access Control Lists (ACLs) so that the Citrix ADC CLI and GUI are only accessible from controlled management VLANs \/ network segments.<\/li>\n<\/ol>\n

            I must stress, you can go much further in securing Citrix ADC but the above points are fairly easy to implement and will provide a nice baseline. It should bring some value to those sitting with a wide-open, unsecure appliance, and believe me, there\u2019s plenty of them.<\/p>\n

            The next blog in this series will provide a free, simple solution for monitoring your Citrix ADC deployment. Stay tuned!<\/p>\n","protected":false},"excerpt":{"rendered":"

            For those not living their day to day in the world of Citrix, the title of this blog post may come as a surprise. Citrix renamed their legendary Netscaler appliance along with their entire product suite earlier this year to streamline and simplify the portfolio. Netscaler has become Citrix ADC (Application Delivery Controller) so I\u2019ll… Continue reading Securing Citrix ADC (Netscaler) \u2013 The Basics<\/span><\/a><\/p>\n","protected":false},"author":83,"featured_media":1545,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1544","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/users\/83"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/comments?post=1544"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1544\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media\/1545"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media?parent=1544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/categories?post=1544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/tags?post=1544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}