United States | Securing Citrix ADC (Netscaler) – The Basics

John Gallacher - 23.11.201820181123

United States | Securing Citrix ADC (Netscaler) – The Basics

Join our community of 1,000+ IT professionals, and receive tech tips and updates once a week.

Securing Citrix ADC (Netscaler) – The Basics

United States | Securing Citrix ADC (Netscaler) – The Basics

For those not living their day to day in the world of Citrix, the title of this blog post may come as a surprise. Citrix renamed their legendary Netscaler appliance along with their entire product suite earlier this year to streamline and simplify the portfolio. Netscaler has become Citrix ADC (Application Delivery Controller) so I’ll behave myself and refer to it as the new name from here on. The re-branding of the portfolio is nicely summed up over at CitrixGuru if you’re eager to know more:

http://www.citrixguru.com/2018/05/08/citrix-rebranding-2018/

This will be the first blog in a series of three covering the basics of securing, monitoring and reporting on your Citrix ADC deployment.

So let’s get started with basic security!

While there is an abundance of best practices and whitepapers detailing how to secure Citrix ADC, I come across many implementations that are worryingly insecure. Whenever I highlight this with IT Management, engineering or security teams they are naturally keen to plug these holes ASAP.

After some digging, I normally find it’s due to lack of understanding of the product, a disjoint in the handover from the integrator (if installed by a 3rd party) or the project budget was running out and corners were cut. Maybe it went in as a ‘proof of value’ and slipped into production. It’s particularly prevalent in businesses with the absence of a dedicated network/security team and the senior ‘all-rounder’ engineers are responsible for network stack but don’t fully understand Citrix ADC. They’re naturally reluctant to manage it, leaning towards the mind set of “If it’s not broken, don’t fix it”… until their world comes tumbling down following a major security breach…

Anyway, regardless of the reasons, it must be at least somewhat secured!

Here are 10 quick tips I’ve thrown together that will minimise the attack surface and harden your Citrix ADC implementation. I recommend further securing the Citrix ADC as per Citrix best practice but these steps will cover the basics with an hour or two of worthwhile effort…

  1. Change the default login! Yes, user: nsroot password: nsroot is left in place way too often.
  2. If running a physical appliance (MPX) ensure it is physically secured in a comms room with limited access to the front panel & console port.
  3. Configure role-based access security control (RBAC) for the admins and engineers that require access to the device with named accounts for each.
  4. Configure a low system session timeout for the GUI and CLI. This can be done at user/group level but before going that granular, it can be set globally:

GUI: Navigate to System > Settings, click Set global system parameters, and set the ANY Client Idle Time-out (secs) parameter.

CLI: At the command prompt, enter the following command:

set system parameter -timeout <secs>

  1. Use HTTPS for GUI management access, disable the HTTP access to the GUI management interface. To do so, run the following command:

> set ns ip <NSIP> -gui SECUREONLY

  1. Secure SSH access with public key authentication. You know the one, the warning you get when connecting via Putty over SSH… follow this and fix that:

https://support.citrix.com/article/CTX109011

  1. Patch it! Ensure the latest security patches and known stable firmware are applied.
  2. Ensure it’s secured by a firewall and that it’s management IP is not accessible from the internet.
  3. Configure logging to an external host, there’s a nice walkthrough here:

http://support.citrix.com/article/CTX121728

  1. Use Access Control Lists (ACLs) so that the Citrix ADC CLI and GUI are only accessible from controlled management VLANs / network segments.

I must stress, you can go much further in securing Citrix ADC but the above points are fairly easy to implement and will provide a nice baseline. It should bring some value to those sitting with a wide-open, unsecure appliance, and believe me, there’s plenty of them.

The next blog in this series will provide a free, simple solution for monitoring your Citrix ADC deployment. Stay tuned!

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

United States | The AI Execution Gap: Why Belief Without Action is the New Business Risk

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.