So you have this “NetScaler” thing to front end your XenApp or XenDesktop environment… But maybe you are like me and NetScaler Security isn't what you spend most of your day dealing with. So, how can you make sure, in light of recent security threats, that it is running properly? In a post in 2016 I discussed how to get an A+ Rating at SSL Labs for your NetScaler Gateway in under 5 minutes. I figured it was time for an update for 2017, taking some new things into consideration but approaching this from the point of view of someone like me who isn't “A NetScaler Person.”
(last update: January, 2019)
Given that my point of reference in 2012 was this wonderful Citrix blog article called “NetScaler for the XenApp Dummy” I thought I would pay homage with my own guide! And for the record, I'm not calling anyone a 'dummy'. I'm just trying to take the approach of not having any assumptions so everyone can understand. I've learned a lot just in writing this article! So don't be a dummy like I was- take NetScaler Security seriously even if you're just using it for NetScaler Gateway!
In this series you'll learn simple ways to increase your NetScaler security (especially for NetScaler Gateway) using our recommended 4-phase Methodology: Assess, Design, Change, Maintain.
Our first step will be to Assess the current state of your NetScalers and figure out what areas of risk you have.
First- I'm assuming you have a functional, running NetScaler with a NetScaler Gateway.
Second, I'm assuming you will have access to the following:
- Some basic knowledge of how TCP/IP and UDP works
- At least some basic knowledge of NetScalers
- Your NetScalers' administrative IPs (Called NSIPs)
- Your nsroot password (the main administrative password for NetScalers) or an elevated account
- A web browser with Java (if you have an older NetScaler version, anyway) – Chrome is my go-to here but Firefox works well too.
- Access to the subnet in which your NetScalers live – primary ports needed will be 80, 443 and 21 (SSH) and 22 (SCP)
- An account with Citrix to access Insight Services and possibly your license files
- Optional but recommended: A Windows admin machine or Server designated for access with PuTTY and WinSCP programs as well as a good text editor such as Notepad++
Third, a general warning- if you are running a FIPS NetScaler and don't know this stuff already- stop and hire an expert. FIPS NetScalers have built in security standards that must be approached carefully. Even a firmware update done incorrectly can permanently lock you out of a FIPS NetScaler. Know your limits!
Document Your Findings
During the Assess phase, our goal is simply to gather information. We are NOT taking actions right now. What I recommend is starting a document to begin writing down your findings so that during the Design phase you can address each item and know what you are doing before you schedule an outage for the Change phase. Your management will thank you. [A little career guidance tip: We all get busy and sometimes we need to delegate tasks. Following a process seems to be something that slows you down at first, but being the single point of failure does no one any good. Don't be a 'dummy' in that regard- be a professional. Even if you are the only one on the team, having things written down lowers your risks and makes you look the pro. In other words, this is how you differentiate yourself!]
The document doesn't have to be complex. Some folks even just use a spreadsheet. Regardless, you want to track several key areas for each finding. Here are some suggested areas you may want to include:
| Risk Area | Issue Details | Recommendations | Urgency | Importance | Owner | Status | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Typically Operational, Security, Functionality, Leading Practices, etc | An overview of the Risk | What should be done to address the Risk | Criticality of fixing the Finding (High, Medium, Low) | Impact of changing or not changing the Finding (High, Medium, Low) | Who will be responsible for making sure the risk is addressed | Not Started, Started, Complete | Configuration items, anything else you need to write down |
I have a spreadsheet I use to do this that I try to keep up to date as I make modifications. If you'd like a copy, contact me at the form below; or sign up for our Newsletter.
Reach Out for Help
If you are in over your head, this may not be the best thing to experiment with and find your way. What we are going to be going through will by its nature be restricting functionality. That's a key with any NetScaler Security initiative- reducing the attack surface by reducing certain functionality. Here are some suggestions:
- Set up a Test environment. Citrix makes a free NetScaler VPX available. It's limited in what it can do and only supports 5 Mbps, but it does have the ability to run NetScaler Gateway which is a key for our focus.
- Join the Citrix User Group Community. There is a wealth of unbiased information available here, folks just like you who don't mind helping each other out. Of course best of all- local groups! Just go to myCUGC.org to sign up. And let me know that you did! I really want to know how many folks join because I suggested it!
- Post on our Facebook Page. While moderated, if you are needing help- please post and we'll try to get someone in the ctxPro community to help out!
- Get me Feedback. I'm becoming very aware that people don't always like to post in public forums that don't have curated membership. I'd like your feedback on if forming one would be valuable to you.
- Hire Help! My company can help you if you need it- I'll have a contact form at the bottom of the page where you can contact me to learn more about having certified professionals look into this for you if you don't have the time or comfort in securing your NetScalers.
NetScaler Security Assessment Basic Tools
Let's get started! I'm going to focus on free tools in this article, but watch for more about monitoring options in part 4 that can make this process easier next time.
Note- these findings were current in late 2017. Always check for the latest leading practices but I'll update this article as I find them!
First- let's look at what the outside world sees. This is a key indicator for overall NetScaler security as usually we're most concerned with outside threats. As described in the earlier article, I would go to SSL Labs and use their free tool to scan your URL. I highly advise doing this for all of your URLs, but in our case we'll be focusing on the NetScaler Gateway we are using for a demo project we are doing. Quick note- make sure you check the box to not share your results on the boards!
Here's my first result:
You'll see here that this cert is a good enough strength, but is not an EV cert. For NetScaler Gateway- this is not really a problem, as EV certs are intended more for transaction handling.
You'll also note that we haven't yet set up which CA is authoritative for our domain (DNS CAA). In my particular case this is on purpose because I use both GoDaddy and Digicert for this domain. Therefore we cannot yet comply with RFC 6844 until we standardize across the board. I'm still investigating the appropriate use for this but look for this to be a big deal going forward. Your organization may want to consider this if you are processing transactions or other public-facing content.
Next, let's look at ciphers by scrolling down on the page.
Uh oh. Here's my first recommendation to write down. This configuration is still using SSL 3. More on that in a moment.
Next you'll see a list of Ciphers that the server hands out in its preferred order. While this does matter for security in regards to which ones it supports, one of my colleagues recently explained to me that for NetScaler Gateway, this confusing series of letters and numbers also represents the encryption used in terms of performance. The default seen here will be less secure and likely lead to more CPU usage. Good to know!
Scrolling down on the report more, you'll find a very cool feature for handshake simulations. This is simulating how different browsers or devices will connect and showing you the cipher used.
When making recommendations and testing, this is of HIGH importance in regards to NetScaler Gateway specifically because the more we lock things down, the fewer clients will be able to log on. So if you have Windows XP or Vista machines or certain older thin clients, pay attention to this list. During the design phase you'll want to determine Ciphers based on what your endpoints will support. Let's not get bogged down in details right now, however- write it down or take a screenshot and continue on!
Check the Not Simulated Clients collapsed menu for what your SSL cert will not support. As an example, here's the list of unsupported clients from a NetScaler Security simulation I did a few months ago:
Something tells me it won't be a problem but… if you have older clients connecting- it really is something to be aware of.
Finally- time for writing down some risks and recommendations on your SSL cert chain.
Click on each Red and Orange link for more detail and then determine which recommendations you'll be making and writing down. We'll be covering topics like tackling Secure Renegotiation and HTTP Strict Transport Security (HSTS). NOTE- HSTS does not affect an SSL Labs score today but it's nice to see they include testing for it. Take note of a “no” on HSTS.
SSL3 has been recommended to be shut down since 2014, but for compatibility reasons it is the default- not a great NetScaler Security practice, however! Important to know and don't be shocked if you see this coming up frequently. Along these same lines- pay attention to the other vulnerabilities such as BEAST and whether they have been mitigated server-side. Though SSL Labs doesn't include this in the rating system any more, I still think it's important for public facing IPs to be aware. Bottom line- in 95% of cases I've encountered, it can be disabled.
What we are really looking for looks more like this:
Next- DigiCert Tools: SSL Install Diagnostics and CertWizard can be very useful in making recommendations. I'm a huge fan of DigiCert. Use their SSL Installation Diagnostics Tool for free regardless of where you bought your cert. My story with this is that this checker saved my bacon identifying a bad XenMobile cert install, and just recently in my lab identifying a bad cert link.
The root cause of this? Initially the lab NetScaler had been set up with an address pointing to a different IP for the external (NAT) address, but we'd made a mistake in our outside DNS entry pointing that name to our other VIP address! Oops! Something to note in our document to change for sure. You'll also get confirmation of the SSL ciphers being listed as supported.
Next we'll be getting into the NetScaler itself and gathering some information. The easiest way is to gather information from your NetScaler and upload it to Citrix's free analysis tool, Insight Services.
Logon to the NetScaler GUI, first with http. If you get a logon screen, write down “http access allowed for GUI” in the findings. We want this to be only https. But more on that in the design phase.
If you just typed in nsroot twice, please write down “Default NSROOT password” in the findings. This is the second most common thing I find and it's a HUGE no-no!
Next- have a look at the system configuration.
Check the system time against the current real time. If there's a discrepancy, that could be a problem. Note that this page does not refresh the time so you may need to refresh.
Now look at the top-right hand corner.
If you are in production and don't have an HA pair, this is another potential risk, especially when it's time to update! In production HA is always desirable so it's a good thing to write down.
Click on the username pull down for a quick reference of the firmware you are currently running.
Running the Latest NetScaler Firmware isn't always a leading practice, but checking your firmware against known vulnerabilities is!
We'll get to checking the firmware version shortly.
Let's get some information downloaded. Click on System and Diagnostics.
First- let's save our current configuration – click Saved Configuration (assuming you haven't made any changes recently).
Click Save text to a file and ns.conf will automatically download. I usually rename it with today's date.
Then click on Generate support file.
For later firmware versions, you will be presented with the option to upload the collector archive directly to Citrix Insight Services. Don't worry, you'll be presented with the option to download the file either way. Click Run and you'll see a window pop up. This process usually takes a few minutes, so be patient. The collector file can be fairly large.
Like- a long time. Sometimes I'll highlight a few of the lines at the bottom and keep scrolling to make sure it's still doing something; I'll admit it.
You should always see a confirmation when Citrix gets the upload, however. Watch for an email from [email protected] to pop up.
I typically download the file and rename it to the date or project.
You'll also get an email when the analysis is completed. Let's go have a look. Click the link in the email you got, or if you are wanting to upload the file manually, login to CIS (Citrix Insight Services) manually.
You'll see in the summary the highest priority items. I typically click the links here to see if it's something I need to worry about, but here's some more things to write down in our document!
Click on Analysis Results for more information about each issue and note them down. You'll see more than just items addressing NetScaler security here- other leading practices will be listed.
For example, in our case I see that I haven't yet configured the default behavior to drop invalid requests and still haven't locked down my management to only NSIP.
My fellow CUGC Nashville member and CTP Carl Webster has some great resources for getting documentation of an environment as well. Me, I usually download all of his current scripts and keep an updated local file.
Keep in mind that in order to run these scripts you'll need a relatively up-to-date PowerShell and have Word installed to generate the output file.
I usually copy the files to a specific location on my C drive and double-click
Or- from the command line
Continue from any warnings, then enter in the NSIP (Management address) of the first NetScaler and the username and password when that window pops up.
Repeat the process for any other NetScalers you may have. Expect a pretty long document- in my case it was 152 pages.
Pro Tip: When viewing a document like this in Word, click on View and activate the Navigation Pane.
This makes finding what you need much easier.
No script is perfect, and you probably want to confirm a few things. In our scope, we're primarily concerned with authentication, SSL and ACLs.
NetScaler Security Items to Check
Access Control Lists
New for 2017- we have something to write down in our findings if we see this:
Due to some potential threats, Citrix is now highly recommending that customers define a specific group of IP addresses allowed to administer NetScalers (jump boxes, for example) and lock down at the NetScaler level access from these IPs. Previously, most companies would simply configure firewalls outside of the NetScaler to do this, but that is not really adequate protection. We'll be talking a lot more about this in the Design phase because it will require some thought!
By the way- in the GUI, ACLs can be found in System / Network / ACLs
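Several of the findings named so far (SSL3 still enabled, HTTP access to the GUI, invalid requests not dropped, no ACLs) can be cross-checked against the ns.conf you saved earlier. The following is an added example, not part of the original article or any Citrix tool: `audit_ns_conf` and the sample configuration are constructed for illustration, and it assumes that a setting absent from ns.conf is still at its default (SSL3 enabled, GUI reachable over HTTP).

```python
import shlex

def audit_ns_conf(conf_text):
    """Return findings for the assessment document from a saved ns.conf."""
    nsip, secure_gui = None, set()
    ssl_vservers, ssl3_off = set(), set()
    drop_invalid = has_acl = False
    for raw in conf_text.splitlines():
        tok = shlex.split(raw, comments=True)   # honours quoted names, skips "#"
        if len(tok) < 3:
            continue
        head = " ".join(tok[:3]).lower()
        # "-option value" pairs; option names lower-cased, values upper-cased
        opts = {tok[i].lower(): tok[i + 1].upper()
                for i in range(3, len(tok) - 1) if tok[i].startswith("-")}
        if head == "set ns config" and "-ipaddress" in opts:
            nsip = opts["-ipaddress"]                       # the NSIP itself
        elif head == "set ns ip" and opts.get("-gui") == "SECUREONLY":
            secure_gui.add(tok[3])
        elif (tok[0] == "add" and tok[2].lower() == "vserver"
              and len(tok) > 4 and tok[4].upper() == "SSL"):
            ssl_vservers.add(tok[3])                        # vpn/lb/cs SSL vserver
        elif head == "set ssl vserver" and opts.get("-ssl3") == "DISABLED":
            ssl3_off.add(tok[3])
        elif head == "set ns httpparam" and opts.get("-dropinvalreqs") == "ON":
            drop_invalid = True
        elif head == "add ns acl":
            has_acl = True   # presence only; review what the ACL actually allows
    findings = [f"SSLv3 not disabled on SSL vserver {v}"
                for v in sorted(ssl_vservers - ssl3_off)]
    if nsip is None or nsip not in secure_gui:
        findings.append("HTTP access allowed for GUI")
    if not drop_invalid:
        findings.append("Invalid HTTP requests are not dropped")
    if not has_acl:
        findings.append("No ACLs restricting management access")
    return findings

# Constructed sample, not a real export.
SAMPLE_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add ns ip 10.0.0.20 255.255.255.0 -vServer DISABLED -mgmtAccess ENABLED
add vpn vserver gw_vs SSL 10.0.0.30 443
add lb vserver web_vs SSL 10.0.0.31 443
set ssl vserver web_vs -ssl3 DISABLED -tls12 ENABLED
set ns httpParam -dropInvalReqs ON
"""

# The same configuration with the remaining items addressed (also constructed).
HARDENED_CONF = SAMPLE_CONF + """\
set ns ip 10.0.0.10 -gui SECUREONLY -restrictAccess ENABLED
set ssl vserver gw_vs -ssl3 DISABLED
add ns acl mgmt_allow ALLOW -srcIP = 10.0.0.50 -destIP = 10.0.0.10 -priority 10
"""

if __name__ == "__main__":
    for finding in audit_ns_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

Each string it returns maps onto one row of the findings document; the result is a starting point for review, not a replacement for the Insight Services analysis.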
What prompted me to write this series, in fact, was a discovery in late September 2017 that prompted Citrix to remove every single NetScaler build from the website and replace them with newer code: https://support.citrix.com/article/CTX227928. So next on your list should be to verify first that this article has not been superseded, but for now make sure your firmware is HIGHER than these revisions:
- 12.0 earlier than build 53.13 (except for build 41.24)
- 11.1 earlier than build 55.13
- 11.0 earlier than build 70.16
- 10.5 earlier than build 66.9
- 10.5e earlier than build 60.7010.e
- 10.1 earlier than build 135.18
You can see if you look at the screenshot I took above that I am running build 12.0 51.24nc which is vulnerable. I will need to put this on my list as a high priority item.
UPDATE: Jan 23 2019
https://support.citrix.com/article/CTX240139 instructs about an additional vulnerability you need to know about.
Those with the following platforms can keep reading:
- MPX 5900 series
- MPX/SDX 8900 series
- MPX/SDX 15000-50G
- MPX/SDX 26000-50S series
- MPX/SDX 26000-100G series
- MPX/SDX 26000 series
You may also not be affected if you have completely disabled any CBC-based cipher suites.
You may have the issue if you are on SDX and newer platforms with the Intel Coletto SSL chip (if you aren't sure, you can check with instructions here):
- Citrix ADC and NetScaler Gateway version 12.1 earlier than build 50.31
- Citrix ADC and NetScaler Gateway version 12.0 earlier than build 60.9
- Citrix ADC and NetScaler Gateway version 11.1 earlier than build 60.14
- Citrix ADC and NetScaler Gateway version 11.0 earlier than build 72.17
- Citrix ADC and NetScaler Gateway version 10.5 earlier than build 69.5
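The two build lists above (CTX227928 and CTX240139) can be turned into a repeatable check for every NetScaler you assess. This is an added example, not code from the original article or from Citrix: the function names are hypothetical, the thresholds are copied from the lists on this page, and the `NS12.0: Build 51.24.nc` banner format is an assumption alongside the short `12.0 51.24nc` form quoted earlier.

```python
import re

# First builds NOT listed as affected, copied from the two lists on this page.
CTX227928 = {"12.0": (53, 13), "11.1": (55, 13), "11.0": (70, 16),
             "10.5": (66, 9), "10.5e": (60, 7010), "10.1": (135, 18)}
CTX227928_EXCEPT = {("12.0", (41, 24))}  # "except for build 41.24"
CTX240139 = {"12.1": (50, 31), "12.0": (60, 9), "11.1": (60, 14),
             "11.0": (72, 17), "10.5": (69, 5)}

# Matches "12.0 51.24nc" (as quoted on the page) and, as an assumption about
# the banner format, "NS10.5: Build 60.7010.e.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)\D+?(\d+)\.(\d+)(\.e)?")


def parse_build(text):
    """Return (branch, (build, sub_build)), e.g. ("12.0", (51, 24))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler version found in {text!r}")
    branch = m.group(1) + ("e" if m.group(4) else "")
    return branch, (int(m.group(2)), int(m.group(3)))


def check_firmware(text):
    """Return the advisories from this page whose build list includes `text`."""
    branch, build = parse_build(text)
    if branch not in CTX227928 and branch not in CTX240139:
        return ["UNLISTED-BRANCH"]  # neither list covers it: read the advisories
    hits = []
    fixed = CTX227928.get(branch)
    if fixed and build < fixed and (branch, build) not in CTX227928_EXCEPT:
        hits.append("CTX227928")
    fixed = CTX240139.get(branch)
    if fixed and build < fixed:
        # Per the page, this one also depends on platform and CBC cipher use.
        hits.append("CTX240139")
    return hits


if __name__ == "__main__":
    for banner in ("12.0 51.24nc", "NS12.0: Build 41.24.nc",
                   "NS10.5: Build 60.7010.e.nc", "NS12.1: Build 50.31.nc"):
        print(banner, "->", check_firmware(banner) or "not in either list")
```

A hit for CTX240139 still needs the platform and cipher-suite conditions described above before it goes into the findings document as confirmed.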
If you really want to dive in deep, keep an eye on https://www.cvedetails.com/vulnerability-list/vendor_id-422/product_id-12586/Citrix-Netscaler.html and similar sites to look for published CVEs.
As others are found, I'll go ahead and update this and other articles!
Citrix updates a list of recommended default settings at https://support.citrix.com/article/CTX121149 – it's best to review these and keep in mind that just because the article says to do it doesn't mean it should always be done. Test before anything- but honestly I recommend starting with these settings first. In terms of NetScaler Security specifically I'd recommend also reviewing the Secure Deployment Guide for NetScaler (PDF). Here's the reality, however- security is so much more important than a lot of these performance based recommendations for the NetScaler Gateway. If you are using the same NetScaler for advanced transaction processing and external load balancing of customer-facing web pages… there are probably other guides you should be reviewing in addition to this!
For now, we have what we need to get started and then some!
Urgency and Importance
Earlier I recommended a spreadsheet that we can sort by Urgency and Importance. This is where some level of experience and research will come in handy. You'll need to figure out the overall risk level (urgency) and how much impact it could potentially have on users (importance). I like to keep things simple, Low, Medium, and High.
Here's an example of what my spreadsheet looks like given what we found together above:
Now that I've got it all written down, I can sort it by Urgency and Importance and give a report to my team letting them know we have some work to do designing a solution!
Next Time in the NetScaler Security for the XenApp Dummy
Part II (published now!) covers Design; more specifically how you can identify step by step ways to address all of the NetScaler security problems you've identified so far so you can update your designs appropriately. We'll formulate a plan, test and schedule a change window!
For now, take a break. You've done a lot of work today but we're well on our way to far better NetScaler security.
Need Help or anything else? Shoot a message with your email and I'll get someone in touch with you if I can't help you directly!
Don't forget to sign up for our Newsletter!
Also, if you'd like to get a copy of the spreadsheet I mention, contact me!