Chapter 6. Security Features and Troubleshooting

NetScaler often sits in front of large web services and processes large amounts of data; some of these services handle credit card transactions or serve other sensitive data. It is therefore crucial that NetScaler is configured to protect that data. With this much traffic passing through the appliance, we may also need to troubleshoot network traffic or an individual session.

The following are some of the subjects that we will go through in this chapter:

  • Management best practices
  • Protecting against DDoS attacks
  • SSL and TLS best practices
  • Admin partitions
  • Auditing and AAA
  • Citrix Insight Services

Management best practices for security

Before configuring NetScaler for any type of service, we should always ensure that the appliance is locked down so that management access cannot be brute-forced, logins cannot be intercepted by a man-in-the-middle, and so on. As best practice we should:

  • Disable interfaces that are not used.
  • Do not enable features that we do not use.
  • Define an SNMP manager that alerts can be sent to. Prefer SNMPv3, which provides authenticated and encrypted traffic; SNMPv1/v2c community strings are sent in clear text.
  • Disable HA heartbeat monitoring on disabled interfaces in an HA setup.
  • Change the nsroot password.
  • Set up external authentication to NetScaler, which allows AD group-based access, restricts who can log in, and makes changes easier to audit and control. To set up this feature we can follow this Citrix article: http://support.citrix.com/article/CTX123782. It is important that the authentication policy is bound at the global level and that the nsroot account has external authentication disabled. If not, anyone who can create an account named nsroot in Active Directory gets full admin access on NetScaler.
  • Use LDAP over SSL/TLS (LDAPS) for the connection to the directory whenever possible, so that bind credentials and user passwords are not sent in clear text.
  • Disable management access over plain HTTP and allow only secure (HTTPS) access. This can be done under System | IPs | nsip; mark the checkbox for Secure Access Only.
  • Set up authenticated (secure) NTP so that the appliance only accepts time from trusted servers; note that NTP authentication protects integrity, not confidentiality. Also harden the NTP daemon against being used in traffic-amplification attacks by following the instructions here: http://support.citrix.com/article/CTX200286.
  • Switch to public key authentication when using SSH with NetScaler: http://support.citrix.com/article/CTX109011.
  • Set up an external syslog server to gather error and information logs from the NetScaler appliance, or use Citrix Command Center, for instance. Logs kept only on the appliance can be altered or lost by whoever compromises it.
  • Enable ARP spoof validation so that a host on the same subnet cannot hijack traffic by answering ARP requests with a spoofed MAC address. This can be enabled under System | Network | configure global arp parameters.
  • Create a custom SSH banner for those logging in using SSH: http://support.citrix.com/article/CTX124517.
  • Disable ICMP on virtual IP addresses unless it is required. ICMP scanning is a common way to discover live hosts, and disabling ICMP on all VIPs makes the appliance harder to enumerate. Check first that no monitoring system relies on pinging the VIPs.
  • Disable SSH and other management access on SNIP addresses unless a SNIP is deliberately used for management; this is configured per SNIP address. Management services should only listen on the NSIP.
  • Create a full backup each time we change the configuration. Remember that changes are first stored only in the running configuration and must be saved explicitly to the stored configuration; if we make a change that locks us out and have not yet saved it, rebooting NetScaler returns the appliance to the state before the change. It is also important to keep a configuration backup on network storage in case of emergency; backups can be created under System | Backup and Restore and then downloaded through the web management interface or copied with SFTP from the folders under /var/ns_sys_backup.
  • Configure secure RPC communication. By default, NetScaler appliances in an HA or GSLB setup communicate over RPC without encryption. To switch to secure communication, configure the RPC node under System | Network | rpc and enable the Secure option. Note that this has to be configured on the other appliances as well.
  • Keep NetScaler up to date. Citrix releases new builds regularly and many of them contain security fixes for known vulnerabilities, as well as performance fixes and new features. However, do not rush to deploy the latest build, as some builds introduce other issues; read the release notes and known issues before upgrading.
  • If we place NetScaler in a virtual environment, disable the hypervisor's ARP/MAC protection features for its port group, since a NetScaler answers for multiple IP addresses from the same MAC address on a single port, which these protection features may treat as spoofing.
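The steps above as a NetScaler CLI script. This is an added example and not the book's own configuration or a Citrix-published script; it assumes a NetScaler 10.5 or later command set, and every IP address, interface, group name and password in it is a placeholder chosen for illustration. The NTP key options and the SNMPv3 trap binding are the least certain parts and should be checked against the command reference for the build in use.

```nscli
# Added example: CLI equivalents of the hardening list above. Run from the
# nscli shell on a test appliance first. Addresses, names and passwords are
# placeholders; nothing here is taken from a real deployment.

# Unused interfaces: shut them down and stop HA from monitoring them
disable interface 1/3
disable interface 1/4
set interface 1/3 -haMonitor OFF
set interface 1/4 -haMonitor OFF

# Features: enable only what this appliance actually serves
disable ns feature CS CR CMP
enable ns feature LB SSL AAA

# SNMPv3: manager, view, authPriv group and a user with SHA auth + AES privacy
add snmp manager 10.0.0.50
add snmp view v3_all 1 -type included
add snmp group v3_ro authPriv -readViewName v3_all
add snmp user monitor -group v3_ro -authType SHA -authPasswd 'Auth-Passw0rd!' -privType AES -privPasswd 'Priv-Passw0rd!'
# Assumed syntax for a v3 trap destination; verify against the command reference
add snmp trap generic 10.0.0.50 -version V3
bind snmp trap generic 10.0.0.50 -userName monitor -securityLevel authPriv

# nsroot: new password, and never authenticated externally
set system user nsroot -password 'N3w-Str0ng-Passw0rd!' -externalAuth DISABLED

# External authentication: LDAPS to Active Directory, bound globally
add authentication ldapAction ad_ldaps -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=nsbind,ou=svc,dc=example,dc=com" -ldapBindDnPassword 'Bind-Passw0rd!' -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN
add authentication ldapPolicy pol_ad_ldaps ns_true ad_ldaps
bind system global pol_ad_ldaps -priority 10
# AD groups map to NetScaler system groups by CN; bind command policies per group
add system group "NetScaler-Admins"
bind system group "NetScaler-Admins" -policyName superuser -priority 100
add system group "NetScaler-ReadOnly"
bind system group "NetScaler-ReadOnly" -policyName read-only -priority 100

# Management plane: HTTPS-only GUI and no telnet/ftp on the NSIP,
# no management access on the SNIP, no ICMP on a VIP that need not answer ping
set ns ip 10.0.0.5 -gui SECUREONLY -telnet DISABLED -ftp DISABLED
set ns ip 10.1.0.5 -mgmtAccess DISABLED
set ns ip 10.2.0.80 -icmp DISABLED

# Authenticated NTP (key id 1 must exist in /nsconfig/ntp.keys; option names assumed)
add ntp server 10.0.0.20 -key 1
set ntp param -authentication YES -trustedKey 1
enable ntp sync

# External syslog for an off-box audit trail
add audit syslogAction act_syslog 10.0.0.60 -logLevel ALL -logFacility LOCAL0
add audit syslogPolicy pol_syslog ns_true act_syslog
bind system global pol_syslog -priority 20

# ARP spoof validation
set arp param -spoofValidation ENABLED

# Secure RPC between HA/GSLB peers; repeat with the same secret on every node
set rpcNode 10.0.0.5 -password 'Rpc-Secr3t!' -secure YES
set rpcNode 10.0.0.6 -password 'Rpc-Secr3t!' -secure YES

# Persist the running config (lost on reboot otherwise) and take a full backup;
# the archive lands under /var/ns_sys_backup and should be copied off-box via SFTP
save ns config
create system backup hardening_baseline -level full
```

Apply the block before any services are configured, and keep a console or HA-peer session open while changing the NSIP and SNIP management settings, since a typo there is exactly the lock-out the backup step exists to recover from.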