Archive
Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work!
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to “pass first time” without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won’t cover StoreFront in this post.
Of course technically “bad guys” can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs so the external firewall rules no longer protect you).
- Remove unnecessary management tools (telnet and FTP are considered insecure so should always be disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that “Secure access only” is selected to force SSL access to the GUI
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won’t be used for management and untick “Enable management access”
- Change the default nsroot password to something long (obvious you’d think but you’d be amazed how many Netscalers I’ve seen that I can just log straight into using the default credentials!)
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won’t be able to make any changes, it’s still not a good idea for them to have this access!)
- If you are using…
Continue reading here!
//Richard
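The checklist Neil quotes above (telnet and FTP off, SNMP off unless something monitors the box, GUI secure-only, management access only on NSIP/SNIP, an LDAP filter group for admin logins) can be checked against a saved configuration before the pentest rather than after it. The script below is an added example for this archive page, not code from Neil's post or from Citrix: it parses the `add ns ip`, `set ns ip`, `set ns config` and `add authentication ldapAction` line shapes found in an `ns.conf` export and reports every setting the checklist says to change. The sample `ns.conf` fragment, the appliance defaults assumed for flags a line omits, and the function names are all the example's own assumptions; the nsroot-password item cannot be judged from the config file and is left out.

```python
"""Audit a NetScaler ns.conf export against the management-hardening checklist.

Example code added to this archive page, not part of the quoted post.
Line shapes and the defaults in IP_DEFAULTS are this example's assumptions
about ns.conf; verify them against your own appliance's export.
"""
import shlex

# Constructed ns.conf fragment used as sample input (not from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
set ns ip 10.0.0.5 -gui SECUREONLY -telnet DISABLED -ftp DISABLED -snmp DISABLED
add ns ip 10.0.0.6 255.255.255.0 -type SNIP -mgmtAccess ENABLED -telnet ENABLED -ftp ENABLED -gui ENABLED
add ns ip 203.0.113.10 255.255.255.255 -type VIP -mgmtAccess ENABLED -gui SECUREONLY -telnet DISABLED -ftp DISABLED -snmp DISABLED
add ns ip 10.0.0.7 255.255.255.0 -type SNIP
add authentication ldapAction LDAP_Admins_open -serverIP 10.0.0.20 -ldapBase "DC=corp,DC=local" -ldapLoginName sAMAccountName
add authentication ldapAction LDAP_Admins -serverIP 10.0.0.20 -ldapBase "DC=corp,DC=local" -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NetScalerAdmins,OU=Groups,DC=corp,DC=local"
"""

# Assumed appliance defaults for an IP whose ns.conf line omits a flag:
# management services are on unless explicitly disabled, and a plain
# SNIP/VIP has no management access unless -mgmtAccess ENABLED is set.
IP_DEFAULTS = {"type": "SNIP", "mgmtaccess": "DISABLED", "telnet": "ENABLED",
               "ftp": "ENABLED", "gui": "ENABLED", "snmp": "ENABLED"}


def parse_flags(tokens):
    """Turn ['-gui', 'SECUREONLY', '-telnet', 'DISABLED'] into a lowercase-keyed dict."""
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                flags[key] = tokens[i + 1]
                i += 2
                continue
            flags[key] = ""          # bare switch such as -encrypted
        i += 1
    return flags


def parse_ns_conf(text):
    """Collect per-IP management settings and LDAP actions from ns.conf lines."""
    ips, ldap_actions = {}, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)    # shlex keeps quoted values such as the LDAP filter whole
        if tokens[:3] == ["set", "ns", "config"]:
            flags = parse_flags(tokens[3:])
            if "ipaddress" in flags:  # the NSIP: management is always reachable here
                ips.setdefault(flags["ipaddress"], dict(IP_DEFAULTS)).update(
                    type="NSIP", mgmtaccess="ENABLED")
        elif tokens[:3] in (["add", "ns", "ip"], ["set", "ns", "ip"]):
            ip = tokens[3]
            rest = tokens[5:] if tokens[0] == "add" else tokens[4:]  # 'add' carries a netmask
            ips.setdefault(ip, dict(IP_DEFAULTS)).update(
                {k: v.upper() for k, v in parse_flags(rest).items()})
        elif tokens[:3] == ["add", "authentication", "ldapAction"]:
            ldap_actions[tokens[3]] = parse_flags(tokens[4:])
    return ips, ldap_actions


def audit(ips, ldap_actions):
    """Return (object, finding) pairs for every setting the checklist says to change."""
    findings = []
    for ip, s in sorted(ips.items()):
        if s["mgmtaccess"] != "ENABLED":
            continue                  # no management service listens on this IP
        if s["type"] == "VIP":
            findings.append((ip, "management access enabled on a VIP; keep it on NSIP/SNIP only"))
        if s["telnet"] != "DISABLED":
            findings.append((ip, "telnet enabled"))
        if s["ftp"] != "DISABLED":
            findings.append((ip, "ftp enabled"))
        if s["gui"] not in ("SECUREONLY", "DISABLED"):
            findings.append((ip, "GUI reachable over plain HTTP; set -gui SECUREONLY"))
        if s["snmp"] != "DISABLED":
            findings.append((ip, "snmp enabled; disable unless an external monitor needs it"))
    for name, action in sorted(ldap_actions.items()):
        if not action.get("searchfilter"):
            findings.append((name, "ldapAction has no -searchFilter; any valid AD account can log in"))
    return findings


def audit_text(text):
    """Convenience wrapper: audit an ns.conf export given as one string."""
    return audit(*parse_ns_conf(text))


if __name__ == "__main__":
    for obj, msg in audit_text(SAMPLE_NS_CONF):
        print(f"{obj}: {msg}")
```

Run against the sample, the NSIP (10.0.0.5) and the unmanaged SNIP (10.0.0.7) produce nothing, the SNIP 10.0.0.6 is flagged for telnet, FTP, plain-HTTP GUI and SNMP, the VIP is flagged only for having management access at all, and the LDAP action without a `-searchFilter` is reported. Pointing `audit_text` at a real export (`cat /nsconfig/ns.conf` on the appliance) is the intended use; extend `IP_DEFAULTS` if your firmware documents different defaults.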
#Citrix #NetScaler #SDX Installation Overview Video
This is a pretty good “quick” video of the SDX installation! Have a look at it, and remember not to use 1Gbps interfaces only if you want to run more than 7 VPXs on the SDX! Then go for 10Gbps interfaces or many channels/interfaces of 1Gbps so you don't hit the SR-IOV limit of 7 VPXs per 1Gbps interface!
Description
12:45 screen capture with PPT overview on IP Addressing, and walking through install, IP change for the SDX’s SVM and XS IPs, licenses, and then the install of a NetScaler instance with NSIP and SNIP. This is intended to be a quick overview before you set out on a first SDX install, and is a complement to the SDX Quick Install Guide.
See the video here!
//Richard