Archive
Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work!
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to "pass first time" without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won't cover StoreFront in this post.
Of course technically "bad guys" can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs so the external firewall rules no longer protect you).
- Remove unnecessary management tools (telnet and FTP are considered insecure so should always be disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that "Secure access only" is selected to force SSL access to the GUI
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won't be used for management and untick "Enable management access"
- Change the default nsroot password to something long (obvious you'd think but you'd be amazed how many Netscalers I've seen that I can just log straight into using the default credentials!)
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won't be able to make any changes, it's still not a good idea them having this access!)
- If you are using…
Continue reading here!
//Richard
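As an added defender's check (example code written for this archive, not from Neil's post or from Citrix), here is a small Python audit that parses constructed `show ns runningConfig` lines and reports the checklist items above: management access left on a VIP, telnet/FTP/SNMP still enabled, and a GUI not limited to HTTPS. It assumes that omitted service flags on the NSIP mean the appliance default (enabled) and that an `add ns ip` line without `-type` is a SNIP.

```python
import re
from typing import Dict, List

# Constructed sample of `show ns runningConfig` output; not from a real appliance.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
set ns ip 10.0.0.10 -gui ENABLED -telnet ENABLED -ftp DISABLED -snmp DISABLED
add ns ip 10.0.0.11 255.255.255.0 -type SNIP -mgmtAccess DISABLED
add ns ip 203.0.113.5 255.255.255.0 -type VIP -mgmtAccess ENABLED -gui SECUREONLY
"""

IP_LINE = re.compile(r"^(?:add|set) ns ip (\S+)(?: \d+\.\d+\.\d+\.\d+)?(.*)$")
NSIP_LINE = re.compile(r"^set ns config -IPAddress (\S+)(.*)$")
# Assumption: on the NSIP an omitted service flag means the appliance default, which is on.
NSIP_DEFAULTS = {"telnet": "ENABLED", "ftp": "ENABLED", "snmp": "ENABLED", "gui": "ENABLED"}


def parse_ns_ips(config: str) -> Dict[str, Dict[str, str]]:
    """Merge the '-flag VALUE' pairs of every 'ns ip' line, keyed by IP address."""
    ips: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = IP_LINE.match(line) or NSIP_LINE.match(line)
        if not m:
            continue
        attrs = ips.setdefault(m.group(1), {})
        if m.re is NSIP_LINE:
            attrs["type"] = "NSIP"
        attrs.update(re.findall(r"-(\w+) (\S+)", m.group(2)))
    return ips


def audit(config: str) -> List[str]:
    """Return one finding per checklist item that the configuration violates."""
    findings: List[str] = []
    for ip, a in parse_ns_ips(config).items():
        kind = a.get("type", "SNIP")  # assumption: 'add ns ip' without -type is a SNIP
        svc = {k: a.get(k, v if kind == "NSIP" else "DISABLED") for k, v in NSIP_DEFAULTS.items()}
        if kind == "VIP" and a.get("mgmtAccess") == "ENABLED":
            findings.append(f"{ip}: management access enabled on a VIP; untick 'Enable management access'")
        for proto in ("telnet", "ftp"):
            if svc[proto] == "ENABLED":
                findings.append(f"{ip}: {proto} enabled (cleartext management protocol)")
        if svc["snmp"] == "ENABLED":
            findings.append(f"{ip}: SNMP enabled; disable it unless an external monitor needs it")
        if kind == "NSIP" and svc["gui"] != "SECUREONLY":
            findings.append(f"{ip}: GUI not limited to HTTPS ('Secure access only')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports telnet and an HTTP-capable GUI on the NSIP plus management access on the VIP; a hardened config yields no findings.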
#Gartner analyst slams #OpenStack, again – #IaaS
Good article and I must agree that OpenStack has quite a long way to go before the “average” enterprise embraces it…
OpenStack still has maturing to do before it’s really ready for the enterprise, analyst says
Network World – Gartner analyst Alessandro Perilli recently attended his first summit for the open source cloud platform OpenStack and he says the project has a long way to go before it's truly an enterprise-grade platform.
In a blog post reviewing his experience, the analyst – who focuses on studying cloud management tools – says that OpenStack is struggling to increase its enterprise adoption. Despite marketing efforts by vendors and favorable press, enterprise adoption remains in the very earliest stages, he says.
"Don't believe the hype generated by press and vendor marketing: OpenStack penetration in the large enterprise market is minimal." – Gartner analyst Alessandro Perilli
Sure there are examples like PayPal, eBay and Yahoo using OpenStack. But these are not the meat and potatoes types of enterprise customers that vendors are looking to serve. Why? He outlines four reasons, most of which are related to the process and community nature of the project, and less around the technical maturity of it. By the way, this is not the first time a Gartner analyst has thrown cold water on the project.
Lack of clarity about what OpenStack does
There is market confusion about exactly what OpenStack is, he says. It is an open source platform that can be assembled together to build a cloud. It, by itself, is not a cloud though just by downloading and installing it. OpenStack requires some heavy lifting to turn the code into an executable cloud platform, which is why dozens of companies have come out with distributions or productized versions of OpenStack code. But, the code itself is not a competitor to cloud platforms offered by vendors like VMware, BMC, CA or others. Read more…