Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work!
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to "pass first time" without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc.) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won't cover StoreFront in this post.
Of course technically "bad guys" can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs so the external firewall rules no longer protect you).
- Remove unnecessary management tools (telnet and FTP are considered insecure so should always be disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that "Secure access only" is selected to force SSL access to the GUI.
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won't be used for management and untick "Enable management access".
- Change the default nsroot password to something long (obvious you'd think, but you'd be amazed how many Netscalers I've seen that I can just log straight into using the default credentials!).
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won't be able to make any changes, it's still not a good idea for them to have this access!).
- If you are using…
Continue reading here!
//Richard
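As an added example (not code from Neil's post, Richard's post or Citrix), here is a small Python audit that reads the management-access settings from a constructed ns.conf excerpt and flags the checklist items above: telnet/FTP/SNMP left on, the GUI not restricted to secure access, and management access enabled on an IP (such as a VIP) that should not carry it. The ns.conf flag names and the defaults assumed for omitted flags are assumptions, as is the sample configuration.

```python
import re
from collections import defaultdict

# Constructed sample ns.conf excerpt (hypothetical, not from the original post);
# the flag names follow NetScaler's "set ns config" / "add|set ns ip" syntax.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ns ip 192.0.2.10 -gui SECUREONLY -ftp DISABLED
add ns ip 192.0.2.20 255.255.255.0 -type SNIP -mgmtAccess ENABLED -gui SECUREONLY -telnet DISABLED -ftp DISABLED -snmp DISABLED
add ns ip 198.51.100.5 255.255.255.0 -type VIP -mgmtAccess ENABLED
"""

# Assumed defaults for flags ns.conf omits: management services ENABLED, GUI allows plain HTTP.
DEFAULTS = {"type": "SNIP", "mgmtAccess": "DISABLED", "telnet": "ENABLED",
            "ftp": "ENABLED", "snmp": "ENABLED", "gui": "ENABLED"}

NSIP_RE = re.compile(r"^set ns config .*-IPAddress (\S+)")
IP_RE = re.compile(r"^(?:add|set) ns ip (\S+)")
FLAG_RE = re.compile(r"-(\w+)\s+(\S+)")

def parse_ns_ips(conf):
    """Return {ip: flags}, merging 'add ns ip' and later 'set ns ip' lines."""
    ips = defaultdict(lambda: dict(DEFAULTS))
    for line in conf.splitlines():
        m = NSIP_RE.match(line)
        if m:  # the NSIP always carries management access
            ips[m.group(1)].update(type="NSIP", mgmtAccess="ENABLED")
            continue
        m = IP_RE.match(line)
        if m:
            ips[m.group(1)].update(dict(FLAG_RE.findall(line)))
    return dict(ips)

def audit_ns_conf(conf):
    """Flag the management-plane points from the checklist as (ip, issue) pairs."""
    findings = []
    for ip, f in sorted(parse_ns_ips(conf).items()):
        if f["mgmtAccess"] != "ENABLED":
            continue  # no management plane exposed on this IP
        if f["type"] == "VIP":
            findings.append((ip, "management access enabled on a VIP"))
        for svc in ("telnet", "ftp"):
            if f[svc] == "ENABLED":
                findings.append((ip, f"{svc} enabled (insecure, disable it)"))
        if f["snmp"] == "ENABLED":
            findings.append((ip, "snmp enabled (remove unless externally monitored)"))
        if f["gui"] != "SECUREONLY":
            findings.append((ip, "GUI not restricted to secure (SSL) access only"))
    return findings
```

Running `audit_ns_conf(SAMPLE_NS_CONF)` on the sample reports telnet and SNMP on the NSIP, nothing on the hardened SNIP, and five findings on the VIP that still has management access enabled.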
#Citrix #NetScaler, #AGEE and Macbook OS X… bad start of the evening session!
Ok, I was just going to log in and play around and set up another AppController to verify some thoughts around a customer case in our EnvokeIT environment. And what did I do? I just opened my lovely Macbook Air (no one will ever take that one from me!!) and thought I would connect into our internal EnvokeIT lab environment and decided for some reason to connect over SSL VPN this time rather than running everything on the internally published desktop.
So I opened the browser and connected to our AGEE VIP, which presented me with the rather ok-looking login page you can see here, which my colleague modified to make it a bit more aligned with the StoreFront/Receiver for Web that we use in this little environment (otherwise you get that black ugly NetScaler login prompt; please get your product look & feel in sync, Citrix!).
But then after I logged in I thought, why not try out the SSL VPN client for my Mac! So I chose Network Access here:
And then I realised that the modifications weren’t really all ok as you can see here when I was prompted to download the Access Gateway Plugin for OS X (SSL VPN client)…