While there is an abundance of best practices and white papers on how to secure your Netscaler, I come across many implementations that are worryingly insecure. Whenever I highlight this with the IT manager, engineering or the security team, they are naturally keen to plug these holes asap.
After some digging I normally find it's due to a lack of understanding of the product, a gap in the handover from the integrator (if installed by a 3rd party), or the project budget was running out and corners were cut. Maybe it went in as a POC and somehow slipped into production because it was 'working'. It's particularly prevalent in businesses where there is no dedicated network / security team and the senior 'all rounder' techs manage the routing, switching and firewalls but aren't too sure about the mystical box called Netscaler that someone installed at some point.
Regardless of the reasons, it must be at least somewhat secured!
Netscaler is an awesome but complex product. Unlike its main competitor, the F5, which is modular, the Netscaler is an all-in-one, unified system; you just need to license the appliance for the features you need. That also explains why the answers vary when you ask, "What is a Netscaler?"
“It’s a secure access gateway”, “it’s a load balancer”, “it’s an application accelerator”, “it’s an SSL offloader”… Well, it’s all of those things and a whole lot more…
Here are 10 tips I've thrown together that will minimize the attack surface and provide some security for your Netscaler implementation. I recommend further securing the Netscaler as per Citrix best practice, but these steps will at least get it somewhat secured in around an hour.
1. Change the default login! Yes, user: nsroot password: nsroot is left in place way too often.
2. If running a physical appliance (MPX), ensure it’s physically secured in a comms room with limited access to the front panel & console port.
3. Configure role-based access control (RBAC) for the admins and engineers that require access to the device, with a named account for each.
4. Configure a low system session timeout for the GUI and CLI. This can be done at user / group level but before going that granular, it can be set globally:
- GUI: Navigate to System > Settings, click Set global system parameters, and set the ANY Client Idle Time-out (secs) parameter.
- CLI: At the command prompt, enter the following command:
set system parameter -timeout <secs>
5. Use HTTPS for GUI management access and disable HTTP access to the GUI management interface. To do so, run the following command:
- > set ns ip <NSIP> -gui SECUREONLY
6. Create a 2048-bit RSA private and public key pair and use the keys for HTTPS and SSH to access NetScaler IP address, instead of using the factory provisioned 512-bit RSA private and public key pair.
7. Patch it! Ensure the latest security patches and known stable firmware are applied.
8. Ensure it's secured by a firewall and that its management IP is not accessible from the internet.
9. Configure logging to an external host; there's a nice walkthrough here:
10. Use Access Control Lists (ACLs) so that the Netscaler CLI and GUI are only accessible from controlled management VLANs / network segments.
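As an added example (this is not code from the original post, nor from Citrix), here is a POSIX shell script that audits a saved Netscaler configuration against tips 3, 4, 5, 9 and 10, the ones that leave a trace in the config. It assumes the input is a copy of ns.conf or the output of show ns runningConfig, with the commands appearing as typed (the set system parameter and set ns ip forms from the post, plus the usual add system user, add syslogAction and add ns acl forms); the two sample configurations are constructed, and the 600-second timeout threshold is the script's own choice. Tips 1, 2, 6, 7 and 8 cannot be judged from a config dump and are left to a manual check.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved Netscaler config
# (a copy of /nsconfig/ns.conf or `show ns runningConfig` output) against
# tips 3, 4, 5, 9 and 10. Both sample configs below are constructed; they use
# the command forms the post shows plus the usual `add system user`,
# `add syslogAction` and `add ns acl` forms, assumed to appear as typed.

MAX_TIMEOUT=600   # assumption: an idle timeout above 10 minutes is reported

WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
set system parameter -timeout 3600
set ns ip 10.0.0.10 -gui ENABLED
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add system user jsmith PLACEHOLDER_PASSWORD
set system parameter -timeout 300
set ns ip 10.0.0.10 -gui SECUREONLY
add syslogAction siem_syslog 10.0.0.50 -logLevel ALL
add ns acl mgmt_https ALLOW -srcIP = 10.0.0.0-10.0.0.255 -destIP = 10.0.0.10 -protocol TCP -destPort = 443 -priority 10
add ns acl mgmt_ssh ALLOW -srcIP = 10.0.0.0-10.0.0.255 -destIP = 10.0.0.10 -protocol TCP -destPort = 22 -priority 20
add ns acl mgmt_deny DENY -destIP = 10.0.0.10 -protocol TCP -priority 100
EOF

# audit_nsconf FILE: one PASS/FAIL line per check; always exits 0 so it can be piped
audit_nsconf() {
    conf="$1"

    # Tip 3: named admin accounts rather than everyone sharing nsroot
    if grep -Eq '^add system user [A-Za-z0-9_.-]+' "$conf"; then
        echo "PASS tip3: named admin accounts exist"
    else
        echo "FAIL tip3: no named admin accounts, only the built-in nsroot"
    fi

    # Tip 4: global idle timeout present and no higher than MAX_TIMEOUT
    timeout=$(sed -n 's/^set system parameter .*-timeout \([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
    if [ -n "$timeout" ] && [ "$timeout" -le "$MAX_TIMEOUT" ]; then
        echo "PASS tip4: session timeout is ${timeout}s"
    else
        echo "FAIL tip4: session timeout is ${timeout:-not set}, want <= ${MAX_TIMEOUT}s"
    fi

    # Tip 5: the NSIP serves the GUI over HTTPS only (-gui SECUREONLY)
    nsip=$(sed -n 's/^set ns config -IPAddress \([0-9.]*\).*/\1/p' "$conf" | head -n 1)
    nsip_re=$(printf '%s' "$nsip" | sed 's/\./\\./g')   # escape dots for grep -E
    if [ -n "$nsip" ] && grep -Eq "^set ns ip ${nsip_re} .*-gui SECUREONLY" "$conf"; then
        echo "PASS tip5: GUI on NSIP ${nsip} is HTTPS only"
    else
        echo "FAIL tip5: GUI on NSIP ${nsip:-unknown} still answers over plain HTTP"
    fi

    # Tip 9: at least one external syslog destination
    if grep -Eq '^add syslogAction ' "$conf"; then
        echo "PASS tip9: external syslog destination configured"
    else
        echo "FAIL tip9: no external syslog destination, logs stay on the box"
    fi

    # Tip 10: ACLs exist to restrict who can reach the management plane
    if grep -Eq '^add ns acl ' "$conf"; then
        echo "PASS tip10: management ACLs defined"
    else
        echo "FAIL tip10: no ACLs, CLI and GUI reachable from any routed network"
    fi
}

# count_fails FILE: number of FAIL findings (0 for a hardened config)
count_fails() {
    audit_nsconf "$1" | grep -c '^FAIL' || true
}

# Run it against the weak sample; the hardened sample produces five PASS lines.
audit_nsconf "$WEAK_CONF"
```

Point it at a real dump with audit_nsconf /path/to/ns.conf. The tip 10 check only confirms that ACLs are defined; it does not prove they have been applied or that they actually cover the NSIP, so read the matching add ns acl lines yourself before ticking that box.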
I must stress, you can go much further in securing the Netscaler, but the above points are fairly easy to implement and will provide a nice baseline. It should bring some value to those sitting with a wide open, unsecured appliance, and believe me, there are plenty of them!
Feedback and ideas are welcome, as always! Thanks.