This is the fifth part of this blog. Part Part 1 2 3 4 5 Form-fields are a major gate to send malicious data to a web-server. It’s obvious, a website programmer does not want to do input validation twice, on the user and on the server-side. What could happen? If everything is tested on the client-side, data arriving on the server-side has to be good. Even worse: If an input field does not...
last update: December 10th 2020 I recently came across a problem, that had been hard to resolve. Active/passive load-balancing typically is easy to do: You create a load-balancing vServer for the active service, and another one, intended to be passive, for desaster recovery. Then you set the disaster recovery vServer as a protection vServer for the active vServer. It will automatically switch to...
Last change: December 21st 2021. Thanks to Dirk Bautz! This is the 2nd part to my article “Which ciphers to use on a Citrix ADC /NetScaler?” This one had been about TLS versions up to 1.2 only. Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC ( NetScaler) may be a big step with some obstacles to overcome. It needs some investigation. Why TLS 1.3? Simple: TLS 1.3 is faster, as...
Thinking back to the end of my UNIX days, there had been something called SSH. It had been a replacement for telnet and had a nice feature called SSH keys. SSH keys were a safe and easy way to replace those tiresome passwords. I loved them! Almost at the same time, Windows came up and I lost contact with UNIX. I always hoped, IT will switch over to Linux, but it never happened and my UNIX...
This is an old problem with Citrix ADC / NetScaler: You should test all changes in test-site first and move them to production, or synchronise production site and disaster recovery site. Unfortunately, there is no built-in mechanism to synchronize configuration. So, over time, these sites will start differing, a very unwelcome state. This is especially true for WAF, as applications tend to change...
latest update: May 5th 2021 Recently I found myself in a discussion with another Citrix architect about the number of cyphers needed. I had added as little as fife cyphers to a cypher group. He thought this is not enough. Why should we have many cyphers into a cypher group? To be honest, I don’t understand. It may look flexible, feature-rich and mighty. Customers may get impressed...
I am a big fan of cheating if it comes to security. Giving wrong answers to questions may be misleading and will direct attackers into the wrong direction. This will cost time and, at the same time, rise the risk of being caught red-handed. If someone attacks a website, he has to be discrete and fast. Discrete to not get trapped, quick to be long gone in case the owner learns about the attack. So...
This is Corona time, and Corona drives virtualization like nothing else did before. I recently had to fix issues with remote access. Usually, it would have to handle round about 1,500 users, but now, the number of users increased to 15,00, so ten times as much. The existing MPX-11500 could not handle all these connections, latency was way to high. Our customer needed a quick resolution, as every...
Last update: May 8th 2023 There are several use cases for geo-location information in Citrix ADC / NetScaler. It may be helpful with WAF logs. I am European, I won’t spend much time on a positive, if the log comes from North Korea, but I would consider it to be a “false positive”, if it comes from Germany, Italy or Sweden. Even though I would not consider it to be secure...
© Wikipedia, Creufop There seems to be no way to log events inside partitions, even though there are settings for logging and configuration seems to be right. They are exactly the same as in default partition. Syslog server is 127.0.0.1, so the local machine. Everything seems to be perfect. But /var/partitions/<partitionname>/log will remain empty. Why? Well, the syslog-server is 127.0.0.1...