CategorySecurity

Securing Citrix Gateway using Citrix ADC Bot Management, Citrix Web Application Firewall and DOS-Protection

S

last update: November 18th 2021 Recently, I had been asked, how to protect a gateway from threads. It’s easy, I thought, Citrix ADC has everything needed in good quality: A Bot Management, Web Application Firewall (WAF), and AppQoE (Application quality of experience, a DOS protection feature). So nothing easier than that: Create the policies desired and bind them to the gateway. Shortly...

Citrix ADC / NetScaler: How to find out, which users use which Ciphers?

C

There is something I frequently get asked for: How can we find out, which users use which ciphers? Will Citrix ADC show this information? Does ADM show it? A simple answer would be: No chance, ADC can’t do it at all. ADM – however – can do. If you don’t like ADM (I’d wonder why) you can’t. Let’s not make things that simple. We all are engineers. The word...

Priority of policies in Citrix ADC / NetScaler Content Switching in combination with Load Balancing

P

In Theory, it’s easy: Load Balancing is stronger than Content Switching. I tested with 13.0 82.42 on a Citrix ADC VPX. With some surprise to me: There had been differences between the features tested. I tested with Responder Policies, Citrix ADC Bot Protection, and Citrix Web Application Firewall. The setup I used a content switching vServer (192.168.229.200) and a non-addressable load-balancing...

Flexible Multi-Factor flows in Citrix ADC (NetScaler) using Azure MFA

F

I came across following issue, doing a Citrix ADC / NetScaler project: My customer wanted to use Azure MFA for internal users and LDAP/RADIUS for external users like contractors and parters. That’s a typical use-case for n-factor authentication. So how do we solve problems like that? The solution A Solution based on group membership The difference between internal and external users is...

Citrix ADC / NetScaler and TLS 1.3

C

Last change: February 4th 2021. Thanks to Dirk Bautz! This is the 2nd part to my article “Which ciphers to use on a Citrix ADC /NetScaler?” This one had been about TLS versions up to 1.2 only. Moving from TLS 1.2 to TLS 1.3 on an existing Citrix ADC ( NetScaler) may be a big step with some obstacles to overcome. It needs some investigation. The problem? It seems to be easy: Just tick...

Which cyphers to use on a Citrix ADC /NetScaler?

W

latest update: May 5th 2021 Recently I found myself in a discussion with another Citrix architect about the number of cyphers needed. I had added as little as fife cyphers to a cypher group. He thought this is not enough. Why should we have many cyphers into a cypher group? To be honest, I don’t understand. It may look flexible, feature-rich and mighty. Customers may get impressed...

A simple way for a Citrix ADC (NetScaler) to respond with a 404 not found

A

I am a big fan of cheating if it comes to security. Giving wrong answers to questions may be misleading and will direct attackers into the wrong direction. This will cost time and, at the same time, rise the risk of being caught red-handed. If someone attacks a website, he has to be discrete and fast. Discrete to not get trapped, quick to be long gone in case the owner learns about the attack. So...

Using Geo-Location in Citrix ADC / NetScaler

U

Last update: 2021-02-18   There are several use cases for geo-location information in Citrix ADC / NetScaler. It may be helpful with WAF logs. I am European, I won’t spend much time on a positive, if the log comes from North Korea, but I would consider it to be a “false positive”, if it comes from Germany, Italy or Sweden. Even though I would not consider it to be secure...

Creating Certificates for Citrix ADC (NetScaler)

C

The way we create certificates has not changed significantly over the years. Only the wizard is subject to a certain change. This blog is based on Citrix ADC 13, elder versions don’t differ significantly. The following steps are necessary to create a certificate: Generate the key pair Create the certificate-signing request Generate the certificate (either using Citrix ADC /...

How to recover a Citrix ADC/NetScaler VPX from CVE-2019-19781 (both on Hypervisor and on SDX)

H

last update: March 2nd 2020 Well, there are many guides. So why do I write a blog about it? Just to have one more? Bull shit! The truth is: I don’t like them at all! What’s wrong about all these guides? They all focus on how to remove malware currently installed on our Citrix ADCs (NetScalers). And, to be honest, it does not make the least little bit of sense. How can you ever be 100%...

Recent Posts

Recent Comments