Blog

Sophisticated Adversary Capitalizes on Citrix ADC Servers

Propelex team March 5, 2023 - 4 minutes read

An adversary with sophisticated skills has taken advantage of Citrix ADC servers, causing serious problems for organizations around the globe. The attacker was able to steal credentials from thousands of users, gain access to data and launch further attacks. Your organization needs the proper security measures in place to keep this from happening to it. These are some ways to make sure your ADC servers remain secure.

Citrix ADC Servers Security Measures

There are several security precautions to take when deploying Citrix ADC appliances: allow management access only over secure protocols, replace the factory self-signed certificate with a TLS certificate issued for your own domain, change the default nsroot password, and review the rest of the configuration against Citrix's hardening guidance.

Put the appliance's management address (the NSIP) on a private management network that is not reachable from the internet or from user VLANs. Use SSH key-based authentication for administrative logins rather than relying on passwords alone; a key pair also gives an administrator a way back in if a password is lost, which is exactly why the private keys must be protected like any other credential.

Citrix ADC appliances support Multipath TCP (MPTCP), a TCP extension that lets one connection use several network paths between hosts at once, which adds resilience against congestion and path failure. It is a performance and availability feature rather than a security control; it is switched on in the TCP profile bound to a virtual server, so make sure that profile is configured deliberately.

Citrix recommends terminating TLS on an SSL virtual server (SSL VIP) that allows only current protocol versions and strong ciphers, with a key of adequate length held in the appliance's protected key store. Citrix also recommends encrypting the persistence cookies that load balancing inserts, so that a client can neither read nor forge the backend identifier they carry.

Also, keep a dedicated "break glass" local administrator account for emergencies, protected by a strong password. At a minimum it should be at least 8 characters long and include a special character; for an account this powerful, a much longer passphrase kept offline and used only in emergencies is the better practice, and every use of it should be reviewed afterwards.
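The settings above (management protocols, legacy TLS versions, the factory certificate, persistence-cookie encryption, and the RPC channel discussed later) all show up as plain CLI lines in an ns.conf export, so they can be audited mechanically. The script below is an added example, not code from the original post or from Citrix; the configuration it parses is constructed for illustration, and the option names it checks are the ADC CLI names as I know them and should be confirmed against the command reference for your release before the output is trusted.

```python
"""Audit a Citrix ADC configuration export (ns.conf) for weak settings.

Added example: ns.conf is a plain list of CLI commands, one per line, so
this is a line-oriented parse.  SAMPLE_NS_CONF is constructed for the
example; the option names checked (-telnet, -gui SECUREONLY, -ssl3/-tls1/
-tls11, -certkeyName, -persistenceType, -useEncryptedPersistenceCookie,
-secure on an RPC node) are assumptions to verify against your release.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
set ns ip 10.0.0.10 -mgmtAccess ENABLED -gui ENABLED -ssh ENABLED -telnet ENABLED -ftp DISABLED
add lb vserver web_vs SSL 192.0.2.10 443 -persistenceType COOKIEINSERT -timeout 30
set ssl vserver web_vs -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED
bind ssl vserver web_vs -certkeyName ns-server-certificate
set lb parameter -httpOnlyCookieFlag ENABLED
set ns rpcNode 10.0.0.11 -password REDACTED -secure NO
"""


@dataclass(frozen=True)
class Cmd:
    verb: str                # add / set / bind ...
    obj: str                 # two-word object, e.g. "ssl vserver", "lb parameter"
    pos: Tuple[str, ...]     # positional args, e.g. ("web_vs", "SSL", "192.0.2.10", "443")
    opts: Dict[str, object]  # "-flag value" pairs; a bare flag maps to True


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str
    fix: str                 # CLI command that closes the gap


def _is_flag(tok: str) -> bool:
    return tok.startswith("-") and len(tok) > 1 and tok[1].isalpha()


def parse_cmd(line: str) -> Optional[Cmd]:
    toks = shlex.split(line, comments=True)
    if len(toks) < 3:
        return None
    pos: List[str] = []
    opts: Dict[str, object] = {}
    i = 3
    while i < len(toks):
        if _is_flag(toks[i]):
            has_value = i + 1 < len(toks) and not _is_flag(toks[i + 1])
            opts[toks[i][1:]] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            pos.append(toks[i])
            i += 1
    return Cmd(toks[0], f"{toks[1]} {toks[2]}", tuple(pos), opts)


def audit(conf_text: str) -> List[Finding]:
    cmds = [c for c in map(parse_cmd, conf_text.splitlines()) if c]
    out: List[Finding] = []
    lb_params: Dict[str, object] = {}        # merge every "set lb parameter" line
    for c in cmds:
        if c.verb == "set" and c.obj == "lb parameter":
            lb_params.update(c.opts)
    for c in cmds:
        # 1. Plaintext protocols or non-TLS GUI on any address with management access
        if c.obj == "ns ip" and c.opts.get("mgmtAccess") == "ENABLED":
            ip = c.pos[0]
            for proto in ("telnet", "ftp"):
                if c.opts.get(proto) == "ENABLED":
                    out.append(Finding("high", f"{proto} enabled on management IP {ip}",
                                       f"set ns ip {ip} -{proto} DISABLED"))
            if c.opts.get("gui", "ENABLED") != "SECUREONLY":     # ENABLED = HTTP and HTTPS
                out.append(Finding("medium", f"GUI on {ip} reachable over plain HTTP",
                                   f"set ns ip {ip} -gui SECUREONLY"))
        # 2. Legacy protocol versions: defaults differ by release, so demand an explicit DISABLED
        if c.verb == "set" and c.obj == "ssl vserver":
            weak = [p for p in ("ssl3", "tls1", "tls11") if c.opts.get(p) != "DISABLED"]
            if weak:
                out.append(Finding("high", f"{c.pos[0]}: {', '.join(weak)} not disabled",
                                   f"set ssl vserver {c.pos[0]} " + " ".join(f"-{p} DISABLED" for p in weak)))
        # 3. Factory self-signed certificate bound to a user-facing virtual server
        if c.verb == "bind" and c.obj == "ssl vserver" and c.opts.get("certkeyName") == "ns-server-certificate":
            out.append(Finding("high", f"{c.pos[0]}: default ns-server-certificate bound",
                               f"bind ssl vserver {c.pos[0]} -certkeyName <your-certkey>"))
        # 4. Inserted persistence cookies without encryption
        if c.verb == "add" and c.obj == "lb vserver" and c.opts.get("persistenceType") == "COOKIEINSERT":
            if lb_params.get("useEncryptedPersistenceCookie") != "ENABLED":
                out.append(Finding("medium", f"{c.pos[0]}: COOKIEINSERT persistence with unencrypted cookie",
                                   "set lb parameter -useEncryptedPersistenceCookie ENABLED -cookiePassphrase <passphrase>"))
        # 5. Inter-node RPC (HA, cluster, GSLB) in plaintext
        if c.obj == "ns rpcNode" and c.opts.get("secure") != "YES":
            out.append(Finding("high", f"RPC to node {c.pos[0]} not secured",
                               f"set ns rpcNode {c.pos[0]} -secure YES"))
    if lb_params.get("httpOnlyCookieFlag") == "DISABLED":
        out.append(Finding("medium", "HttpOnly flag stripped from persistence cookies",
                           "set lb parameter -httpOnlyCookieFlag ENABLED"))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_NS_CONF):
        print(f"[{f.severity}] {f.message}\n    fix: {f.fix}")
```

Run it against a real `show ns runningConfig` export rather than the constructed sample; the findings carry the remediation command, but treat those commands as a starting point and check each option against your release before applying it.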

Configuring GSLB

Global Server Load Balancing (GSLB) is a DNS-based service that distributes client traffic across Citrix ADC sites in different locations or data centres. It only delivers that benefit when it is properly configured. What are the steps for configuring it?

GSLB links your Citrix ADC sites so that a client's DNS query for a domain is answered with the address of the site that is closest to, or healthiest for, that client. Because each site monitors the others, a site that goes down is dropped from the answers, which is what makes GSLB useful for disaster recovery.

GSLB sites are defined as local or remote from the perspective of each appliance. Each domain you want to serve through GSLB is bound to its own GSLB virtual server, with a GSLB service for every site that can answer for that domain. For example, mydomain.com gets one GSLB virtual server and its services, and other domain names get their own.

Optimizing ADC Servers

These tips can help you increase the security of your Citrix ADC servers and of the network behind them, and stop a number of common attacks. It is also important to protect the appliance itself, both physically (hardware in a locked rack) and at the hypervisor level (VPX instances on a trusted host). Restrict management access to specific source IP addresses or devices, and use Access Control Lists on the appliance to enforce that restriction.

For example, restrict the appliance's RPC traffic (the channel that HA pairs, clusters and GSLB sites use to talk to each other) to the peer addresses that need it, enable secure mode and change the default RPC node password, and expose the NITRO management API only on the management network. This keeps an attacker who has reached the data plane from using those channels to control the appliance or its peers.

You can also issue TLS client certificates to users and require them on the SSL virtual server, so that a connection to the web service is accepted only when the client presents a certificate you issued. Although this requires the user, or their device, to hold and present a certificate, it adds a second, device-bound factor on top of the password.

Configure the ADC's logging options to improve visibility and reporting. Exporting the audit and access logs over syslog to a central collector lets you detect and respond to threats such as repeated failed logins or configuration changes from unexpected addresses. SNMP traps and the alerting function can also be used to notify you when specific events occur.
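The detection side of that syslog export, as an added example that is not part of the original post and not Citrix code: the log lines below are constructed in the general shape of ADC audit messages ("<timestamp> GMT 0-PPE-0 : default <module> <event> <id> 0 : Key value - Key value"); the module and event names, the field names (User, Client_ip, Remote_ip, Command), the management subnet and the thresholds are all assumptions to adjust to your own appliance's output.

```python
"""Flag brute-force logins, admin sessions from outside the management
subnet, and sensitive commands in Citrix ADC audit syslog.

Added example.  SAMPLE_LOG is constructed; the regexes, field names,
MGMT_NETS and thresholds are assumptions to tune for your environment.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

MGMT_NETS = [ip_network("10.0.0.0/24")]   # assumption: where admins legitimately connect from
FAIL_THRESHOLD = 5                         # this many LOGIN_FAILED from one source ...
FAIL_WINDOW = timedelta(seconds=60)        # ... inside this window counts as brute force
SENSITIVE = re.compile(                    # commands that change who can administer the box
    r"^(add|set|rm) system (user|cmdPolicy)\b|^shell\b|-mgmtAccess\b|^set ns rpcNode\b", re.I)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT \S+ : default "
    r"(?P<module>\w+) (?P<event>\w+) \d+ \d+ :\s*(?P<body>.*)$")

SAMPLE_LOG = [   # constructed for this example
    '03/01/2023:10:00:01 GMT 0-PPE-0 : default AAA LOGIN_FAILED 1001 0 :  User nsroot - Client_ip 198.51.100.7 - Failure_reason "Invalid credentials"',
    '03/01/2023:10:00:05 GMT 0-PPE-0 : default AAA LOGIN_FAILED 1002 0 :  User nsroot - Client_ip 198.51.100.7 - Failure_reason "Invalid credentials"',
    '03/01/2023:10:00:09 GMT 0-PPE-0 : default AAA LOGIN_FAILED 1003 0 :  User nsroot - Client_ip 198.51.100.7 - Failure_reason "Invalid credentials"',
    '03/01/2023:10:00:13 GMT 0-PPE-0 : default AAA LOGIN_FAILED 1004 0 :  User nsroot - Client_ip 198.51.100.7 - Failure_reason "Invalid credentials"',
    '03/01/2023:10:00:17 GMT 0-PPE-0 : default AAA LOGIN_FAILED 1005 0 :  User nsroot - Client_ip 198.51.100.7 - Failure_reason "Invalid credentials"',
    '03/01/2023:10:00:40 GMT 0-PPE-0 : default CLI CMD_EXECUTED 1006 0 :  User nsroot - Remote_ip 198.51.100.7 - Command "add system user backup_admin" - Status "Success"',
    '03/01/2023:10:01:00 GMT 0-PPE-0 : default CLI CMD_EXECUTED 1007 0 :  User nsroot - Remote_ip 10.0.0.5 - Command "show ns version" - Status "Success"',
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    module: str
    event: str
    fields: Dict[str, str]


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: datetime
    detail: str


def parse(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    # Body is "Key value - Key value"; a Command value containing " - " would be split too.
    for chunk in m["body"].split(" - "):
        key, _, val = chunk.partition(" ")
        fields[key] = val.strip('"')
    return Event(datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S"), m["module"], m["event"], fields)


def source_ip(ev: Event) -> Optional[str]:
    return ev.fields.get("Remote_ip") or ev.fields.get("Client_ip")


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    failures = defaultdict(deque)          # source ip -> timestamps of recent LOGIN_FAILED
    for ev in filter(None, map(parse, lines)):
        ip = source_ip(ev)
        user = ev.fields.get("User", "?")
        if ev.event == "LOGIN_FAILED" and ip:
            q = failures[ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > FAIL_WINDOW:   # slide the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(Alert("brute_force", ev.ts,
                                    f"{len(q)} failed logins for {user} from {ip} within {FAIL_WINDOW.seconds}s"))
                q.clear()                              # one alert per burst
        elif ev.event == "CMD_EXECUTED":
            cmd = ev.fields.get("Command", "")
            if ip and not any(ip_address(ip) in net for net in MGMT_NETS):
                alerts.append(Alert("admin_from_untrusted_ip", ev.ts, f"{user}@{ip}: {cmd}"))
            if SENSITIVE.search(cmd):
                alerts.append(Alert("sensitive_command", ev.ts, f"{user}@{ip}: {cmd}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.rule}: {a.detail}")
```

The three rules are deliberately independent, so a sensitive command run from an untrusted address raises two alerts; in a SIEM you would correlate them into one incident, and you would feed the detector from the collector's stream rather than from a list.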

Multiple features can be configured

Citrix ADC servers offer several further security features. The HTTP profile can be set to drop malformed or ambiguous requests, which reduces exposure to HTTP request smuggling (desync) attacks. SSH access can be disabled on data-plane addresses and left only on the management address. You can also use TLS certificates that you issue yourself, including client certificates that the user's browser presents when the connection to the web server is established. More information about managing SSL certificates can be found in the Citrix Knowledge Centre.

Inbound NAT (INAT) accepts connection requests on a public address and forwards them to a server. An Access Control List can limit which sources reach which ports: simple ACLs match on source and destination IP address, protocol (TCP or UDP) and port, so you can, for example, allow TCP/443 from anywhere but TCP/22 only from the management subnet.

You can also set the HttpOnly and Secure flags on the cookies the appliance inserts. HttpOnly keeps client-side scripts from reading the cookie, which limits what a cross-site scripting bug in the application can steal. Encrypting the persistence cookie used for load balancing goes one step further: the cookie can then be read only by the ADC that issued it, so a client can neither learn nor choose which backend server it is pinned to.
