The Citrix NetScaler is already hardened out of the box, and only VIPs respond to TCP handshakes. However, here are some further considerations for hardening your deployment. Hardening is implemented on the Citrix NetScaler load balancer in four areas: securing NetScaler system communication, Access Control Lists (ACLs), securing the NetScaler system using RPCNode, and external authentication.
Securing NetScaler System Communication
System to system communication
- High Availability (HA)
- TCP ports 3010 and 3011; or secure on TCP ports 3008 and 3009. Used for command synchronization and command propagation.
- UDP port 3003. Used for the HA heartbeat (health check; industry standard).
- TCP port 3011; or secure on TCP port 3009. Used for GSLB MEP communication.
- SSH: TCP port 22
- Web front end: TCP port 80 (HTTP); or secure on TCP port 443 (HTTPS)
- Java applet: TCP port 3010; or secure on TCP port 3008
- SNMP Request/Response traffic (polling): UDP port 161
- SNMP Traps: UDP port 162
- XML-API: TCP port 80; or secure on TCP port 443
Access Control Lists
The NetScaler system can implement IP address based traffic control on the data it handles using Access Control Lists (ACLs). This functionality is inherent to the NetScaler system and does not need to be enabled. ACL entries are matched on the source and/or destination IP addresses of the traffic. Once matched, the traffic is handled in one of the following ways:
- Allowed – traffic is allowed and is processed by the NetScaler as it would be normally
- Bridged – traffic is forwarded through the NetScaler system but not processed
- Denied – traffic is dropped
An ACL can be created to identify traffic by specifying any of 8 different attributes of the IP packet:
- Source IP Address – IP address of source machine originating the traffic; may refer to an individual IP Address or range/subnet.
- Source Port – Port of traffic from source machine.
- Destination IP Address – IP address of destination machine; may refer to an individual IP Address or range/subnet.
- Destination Port – Port of traffic to destination machine.
- Source MAC Address – MAC address of source machine.
- Protocol or Protocol Number – Protocol corresponding to the Protocol field in the IP Header.
- VLAN ID – VLAN ID of the VLAN where the packet was generated.
- Interface – Interface on which packet arrives.
If traffic matches more than one ACL, the most specific match is used. If it matches different ACL entries on the source and on the destination, the most specific destination ACL is used.
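The matching rules just described (wildcard attributes, three actions, most specific entry wins, destination specificity as the tie-breaker) are easy to get wrong when reviewing a policy by eye. The following is an added example, not NetScaler code: a small Python model of those semantics that can be run against constructed packets to check which entry would apply. The rule names, addresses and VLAN numbers are constructed for illustration, and the model assumes that a packet matching no entry is processed normally (ALLOW); the page does not state the default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

ALLOW, BRIDGE, DENY = "ALLOW", "BRIDGE", "DENY"


@dataclass(frozen=True)
class Packet:
    """The packet attributes an ACL entry can be matched on (the eight listed above)."""
    src_ip: str
    dst_ip: str
    protocol: str = "TCP"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None


@dataclass(frozen=True)
class AclRule:
    """One ACL entry; any attribute left as None is a wildcard."""
    name: str
    action: str
    src_net: Optional[str] = None      # single address or CIDR range
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.dst_net and ip_address(p.dst_ip) not in ip_network(self.dst_net, strict=False):
            return False
        for want, have in ((self.protocol, p.protocol), (self.src_port, p.src_port),
                           (self.dst_port, p.dst_port), (self.src_mac, p.src_mac),
                           (self.vlan, p.vlan), (self.interface, p.interface)):
            if want is not None and want != have:
                return False
        return True

    def specificity(self) -> int:
        """Number of attributes the entry constrains; more constraints = more specific."""
        return sum(v is not None for v in (self.src_net, self.dst_net, self.protocol,
                                           self.src_port, self.dst_port, self.src_mac,
                                           self.vlan, self.interface))

    def dst_specificity(self) -> int:
        """Tie-breaker: destination prefix length, plus one if a destination port is set."""
        prefix = ip_network(self.dst_net, strict=False).prefixlen if self.dst_net else 0
        return prefix + (1 if self.dst_port is not None else 0)


def evaluate(rules: Sequence[AclRule], packet: Packet, default: str = ALLOW):
    """Return (rule name, action) for the most specific matching entry.

    Assumption of this model: a packet that matches no entry is handled as `default`.
    """
    best = None
    for rule in rules:
        if not rule.matches(packet):
            continue
        key = (rule.specificity(), rule.dst_specificity())
        if best is None or key > best[0]:
            best = (key, rule)
    return (best[1].name, best[1].action) if best else (None, default)


# Constructed sample policy; addresses and VLAN are illustrative only.
SAMPLE_RULES = [
    AclRule("deny_mgmt_ssh", DENY, dst_net="10.0.0.0/24", dst_port=22, protocol="TCP"),
    AclRule("allow_admin_ssh", ALLOW, src_net="10.1.1.0/24", dst_net="10.0.0.0/24",
            dst_port=22, protocol="TCP"),
    AclRule("allow_snmp_poll", ALLOW, src_net="10.1.2.5", dst_port=161, protocol="UDP"),
    AclRule("bridge_guest_vlan", BRIDGE, vlan=200),
    # Same attribute count: the entry with the narrower destination must win.
    AclRule("deny_wide_dst", DENY, src_net="10.1.1.0/24", dst_net="10.0.0.0/16"),
    AclRule("allow_narrow_dst", ALLOW, src_net="10.1.0.0/16", dst_net="10.0.0.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.7", "10.0.0.10", "TCP", dst_port=22),   # admin SSH: ALLOW
                Packet("172.16.0.9", "10.0.0.10", "TCP", dst_port=22),  # other SSH: DENY
                Packet("10.1.1.7", "10.0.0.10", "TCP"),                 # tie: narrow dst wins
                Packet("192.168.5.5", "10.0.0.10", "TCP", dst_port=80, vlan=200),
                Packet("192.168.5.5", "8.8.8.8", "UDP", dst_port=53)):  # no match: default
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

The third packet is the interesting one: two entries constrain the same number of attributes, so the entry with the /24 destination beats the one with the /16 destination, which is the tie-break the text describes. On a real appliance the entries would be written as NetScaler ACLs rather than Python objects; the point of the model is to reason about which entry applies before a change goes live.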
RPCNode and the NetScaler System
By default, management access and communication between two systems is not secured.
- The set rpcnode command can be used to enable SSL communication:
- set ns rpcnode <ip-address> -secure YES
- The set rpcnode command needs to be issued for each IP address used for system-to-system communication or management.
Users and Groups
The following order is recommended for configuring external authentication of users:
- Create LDAP
- Create a user
- Add the user to a group
- Create LDAP policies
- Apply the policies to the group
- If multiple users are set up, group extraction can be used with LDAP.
- The user is associated with the group by LDAP group extraction.
- All members of that group get the same permissions.
If more than one type of permission setup is needed, then that user needs to be specified individually or a new group needs to be created.