Citrix TIPs: Networking recommendations from security assessments

The Citrix Application Delivery Controller (ADC) is normally at the heart of protection for your core application delivery environment. So it makes sense to ensure your administrators are up to date with the latest training and education on the key application security features and functionality that Citrix ADC provides.

With features like Web Application Firewall (WAF), Application-level Quality of Experience (AppQoE, DoS protection), and SSL Offload, you can not only improve your return on investment for the ADC but also meet security compliance requirements and achieve service levels for uptime and availability.

Many customers ask us about system-security hardening for Citrix ADC appliances deployed in their operational environment. This quick list of security tips and recommendations is based on findings from the field by our Citrix Networking Security subject matter experts as part of our Networking Security Assessment service. There is also some further information on how to validate and adjust configurations.

Before implementing, please always test any recommendations in a safe place first to ensure they meet your security requirements and follow your normal production change control on backup and recovery procedures!

The following suggestions are loosely grouped around the core information security key concepts of confidentiality, integrity, and availability.

Systems Confidentiality

Confidentiality “is the concept, that information is not made available or disclosed to unauthorized individuals, entities, or processes.” In this case, we are focusing on how encryption and secrets are stored and configured.

• Create the system master key for data protection. From the Citrix ADC 11.0 release, it is possible to create a system master key to protect certain security parameters, such as passwords for service accounts required for LDAP authentication and locally stored AAA user accounts. To create the system master key:
  • Using the command line interface, log in as a system administrator.
  • Enter the following command: create kek <PassPhrase>
• Set up secure communication between high-availability (HA) nodes (or global server load balancing (GSLB) nodes if enabled).
  • In the configuration utility’s navigation pane, expand the Network node.
  • Select the RPC node.
  • On the RPC page, select the IP address.
  • Click Open.
  • Type the password in the Password and Confirm Password fields.
  • Select the Secure option on the Configure RPC node dialog box.
• Change the default self-signed SSL certificate bound to the NSIP to a trusted enterprise certificate. See this article.
• On SDX systems ensure you utilize secure communication (HTTPS) between the services virtual machine (SVM) and provisioned VPX instances. See this article.
• Disable unsecure SSL and TLS versions (Citrix ADC management) for SDX appliances or for MPX/VPX.
• Review defaults and configure suitable TLS strong cipher suites (Citrix MPX / VPX ADC management). See the secure deployment guide link.
• Review defaults and configure suitable TLS protocol parameters (Citrix MPX / VPX ADC management). See the secure deployment guide link.
• Review and secure SSH access to the Citrix ADC appliance (Citrix MPX / VPX ADC management). See more here. Enforce HTTPS management only and secure GUI access on either NSIP or SNIP; if used for management of an HA pair, for example, set ns ip <NSIP> -gui secureonly

Systems (Configuration) Integrity

Integrity means maintaining and ensuring the accuracy and completeness of data (systems configuration) over its entire life cycle. This means that it cannot be modified in an unauthorized or undetected manner.

• Regularly review and test your Citrix ADC firmware version and builds against the current maintenance release as it may contain security patches and bug fixes or security enhancements that will improve your system’s operational security. For example, the two-factor authentication feature works on Citrix ADC 12.1 build 51.16 onward.
• For day-to-day Citrix ADC administration use alternate “named-based” accounts as required, also with “strong passwords” in line with your password policy for local systems management, and configure administration session timeouts relevant to your security policy: set system parameter –timeout <seconds>
• The same password rules should be applied to all default built-in ADC accounts like the nsinternal account, which is used when the account and password are set as part of HA or GSLB configurations. Also, don’t forget additional configured “service accounts” used for LDAP authentication’s BaseDN, for example.
• Disable unused features or modes not required for your network environment, for example, MAC-based forwarding (MBF) or Layer 2 or 3 modes (L2, L3, packet bridging or forwarding).
• Customers should consider employing both role-based access control (RBAC, with least privilege) for authorized Citrix ADC administrators and terminals having secure access (firewall or access control List) to only allow access to the Citrix ADC NSIP or IP with management access (GUI, CLI).
• We strongly recommend that the Citrix ADC management IP (NSIP) not be exposed to the public internet and be deployed behind an appropriate stateful packet inspection (SPI) firewall or isolated management network segment.
• If required by your security policy, you can configure external authentication for systems administration accounts (via external LDAPS, TACACS+ or Radius authentication servers) for SDX or for MPX / VPX.
• Restrict non-management applications access. Run the following command to restrict the ability of non-management applications to access a Citrix ADC appliance and secure access to the XML-API web service: set ns ip <NSIP> -restrictAccess enabled
• Configure and test external audit logging to secure SYSLOG servers (two servers) for access logging and apply the audit policy globally.
• Configure, test, and restrict NTP and ensure synchronization with your time source.
• Configure, test, and restrict SNMP v3 monitoring.

Systems Availability

For any information system to serve its purpose, the information must be available when it is needed. This means the computing systems used to store and process the information, the security controls used to protect it and the communication channels used to access it must be functioning correctly. High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

• Regularly review and ensure your systems documentation is up to date and accurate, and reflects your current networking environments configuration. Also, if you have an HA or GSLB deployment, test it regularly, as you cannot fix issues you do not know about.
• Provide physical access to Citrix ADCs and cabling to authorized personnel only.
• On physical SDX and MPX appliances, ensure you have diverse, protected power supplies, network connectivity, and enclosures, especially if you have HA pairs of ADC appliances. Additionally, disable any unused interfaces to prevent HA issues and unauthorized or wrong equipment being plugged in to the appliance.
• As the default nsroot account cannot be removed, a good practice is to change it to a strong “break glass” password (manual or password generator).
  1. The password must have a minimum length of eight characters.
  2. The password must not contain dictionary words or a combination of dictionary words.
  3. The password must at least include one uppercase letter, one lowercase letter, one number, and one special character.
• Strong passwords can be enforced by setting two parameters: one for the minimum length and the other to enforce complexity by using the set system parameter –minpasswordlen 8 –strongpassword ENABLED
• Store and secure the password (password vaulting or offline safe) and only use it in a break-glass emergency or if required for a systems upgrade (this password process should be documented as part of your network security policies, and only authorized and trained networking admins should have access to the nsroot credentials).
• Do NOT use the nsroot account for day-to-day administration. It is also advisable to disable external authentication for the nsroot account by default. If enabled, the system will check external authentication first for management access, so to prevent potential spoofing (duplication) of the nsroot account (or other local admin account) in Active Directory, for example, use set system user nsroot -externalAuth Disabled
• Customers who use out-of-band management networks / servers should update the firmware and also follow the guidance provided in the Securing the Citrix ADC Lights Out Management (LOM). We strongly recommend taking the following measures to secure the LOM interface:
  • Reset the Citrix ADC LOM and then update firmware if required.
  • Do not expose the LOM port to the Internet.
  • Deploy the LOM behind an SPI firewall or isolated management network segment.
  • Deploy the LOM on a network segment that is separated either logically (separate VLAN) or physically (separate LAN) from untrusted network traffic.
  • Set different username, password, and SSL-certificate and SSL-key values for the LOM and the ADC management ports.
  • Ensure that devices used to access the LOM management interface are dedicated to a network management purpose and placed on a management network segment that is on the same physical LAN or VLAN as other management device ports.
  • To easily identify and isolate LOM IP addresses, reserve special IP addresses (private subnets) for LOM management interfaces and management servers. Do not use reserved IP subnets with LAN interfaces of the managed appliances. Dynamic IP addresses assigned by DHCP are not recommended because they make it difficult to implement firewall access control lists based on a MAC address outside the LAN segment.
  • Set the password for a minimum of eight characters, with a combination of alphanumeric and special characters. Change the password frequently.

• Ensure your Citrix ADC appliances are backed up to a secure location and can be recovered within your organization’s recovery time objective (RTO).
• Finally, for organizations with many ADC appliances we offer Citrix Application Delivery Manager (ADM), which can be used to automate backup and recovery, as well as provide centralized management, monitoring, and orchestration of any Citrix networking technologies (physical, virtual, or microservices) either on premises or as part of the ADM service in Citrix Cloud.

As always, do not forget to review your Citrix ADC’s security posture regularly and make sure that it still meets your needs. In most enterprise environments, security threats can change regularly.

I hope you found this tips list useful as a starting point. For additional, detailed Citrix ADC security hardening deployment information, please reference this security deployment guide.

If you have some good Citrix ADC security tips, let us know in the comments below. Stay safe, everyone!

– Andy Gravett, Principal Security Consultant