By Matt Baran (@mbaran5)
Principal Architect, Entisys360
ROBOT, POODLE, HSTS – What do they all mean, and what’s with some of the names?
To begin with, we must go back in time a little, to around early 2018. It was then that I started to notice that Citrix was releasing new firmware versions for NetScaler (now known as Citrix ADC), even for very old builds such as 10.5. I started to dig into these firmware releases to determine why. It turned out that a very old RSA vulnerability, Bleichenbacher's 1998 padding-oracle attack on PKCS#1 v1.5, had been revisited and shown to work against modern, fully updated TLS stacks. This threat is known as ROBOT (Return of Bleichenbacher's Oracle Threat). In a nutshell, ROBOT turns the server into a decryption oracle: by sending crafted RSA ciphertexts and observing how the server reacts to each one, an attacker can recover the premaster secret of any recorded TLS session that used RSA key exchange, and can even produce signatures with the server's private key, all without ever obtaining the key itself. The issue is worse when using a wildcard or SAN certificate, since the oracle is tied to the private key, so every server sharing that key and certificate is exposed. Citrix was beginning to patch these threats, and quickly!
How does this relate to Citrix ADC?
Citrix ADC is typically the "front door" for many web-facing TLS (and in some cases legacy SSL) services. If you host Exchange, a corporate portal, and a Citrix Gateway from a single ADC pair, that is three exposed services. If there are "in the wild" threats, we must make the effort to close off the attack vector. Attackers are constantly running prepackaged scripts against every reachable site to determine whether any number of vulnerabilities exist. Patching is just one mitigation, and it must be combined with configuration hardening and regular verification to be effective. POODLE, another vulnerability, is defeated by disabling SSL 3.0 and by supporting the TLS_FALLBACK_SCSV signaling suite so that a client cannot be forced to downgrade to a weaker protocol. And, unlike ROBOT, POODLE is not removed by a patch but by a configuration change. Other findings are about ensuring that best practices are kept consistent across all devices and services.
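As an added example (this is not configuration from the original post), the following Citrix ADC CLI commands apply the two configuration-side mitigations discussed above to a hypothetical Gateway virtual server named `vpn_vsrv_gateway`: SSL 3.0 (POODLE) and the older TLS versions are disabled, and the DEFAULT cipher group, which includes static RSA key exchange, is replaced by an ECDHE-only group. Removing static RSA key exchange gives forward secrecy and also means that even an unpatched Bleichenbacher oracle could no longer decrypt recorded sessions, because no session key is ever encrypted with the server's RSA key. The vserver and cipher-group names are assumptions; the cipher names and parameters are those of 11.1/12.x firmware without the SSL default profile (with the default profile enabled on 12.1 and later, the protocol settings are made on the bound `ssl profile` instead).

```nscli
# Disable SSL 3.0 (POODLE) and TLS 1.0/1.1 on the Gateway vserver; keep TLS 1.2.
set ssl vserver vpn_vsrv_gateway -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED

# Build a cipher group containing forward-secret (ECDHE) suites only, strongest first.
add ssl cipher cg_ecdhe_only
bind ssl cipher cg_ecdhe_only -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher cg_ecdhe_only -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher cg_ecdhe_only -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 3
bind ssl cipher cg_ecdhe_only -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 4

# Replace the DEFAULT group (static-RSA key exchange, 3DES, SSL3-era suites) with the new one.
unbind ssl vserver vpn_vsrv_gateway -cipherName DEFAULT
bind ssl vserver vpn_vsrv_gateway -cipherName cg_ecdhe_only

# ECDHE only works if at least one curve is bound to the vserver.
bind ssl vserver vpn_vsrv_gateway -eccCurveName P_256
bind ssl vserver vpn_vsrv_gateway -eccCurveName P_384

# Verify the protocol flags and the bound cipher list, then persist.
show ssl vserver vpn_vsrv_gateway
save ns config
```

Before rolling this out, test with the oldest Citrix Receiver/Workspace app and browser versions still in use: clients that cannot negotiate TLS 1.2 with an ECDHE suite will fail to connect, and on older MPX hardware the GCM suites may be handled in software, so check CPU load under a representative session count.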
SSLLabs to the rescue!
Enter SSLLabs and its breadth of SSL/TLS/certificate testing functions. More so now than ever, emphasis is shifting toward security on the ADC itself. A firewall in front and a certificate on the service is no longer enough. This is where things start to get fun.
Prior to mid-2018, a standard out-of-the-box ADC would score somewhere around a C. Not bad, but not great, and it can get better. Fortunately, through the combined efforts of Citrix engineering, community blogs, and the Entisys360 team, I was able to prepare, with no end-user downsides, a method to achieve an A+ score for a fully secured Citrix Gateway site.
Entisys360 (Matt Baran) to the rescue!
I made it a mission within Entisys360 to communicate the urgency of the Citrix ADC security posture to our sales and consulting teams, emphasizing both up-to-date firmware and secure configurations. All Citrix ADC scopes of work include this now, as well as a service offering (monthly to quarterly) to ensure that our clients' Citrix ADC scores never fall below an A+.
In the months and years since, the fun hasn't stopped. There have been new vulnerabilities, new exploits, and new configurations required to ensure a high score and protection from the latest wave of attacks. HSTS (HTTP Strict Transport Security), a response header that tells browsers to refuse plain-HTTP connections to the site for a stated period, is a must-have in all deployments, but it is still not a default setting. We're constantly evolving our security posture to make sure each and every deployment is as secure as it can be.
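As an added example, not configuration from the original post, here are two ways to enable HSTS on the same hypothetical Gateway vserver, `vpn_vsrv_gateway`. Option A uses the native `-HSTS` parameter on `set ssl vserver` (12.0 build 50.x and later; on 12.1 and later with the SSL default profile enabled, the same options are set on the bound `ssl profile`). Option B is the rewrite-policy method for older firmware that lacks the native option. Use one or the other, not both, or the header is sent twice. A max-age of 15552000 seconds (180 days) is the minimum SSL Labs requires for an A+; the policy and action names are assumptions.

```nscli
# Option A (12.0 50.x and later): native HSTS on the vserver.
set ssl vserver vpn_vsrv_gateway -HSTS ENABLED -maxage 15552000 -IncludeSubdomains YES

# Option B (older firmware): insert the header into every response with a rewrite policy.
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=15552000; includeSubDomains\""
add rewrite policy rw_pol_hsts true rw_act_hsts
bind vpn vserver vpn_vsrv_gateway -policy rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

save ns config
```

Two caveats before enabling it: `includeSubDomains` applies to every host under the Gateway's domain, so any sibling hostname still served over plain HTTP becomes unreachable for browsers that have seen the header; and HSTS only takes effect after a browser's first successful HTTPS visit, so a redirect on port 80 is still needed for first contact. Confirm the header from outside with `curl -sI https://<gateway-fqdn>/ | grep -i strict-transport-security` before re-running the SSL Labs scan.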
Do your own scan now… right now!
Have you scanned your Citrix Gateway yet? Give it a shot at SSLLabs.com. Be sure to check the “Do not show the results on the boards” if you want your URL to remain hidden.
If your results look like below (basically anything other than A), you may want to consider the potential risk and loss if that ADC were to be compromised:
Do they look like this? Then you’ve been keeping up with the latest information:
And, if you’re anywhere in between, there’s always room for improvement!
As Citrix administrators, we can tend to get caught up in the false sense of security that Citrix Virtual Apps and Desktops provide. They are very secure, and the entry point is very small. We must, though, consider that the Citrix ADC is an edge device and is likely responsible for more than just Citrix Virtual Apps and Desktops. It is a cornerstone of the security model that we sell to the business, as part of the larger security model of Citrix and the Secure Digital Workspace. These configurations, in conjunction with MFA (multi-factor authentication), truly provide a secure end-user experience.
Of course, if these tasks are top priority and mission critical, Entisys360 can always assist in working with you and your team to ensure these changes are made efficiently and promptly on 1 or 100 ADC configurations. Contact your Account Executive for more information on how Entisys360 can further secure your Citrix, and by extension enterprise infrastructure.