
By Matt Baran (@mbaran5)

Principal Architect, Entisys360

ROBOT, POODLE, HSTS – What do they all mean, and what’s with some of the names?

To begin with, we must go back in time a little, to around early 2018. It was then that I started to notice that Citrix was releasing new firmware versions for NetScaler (now known as Citrix ADC) even for very old builds such as 10.5. I started to dig into these firmware releases to determine why. It was apparent that a very old RSA attack, Bleichenbacher's 1998 padding-oracle attack on PKCS#1 v1.5, had been revived against modern TLS stacks whose countermeasures turned out to be incomplete. This threat is known as ROBOT (Return Of Bleichenbacher's Oracle Threat). In a nutshell, a server that reveals whether an RSA-encrypted premaster secret was correctly padded (through a different alert, a timeout, or a connection reset) becomes an oracle; with enough queries, an attacker can decrypt any recorded TLS session that used RSA key exchange with that server's key, without ever obtaining the private key itself. Sessions that used ECDHE or DHE key exchange are not exposed to the decryption attack, which is why removing RSA key exchange cipher suites is a mitigation in its own right. Further, the issue is worse when using a wildcard or SAN certificate: the oracle is a property of the private key, not of the host, so an oracle on one server lets the attacker decrypt traffic to every server that shares that key, even servers that are themselves patched. Citrix was beginning to patch these threats, and quickly!

How does this relate to Citrix ADC?

Citrix ADC is typically the "front door" for many web-facing TLS (and, in some cases, still SSL) services. If you host Exchange, a corporate portal, and a Citrix Gateway from a single ADC pair, that's three exposed services behind one configuration. If there are "in the wild" threats, we must make the effort to close the attack vector: attackers constantly run prepackaged scanners against every reachable site to find which of a long list of vulnerabilities is present. Patching is just one method of mitigation, and it must be combined with configuration hardening to be effective. POODLE, another vulnerability, is a padding-oracle attack on CBC cipher suites in SSL 3.0, and it depends on a client being pushed to fall back from TLS to SSL 3.0; it is defeated by disabling SSL 3.0 on the virtual server (and, where both sides support TLS_FALLBACK_SCSV, by the server refusing a downgraded handshake). So, unlike ROBOT, POODLE is not removed by a patch but by a configuration change. The remaining work is about ensuring those best practices are kept consistent across all devices and services: one virtual server left at its defaults undoes the rest.

SSLLabs to the rescue!

Enter SSL Labs and its breadth of SSL/TLS/certificate testing functions. More than ever, emphasis is shifting toward security on the ADC itself; a firewall in front and a certificate on the service are no longer sufficient. This is where things start to get fun.

Prior to mid-2018, a standard out-of-the-box ADC would score somewhere around a C. Not bad, but not great, and it can get better. Fortunately, through the combined efforts of Citrix engineering, community blogs, and the Entisys360 team, I was able to prepare a method, with no end-user downsides, to achieve an A+ score on a fully secured Citrix Gateway site.

Entisys360 (Matt Baran) to the rescue!

I made it a mission within Entisys360 to communicate the urgency of the Citrix ADC security posture to our sales and consulting teams, emphasizing both up-to-date firmware and secure configurations. All Citrix ADC scopes of work now include this, as well as a service offering (monthly to quarterly) to ensure that our clients' Citrix ADC scores never fall below an A+.

In the months and years since, the fun hasn't stopped. There have been new vulnerabilities, new exploits, and new configurations required to keep a high score and protection from the latest wave of attacks. HSTS (HTTP Strict Transport Security), a response header that tells browsers to reach the site only over HTTPS for a stated period and to refuse connections with certificate errors, is a must-have in all deployments, but it is still not a default setting, and SSL Labs will not award an A+ without it. We're constantly evolving our security posture to make sure each and every deployment is as secure as it can be.
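The three configuration items above (SSL 3.0 off for POODLE, no RSA key exchange suites for ROBOT, HSTS on with a long max-age) are exactly what drifts between ADC pairs over time, so here is a small audit of an ns.conf that reports them per virtual server and prints the CLI fix for each. This is an added example, not code from the original post or from Citrix: SAMPLE_NS_CONF is constructed, and ASSUMED_DEFAULTS is an assumption about an older build (SSLv3 and TLS 1.0 enabled, HSTS off, unless the vserver line says otherwise), needed because ns.conf records only non-default settings.

```python
"""Audit a Citrix ADC (NetScaler) ns.conf for the settings that decide the SSL
Labs grade: SSLv3 (POODLE), TLS 1.0, RSA key exchange and the DEFAULT cipher
group (the surface ROBOT needs), and HSTS. Added example, not code from the
original post or from Citrix. SAMPLE_NS_CONF is constructed; ASSUMED_DEFAULTS
is an assumption about an older build (SSLv3/TLS 1.0 on, HSTS off unless the
vserver line says otherwise), since ns.conf records only non-default settings.
"""
import shlex
from collections import defaultdict

# SSL Labs grants A+ only with HSTS and a max-age of at least 180 days.
HSTS_MIN_AGE = 180 * 24 * 3600  # 15552000 seconds

# Assumed per-vserver defaults for settings the config does not mention.
ASSUMED_DEFAULTS = {"ssl3": "ENABLED", "tls1": "ENABLED", "tls11": "ENABLED",
                    "tls12": "ENABLED", "HSTS": "DISABLED", "maxage": "0"}

# Constructed sample: gw_old is at defaults with Citrix's built-in DEFAULT cipher
# group; gw_new has the hardening the post describes.
SAMPLE_NS_CONF = """\
add ssl cipher ecdhe-only
bind ssl cipher ecdhe-only -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ecdhe-only -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ecdhe-only -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ecdhe-only -cipherName TLS1-ECDHE-RSA-AES256-SHA
set ssl vserver gw_old -ssl3 ENABLED -tls1 ENABLED
bind ssl vserver gw_old -cipherName DEFAULT
set ssl vserver gw_new -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES
bind ssl vserver gw_new -cipherName ecdhe-only
bind ssl vserver gw_new -eccCurveName ALL
"""


def parse_ns_conf(text):
    """ns.conf is the CLI as typed, so shlex tokenises it. Returns
    ({vserver: {"params": {...}, "ciphers": [...]}}, {cipher_group: [names]})."""
    groups = defaultdict(list)
    vservers = defaultdict(lambda: {"params": dict(ASSUMED_DEFAULTS), "ciphers": []})
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        head, name = tok[:3], tok[3]
        if head == ["bind", "ssl", "cipher"] and "-cipherName" in tok:
            groups[name].append(tok[tok.index("-cipherName") + 1])
        elif head == ["set", "ssl", "vserver"]:
            params = vservers[name]["params"]
            for i in range(4, len(tok) - 1):
                if tok[i].startswith("-"):
                    params[tok[i][1:]] = tok[i + 1]
        elif head == ["bind", "ssl", "vserver"] and "-cipherName" in tok:
            vservers[name]["ciphers"].append(tok[tok.index("-cipherName") + 1])
    return vservers, groups


def cipher_is_rsa_kex(name):
    """Citrix cipher names carry the key exchange: ECDHE-/DHE- suites give forward
    secrecy and TLS1.3- suites never use RSA key exchange; anything else
    (TLS1.2-AES-256-SHA256, SSL3-DES-CBC3-SHA, ...) encrypts the premaster
    secret with the server's RSA key, which is exactly what ROBOT exploits."""
    return not (name.startswith("TLS1.3-") or "ECDHE-" in name or "-DHE-" in name)


def audit(text):
    """Return {vserver: [finding, ...]}; an empty list means nothing to fix."""
    vservers, groups = parse_ns_conf(text)
    report = {}
    for name, cfg in vservers.items():
        p, findings = cfg["params"], []
        if p["ssl3"] == "ENABLED":
            findings.append(f"POODLE: SSLv3 on; fix: set ssl vserver {name} -ssl3 DISABLED")
        if p["tls1"] == "ENABLED":
            findings.append(f"TLS 1.0 on (current SSL Labs rules cap the grade at B); fix: set ssl vserver {name} -tls1 DISABLED")
        if "DEFAULT" in cfg["ciphers"]:
            findings.append("DEFAULT cipher group bound; it includes RSA key exchange and CBC suites")
        # Expand named groups; a name with no group entry is a single cipher bound directly.
        bound = [c for g in cfg["ciphers"] if g != "DEFAULT" for c in groups.get(g, [g])]
        rsa = [c for c in bound if cipher_is_rsa_kex(c)]
        if rsa:
            findings.append("ROBOT surface: RSA key exchange via " + ", ".join(rsa))
        if p["HSTS"] != "ENABLED":
            findings.append(f"HSTS off (no A+ without it); fix: set ssl vserver {name} -HSTS ENABLED -maxage {HSTS_MIN_AGE}")
        elif int(p["maxage"]) < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {p['maxage']} is below the {HSTS_MIN_AGE} SSL Labs wants for A+")
        report[name] = findings
    return report


if __name__ == "__main__":
    for vs, findings in audit(SAMPLE_NS_CONF).items():
        print(f"{vs}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Feed it the output of `show ns runningConfig` or a copy of `/nsconfig/ns.conf`; it also flags a vserver that the config never mentions in a `set ssl vserver` line only if a cipher is bound to it, so add any vservers you know of to the sample before trusting a clean report. The `-HSTS` parameters on `set ssl vserver` exist on 12.0 and later builds; on older builds the header is inserted with a rewrite policy instead, which this audit does not look for.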

Do your own scan now… right now!

Have you scanned your Citrix Gateway yet? Give it a shot at SSLLabs.com. Be sure to check "Do not show the results on the boards" if you want your URL kept off the public listing.
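The same scan can be run from a script, so a monthly check does not depend on someone remembering the web form. This is an added example, not code from the original post or from Qualys SSL Labs: it calls the public SSL Labs API v3 at https://api.ssllabs.com/api/v3/analyze, and the response field names it reads (status, endpoints, grade, details.poodle, details.bleichenbacher, details.protocols, details.hstsPolicy) follow that API's documentation. SAMPLE_REPORT is a constructed, abridged response used for the offline run.

```python
"""Pull the SSL Labs grade for a host from a script so the check can run on a
schedule instead of by hand. Added example, not code from the original post or
from Qualys SSL Labs; it uses the public SSL Labs API v3 and the field names
below follow that API's documentation. SAMPLE_REPORT is a constructed,
abridged response for the offline run."""
import json
import time
import urllib.parse
import urllib.request

API = "https://api.ssllabs.com/api/v3/analyze"
GRADES = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]  # best to worst


def scan(host, timeout_s=900):
    """Start a fresh, unpublished scan (publish=off is the API's equivalent of
    the 'Do not show the results on the boards' checkbox) and poll until READY."""
    params = {"host": host, "publish": "off", "all": "done", "startNew": "on"}
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        with urllib.request.urlopen(API + "?" + urllib.parse.urlencode(params)) as resp:
            report = json.load(resp)
        if report.get("status") in ("READY", "ERROR"):
            return report
        params.pop("startNew", None)  # only the first request may start a scan
        time.sleep(15)
    raise TimeoutError(f"SSL Labs scan of {host} did not finish in {timeout_s}s")


def summarize(report, required="A+"):
    """Reduce a v3 report to one row per endpoint (IP), flagging the issues the
    post talks about. 'meets' is True only if the grade is at least `required`."""
    rows = []
    for ep in report.get("endpoints", []):
        d = ep.get("details", {})
        issues = []
        if d.get("poodle"):
            issues.append("POODLE (SSLv3)")
        if d.get("bleichenbacher") in (2, 3):  # 2 = weak oracle, 3 = strong oracle
            issues.append("ROBOT oracle")
        for p in d.get("protocols", []):
            label = f"{p.get('name')} {p.get('version')}"
            if label in ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"):
                issues.append(f"{label} offered")
        if d.get("hstsPolicy", {}).get("status") != "present":
            issues.append("HSTS missing")
        grade = ep.get("grade")
        rows.append({"ip": ep.get("ipAddress"), "grade": grade, "issues": issues,
                     "meets": grade in GRADES and GRADES.index(grade) <= GRADES.index(required)})
    return rows


SAMPLE_REPORT = {  # constructed, abridged v3 response for a two-IP gateway
    "host": "gateway.example.com", "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A+",
         "details": {"protocols": [{"name": "TLS", "version": "1.2"}],
                     "poodle": False, "bleichenbacher": 1,
                     "hstsPolicy": {"status": "present", "maxAge": 157680000}}},
        {"ipAddress": "192.0.2.11", "grade": "C",
         "details": {"protocols": [{"name": "SSL", "version": "3.0"},
                                   {"name": "TLS", "version": "1.0"},
                                   {"name": "TLS", "version": "1.2"}],
                     "poodle": True, "bleichenbacher": 3,
                     "hstsPolicy": {"status": "absent"}}},
    ],
}

if __name__ == "__main__":
    import sys
    report = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for row in summarize(report):
        print(row["ip"], row["grade"], "OK" if row["meets"] else "; ".join(row["issues"]))
```

SSL Labs grades every IP the hostname resolves to separately, so a Gateway fronted by two ADC VIPs or a GSLB answer shows two endpoints, and one forgotten VIP is enough to fail the check. A full scan with `all=done` takes several minutes and the service rate-limits callers, so run this from one scheduled job rather than from every admin's workstation.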

If your results look like below (basically anything other than A), you may want to consider the potential risk and loss if that ADC were to be compromised:

Do they look like this? Then you’ve been keeping up with the latest information:

And, if you’re anywhere in between, there’s always room for improvement!

Next Steps

As Citrix administrators, we tend to get caught up in the false sense of security that Citrix Virtual Apps and Desktops provides. It is very secure, and the entry point is very small. We must, though, consider that the Citrix ADC is an edge device and is likely responsible for more than just Citrix Virtual Apps and Desktops. It is a cornerstone of the security model that we sell to the business, as part of the larger security model of Citrix and the Secure Digital Workspace. These configurations, in conjunction with MFA (multi-factor authentication), truly provide a secure end-user experience.

Of course, if these tasks are top priority and mission critical, Entisys360 can always assist in working with you and your team to ensure these changes are made efficiently and promptly, on one ADC configuration or a hundred. Contact your Account Executive for more information on how Entisys360 can further secure your Citrix and, by extension, your enterprise infrastructure.
