By Matt Baran (@mbaran5)

Principal Architect, Entisys360

ROBOT, POODLE, HSTS – What do they all mean, and what’s with some of the names?

To begin with, we must go back in time a little, to around early 2018. It was then that I started to notice that Citrix was releasing new firmware versions for NetScaler (now known as Citrix ADC) even for very old builds such as 10.5. I started to dig into these firmware releases to determine why. It turned out that a very old attack on RSA key exchange in TLS had been revisited and shown to still work against current TLS implementations. This threat is known as ROBOT (Return of Bleichenbacher’s Oracle Threat). In a nutshell, ROBOT is a padding-oracle attack on RSA PKCS#1 v1.5 key exchange: an attacker who can send crafted handshakes to a vulnerable server can decrypt recorded TLS sessions that used RSA key exchange, and can even have the server perform private-key operations on their behalf, without ever obtaining the key itself. The issue is compounded when a wildcard or SAN certificate is used, because the oracle works against the private key, so every server sharing that certificate and key is exposed. Citrix was beginning to patch these threats, and quickly!

How does this relate to Citrix ADC?

Citrix ADC is typically the “front door” for many Internet-facing TLS (and, in some cases, still SSL) services. If you host Exchange, a corporate portal, and a Citrix Gateway from a single ADC pair, that is three exposed services behind one set of SSL settings. When threats are being exploited in the wild, we must take steps to close the attack vector. Attackers constantly run prepackaged scanners against every reachable site to check for any number of known vulnerabilities. Patching is just one method of mitigation, and it must be combined with configuration changes to be effective. POODLE, another vulnerability, is defeated by disabling SSL 3.0 and the protocol fallback that lets a client be downgraded onto it; unlike ROBOT, POODLE is not removed by a patch but by a configuration change. The remaining work is keeping those best practices consistent across all devices and services.

SSLLabs to the rescue!

Enter SSLLabs and its breadth of SSL/TLS/certificate testing functions. More so now than ever, emphasis is shifting toward security with the ADC. A firewall in front and a certificate on the service are no longer sufficient. This is where things start to get fun.

Prior to mid-2018, a standard out-of-the-box ADC would score somewhere around a C. Not bad, but not great, and it can get better. Fortunately, through the combined efforts of Citrix engineering, community blogs, and the Entisys360 team, I was able to prepare a method to achieve an A+ rated, fully hardened Citrix Gateway site with no end-user downsides.

Entisys360 (Matt Baran) to the rescue!

I made it a mission within Entisys360 to communicate the urgency of Citrix ADC security posture to our sales and consulting teams, emphasizing both up-to-date firmware and secure configuration. All Citrix ADC scopes of work now include this, as well as a service offering (monthly to quarterly) to ensure that our clients’ Citrix ADC scores never fall below an A+.

In the months and years since, the fun hasn’t stopped. There have been new vulnerabilities, new exploits, and new configurations required to keep a high score and protection from the latest wave of attacks. HSTS (HTTP Strict Transport Security), a response header that tells browsers to reach the site only over HTTPS and to refuse any downgrade for the period it specifies, is a must-have in every deployment, but it is still not a default setting. We’re constantly evolving our security posture to make sure each and every deployment is as secure as it can be.
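The three configuration points covered so far (SSL 3.0 off for POODLE, static RSA key exchange suites off for the class of attack ROBOT exploits, HSTS on with a long max-age) can be checked mechanically against an ADC configuration dump before you ever hit SSLLabs. The audit script below is an added example, not Citrix tooling or the author’s own method. The `ns.conf` lines it reads are constructed for illustration, and the `set ssl vserver` / `bind ssl vserver` flag names, the `show ns runningConfig` command, and the 180-day HSTS threshold are assumptions based on the ADC CLI and SSL Labs grading as I understand them, so verify them against your own build.

```python
"""Audit Citrix ADC (NetScaler) SSL vserver config lines for the issues in
the post: SSL 3.0 on (POODLE), static RSA key exchange suites (the class
ROBOT attacks), legacy TLS 1.0/1.1, and HSTS off or too short.

Added example, not Citrix tooling. The ns.conf lines are constructed; the
`set ssl vserver` / `bind ssl vserver` flag names are assumed from the ADC
CLI, so compare against `show ns runningConfig` before relying on them.
"""
import re

# Constructed sample: one out-of-the-box style gateway, one hardened gateway.
SAMPLE_NS_CONF = """\
set ssl vserver gw_default -ssl3 ENABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED -HSTS DISABLED
bind ssl vserver gw_default -cipherName TLS1-AES-256-CBC-SHA
bind ssl vserver gw_default -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
set ssl vserver gw_hardened -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -HSTS ENABLED -maxage 31536000 -IncludeSubdomains YES
bind ssl vserver gw_hardened -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl vserver gw_hardened -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
"""

# SSL Labs wants an HSTS max-age of at least 180 days for the A+ (assumed threshold).
MIN_HSTS_MAX_AGE = 15552000


def _flags(tokens):
    """Pair '-flag VALUE' tokens into a dict; flags without a value are ignored."""
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            flags[tok[1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return flags


def parse_ns_conf(text):
    """Return {vserver: {"flags": {...}, "ciphers": [...]}} from ssl vserver lines."""
    vservers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1:3] != ["ssl", "vserver"]:
            continue  # not an 'set/bind ssl vserver <name> ...' line
        entry = vservers.setdefault(parts[3], {"flags": {}, "ciphers": []})
        flags = _flags(parts[4:])
        if parts[0] == "set":
            entry["flags"].update(flags)
        elif parts[0] == "bind" and "cipherName" in flags:
            entry["ciphers"].append(flags["cipherName"])
    return vservers


def uses_static_rsa_kx(cipher):
    """ADC suite names carry the key exchange: no ECDHE/DHE means static RSA."""
    return re.search(r"-(ECDHE|DHE)-", cipher) is None


def audit(vserver_cfg):
    """Return a list of finding strings for one vserver; an empty list means clean."""
    f, findings = vserver_cfg["flags"], []
    if f.get("ssl3") == "ENABLED":
        findings.append("SSL 3.0 enabled (POODLE)")
    for legacy in ("tls1", "tls11"):
        if f.get(legacy) == "ENABLED":
            findings.append(f"{legacy} enabled (SSL Labs caps the grade at B)")
    # HSTS is off by default on the ADC, so a missing flag counts as off.
    if f.get("HSTS") != "ENABLED":
        findings.append("HSTS not enabled")
    elif int(f.get("maxage", "0")) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below 180 days")
    for c in vserver_cfg["ciphers"]:
        if uses_static_rsa_kx(c):
            findings.append(f"static RSA key exchange suite {c} (ROBOT class, no forward secrecy)")
    return findings


def remediation(name, vserver_cfg):
    """CLI lines that would clear the findings (syntax assumed; verify on your build)."""
    cmds = [
        f"set ssl vserver {name} -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED"
        f" -HSTS ENABLED -maxage {MIN_HSTS_MAX_AGE} -IncludeSubdomains YES"
    ]
    cmds += [f"unbind ssl vserver {name} -cipherName {c}"
             for c in vserver_cfg["ciphers"] if uses_static_rsa_kx(c)]
    return cmds


if __name__ == "__main__":
    for name, cfg in parse_ns_conf(SAMPLE_NS_CONF).items():
        issues = audit(cfg)
        print(f"{name}: {'clean' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
        for cmd in (remediation(name, cfg) if issues else []):
            print("  fix:", cmd)
```

Run as-is, the script reports five findings for `gw_default` and prints the `set` and `unbind` commands that would clear them, while `gw_hardened` comes back clean. A clean audit is a necessary check, not a sufficient one: the firmware level, which is what actually closes ROBOT on an appliance that still offers RSA key exchange, is not visible in these lines, so the external SSLLabs scan described below still needs to be run.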

Do your own scan now… right now!

Have you scanned your Citrix Gateway yet? Give it a shot at SSLLabs.com. Be sure to check the “Do not show the results on the boards” if you want your URL to remain hidden.

If your results look like the screenshot below (basically anything other than an A), consider the potential risk and loss if that ADC were compromised:

Do they look like this instead? Then you’ve been keeping up with the latest information:

And, if you’re anywhere in between, there’s always room for improvement!

Next Steps

As Citrix administrators, we tend to get caught up in the false sense of security that Citrix Virtual Apps and Desktops provide. They are very secure, and the entry point is very small. We must consider, though, that the Citrix ADC is an edge device and is likely responsible for more than just Citrix Virtual Apps and Desktops. It is a cornerstone of the security model we sell to the business, as part of the larger security model of Citrix and the Secure Digital Workspace. These configurations, together with MFA (multi-factor authentication), go a long way toward a secure end-user experience.

Of course, if these tasks are top priority and mission critical, Entisys360 can assist you and your team in making these changes efficiently and promptly on 1 or 100 ADC configurations. Contact your Account Executive for more information on how Entisys360 can further secure your Citrix and, by extension, enterprise infrastructure.
