Use NetScaler to Reduce Your Attack Surface

Many organizations today have either Citrix XenApp or XenDesktop in production today. A large percentage of those same organizations also purchased a Citrix NetScaler to encrypt remote access traffic for that XenApp/XenDesktop environment. This is an excellent way to protect your infrastructure, but are you aware of what else the NetScaler can do for you?

A NetScaler is a member of a family of appliances called “Application Delivery Controllers,” or ADCs. The use case outlined above, securing remote access for XenApp/XenDesktop is just a single, very specific role for an ADC. Among other things, ADCs are often used to load balance, SSL offload and reverse proxy.

This isn’t all a NetScaler can do… It has the ability to deflect a denial of service attack. It includes an application firewall that can be used to protect applications from things like SQL injection, cross site scripting, etc. These are a couple of the better known, well-publicized security features of the NetScaler.

If you have an application server that accepts encrypted connections using TLS (as did Domino 8.x, which only accepted SSL v3), using a NetScaler in front of Domino’s web mail feature allows you to require TLS 1.2 utilizing an Elliptical Curve Diffie Helman cipher.

Similarly, if you have a legacy application that uses SSL encryption, but only supports SHA1 certificates, putting the NetScaler between it and external users allows you to use current SHA256 certificates, as well as the aforementioned TLS encryption and higher end ciphers.

Now, you may be looking at this and come to the realization that you do not have either of these issues. Consider yourself fortunate. Many IT departments are “stuck” supporting legacy line of business applications with these issues. These applications are often business critical, and extremely expensive to upgrade or replace.

Moving on from this, there is still a very good reasons to place all of your external facing applications so that the traffic has to come through your Internet connection firewall, and your NetScaler. Simply put, it reduces your attack surface. Over the past year or so, there have many vulnerabilities found in various SSL encryption algorithms (such as POODLE, FREAK, BEAST (or Heartbleed), Logjam, BREACH, Lucky 13, etc.).

These vulnerabilities struck untold numbers of Internet accessible systems. These vulnerabilities affected NetScalers as well. Having said that, let me explain why you still want to place your applications behind the NetScaler. The simple reason is that most immediate threats come from outside your firewall. If you can apply vulnerability patches to your NetScalers on day 1, you have effectively blocked off the vast majority of the threat to your organization. This gives you time to start tracking down patches for all of the now “internal” systems that still have this vulnerability on day 2. If one of those internal systems is a “legacy line of business application” described previously, patching it may be either the work of a hired programmer, or may even be impossible.

This leads me to an expanded possible way to use NetScalers to segment the application infrastructure from the internal users. Look for a blog post on that topic coming up soon.

Brian E. Holzer, CCE-V, CCP-N, CCP-M, CCA-N (former CCI)
Sr. Architect
Innovative Integration, Inc.

About Brian Holzer

Brian is a seasoned IT consultant (pre-sales, delivery and marketing) with experience across many industries (healthcare, financial services, communications, manufacturing, education, government, utilities, professional services, etc.). He is a former IT Director, Assistant Professor with Purdue University, and an application developer.

Leave a Reply

Innovative Integration can help you optimize your IT infrastructure. Request a Consultation