Duration 33:12

Citrix Synergy TV - SYN221 - How to protect your Citrix deployments and modern applications with...

Patrick Coble
Principal Consultant at VDISEC
Citrix Synergy Atlanta 2019
May 23 2019, Atlanta, GA, United States

About the talk

Topic: IT

Explore the major security features that Citrix ADC offers and some deployment techniques to implement them in your organization. Citrix ADC is a security engineer’s Swiss Army knife and you will discover tools you may not know about, including Web Application Firewall, GeoIP and bad IP reputation blocking. You’ll also hear about Citrix ADC denial of service (AppQoE) protections along with SmartAccess, multifactor authentication and more. If your Citrix ADC is acting as a gateway, join this session to see how it can further secure your Citrix deployment. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.


I think we're getting close here, guys. All right, we are ready to rock and roll. First off, thank you for coming, right? 00:05 Everyone has had a long week, has watched hundreds if not thousands of PowerPoint slides, and may have had adult beverages. 00:14 So I know this is like almost the end of the road here. We're in between you and lunch. So let's get this thing on. That's right. 00:23 All right. So if you can see, this is what we do. I'm a security nerd. I run a security consulting company called VDISEC, just focused on 00:35

VDI security. I break into things, I click and type things, and I draw sticks and bubbles on power on whiteboards. So 00:44 are the group and working on yfn 00:51 descaler. It's not more announcements coming here to school. All right. So our agenda is basically to dive into the main security components within the 01:01 Citrix ADC portfolio and practical things that you can do to actually deploy these things, and also get your brain wrapped around how to plan to deploy 01:10 these things. So to start off, give you guys a quick update on where Citrix is going with app security before you head over to Patrick. So the 01:20

overarching problem, as many of us know, is that the tide of vulnerabilities and ability to execute attacks 01:30 Internet is overwhelming, right? 92% What we see is that applications and APIs are organizations' 01:39 most valuable assets, and you can see from these places here that there are alarmingly high percentages of organizations that feel that this is an out 01:49 of control problem for them. So what we need to do with the app security portfolio is to continue to add additional value for 01:59

our customers and partners, to give you guys more tools to leverage that she's going to go over some of the ways you can leverage ADC today. I just give 02:08 me this. Security update on what we're doing with WAF and firewall, SSL. We have a signature team, 02:17 extended logging is in place as of 12.1 onwards. There's an RFC compliance check, and we've also recently been ICSA 02:27 certified for the MPX platform, and that actually applies to all platforms. So a lot of new stuff here on WAF, firewall, and general 02:36

security. And we're also making headway on content inspection. So ICAP, the process of sending 02:46 traffic over to an IPS or IGA, for example, to inspect it for vulnerabilities or for violating traffic, is there, 02:55 inline device integration, port mirroring as well. So these are all things that are there right now, today. But we're also excited to announce 03:05 this. This was in the keynote, but maybe you guys may have missed it. I walked so excited to announce that we're developing a bot management platform. 03:14

That's part of the Citrix ADC. So by bots we mean anything that's automated or scripted, right? And it can be a kid in his dorm with a 03:21 Python script, or it can be a nation-state sophisticated attack, right? It's a very wide range of capabilities as intensification 03:31 platform games to do is to control unwanted automated traffic to websites. So features: 03:38 device fingerprinting, over twenty-six hundred signatures, as well as rate-based and behavior-based detections. This is coming out in Q3. 03:48

And there's a little swirly animation to stay home. So with that I'll hand over to Patrick, because I think it's more valuable for you guys to hear from a road 03:59 warrior who's done this for many years on how to implement the best security practices on ADC. Thanks, Frank. All right, so back in 2006 I thought 04:08 NetScalers were cool. And I don't know how many times I'm going to say NetScaler, could be another drinking game for Synergy right now, though hopefully you 04:18 just have water to rehydrate for your drive and fly home. But once I got in past the Gateway, I realized there was so much more it could do. It was 04:24

the Swiss Army knife of being able to secure things and make things more highly available. And of course MacGyver would have one, right, if he has a 04:34 Swiss Army knife. That is his network Swiss Army knife. So first thing is, do you have an ADC? Yes? Let's get ready to rumble. 04:43 If you don't, sad panda, right? It's a very powerful appliance. And if you don't have one and you have a Citrix deployment, you're definitely missing 04:53 a lot of features, especially when it comes to security and availability. But if you do have one, it's what version do you have, right? So 05:00

obviously, we have Standard, Advanced, and Premium, what used to be Platinum. So we like to change names to keep it exciting for all of us. But Platinum, 05:09 you get all the goodies, right? And then something between most people, even Standard edition, you have denial-of-service protection. You should use it, 05:18 right? And we'll kind of go into that. So let's eliminate these threats together and be happy about it, right? Because it's going to be super fun, right? So 05:26 first thing, the Three Amigos of protection, kind of the core foundation of NetScaler security, is GeoIP. If I can eliminate a couple 05:33

billion IP addresses with just a single checkbox, that's exactly reducing my attack surface by anywhere from 40 to 60%. Now, if you have people 05:43 that are jet-setters, they're going all over the world, you're going to have to include other countries, and it could get kind of annoying, right? 05:52 Because it's a gigantic CSV file and you have to define IP ranges, and IP ranges are sold and bought and traded, and they become this country, then that 06:00 country. But at least you're trying to do something, right? A lot of things in security are not absolute. All we're trying to do is reduce risk, 06:08

right? So we can reduce risk by doing this, and that will do it, right? So from there, this is kind of the process. So if you screenshot this or even go 06:15 to that CTX article, that isn't how you turn on GeoIP blocking exactly. It is not a complicated process. It is 5 steps, and basically once you've 06:24 imported it, it is assigning it to. Most important thing to note on this, overarching, every fit, every bit that we're talking about and all the cool things 06:33 we want to turn on: I want you to go back to your home and I want you to right-click your Gateway, I want you to right-click your StoreFront, very poly 06:42

to right-click something. I want you to copy it. I don't want you to do this to production, only to make a new IP address that has these things turned on, 06:50 and guess what? Test it, right? No one's going to know about this new event except you. So when we kind of go through this, this is basically what it 06:57 looks like from the command line, where you can see how many records there are for that CSV. And we kind of step through this, and we are entering 07:05 these commands, we're making a responder policy. We can see what we want to name it. We're dropping by country or dropping there. A lot of this stuff is 07:12

up to you, and label the policy something that makes sense. Just say GeoIP, because most likely it's going to be a GeoIP - not this country, 07:19 not that country, not that country, right? Or just US. And then once you've actually made that responder policy, you go to policy manager. You can bind it 07:29 to your top-secret vserver, and then if it doesn't work, guess what? You can unbind it, right? These are not absolute things. This is the easy way for 07:37 you to roll it out very safely and provide a lot of protection to your company. And then you just hit bind and bada bing. Now if it comes from 07:45

those IP ranges, it's not allowed to come to your site. What that allows too is it saves you a lot of bandwidth internally processing requests, a lot of 07:52 CPU and RAM that's wasted doing bad requests for other deployments. So it's good. So obviously GeoIP databases, March 2018 08:00 is how, that's how big it was there, and it's continually growing and shifting. If you really go down this road, you're probably going to want to get 08:10 one of these subscriptions, and that way it's more up-to-date automatically-ish, right? Just like most things. And this is what it looks like right now. 08:17

It shows you which country, which IP start range, and then basically a sequential number. And then you can't talk about GeoIP without bad IPs, because 08:25 there's GeoIPs all over the And there's bad IPs everywhere else around then. Then you can't have that without a bad reputation from Tay Tay, 08:35 right? You got to respect her. So you know, she does have a bad reputation, big reputation, right? So basically what this does is, this is just, 08:42 we've already eliminated a couple billion IP addresses. Now we're going to eliminate a couple hundred million IP addresses. These are IP addresses that 08:50

are on bot networks, anonymizers, Tor exit nodes, things maybe you don't want your business users to be coming through on. So it's a good way to 08:57 block, and it kind of comes in from Webroot. And basically it looks through that XML file and says, hey, you're shady, you're not allowed to connect, 09:06 right? And so when we do this, this is yet another very simple thing, but you need to make sure your NetScaler can get to the Internet. 09:14 So depending on if you've done a very good job firewalling your NSIPs, you're going to need to open up some stuff, right? And don't open up the 09:23

internet, just open it up to very specific DNS names, right? Which could get in. In some cases, but it's a lot safer than just saying your NetScaler 09:31 can get to the internet. Kind of the same thing, it's a very simple process: you turn on reputation, you click a box, like this is literally how easy it is, and 09:39 then we hit OK, and then we go back to that responder policy that we just made for GeoIP and we make one for bad IP. And we do the exact same thing, 09:49 we're going to say is malicious. We can also do many other filters, as you can see, so that we can just block certain types of sites that are malicious. 09:57

You don't have to go all in and block all of them. You might not want that many in there. So then, now we've got GeoIP blocking and now we have 10:05 bad IP blocking, and basically you can look here and you can see if you can get to it or not get to it, right? There's a couple command lines; the CTX 10:14 article at the very beginning of this can actually talk about that. So now we've eliminated billions of IP addresses from talking to us, a couple hundred 10:23 million more IP addresses to talk to us. And now what we want to do is fine-tune that with quality of service. We want to make sure that we know how big 10:31

things are and how fast things can go. And there have been gigantic multi-terabit attacks of denial of service, and the terrible denial of actor also a 10:39 great way to knock the door down, and you're dealing with the denial of service while there's a persistent attacker. Sometimes these things are very 10:49 coordinated. They're not by random, they're not by accident. When someone wants to spend a bunch of money to denial-of-service attack you, it's usually 10:55 for a good reason for them. So let's think about how we need to put our brains around how to turn on AppQoE and denial-of-service protection. 11:02

Our internet circuit is 1 gigabit, our ADC uplink is 10 gigabit. Our external VIP DoS limit, what should it be? 11:12 Maybe .75 gigs, maybe less than that. If your internet is only 100 megs, your 11:20 VIP should not be set to 10 gigs. Where does that make sense, right? So let's go ahead and turn those down. And guess what? All of you, if you have a 11:30 Citrix ADC, can do this. This isn't a Platinum feature; it's a very simple way to do it. And if we have an internal website, it's kind of the same thing, even 11:39

though that user might have a gigabit, or maybe 480 bit or 480 megabits because they're on 802.11, right, they're on Wi-Fi. Maybe it needs to be even lower 11:47 than that. Maybe it just needs to be a hundred megabits. This is where, if you don't have MAS installed, it's going to be kind of hard for you to do 11:57 some of this. These are kind of this in the cheat sheet. You need to think about what's the average number of users, especially if we're talking about 12:04 Gateway, right, so we can limit things based on that. But then how many responses per second? This is where MAS comes in, where you can be able to 12:12

look at your existing VIP and go, hey, I get about 7 million packets per second. OK, maybe I'll make it ten million, because if it was 20 million, 12:18 something really bad is going on, right? We just doubled our company size overnight. Someone is actually attacking us, right? Then from there, what's 12:27 our throughput? What's our big throughput limits? So this is where you're going to look in MAS or even on the NetScaler and Analysis chapter and 12:35 Reporting, you'll be able to see that, and that max amount of bandwidth. The number of clients: you can also limit things by the number of 12:42

connections. If you know you only have 33,000 connections, don't allow 2.7 million, right? There's any default values, especially when it comes to the 12:49 NetScaler's made for performance. So a lot of these counters are all zero, maximum throttle, Scotty, right? Like we're going Warp 7, right? Was do this 12:57 MAS or ADM. If you don't know that, that's their management 13:05 analytics service. And basically it is a sweet way to be able to visualize what's going on on your NetScaler, one being a Pinot picture's worth a thousand 13:15

words and a graph is worth a thousand too, right? So when you see gigantic peaks and valleys, you can see real usage, and it's also a great way to 13:23 correlate all your syslogging. It's also a great way to back up all your NetScalers and get configuration to be able to restore it. So if you have more 13:31 than one NetScaler and you have an HA pair, you should have MAS deployed. And yeah, it's so net-net. 13:40 You 13:48 literally come in here and you can see those are the things you need to know before you start doing this. Make them really big and then start training 13:57

turning them down, right? Make them safe. You don't want to cause an outage, and this is why we're also doing this on a test, that we're not doing on 14:06 the production VIP. And guess what's cool about this: all we're doing so far is we're making 3 responder policies, and when we're done we go to 14:14 production and we just apply one, let it marinate for a week, apply two, let it marinate for a week, apply the third one, let it marinate for a week. We've 14:21 eliminated over three billion IP addresses, 100 million bad IP addresses, and we've eliminated someone actually crashing the NetScaler or 14:28

that back-end website in just three responder policies. This is not high-tech, super, you know, hacker Matrix stuff here. Now, testing a 14:36 denial of service. This can get kind of shady. If you're going to do this, these all work. This is what I use to test denial-of-service protection 14:44 policies. Run it in a VM, run it sandboxed. Be careful where you put it on your network. This is very old software. It's 14:53 shady, so treat it shady, right? But it's the only way you're going to make it tilt, right? There's other, there's other applications out there that can do 15:02

it. There's ways you can custom write some PowerShell scripts, but these work like no problem. But you need to protect yourself. So danger, Will 15:11 Robinson. Dropping invalid packets is also another great way. These are just a couple commands that can drop literally billions of IP packets a 15:20 day from your appliance. It means it doesn't have to process them anymore. It does have to figure out, like, hey, where's this go, that goes to this VIP, that 15:30 goes to this VIP. Drop things that are not right. If someone's sending you a malformed packet, it's for a reason, right? They're attempting to exploit you, 15:36

they're attempting to turn the doorknob of your Access Gateway, your OWA site, your whatever, right? So you can block those. And then strict transport 15:44 protocol. Someone's giving you some bogus HTTP traffic, we don't want that either. It's part of invalid packets, but we want to make sure we're 15:53 processing things in a safe manner. And as we keep going through this, we're eliminating threats every single one of these responder policies and every 16:02 time we hit and run in here. As you can see, some of these, the way you apply them is the same way. It's just a checkbox on a VIP. This is not something 16:10

that takes days, weeks, months to do. Do it on a test VIP, right? Don't go, don't go running with scissors. And you can actually see too what's the 16:19 maximum age, and if you can see that, that's like basically forever, is what it means on a NetScaler, that means it trusts it forever. So you can adjust 16:28 that. And if you see here, this is where you should also be looking underneath protocol. This is where you need to be paying attention to your SSL, 16:36 right? TLS 1.0? I wouldn't think so. 1.1, maybe. 1.2, because you have to. 1.3, you want to be ready, right? So depending on 16:43

where you're at in your Citrix Receiver life and Workspace app is how far you can go with that. SYN cookies are another great way to attack people, 16:53 but the good thing is the NetScaler has a built-in protection policy and it just blocks them right off the bat. You guys can read that. Cookie Monster's 17:01 not happy with a NetScaler, right? So it's what it is. So you look at it, it's just more stuff on how a SYN DoS works versus a 17:09 regular denial of service. And so probably literally the most powerful security feature that Citrix has when it comes to the ADC appliance is 17:19

the WAF and Egger Ryan District web application firewall. And so if you're not a network person or security person, you usually don't get to pick the 17:28 applications, applications pick you, right? We don't cook it, we just serve it. And so when that happens, we need web application firewall, and it's because 17:38 it goes beyond just opening up port 80 and 443 like all the firewall guy and then that is done, but that means anything is literally allowed at port 80 17:45 and 443, right? So we want to eliminate that. And so anything that's high value, most likely if it's behind your ADC it is high value, most likely if it's 17:55

published in Citrix it's high value, business-critical, it's revenue-impacting, right? So almost everything could be determined for that eliminate those, but 18:04 the key to remember is before just allowing those ports up, it only takes one security defect from any of your application portfolio to cause someone 18:13 to be able to get in, right? And so this is where WAF really starts to shine. And this is like a more visual way to look at it. Your app forgot 18:20 your regular firewall is only blocking just three layers of that model, and so, you know restrictions are happening on what types of packets and 18:29

protocols that can come across there: malformed packets, bad things, payloads, byte sizes, how big the packets are in to use, it's just all unlimited. So when 18:36 we put an ADC WAF in front of it, then we are expecting those things and we are the man in the middle, so we can apply much more granular 18:46 policies than that firewall can. And you paid good money for your ADC, so you definitely want to use that. So they're on their seventh generation of 18:55 firewall. So depending if you're over 200 gigabit throughput, so there's literally no reason for any of us mere mortals, other than maybe Google or 19:04

Apple that need like 72 of these because they're doing like a couple terabit. There is an app firewall Paula appliances going to support your traffic, 19:13 right? That's a good thing. And when we get to here, this is kind of how it works. This is like a Navy at this point. It has negative mode: I know what 19:21 bad things are and I'm going to block bad things, like cross-site scripting, certain types of strict and some slow and fast attacks and SYN attacks. And 19:31 then positive: we put the thing in learning mode, right? So it's going to learn what good traffic is. This is where most people make mistakes: they don't 19:40

give it all the traffic it needs. Someone did not go through the whole workflow of that application. Say it's a patient application where all we're doing 19:48 is uploading insurance cards. We need the whole card to get uploaded. We need multiple times of people going through that application to see the good 19:55 behavior. So the NetScaler knows that if someone sends me an XML file and it's 1024k, that's good. So anything bigger than that is 20:03 no, right? So we combine those two, we get into hybrid. We're blocking the bad things and also we only allow the good things. What this 20:13

does is zero-day protection. It means that when something bad is attempted, it's completely dropped. And if we've listened and we're kind of picking up 20:23 what we're doing, we've eliminated so many threats until this slide: billions of IP addresses can't even talk to this WAF appliance, right? Hundreds of 20:32 millions of bad IP addresses can't do it, millions and millions of requests that are not correct can't talk to it. And now once it's here, we're the 20:41 gatekeepers. So that is the good way, and most important right there: one does not simply turn this on without testing. 20:49

One thing, that's when you go down this WAF road, it is a journey and it's going to be a lifelong partner. So, you know, respect it accordingly, right? Buy 20:59 anniversary gifts, because one thing that is going to happen is you patch this system, this application that's behind there, you may have to go back into 21:08 learning mode, because the Can literally change. They change their packet sizes, they change their rates, they change the way they talk, they change the ports. 21:16 So you're going to need to constantly test this, so you need to have a test WAF VIP in front of your test application. Hopefully you have a test 21:23

application. We're not just testing in prod, you know, with scissors, running around that move with the fire, right? So hopefully not. But WAF is just 21:32 as easy to implement. Basically, we turn it on, Phase 1 and week on that VIP, and then we run the wizard and we keep testing it. And so as we 21:40 keep going through this policy, those are the things that it's allowing us to do. The good thing about WAF: if you turn on logging, it 21:50 doesn't block anything, and that way you can look through the logs and see what would have been blocked. If you've been to my session about application 22:00

whitelisting and stuff like that: you want to turn on auditing mode first, you want to know what it would have blocked. You don't want to just turn 22:08 this on and hope for the best, right? Living on a Prayer is a song, no way to live when you talk about this, right? So you can see these are all types of 22:14 different types of known bad attacks, and you basically check the box. Multi-factor authentication. This is probably 22:22 the best illustration I can show you of how important it is. When I do penetration testing, break into people's offices, externally, internally, and every 22:32

which way, I only need a username and password. If you just give me with no MFA, I literally just need one piece of information, and there's number 6 22:40 billion records on dehashed.com and Have I Been Pwned that are easily searchable. So with that, if you just have MFA, maybe 22:49 not the best MFA, right? Because there's obviously varying levels, you need at least three to five things stolen, acquired from your target before you 22:59 can attack. Now is this completely infallible? No, nothing in security is infallible. It just takes pressure and time. It only takes usually about 2 23:09

minutes for me to go past most MFA deployments, and it's just social engineering. It just takes a couple minutes' phone call to talk to someone and 23:17 say, hey, how's it going today? I see Frank's out. Have you been having problems with your token? No, my token's good. Well, Frank told me I needed to 23:25 call and he was really worried that you can't get in. OK. Well, can you help me out and just tell me what your token is real quick? 23:34 OK, perfect. Thank you. Have a great day. I'll let Frank know when he comes back from vacation. Done. Just logged in, and MFA defeated, right? Why is 23:43

that? Well, because the person's social media posted exactly where they were, it was all updated and correlated with LinkedIn, so I can see the 23:52 organization, I know who works there, I know who's in the same department, and with just that little piece of social information I was able to 24:00 exploit that. And so if you're not doing good social engineering and phishing training, this is the same thing that will happen to you. There's been many 24:07 attack for MFA has been done by that. So the way I like to do MFA is the opposite of most everyone that ever does MFA. Especially if you called Duo or 24:14

Azure, you say, I'd like some MFA. They say, just give it to all the users. That is the exact opposite of what you want to do. First, you want to 24:23 start with IT. You guys need to be comfortable with it. You need to know what it does. You need to know how it works. Next, we need to go to the CEOs. 24:31 I know we don't like them, they don't like computers, but we have to do it. We want to go from the top down, right? We don't want to go from the bottom 24:39 up. We want them to be there, who can transfer $800,000 on a Tuesday and it doesn't look anything out of the normal: the C-suite, people in finance, 24:46

people in purchasing. Also don't forget their assistants and their secretaries. They can send millions and millions of dollars with just a single email, 24:56 and that happens all the time. If anyone paid attention to some fake POs that went down for Google and Facebook, over 100 million dollars was 25:05 transferred to the incorrect company because of an email. That's all it takes, right? Then we're going to go down to leadership. We want VPs, 25:14 directors, we want everybody all the way down to the team leads, because if you're going to roll out some new technology, you want someone that can help be 25:23

your champion, right? And they need to understand the importance to it. You can also just show the Google and Facebook story. We don't want to lose a 25:30 hundred million dollars on a Tuesday because someone sent a bad email, right? We're trying to defend ourselves. And then once you have done that top 25:37 down, then it's time to get the rest. We don't need to boil the ocean. We want to do it at a gradual pace, make sure everyone's familiar with it, because it 25:44 is an annoying process. If you work in the healthcare industry and people are in and out of systems all the time, or even banking and tellers, you're 25:51

probably going to need to invest in some proximity cards. That means at least I have to have two or three things to log into somebody even without 25:59 prox card. It's not as vast as MFA, but it's at least something. And when we're talking about MFA, I don't recommend any SMS-based ones if you can help 26:07 it, because there is a thing called SIM swapping, which means I can become your SIM number and then I'm getting the text with the 4-digit code to log in 26:17 as you, right? So it just eliminates a lot of other things so you got to go in there. So if you don't have it enabled, definitely take a look at it. 26:24

There's lots of good partners I've seen kind of everywhere, and even think about one-time passwords and other things. Those are also great ways to 26:33 prevent bots from attacking, right? And many other ways to add just one more layer of authentication, and some of these are completely free. We don't 26:41 need to spend hundreds of millions of dollars to do this. So ADC IPs, kind of foundational: make sure they're actually on a network that's secure, 26:49 right? Make sure you're using HTTP every single time you log into it, and make sure you replace that default certificate every single time. 26:58

You're doing your day-to-day IT life and you hit accept, don't worry about it, advanced, accept, allow exceptions. You just allowed a man-in-the-middle. 27:08 That's what you just did. I can be in there with a Wi-Fi Pineapple and you logged into vCenter, you logged in to your Citrix ADC, I just got the clear text 27:18 password, right? And that's what happens very often. So you need to replace that default certificate so that when that bar turns red, you run to the hills, 27:27 because something is wrong. Someone is in the middle of your connection. You're never going to know it, because you keep hitting accept, accept, accept, 27:36

accept every single day, probably ten to 20 times a day. You've got a red bar and you've done all types of work, and hopefully no one's in the middle, 27:43 right? So make sure you bind it to LDAP. Still so many places don't use LDAP and they're still using nsroot. What does that mean? No one has any 27:52 accountability. When something bad happens, who broke it? I don't know, nsroot did. Well, who knows nsroot? All 72 people. Cool. All right. Well, who 28:02 wants to raise their hand? Who's going to raise their hand? All right. Well, we'll just move on, right? It was just an outage, just lost a couple million 28:11

dollars. No big deal. So make sure you're binding to Active Directory, and then change the default password. People that are on SDXs are the worst 28:16 offenders of this, because they made their one golden template and they make like three or four instances for this application, that application, and they 28:25 have the same password: nsroot, nsroot. I've been in places that made billions of dollars and they had nsroot/nsroot on a very 28:32 production, very dangerous VPX instance on an SDX, right? So change those passwords, and then make sure you're logging. 28:42

Who here even logs? Uses syslog on their NetScalers? It's a good crowd, I like you guys. Usually it's like one person, and then one 28:52 person that doesn't want to raise their hand because a hacker dude's talking about it, right? So you don't to do that kind of awkward, but you want to do 29:02 this. If you don't log, you're never going to find out, you're never going to be able to do incident response. I've been in incident responses where they 29:09 said, oh, we just got breached. We come in, we look at it, and we find out that the logging just rolled off a week ago because they have so much 29:16

traffic, AAA debug completely full, right? So get logs. There's free ways to do that. There's ELK and many other things; obviously there's paid solutions, 29:23 but hopefully that doesn't. So we're kind of at the Final Countdown here. We went a little bit faster, which is good. And you know, this is a final 29:32 countdown, right? So final thoughts, just like we talked about: layered security, defense-in-depth. Start with GeoIP, then go to 29:42 bad IP, then you go to AppQoE, then go to strict protocols, right, HSTS, work your way down. You're eliminating threats every 29:52

single checkbox, you're eliminating threats every single policy. We're doing it on a test. If we make sure it works. We promote that dip into 30:02 production and we do it right and if you can you use it, but make sure you understand the relationship you're getting yourself into 30:08 right as updates happen. I've seen lots of people have updates over the weekend and the whole site goes down and that's because learning mode is 30:18 blocking stuff because it never seen it before. It's very very common. And then make sure you're using MFA pretty pretty pretty please, right, 30:26

everywhere you can now, even if it just has to be admin. I know a lot of places especially state, local, federal government and nonprofits and stuff 30:35 like that. We can't afford to get all 75,000 users access MFA. At least do IT, at least through the C-suite, at least do 30:45 anyone anyone that can move millions of dollars of money, right? Let's list assess our users and apply the appropriate controls for them. Replace those 30:54 default certificates. Don't allow exceptions anymore. Right? There are guides after guides after guides of how to replace a default certificate for 31:03

everything that has a certificate of use those it can be annoying. What I suggest is make sure it's a three to five years so you don't have to do it 31:12 that long. Put it on your calendar, say one month before, replace the certificate, right? Now maybe you're not there in five years, but you know you tried, 31:21 right. So there's lots of features there's lots of things as adding and so, you know, the most important thing for us is make sure if you like kind of 31:30 technical deep. There's a lot more deeper week ago. This was a high level of all the major features and we didn't really even get into some of the 31:38

access control and analytics and all the other things that go on. I'm so if you like this kind of session make sure you do your survey tweet out and 31:47 if there's any questions, we got plenty of time and if you are not from America and you've never had a Goo Goo Cluster, there's a pile of them up 31:54 here. They can change your life and they're chocolate coated and marshmallow goodness with some caramel and pecans. They're amazing. And if you 32:03 like stickers, I have two sizes at if you like me a little bit. There's little stickers and be like me a lot. There's big stickers for eyes though, 32:12

depending on whichever way. Frank, you got anything else? I think you can keep your 32:18 NetScaler brain turned on. These are the remaining ADC presentations that you guys can go to and you're not visit the booths to a lot of great 32:28 demonstrations of Citrix technology down there and I'm definitely excited about a lot of the bot network stuff. If you're not familiar and you know 32:37 part of that bad IP, the bot network really dovetails into that. And so when that feature comes that she's going to be more protection, so it's 32:44

going to eliminate millions and millions of IP addresses from being able to talk to you also. So if y'all have any other questions, let us know. We'll 32:51 be up here and y'all have a great day. Thank you. Thank you. 32:59
