About the talk
Explore the major security features that Citrix ADC offers and some deployment techniques to implement them in your organization. Citrix ADC is a security engineer's Swiss Army knife and you will discover tools you may not know about, including Web Application Firewall, GeoIP and bad IP reputation blocking. You'll also hear about Citrix ADC denial of service (AppQoE) protections along with SmartAccess, multifactor authentication and more. If your Citrix ADC is acting as a gateway, join this session to see how it can further secure your Citrix deployment.

Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.
I think we're getting close here, guys. All right. We are ready to rock and roll. First off, thank you for coming, right. Everyone has had a long week, has watched hundreds if not thousands of PowerPoint slides and may have had adult beverages. So I know this is almost the end of the road here. We're in between you and lunch. So let's get this thing on. That's right. All right.

So if you can see, this is what we do. I'm a security nerd. I run a security consulting company called [inaudible] that's focused on VDI security. I break into things, I click and type things, and I draw sticks and bubbles on whiteboards. So [inaudible] the group working on [inaudible] NetScaler. There's more announcements coming here, too. Cool.

All right. So our agenda is basically to dive into the main security components within the Citrix ADC portfolio and practical things that you can do to actually deploy these things, and also get your brain wrapped around how to plan to deploy these things. So to start off, I'll give you guys a quick update on where Citrix is going with security before we head over to Patrick.

So the overarching problem, as many of us know, is that the tide of vulnerabilities and the ability to execute attacks on the Internet is overwhelming, right? 92%. What we see is that applications and APIs are organizations' most valuable assets, and you can see from these figures here that there are alarmingly high percentages of organizations that feel that this is an out-of-control problem for them. So what we need to do with the app security portfolio is to continue to add additional value for our customers and partners, to give you guys more tools to leverage, and Patrick's going to go over some of the ways you can leverage ADC today. I'll just give you this security update on what we're doing with WAF and firewall and SSL. We have a signature team, extended logging is in place as of 12.1 onwards, there's a PCI compliance check, and we've also recently been ICSA certified for the MPX platform, and that actually applies to all platforms. So a lot of new stuff here on WAF, firewall and general security. And we're also making headway on content inspection. So that's the process of sending traffic over to an IPS or IDS, for example, to inspect it for vulnerabilities or for violating traffic. There's inline device integration and port mirroring as well. So these are all things that are there right now, today.

But we're also excited to announce this. This was in the keynote, but you guys may have missed it. I'm very excited to announce that we're developing a bot management platform that's part of the Citrix ADC. So by bots we mean anything that's automated or scripted, right, and it can be a kid in his dorm with a Python script or it can be a nation-state sophisticated attack, right? It's a very wide range of capabilities. What a bot mitigation platform aims to do is to control unwanted automated traffic to websites. So features: device fingerprinting, over twenty-six hundred signatures, as well as the rate-based and behavior-based detections, which is coming out in Q3. And there's a little swirly animation to stay on. So with that I'll hand over to Patrick, cuz I think it's more valuable for you guys to hear from a road warrior who's done this for many years on how to implement the best security practices on ADC.

Thanks, Frank. All right, so back in 2006 I thought NetScalers were cool. And I don't know how many times I'm going to say NetScaler; it could be another drinking game for Synergy right now, so hopefully you just have water to rehydrate for your drive and fly home. But once I got in past the Gateway, I realized there was so much more it could do. It was
the Swiss Army knife of being able to secure things and make things more highly available. And of course MacGyver would have one, right? If he has a Swiss Army knife, that is his network Swiss Army knife. So first thing is: do you have an ADC? Yes? Let's get ready to rumble. If you don't, sad panda, right? It's a very powerful appliance. And if you don't have one and you have a Citrix deployment, you're definitely missing a lot of features, especially when it comes to security and availability. But if you do have one, it's: what version do you have? Right? So obviously we have Standard, Advanced and Premium, what used to be Platinum. So we like to change names to keep it exciting for all of us. But with Platinum you get all the goodies, right, and then something in between. Most people, even with Standard edition, you have denial-of-service protection. You should use it, right, and we'll kind of go into that. So let's eliminate these threats together and be happy about it, right, cuz it's going to be super fun.

So first thing. The Three Amigos of protection, kind of the core foundation of NetScaler security, is GeoIP. If I can eliminate a couple billion IP addresses with just a single checkbox, that's exactly reducing my attack surface by anywhere from 40 to 60%. Now, if you have people that are jet-setters, they're going all over the world, you're going to have to include other countries, and it could get kind of annoying, right, because it's a gigantic CSV file and you have to define IP ranges, and IP ranges are sold and bought and traded and they become this country, then that country. But at least you're trying to do something, right? A lot of things in security are not absolute. All we're trying to do is reduce risk, right? So we can reduce risk by doing this, and that will do it. Right.

So from there, this is kind of the process. So if you screenshot this, or even go to that CTX article, that is how you turn on GeoIP blocking, exactly. It is not a complicated process. It is five steps, and basically once you've imported it, it is assigning it. The most important thing to note on this, overarching every bit that we're talking about and all the cool things we want to turn on: I want you to go back to your home and I want you to right-click your Gateway, I want you to right-click your StoreFront, I want you to right-click something. I want you to copy it. I don't want you to do this to production; only make a new IP address that has these things turned on, and guess what? Test it, right? No one's going to know about this new VIP except you. So when we kind of go through this, this is basically what it looks like from the command line, where you can see how many records there are for that CSV, and we kind of step through this and we are entering these commands: we're making a responder policy, we can see what we want to name it, we're dropping by country, or dropping there. A lot of this stuff is up to you, and label the policy something that makes sense. Just say GeoIP, because most likely it's going to be a GeoIP: not this country, not that country, not that country, right, or just US. And then once you've actually made that responder policy, you go to Policy Manager, you can bind it to your test vserver, and then if it doesn't work, guess what, you can unbind it, right? These are not absolute things. This is the easy way for you to roll it out very safely and provide a lot of protection to your company, and then you just hit Bind and bada bing. Now if it comes from those IP ranges, it's not allowed to come to your site. What that allows, too, is it saves you a lot of bandwidth internally processing requests, a lot of CPU and RAM that's wasted doing bad requests for other deployments. So it's good. So obviously GeoIP databases, March 2018, that's how big it was there, and it's continually growing and shifting. If you really go down this road, you're probably going to want to get one of these subscriptions, and that way it's more up-to-date automatically, right, just like most things. And this is what it looks like right now.
It shows you which country, which IP start range, and then basically a sequential number. And then you can't talk about GeoIP without bad IPs, cuz there's good IPs all over the world and there's bad IPs everywhere else around. And then you can't have that without a bad reputation from Tay Tay, right? You got to respect her. So, you know, she does have a bad reputation, a big Reputation, right? So basically what this does is: we've already eliminated a couple billion IP addresses. Now we're going to eliminate a couple hundred million IP addresses. These are IP addresses that are on bot networks, anonymizers, Tor exit nodes, things that maybe you don't want your business users to be coming through on. So it's a good way to block, and it kind of comes in from Webroot. And basically it looks through that XML file and says, hey, you're shady, you're not allowed to connect, right? And so when we do this, this is yet another very simple thing, but you need to make sure your NetScaler can get to the Internet. So depending on if you've done a very good job firewalling your NSIPs, you're going to need to open up some stuff, right, and don't open up the Internet, just open it up to very specific DNS names, right? Which could get in the way in some cases, but it's a lot safer than just saying your NetScaler can get to the Internet. It's kind of the same thing; it's a very simple process. You turn on reputation, you click a box like this, this is literally how easy it is, and then we hit OK, and then we go back to that responder policy that we just made for GeoIP and we make one for bad IP. And we do the exact same thing: we're going to say "is malicious". We can also do many other filters, as you can see, so that we can just block certain types of sites that are malicious. You don't have to go all in and block all of them. You might not want that many in there.

So then, and now we've got GeoIP blocking and now we have bad IP blocking, and basically you can look here and you can see if you can get to it or not get to it, right. There's a couple command lines; the CTX article at the very beginning of this can actually talk about that. So now we've eliminated billions of IP addresses from talking to us, a couple hundred million more IP addresses from talking to us. And now what we want to do is fine-tune that with quality of service. We want to make sure that we know how big things are and how fast things can go. And there have been gigantic multi-terabit denial-of-service attacks, and a terrible denial of service is also a great way to knock the door down: you're dealing with the denial of service while there's a persistent attacker. Sometimes these things are very coordinated. They're not random, they're not by accident. When someone wants to spend a bunch of money to denial-of-service attack you, it's usually for a good reason for them. So let's think about how we need to put our brains around how to turn on AppQoE and denial-of-service protection.
Our Internet circuit is 1 gigabit, our ADC uplink is 10 gigabit; our external VIP DoS limit, what should it be? Maybe 0.75 gigs, maybe less than that. If your Internet is only 100 megs, your VIP should not be set to 10 gigs. Where does that make sense? Right? So let's go ahead and turn those down, and guess what, all of you, if you have a Citrix ADC, can do this. This isn't a Platinum feature; it's a very simple way to do it. And if we have an internal website, it's kind of the same thing. Even though that user might have a gigabit, or maybe 480 megabits cuz they're on 802.11, right, they're on Wi-Fi, maybe it needs to be even lower than that. Maybe it just needs to be a hundred megabits. This is where, if you don't have MAS installed, it's going to be kind of hard for you to do some of this. These are kind of the cheat sheet. You need to think about: what's the average number of users, especially if we're talking about Gateway, right, so we can limit things based on that. But then how many responses per second? This is where MAS comes in, where you can be able to look at your existing VIP and go, hey, I get about 7 million packets per second. Okay, maybe I'll make it ten million, because if it was 20 million, something really bad is going on, right? We just doubled our company size overnight, or someone is actually attacking us, right. Then from there, what's our throughput? What's our big throughput limits? So this is where you're going to look in MAS, or even on the NetScaler in the Analytics and Reporting chapter, you'll be able to see that, and that max amount of bandwidth, the number of clients. You can also limit things by the number of connections. If you know you only have 33,000 connections, don't allow 2.7 million, right? There's many default values, especially when it comes to the NetScaler, made for performance. So a lot of these counters are all at zero: maximum throttle, Scotty, right? Like we're going Warp 7. Let's not do this. MAS is ADM, if you don't know that; that's their Management and Analytics Service. And basically it is a sweet way to be able to visualize what's going on on your NetScaler. A picture's worth a thousand words and a graph is worth a thousand too, right? So when you see gigantic peaks and valleys, you can see real usage, and it's also a great way to correlate all your syslog. It's also a great way to back up all your NetScalers and get configuration to be able to restore it. So if you have more than one NetScaler and you have an HA pair, you should have MAS deployed.

And yeah, so net-net, you literally come in here and you can see those are the things you need to know before you start doing this. Make them really big and then start turning them down, right, make them safe. You don't want to cause an outage; this is why we're also doing this on a test VIP, we're not doing it on the production VIP. And guess what's cool about this: all we're doing so far is we're making three responder policies, and when we're done we go to production and we just apply one. Let it marinate for a week, apply the second, let it marinate for a week, apply the third one, let it marinate for weeks. We've eliminated over three billion IP addresses, 100 million bad IP addresses, and we've eliminated someone actually crashing the NetScaler or
that backend website, in just three responder policies. This is not high-tech, super, you know, hacker Matrix stuff here. Now, testing a denial of service. This can get kind of shady. If you're going to do this, these all work. This is what I use to test denial-of-service protection policies. Run it in a VM, run it sandboxed. Be careful where you put it on your network. This is very old software; it's shady, so treat it shady, right? But it's the only way you're going to make it tilt, right? There's other applications out there that can do it. There's ways you can custom-write PowerShell scripts, but these work like no problem, but you need to protect yourself. So danger, Will Robinson.

Dropping invalid packets is also another great way. These are just a couple commands that drop, literally, billions of IP packets a day from your appliance. It means it doesn't have to process them anymore. It does have to figure out, like, hey, where does this go? That goes to this VIP, that goes to this VIP. Drop things that are not right. If someone's sending you a malformed packet, it's for a reason, right? They're attempting to exploit you; they're attempting to turn the doorknob of your Access Gateway, your OWA site, your whatever, right? So you can block those. And then strict transport protocol. Someone's giving you some bogus HTTP traffic; we don't want that either. It's part of invalid packets, but we want to make sure we're processing things in a safe manner. And as we keep going through this, we're eliminating threats: every single one of these responder policies, and every time we hit and run in here, as you can see, some of these, the way you apply them is the same way. It's just a checkbox on a VIP. This is not something that takes days, weeks, months to do. Do it on a test VIP, right? Don't go running with scissors. And you can actually see, too, what's the maximum age, and if you can see that, that's like basically forever, is what that means to a NetScaler. That means it trusts it forever. So you can adjust that. And if you see here, this is where you should also be looking underneath Protocol. This is where you need to be paying attention to your SSL, right? TLS 1.0? I wouldn't think so. 1.1, maybe 1.2. Cuz we have 1.3, you want to be ready, right? So depending on where you're at in your Citrix Receiver life and Workspace app is how far you can go with that. SYN cookies are another great way to attack people, but the good thing is the NetScaler has a built-in protection policy and it just blocks them right off the bat. You guys can read that: Cookie Monster's not happy with a NetScaler, right? So it is what it is. So you look at it; it's just more stuff on how a SYN DoS works versus a regular denial of service.

And so probably, literally, the most powerful security feature that Citrix has when it comes to the ADC appliance is the WAF, the Citrix web application firewall. And so if you're not a network person or security person, you usually don't get to pick the applications; applications pick us, right? We don't cook it, we deserve it. And so when that happens, we need a web application firewall, and it's because it goes beyond just opening up port 80 and 443 like all the firewall guys do, and then that is done, but that means anything is literally allowed at port 80 and 443, right? So we want to eliminate that. And so anything that is high value, most likely, if it's behind your ADC, it is high value; most likely, if it's publishing Citrix, it's high value, business-critical, revenue-impacting, right? So almost everything could be determined for that. Eliminate those, but the key is, remember, it's before just allowing those ports up, and it only takes one security defect from any of your application portfolio to cause someone to be able to get in, right. And so this is where WAF really starts to shine. And this is like a more visual way to look at it: your regular firewall is only blocking just three layers of that model, and so, you know, restrictions are happening on what types of packets and protocols can come across. Their malformed packets, bad things, payloads, byte sizes, how big the packets are, what they can do, is just all unlimited. So when we put an ADC WAF in front of it, then we are expecting those things, and we are the man in the middle, so we can apply much more granular policies than that firewall can. And you paid good money for your ADC, so you definitely want to use that. So they're on their seventh generation of firewall. So depending, if you're over 200 gigabit throughput, so there's literally no reason for any of us mere mortals, other than maybe Google or
Apple, that need like 72 of these cuz they're doing like a couple terabit. There is an app firewall-capable appliance that's going to support your traffic, right? That's a good thing. And when we get to here, this is kind of how it works at this point. It has negative mode: I know what bad things are and I'm going to block bad things: cross-site scripting, certain types of injection, slow and fast attacks, and SYN attacks. And then positive: we put the thing in learning mode, right? So it's going to learn what good traffic is. This is where most people make mistakes: they don't give it all the traffic it needs. Someone did not go through the whole workflow of that application. Say it's a patient application; all we're doing is uploading insurance cards. We need the whole card to get uploaded. We need multiple times of people going through that application to see the good behavior, so the NetScaler knows that if someone sends me an XML file and it's 1024k, that's good, so anything bigger than that is no, right. So we combine those two, we get into hybrid. We're blocking the bad things and we're also, we only allow the good things. What this does is zero-day protection. It means that when something bad is attempted, it's completely dropped. And if we've listened, and we kind of pick up what we're doing, we've eliminated so many threats until this slide: billions of IP addresses can't even talk to this WAF appliance, right; hundreds of millions of bad IP addresses can't do it; millions and millions of requests that are not correct can't talk to it. And now, once it's here, we're the gatekeepers. So that is the good way, and most important right there: one does not simply turn this on without testing.

One thing: when you go down this WAF road, it is a journey and it's going to be a lifelong partner. So, you know, respect it accordingly, right, buy anniversary gifts, because one thing that's going to happen is you patch the system, the application that's behind there, and you may have to go back into learning mode, cuz the application can literally change. They change their packet sizes, they change their rates, they change the way they talk, they change the ports. So you're going to need to constantly test this, so you need to have a test VIP in front of your test application. Hopefully you have a test application. We're not just testing in prod, you know, with scissors, running around, playing with fire, right? So hopefully not. But WAF is just as easy to implement. Basically we turn it on, Phase 1, and we go on that VIP, and then we run the wizard and we keep testing it. And so as we keep going through this policy, those are the things that it's allowing us to do. The good thing about WAF: if you turn on logging, it doesn't block anything, and that way you can look through the logs and see what would have been blocked. If you've been to my session about application whitelisting and stuff like that, you want to turn on auditing mode first; you want to know what it would have blocked. You don't want to just turn this on and hope for the best, right? Living on a Prayer is a song, not a way to live, when you talk about this, right? So you can see these are all different types of known bad attacks and you basically check the box.

Multi-factor authentication. This is probably the best illustration I can show you of how important it is. When I do penetration testing, break into people's offices, externally, internally, in every
which way, I only need a username and password. If you just give me that, with no MFA, I literally just need one piece of information, and there's, like, 6 billion records on DeHashed.com and Have I Been Pwned that are easily searchable. So with that, if you just have MFA, maybe not the best MFA, right, cuz there's obviously varying levels, you need at least three to five things stolen, acquired from your target before you can attack. Now, is this completely infallible? No. Nothing in security is infallible. It just takes pressure and time. It only takes usually about two minutes for me to go past most MFA deployments, and it's just social engineering. It just takes a couple-minute phone call to talk to someone and say, hey, how's it going today? I see Frank's out. Have you been having problems with your token? No, my token's good. Well, Frank told me I needed to call, and he was really worried that you can't get in. Okay, well, can you help me out and just tell me what your token is real quick? Okay, perfect. Thank you. Have a great day. I'll let Frank know when he comes back from vacation. Done, just logged in, and they've defeated it, right? Why is that? Well, because the personal social media post exactly where they were, it was all updated and correlated with LinkedIn, so I can see the organization. I know who works there. I know who's in the same department, and with just that little piece of social information, I was able to exploit that. And so if you're not doing good social engineering and phishing training, this same thing will happen to you. There's been many attacks where MFA has been defeated by that.

So the way I like to do MFA is the opposite of most everyone that ever does MFA. Especially if you call Duo or Azure, you say, I'd like some MFA, they say, just give it to all the users. That is the exact opposite of what you want to do first. You want to start with IT. You guys need to be comfortable with it. You need to know what it does. You need to know how it works. Next we need to go to the CEOs. I know we don't like them; they don't like computers, but we have to do it. We want to go from the top down, right? We don't want to go from the bottom up. We want them to be there: who can transfer $800,000 on a Tuesday and it doesn't look anything out of the normal? The C-suite, people in finance, people in purchasing. Also don't forget their assistants and their secretaries; they can send millions and millions of dollars with just a single email, and that happens all the time. If anyone paid attention to some fake POs that went down for Google and Facebook, over 100 million dollars was transferred to the incorrect company because of an email. That's all it takes, right? Then we're going to go down to leadership. We want VPs, directors; we want everybody all the way down to the team leads, because if you're going to roll out some new technology, you want someone that can help be your champion, right? And they need to understand the importance of it. You can also just show the Google and Facebook story. We don't want to lose a hundred million dollars on a Tuesday because someone sent a bad email, right? We're trying to defend ourselves. And then once you have done that top-down, then it's time to get the rest. We don't need to boil the ocean. We want to do it at a gradual pace; make sure everyone's familiar with it, cuz it is an annoying process. If you work in the healthcare industry and people are in and out of systems all the time, or even banking and a teller, you're probably going to need to invest in some proximity cards. That means at least I have to have two or three things to log in as somebody, even without a prox card. It's not as vast as MFA, but it's at least something. And while we're talking about MFA, I don't recommend any SMS-based ones if you can help it, because there is a thing called SIM swapping, which means I can become your SIM number and then I'm getting the text with the 4-digit code to log in as you, right. So it just eliminates a lot of other things, so you've got to go in there. So if you don't have it enabled, definitely take a look at it. There's lots of good partners; I've seen kind of everywhere, and even think about one-time passwords and other things. Those are also great ways to prevent bots from attacking, right, and many other ways to add just one more layer of authentication, and some of these are completely free. We don't need to spend hundreds of millions of dollars to do this.

So ADC IPs, kind of foundational: make sure they're actually on a network that's secure, right. Make sure you're using HTTPS every single time you log into it, and make sure you replace that default certificate every single time.
You're doing your day-to-day IT life and you hit Accept, don't worry about it, Advanced, Accept, Allow exceptions. You just allowed a man-in-the-middle. That's what you just did. I can be in there with a Wi-Fi Pineapple, and you logged into vCenter, you logged into your Citrix ADC, I just got the cleartext password, right, and that's what happens very often. So you need to replace that default certificate, so that when that bar turns red, you run to the hills, because something is wrong. Someone is in the middle of your connection. You're never going to know it because you keep hitting accept, accept, accept, accept, every single day, probably 20 times a day. You've got a red bar and you've done all types of work and hopefully no one's in the middle, right? So make sure you bind it to LDAP. Still so many places don't use LDAP and they're still using nsroot. What does that mean? No one has any accountability when something bad happens. Who broke it? I don't know. Who approved it? Well, who knows. In a room full of 72 people, cool, all right, well, who wants to raise their hand? No one's going to raise their hand. All right, well, we'll just move on, right; it was just an outage, we just lost a couple million dollars, no big deal. So make sure you're binding it to Active Directory and then change that default password. People that are on SDXs are the worst offenders, I guess, because they made their one golden template and they make like three or four instances for this application, that application, and they have the same password: nsroot, nsroot. I've been in places that made billions of dollars and they had nsroot, nsroot on a very production, very dangerous VPX instance on an SDX, right. So change those passwords, and then make sure you're logging.

Who here even logs? There's just logs on their NetScalers. This is a good crowd, I like you guys. Usually it's like one person, and then one person that doesn't want to raise their hand cuz the hacker dude's talking about it, right. So you don't have to do that, it's kind of awkward, but you want to do this. If you don't log, you're never going to find out; you're never going to be able to do incident response. I've been in incident responses where they said, oh, we just got breached. We come in, we look at it, and we find out that the logs had just rolled off a week ago, because they had so much traffic, AAA debug, completely full, right. So get logs. There's free ways to do that; there's ELK and many other things. Obviously there's paid solutions, but hopefully that does it.

So we're kind of at the final countdown here. We went a little bit faster, which is good. And, you know, this is the final countdown, right, so final thoughts. Just like we talked about, layered security, defense in depth: start with GeoIP, then go to bad IP, then you go to AppQoE, then go to strict protocols, right, HSTS, work your way down. You're eliminating threats with every single checkbox, you're eliminating threats with every single policy. We're doing it on a test VIP; once we make sure it works, we promote that VIP into production, and we do it right. And if you can, use it, the WAF, but make sure you understand the relationship you're getting yourself into, right, as updates happen. I've seen lots of people have updates over the weekend and the whole site goes down, and that's because learning mode is blocking stuff because it's never seen it before. It's very, very common. And then make sure you're using MFA, pretty, pretty, pretty please, right, everywhere you can. Now, even if it just has to be admin; I know a lot of places, especially state, local, federal government and nonprofits and stuff like that, we can't afford to get all 75,000 users access to MFA. At least do IT, at least do the C-suite, at least do anyone that can move millions of dollars of money, right. Let's assess our users and apply the appropriate controls for them. Replace those default certificates. Don't allow exceptions anymore, right? There are guides after guides after guides of how to replace a default certificate for
everything that has a certificate. Use those. It can be annoying. What I suggest is make sure it's three to five years, so you don't have to do it for that long. Put it on your calendar: one month before, replace the certificate, right. Now maybe you're not there in five years, but, you know, you tried, right. So there's lots of features, there's lots of things ADC is adding, and so, you know, the most important thing for us is, make sure, if you like kind of technical deep, there's a lot deeper we could go. This was a high level of all the major features, and we didn't really even get into some of the access control and analytics and all the other things that go on. So if you liked this kind of session, make sure you do your survey, tweet it out, and if there's any questions, we've got plenty of time. And if you are not from America and you've never had a Goo Goo Cluster, there's a pile of them up here. They can change your life: they're chocolate-coated and marshmallow goodness with some caramel and pecans. They're amazing. And if you like stickers, I have two sizes. If you like me a little bit, there's little stickers, and if you like me a lot, there's big stickers, right, though, depending on whichever way. Frank, you got anything else?

I think you can keep your NetScaler brain turned on. These are the remaining ADC presentations that you guys can go to, and you can also visit the booths; there's a lot of great demonstrations of Citrix technology down there, and I'm definitely excited about a lot of the bot network stuff. If you're not familiar, you know, part of that bad IP, the bot network really dovetails into that. And so when that feature comes, that's going to be more protection, so it's going to eliminate millions and millions of IP addresses from being able to talk to you also. So if y'all have any other questions, let us know. We'll be up here, and y'all have a great day. Thank you. Thank you.
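The layered design the talk walks through (GeoIP drop first, then bad-IP reputation, then a per-client ceiling, all tried on a test VIP in log-only mode before promotion) as an added Python model. This is illustration code written for this page, not Citrix ADC configuration or the speakers' material; the range table, reputation feed, policy names and thresholds are all constructed.

```python
"""Model of three responder-style policies evaluated in bind priority order:
GeoIP deny, bad-IP reputation, then a per-client request ceiling. Added
illustration only; nothing here is Citrix ADC code or configuration."""
import bisect
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed GeoIP range table: start, end, ISO country code.
# A real deployment imports the vendor CSV into the ADC location database.
GEOIP_CSV = """start,end,country
192.0.2.0,192.0.2.255,US
198.51.100.0,198.51.100.127,DE
198.51.100.128,198.51.100.255,XX
"""

# Constructed reputation feed: source address -> threat categories.
IPREP_FEED = {
    "192.0.2.77": {"TOR_PROXY"},
    "192.0.2.80": {"BOTNETS", "SPAM_SOURCES"},
}


class GeoTable:
    """Non-overlapping IP ranges sorted by start; lookup is a binary search."""

    def __init__(self, csv_text):
        rows = list(csv.DictReader(io.StringIO(csv_text)))
        rows.sort(key=lambda r: int(ipaddress.ip_address(r["start"])))
        self.starts = [int(ipaddress.ip_address(r["start"])) for r in rows]
        self.ends = [int(ipaddress.ip_address(r["end"])) for r in rows]
        self.countries = [r["country"] for r in rows]

    def country(self, ip):
        """Country code for ip, or None when no range covers it."""
        n = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and n <= self.ends[i]:
            return self.countries[i]
        return None


class Gatekeeper:
    """Three policies checked in priority order; the first hit wins.

    audit_only mirrors "turn on logging first": matches are recorded as LOG
    and the request is still allowed, so would-be blocks can be reviewed on a
    test VIP before the policies are promoted to production."""

    def __init__(self, geo, iprep, allowed_countries, blocked_categories,
                 max_requests, audit_only=False):
        self.geo = geo
        self.iprep = iprep
        self.allowed_countries = set(allowed_countries)
        self.blocked_categories = set(blocked_categories)
        self.max_requests = max_requests   # per client, per rate window
        self.audit_only = audit_only
        self.counts = defaultdict(int)
        self.log = []

    def new_window(self):
        """Reset the per-client counters (call once per rate window)."""
        self.counts.clear()

    def evaluate(self, client_ip):
        """Return (action, policy, reason); action is 'DROP' or 'ALLOW'."""
        # Priority 100: GeoIP. An address in no known range fails open here;
        # the reputation and rate policies below still apply to it.
        country = self.geo.country(client_ip)
        if country is not None and country not in self.allowed_countries:
            return self._decide("rsp_geoip", "country=" + country)
        # Priority 200: only the reputation categories the operator chose.
        hits = self.iprep.get(client_ip, set()) & self.blocked_categories
        if hits:
            return self._decide("rsp_badip",
                                "categories=" + ",".join(sorted(hits)))
        # Priority 300: per-client ceiling, the AppQoE-style limit.
        self.counts[client_ip] += 1
        if self.counts[client_ip] > self.max_requests:
            return self._decide("rsp_ratelimit",
                                "requests=%d" % self.counts[client_ip])
        return ("ALLOW", None, "")

    def _decide(self, policy, reason):
        entry = ("LOG" if self.audit_only else "DROP", policy, reason)
        self.log.append(entry)
        if self.audit_only:
            return ("ALLOW", policy, reason)
        return entry


if __name__ == "__main__":
    gk = Gatekeeper(GeoTable(GEOIP_CSV), IPREP_FEED,
                    allowed_countries={"US", "DE"},
                    blocked_categories={"TOR_PROXY", "BOTNETS"},
                    max_requests=3)
    for ip in ["198.51.100.200", "192.0.2.77", "192.0.2.10",
               "192.0.2.10", "192.0.2.10", "192.0.2.10"]:
        print(ip, gk.evaluate(ip))
```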