+ All Categories
Home > Technology > Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

Date post: 15-Jan-2015
Category:

Technology
Upload: david-mcgeough
View: 1,273 times
Download: 4 times
Download Report this document
Share this document with a friend
Description:
This session will cover some of the industry-standard OWASP Top 10, a list describing the most prevalent security attacks on production environments. We will cover the Citrix NetScaler appliance and its role in shutting down these common vulnerabilities, and how to effectively do so through the use of the Application Firewall and protection features. What you will learn - How to protect against security attacks with Application Firewall - How to reinforce your environment through NetScaler protection features - How to simulate a vulnerable web server environment for testing
Popular Tags:
http header xcitrix
storefront configuration
storefront settings
ip storefront
deployments of storefront
authentication netscaler
callback fqdn storefront
netscaler gateway step
61
How To Troubleshoot Deployments of StoreFront and NetScaler Gateway Citrix Synergy, May 2014 Juan Zevallos, Escalation Engineer Tweet about this session with hashtag #SYN401 and #citrixsynergy
Transcript
Page 1: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

How To Troubleshoot Deployments of StoreFront and NetScaler Gateway

Citrix Synergy, May 2014

Juan Zevallos, Escalation Engineer

Tweet about this session with hashtag #SYN401 and #citrixsynergy

Page 2: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.2

Prevent issues during configuration

Narrow down the issue

Tools to troubleshoot the issue

Agenda

DISCLAIMER: Examples used in this presentation are from a test internal lab environment and is not affiliated with any outside entities

Page 3: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.3

“” Alexander Graham Bell

“Before anything else, preparation is the key to success.”

Page 4: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

StoreFront Configuration3 steps

Page 5: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.5

Enable Pass-through from NetScaler GatewayStep 1

Page 6: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.6

Add the GatewayStep 2

Page 7: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.7

Add the GatewayStep 2

Page 8: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.8

Enable Remote AccessStep 3

Page 9: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.9

What is the Discovery file?

Automatically configure the Store Account into Receiver – receiverconfig.cr

Page 10: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.10

How Do I Access the Discovery file?

Receiver for Web site StoreFront management console

Page 11: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.11

What’s in a Discovery file?

Page 12: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.12

StoreFront’s BaseURL

Page 13: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

NetScaler Gateway ConfigurationQuick Configuration Wizard

Page 14: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.14

How To Access the Wizard?

Page 15: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.15

Create the Gateway

Page 16: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.16

Bind SSL Certificate

Page 17: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.17

Select the Authentication Settings

Page 18: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.18

Configure StoreFront Settings

Page 19: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.19

“” Coco Chanel

“Success is often achieved by those who don’t know that failure is inevitable.”

Page 20: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.20

Understanding the Flow

StoreFront

NetScaler

INTERNET INTERNAL NETWORKDMZ

443443/80

443

XenAppXenDesktop

Active Directory

389/636

ICA 1494/2598STA 80/8080

ICA

443

Page 21: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.21

Authenticating the End User

NetScaler

443

Active Directory

389/636

INTERNET INTERNAL NETWORKDMZ

Page 22: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.22

Failed to Authenticate

Page 23: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.23

Common Reasons for Authentication to Fail

Communication issue from NSIP or SNIP to the Domain Controller

Bad Service Account used for LDAP Bind

Misconfigured Base DN

Invalid credentials

Page 24: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.24

Troubleshoot Authentication with Aaad.debughttp://support.citrix.com/article/CTX114999

> shell

Run the following command to change to the /tmp directory:cd /tmp

Run the following command to start the debugging process:cat aaad.debug

Page 25: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.25

Troubleshoot Authentication with Aaad.debughttp://support.citrix.com/article/CTX114999

start_ldap_auth attempting to auth juanz @ 10.12.33.216

recieve_ldap_bind_event receive ldap bind event

recieve_ldap_user_search_event built group string for juanz of:Domain Admins

send_reject sending reject to kernel for : juanz

Page 26: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.26

Internal Server Error 29

Page 27: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.27

Accessing StoreFront After Authentication

NetScaler

443

Active Directory

389/636

INTERNET INTERNAL NETWORKDMZ

StoreFront443/80

Page 28: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.28

Receiver for Web vs Receiver Session Policy

Receiver Session Policy

Receiver for Web Session Policy

Page 29: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.29

How To See Policy Hitshttp://support.citrix.com/article/CTX138840

> shell

 

Run the following command to start viewing Policy hitsNsconmsg -d current -g pol_hits

Page 30: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.30

How To See Policy Hitshttp://support.citrix.com/article/CTX138840

1 7001 30 1 0 pol_hits Policy(192.168.2.10_LDAP_pol)

3 0 28 1 0 pol_hits Policy(PL_WB_192.168.200.10)

Page 31: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.31

Priority of Policies

The numerical priority takes precedence regardless of where the policy is bound. 

Priority Order

User (highest priority)

Group

Virtual Server

Global (lowest priority)

Priority Number

Page 32: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.32

Policy for the Web Browser

Page 33: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.33

Accessing StoreFront After Authentication

NetScaler

443

Active Directory

389/636

INTERNET INTERNAL NETWORKDMZ

StoreFront443/80

443

Page 34: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.34

Gateway logon page

StoreFront logon page

Page 35: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.35

Remote Access is NOT Enabled

Page 36: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.36

How Single Sign-On is Invoked on StoreFront

Page 37: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.37

HTTP Header X-Citrix-ViaEnable StoreFront Verbose Logging - CTX139592

Page 38: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.38

Cannot Complete Your Request

Page 39: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.39

How Callback Can Fail

StoreFront cannot resolve the Callback FQDN

StoreFront does not have network connectivity to the Gateway virtual server Port or IP

StoreFront does not trust the Gateway virtual server SSL Certificate

Page 40: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.40

Verify the Certificate Chainhttp://digicert.com/help

Page 41: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.41

StoreFront Callback URL Dilemma

NetScaler 1ag1.webteam.com

NetScaler 2ag1.webteam.com

StoreFront

? ?

Page 42: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.42

Configuring StoreFront with Multiple GatewaysAn example of two Gateways configured with the same URL but unique Callback URLs

NetScaler 1 NetScaler 2

192.168.200.10 192.168.200.11

https://callback1.webteam.com https://callback2.webteam.com

Page 43: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.43

DebugView and HTTP Headers

Page 44: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.44

A New Header: X-Citrix-Via-VIP

https://callback1.webteam.com

X-Citrix-Via-VIP 192.168.200.10

X-Citrix-Via-VIP 192.168.200.11

https://callback2.webteam.com

NetScaler 1ag1.webteam.com

NetScaler 2ag1.webteam.com

StoreFront

Page 45: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.45

DebugView and Callback Service

Page 46: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.46

Apps Enumerated

Page 47: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.47

Accessing StoreFront After Authentication

NetScaler

443

Active Directory

389/636

INTERNET INTERNAL NETWORKDMZ

StoreFront443/80

443

STA 80/8080

443ICA

XenAppXenDesktop

Page 48: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.48

DebugView and STA Ticket Request

Page 49: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.49

DebugView and STA Ticket Response

STA ID

STA Ticket

Page 50: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.50

Analyze the Default.ica Values

40 = Port 259810 = Port 1494 STA ID STA Ticket

Page 51: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.51

NetScaler Gateway and STA

STA ID

UP State

Page 52: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.52

NetScaler Trace and STA

> shell

nstcpdump.sh -A host <IP address or FQDN> and port <port number>

Page 53: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.53

NetScaler Request STA Ticket

<RequestData>

<Ticket ticketType="STAv4">

5F9EC00DA0ED19CCA447DEFDA802765A

</Ticket>

<TicketVersion>40</TicketVersion>

</RequestData>

Page 54: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.54

NetScaler Response STA Ticket

<TicketData>

<Value name="Refreshable">false</Value>

<Value name=… ServerAddress;192.168.2.28:1494…;UserName;juanz;… UserDomain;webteam;…ApplicationName;Calculater…</Value>

<Value name="CGPAddress">192.168.2.28:2598:localhost:1494</Value>

<Value name="ICAAddress">192.168.2.28:1494</Value>

</TicketData>

Page 55: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.55

Accessing StoreFront After Authentication

NetScaler

443

Active Directory

389/636

INTERNET INTERNAL NETWORKDMZ

StoreFront443/80

443

ICA 1494/2598

443ICA

XenAppXenDesktop

Page 56: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.56

Communication from NetScaler to 1494/2598

Page 57: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.57

What About Receiver?Supported Platforms

Windows 7/8/RT/Phone

Mac

Linux

Blackberry

Android

iOS

Page 58: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.58

Common issues for Receiver

The StoreFront Store is inaccessible (internally)

Misconfigured StoreFront BaseURL in Session Profile for Receiver

Internal Beacon is reachable externally

Customizations on the Gateway logon page

iOS Receiver does not support SHA256 SSL Certificates

Android does not support SAN SSL Certificates

Enable Windows Receiver logging – CTX134101

http://support.citrix.com/article/CTX134101
Page 59: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.59

Resources

How To Configure NetScaler Gateway with StoreFront – CTX139963

SSL Certificate Tester – Digicert Tool

How To Troubleshoot Authentication on NetScaler - CTX114999

How To Verify Policy Hits on NetScaler - CTX138840

How To Enable Verbose Tracing/DebugView on StoreFront - CTX139592

How To Enable STA Logging on XenApp - CTX120589

How To Capture nstrace from NetScaler CLI - CTX120941

http://support.citrix.com/article/CTX139963
http://digicert.com/help
http://digicert.com/help
http://support.citrix.com/article/CTX114999
http://support.citrix.com/article/CTX138840
http://support.citrix.com/article/CTX139592
http://support.citrix.com/article/CTX120589
http://support.citrix.com/article/CTX120941
Page 60: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.60

Before you leave…

Conference surveys are available online at www.citrixsynergy.com starting Thursday, May 8 at 9:00 a.m. • Provide your feedback by 6:00 p.m. that day to be entered to win one of many prizes

Download presentations starting Monday, May 19 from the My Event Planning tool

http://www.citrixsynergy.com/
Page 61: Citrix TechEdge 2014 - How to Protect Against the Top 10 Web Security Issues with NetScaler

© 2014 Citrix. Confidential.61

WORK BETTER. LIVE BETTER.


Recommended
Advanced Troubleshooting of Citrix NetScaler

Advanced Troubleshooting of Citrix NetScaler

Documents

Citrix Hybrid Cloud - IT Conferencesitconferences.net/wp-content/uploads/2016/11/Citrix-Hybrid-Cloud.pdf · Citrix Hybrid Cloud ... NetScaler NetScaler ADC NetScaler SD WAN Xen Family

Citrix Hybrid Cloud - IT Conferencesitconferences.net/wp-content/uploads/2016/11/Citrix-Hybrid-Cloud.pdf · Citrix Hybrid Cloud ... NetScaler NetScaler ADC NetScaler SD WAN Xen Family

Documents

Citrix NetScaler Application Firewall - Insight · Citrix NetScaler Application Firewall Datasheet citrix.com Citrix NetScaler Application Firewall Delivers PCI-DSS v.1.2 (section

Citrix NetScaler Application Firewall - Insight · Citrix NetScaler Application Firewall Datasheet citrix.com Citrix NetScaler Application Firewall Delivers PCI-DSS v.1.2 (section

Documents

Citrix NetScaler 1000V ReleaseNotes...Citrix NetScaler 1000V ReleaseNotes Citrix NetScaler 11. - . 1 First Published: 201 -0 - THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS

Citrix NetScaler 1000V ReleaseNotes...Citrix NetScaler 1000V ReleaseNotes Citrix NetScaler 11. - . 1 First Published: 201 -0 - THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS

Documents

Customize citrix web interface | Citrix NetScaler Access Gateway

Customize citrix web interface | Citrix NetScaler Access Gateway

Technology

Citrix TechEdge 2014 - Citrix Group Policy Troubleshooting for XenApp and XenDesktop

Citrix TechEdge 2014 - Citrix Group Policy Troubleshooting for XenApp and XenDesktop

Technology

Citrix TechEdge 2014 - Advanced Tools and Techniques for Troubleshooting NetScaler Appliances

Citrix TechEdge 2014 - Advanced Tools and Techniques for Troubleshooting NetScaler Appliances

Technology

Citrix NetScaler 1000V Release Notes, Release 10 · Citrix NetScaler 1000V Release Notes Citrix NetScaler 10.1 April 10, 2015. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS

Citrix NetScaler 1000V Release Notes, Release 10 · Citrix NetScaler 1000V Release Notes Citrix NetScaler 10.1 April 10, 2015. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS

Documents

Citrix NetScaler 1000V Command Reference · citrix netscaler 1000v command reference citrix netscaler 10.1 october 3, 2013. the specifications and information regarding the products

Citrix NetScaler 1000V Command Reference · citrix netscaler 1000v command reference citrix netscaler 10.1 october 3, 2013. the specifications and information regarding the products

Documents

8 reasons why Citrix NetScaler beats F5 · PDF file8 reasons why Citrix NetScaler beats F5. 2 Citrix NetScaler White Paper Executive summary Application delivery controllers (ADC)

8 reasons why Citrix NetScaler beats F5 · PDF file8 reasons why Citrix NetScaler beats F5. 2 Citrix NetScaler White Paper Executive summary Application delivery controllers (ADC)

Documents

NetScaler 10 Getting Started with VPX - Citrix.com · Getting Started with Citrix NetScaler VPX 6. 7 Citrix NetScaler Virtual Appliance Overview The NetScaler virtual appliance product

NetScaler 10 Getting Started with VPX - Citrix.com · Getting Started with Citrix NetScaler VPX 6. 7 Citrix NetScaler Virtual Appliance Overview The NetScaler virtual appliance product

Documents

CNS-205 Citrix NetScaler 10.5 Essentials and Networking · 2016. 7. 22. · CNS-205 Citrix NetScaler 10.5 Essentials and Networking Course Overview The objective of the Citrix NetScaler

CNS-205 Citrix NetScaler 10.5 Essentials and Networking · 2016. 7. 22. · CNS-205 Citrix NetScaler 10.5 Essentials and Networking Course Overview The objective of the Citrix NetScaler

Documents

Citrix NetScaler – A foundation for next-generation ...citrix-download.com/EMEA/NetScaler_Security_0513/UK_WP_Next... · Citrix NetScaler, the best application delivery controller

Citrix NetScaler – A foundation for next-generation ...citrix-download.com/EMEA/NetScaler_Security_0513/UK_WP_Next... · Citrix NetScaler, the best application delivery controller

Documents

Citrix NetScaler 1000V Release Notes, Release 10.5-61 · Citrix NetScaler 1000V Release Notes Citrix NetScaler 10.5-61.11 First Published: 2016-02-18. THE SPECIFICATIONS AND INFORMATION

Citrix NetScaler 1000V Release Notes, Release 10.5-61 · Citrix NetScaler 1000V Release Notes Citrix NetScaler 10.5-61.11 First Published: 2016-02-18. THE SPECIFICATIONS AND INFORMATION

Documents

Integrating PingFederate with Citrix NetScaler as SAML SP · Citrix NetScaler as SAML SP ... Integrating PingFederate with Citrix NetScaler as SAML SP ... PingFederate by enabling

Integrating PingFederate with Citrix NetScaler as SAML SP · Citrix NetScaler as SAML SP ... Integrating PingFederate with Citrix NetScaler as SAML SP ... PingFederate by enabling

Documents

Citrix NetScaler - NDM Technologies · Citrix NetScaler Datasheet citrix.com Citrix NetScaler Make web applications run five times better. Citrix® NetScaler® is a web application

Citrix NetScaler - NDM Technologies · Citrix NetScaler Datasheet citrix.com Citrix NetScaler Make web applications run five times better. Citrix® NetScaler® is a web application

Documents

Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway

Citrix TechEdge 2014 - How to Troubleshoot Deployments of StoreFront and NetScaler Gateway

Technology

Citrix Netscaler

Citrix Netscaler

Documents