Mastering NetScaler Console: Zero to hero in 31days - Day 7

Security Advisor

Hello, my name is Andrew and I tend to get a lot of questions about NetScaler Console. The purpose of this series is to offer some pointers on what it is, what it can offer and why you should take some notice. This is the seventh post in a set which is designed to cover the top topics that will get you trained up.

Knowledge is power, right? ????????

31 days seems an arbitrary number. Naturally, I need to complete this before you all head off on holiday!

Today is all about NetScaler Console Security advisor.

How does this normally come up?

I spoke with Customer X, we talked at length about the various NetScaler’s they will be deploying. During the discussion, I typically ask something like this:

As you have a few NetScaler’s in this setup, what tools do you have to help with the management of the firmware versions that the instances are running in this design? Especially, when there is a CVE that needs addressing…

The answer is NetScaler Console. The next question might require a focus on the options to track specific versions on specific appliances across an estate, and how to manage that. This piece will show you how that can be achieved with NetScaler Console, whichever flavour you have( on-premises or service).

Who would be interested in this?

Any Network Admin with multiple NetScaler’s deployed, or any customer looking at the new Universal hybrid Multi-cloud (UHMC from now on) offering from Cloud Software Group.

UHMC needs NetScaler Console to provide the licensing function to the NetScaler appliances. It is not optional, it's a requirement. One of the big benefits of UHMC is that customers can take a look outside the Citrix bubble and maybe look at new use cases for NetScaler.

Mastering sounds 'heavy'?

Ultimately, this is Linkedin, who would be crazy enough to write technical content on this platform??

What are the key tasks I need to keep tabs on?

The last few posts have covered Infrastructure management, this post is designed to help a NetScaler admin when a security vulnerability drops in NetScaler Firmware. When that happens things get ‘busy’, as there are key things you need to get to grips with quickly to get to a good position.

What are those steps then?

1. What versions have we got deployed?
2. How many on that specific build?
3. What are the details of the vulnerability?
4. Are we actually effected?
5. How do we get from where we are?

That seems like a lot to find out, but there is a module on the NetScaler Console specifically designed to help with all of this.

Does the NetScaler Deployment effect my options?

It used to be the case that Security Advisory was only available in the NetScaler Console Service. Last December a new release included the option to do Security Advisor for on-prem deployments too. So there are no excuses.

To cover questions 1-5 - What do I have deployed & what is the risk from CVE x?

I have used Security Advisor and it has scanned my three NetScaler appliances and it has said that I have a low risk CVE to address.

The output of this is, I can do a firmware update to fix it, or potentially deploy a config job to change my appliance setup. This is significant, not all ‘fixes’ need a new software. Naturally, different engineers might have set things up differently, this will pull that out. There was a issue with a CVE on another system recently, it was fixed with just a simple setting of MaxClients in the ns.conf.

The other point from this appliance scan is that we now have sight of the level of risk from the scan. Captain security can make a call on how quickly this needs to be addressed based on a few factors.

File Integrity monitoring

One of the other issues with CVE’s can be that there have been ‘changes’ in the files system, Console can check for that too. It will flag new files and those that have been changed or added

In my case, I have a mix of the two. It tells me what has been modified and the file name and location. It looks like this:

Scan log and CVE repo

The scan log is self explanatory, it can scan for CVE’s or file system changes. Naturally, you can do both also. The last item is the CVE repository, this shows all the CVE’s and their severity with direct links to the type of issues and what is needed to fix it.

If it is not clear, here is a scenario.

Bob and Alice have been using NetScaler Console Service in the scenarios for the last few days.?

Alice wants Acme to have view of what Bob has setup on his appliances, does he have the same level of security as the setup in the US?

She could ask Bob, but if Bob is out (Florida Keys were calling his name), she can quickly check herself.

Alice confirms that there are some that need a config update and schedules the necessary work with Console.?Happy days, as this allows Bob and Alice to focus time on other tasks that are important to Acme.

The Call to Action

Let me know if this piece raises any questions/comments, drop them into the space below. I will endeavour to answer directly or update the post to better address the question(s).

Summary

Buckle up. The NetScaler Console is the best tool for many different jobs when working in conjunction with the NetScaler Appliance. They are the perfect tag team. ??. The NetScaler Console can offer a one-stop shop to see all your appliances from one place, and track which of those need CVE’s addressed and potentially which you can leave alone.

Let me show you how to make the most of it!

Have a good one.