
    Take a proactive approach to CVE-related security for your NetScaler ADC

    Submitted November 8, 2021

    Author: Marissa Schmidt


    This blog post was co-authored by Sanyukta Nadkarni, Senior Product Manager at Citrix.

    Did you know there’s an attack by a hacker every 39 seconds and that hackers steal 75 data records every second?

    No matter how good software developers are and how carefully they follow security guidelines to ensure their code is solid, there will always be hackers who are trying to break in. It’s critical for organizations to be proactive with their infrastructure by keeping it up to date and making sure security is layered throughout all the environments where traffic flows.

    What does it mean to be proactive with NetScaler ADC?

    NetScaler Application Delivery Management (ADM) service helps manage and monitor NetScaler ADC and NetScaler Gateway instances. This service receives telemetry data from all managed ADC instances across all your environments and collates it centrally. It also analyzes the traffic passing through the managed ADCs and can tell what’s happening to the applications that sit behind them.

    Recently, we added security advisory features to NetScaler ADM service. These features highlight NetScaler CVEs that may put your ADC instances at risk and recommend mitigations/remediation.

    By default, NetScaler ADM scans your NetScaler ADC systems once a week, and you can start an on-demand scan whenever you need to assess the current security posture. This is especially useful after you’ve applied remediation, so you can check that your security fixes are up to date.

    NetScaler ADM also supports an ADC configuration scan for CVE vulnerability assessments. In some cases, a CVE may require both an upgrade of your NetScaler ADCs and configuration changes. The CVE remediation workflow in NetScaler ADM shows where an ADC needs an upgrade, along with the recommended configuration changes.

    As Figure 1 below shows, the NetScaler ADM service maintains a repository of all the CVEs that affect NetScaler ADCs. The repository is updated automatically with new items once they are announced in NetScaler security bulletins. The CVE repository tab in the NetScaler ADM service GUI gives a detailed view of all the ADC-related CVEs announced by NetScaler since December 2019. From here, you can see which CVEs fall under the security advisory scope and get more details about the remediation and mitigation of each.

    Figure 1

    After the ADM service scans through your managed ADC instances, it will highlight the CVEs to which your ADC instances are vulnerable and also highlight the remediation.

    Figure 2 below shows the Current CVEs tab, which highlights the impact of all the CVEs on your infrastructure, lists all the vulnerable ADC instances, and suggests suitable remediation. Use this information to review and follow the remediation workflow suggested in the “remediation” column to fix the security risks. The remediation workflow is either a one-step remediation, requiring only an upgrade of the ADC firmware image, or a two-step remediation, requiring an upgrade and a config job execution.

    Figure 2

    Figure 3 shows how easy it is to take action. You can select one or more CVEs and click on View affected instances to see which ADC instances are vulnerable to the selected CVEs.

    Figure 3

    Now that you know which ADCs are affected, you can select one or more ADC instances, click Proceed to upgrade workflow, as shown in Figure 4, and initiate the remediation upgrade.

    Figure 4

    Depending on the remediation steps suggested for the specific CVE, you might need to complete the additional step related to configuration job execution on the vulnerable ADC instance(s).

    Leveraging the new security advisory features in NetScaler ADM service will not only help you be more proactive with the security posture in your infrastructure, but will also give you peace of mind that you have the latest protection from attacks.

    Check out our ADC best practice guide for security for additional guidance on strengthening your security. Learn more about NetScaler ADM’s security advisory features in our documentation.

    If you’re not using NetScaler ADM service yet, check out this documentation to get started. With a NetScaler ADM service Express account, you don’t need an additional license. Learn more about the NetScaler ADM Service Express account.
