Introduction to best practices for Citrix ADC MPX, VPX, and SDX security

A Citrix ADC MPX appliance is an application delivery controller that accelerates websites, provides L4-L7 traffic management, offers an integrated Citrix Web App Firewall, and offloads servers. A Citrix ADC VPX instance is a virtual appliance that has all the features of a Citrix ADC MPX appliance, runs on standard servers, and provides higher availability for web applications, including Citrix XenDesktop and XenApp. A Citrix ADC SDX appliance provides advanced virtualization, combining the flexibility of VPX with the performance of MPX. Using MPX, VPX, and SDX, an organization can deploy a flex or true-multitenancy solution that optimizes its web-application delivery infrastructure by separating high-volume shared network services from processor-intensive, application-specific services. A Citrix ADC appliance also provides seamless integration with Citrix OpenCloud Access, which can extend the data center with the power of the cloud.

To maintain security through the deployment lifecycle, Citrix recommends reviewing the considerations for the following areas:

  • Physical Security
  • Appliance Security
  • Network Security
  • Administration and Management

Different deployments might require different security considerations. This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.

Important:

Starting from software version release 12.1, NetScaler is rebranded to Citrix ADC. For more information, see https://www.citrix.com/about/citrix-product-guide/.

Deployment guidelines

When deploying a Citrix ADC, consider the following physical and appliance security best practices:

Physical security best practices

Deploy the Citrix ADC appliance in a secure location

The Citrix ADC appliances must be deployed in a secure location with sufficient physical access controls to protect the appliances from unauthorized access. At the minimum, access to the server room must be controlled with a lock, electronic card reader, or other similar physical methods.

Other measures can include the use of an electronic surveillance system, for example CCTV, to continuously monitor the activity of the room. In the event of an unauthorized intrusion, the output from this system must notify security personnel. If there is CCTV, the recorded footage is available for audit purposes.

Secure access to the appliance front panel and console port

The Citrix ADC appliance or VPX hosting server must be deployed in a rack or cage that can be locked with a suitable key, or other physical methods. The locking prevents access to the physical ports of the Citrix ADC appliance or, in a VPX deployment, the virtualization host console.

Power supply protection

The Citrix ADC appliance (or hosting server) must be protected with a suitable uninterruptible power supply. In the event of a power outage, the uninterruptible power supply ensures continued operation of the appliance, or allows a controlled shutdown of physical or virtual Citrix ADCs. The use of an uninterruptible power supply also aids in the protection against power spikes.

Cryptographic key protection

If extra protection is required for the cryptographic keys in your deployment, consider the use of a FIPS 140-2 Level 2 compliant appliance. The FIPS platform uses a hardware security module to protect critical cryptographic keys in the appliance from unauthorized access.

Citrix ADC appliance security best practice

Perform appliance software updates

Citrix strongly recommends that, before deployment, customers ensure that their appliances have been updated with the latest firmware versions. When carried out remotely, Citrix recommends that customers use a secure protocol, such as SFTP or HTTPS, to upgrade the appliance.

Customers are also advised to review security bulletins that relate to their Citrix products. For information on new and updated security bulletins, see the Citrix Security Bulletins webpage https://support.citrix.com/securitybulletins and consider signing up for alerts for new and updated bulletins https://support.citrix.com/user/alerts.

Secure the operating system of servers hosting a Citrix ADC VPX appliance

A Citrix ADC VPX appliance can run either as a virtual appliance on a standard virtualization server or as a virtual appliance on a Citrix ADC SDX.

In addition to applying normal physical security procedures, you must protect access to the virtualization host with role-based access control and strong password management. Also, the server must be updated with the latest security patches for the operating system when they become available, and up-to-date antivirus software must be deployed on the server, if applicable to the type of virtualization. Customers using the Citrix ADC SDX platform to host Citrix ADC VPX must ensure that they are using the latest firmware version for their Citrix ADC SDX.

Reset the Citrix ADC lights out management (LOM)

Citrix recommends that, before configuring the LOM for use in a production deployment, you perform a factory reset of the LOM to restore the default settings.

  1. At the Citrix ADC shell prompt, run the following command:

    >ipmitool raw 0x30 0x41 0x1
