Secure Citrix ADC Gateway and Web Services using Geo IP


Continuing down the ethical hacking journey I was recently asked to provide a geographical security baseline to a Citrix ADC setup. The request was something flexible enough to provide security quickly and easily but also something that was simple to manage.

I have known about using the Geo IP Database on Citrix ADCs for a while, but when I was asked about this there were a couple of requests:

  • Have the ability to globally lock out certain regions from ANY service that resides on the ADC
  • Have a more granular control of specific services that are running on the ADC
  • Have the ability to quickly lock out a region from accessing ALL or INDIVIDUAL services immediately

The rest of this post will address how to achieve this on a Citrix ADC as well as walking you through configuring this for use within your own environment.

NOTE: If licensed I would put this in as a default setting even with ALL regions allowed. This means that the framework would already be in place for you to quickly and easily lock out regions should your security team request it from you.

First, let's cover the technologies we will be using to achieve this:

Geo IP Database

I will start with this as this is fundamental to the remaining policies working correctly.

NOTE: Starting from Citrix ADC 11 and up, the firmware you deploy comes with a built-in Geo IP database. This makes deploying this far easier as you no longer need to convert and import your database.

Navigate to AppExpert -> Location -> Static Databases and click Add

Then navigate to /var/netscaler/inbuilt_db


Here you will see the in-built Geo IP Databases included with Citrix ADC. Go ahead and select the relevant one and click Open.


You will now see that your Geo IP Database is there and (almost) ready to use


If you are using a firmware version after 11.1 Build 53.11 you will need to enable wildcard search. Open a PuTTY session to your ADC and enter the following command:

set locationParameter -matchWildcardtoany YES

So now you are ready to test that your Geo IP database is imported correctly and working as expected.

From the PuTTY session, type the following:

show locationparameter

Here you can see the wildcard qualifier is all set up and the Geo IP database is ready to go. Let's just test that it's getting the right data back from the database.

Type in the following, then enter any public IP (I am using the public IP my ISP has assigned me):

shell
nsmap -d -t

Here you can see the ADC knows that I am in Europe (yes, we are still in the EU, for the moment), I am in Great Britain and in England.

Great, that's the Geo IP Database installed and working. Let's move on to locking your ADC down.

Citrix Application Firewall

So now the Geo IP Database is up and running, let's get into locking down access based on location.

The first thing I want to do is lock down access globally to all but the 2 regions that the business operates from. In this case it's:

  • United Kingdom
  • United States of America

Access from ALL other regions will need to be blocked, however, I want to have the ability to easily onboard another location should the need arise.

Before I get into this I want to point out an invaluable resource. It's called the ISO 3166 Country Codes list and it has ALL the country codes that the Geo IP database is built on. You can find it here:

So, looking into this I can see that I want to allow access from the following 2 codes: US for United States and GB for United Kingdom.

Head over to Security -> Citrix Web App Firewall -> Policies -> Firewall and click on Add

Give your new policy a name and select the built-in APPFW_DROP profile. Then in the expression you want to put the following:

CLIENT.IP.SRC.MATCHES_LOCATION("*.GB.*.*.*.*").NOT && CLIENT.IP.SRC.MATCHES_LOCATION("*.US.*.*.*.*").NOT 

What this does is block ALL traffic with the exception of GB and US public IPs. You may think there should be an OR statement here (so did I), but trial and error showed that you need the AND (&&) to make both work: each term is negated, so the rule should only fire when the source is not in GB and also not in US. Joined with OR, every client would match at least one of the two negated terms and everything would be dropped.

Click OK and create your new policy


Then click on the Policy Manager button at the top of the page.


Click Continue through to the Override Global bind point.


Click on Add Binding and select your new policy from the list provided.


Click on Done and that's it. You have just blocked all traffic to your ADC with the exception of GB and US traffic. Go ahead and try getting to your Citrix Gateway; it should still work fine.


So for the purpose of testing this I am going to remove the GB expression and retest to ensure that my traffic is blocked.


There it is. Blocked.

So you now have the ability to easily block or allow FULL ADC access to any region: just update the App Firewall expression and you are good to go.

Let's put it back to GB and US and move on to the specific lockdown of the Citrix Gateway.

Citrix Gateway and Responder Policies

So now we have access ONLY from the US and GB regions, but we have been asked to lock down the Citrix Gateway to ONLY be accessed from the GB region, as the US users use other Virtual Servers on the ADC and not the Gateway.

We can achieve this via Responder policies. But first let's think about the error page.

I know this sounds weird, but when we block via Responder we are going to display a nice page stating they are denied access rather than a "Page Cannot Be Displayed".

Head over to AppExpert -> Responder -> HTML Page Imports and click Add to create a new HTML page.

NOTE: You cannot put links to images in your page here. If you want to put an image in your HTML page you will need to convert the image to a Base64 string first and reference that in the HTML. This can take a bit of time to get right, but stick with it until you do; your users will appreciate the effort you put in!


Here is my error page HTML, and below it what it looks like for real.


You have your HTML error page done, now head over to AppExpert -> Responder -> Actions and click new to create an action. Give the action a name, select Respond With HTML and select your new HTML page from the list.


Click OK, then head over to AppExpert -> Responder -> Policies and click Add to create a new policy. Give your policy a name, select your new action and put the following into the expression:

CLIENT.IP.SRC.MATCHES_LOCATION("*.GB.*.*.*.*").NOT

This states that you want to display your error page to ALL traffic except that from the GB region. Remember the App Firewall policy from earlier: in essence ONLY US and GB traffic can get through, but ONLY GB traffic can access the Gateway.
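To make the two expressions above (the global App Firewall rule and the Gateway responder rule) easy to reason about before you bind them, here is an added Python model that is not ADC code and not from the original post. It assumes the six-field continent.country.region.city.isp.org qualifier layout of the Geo IP database, builds the App Firewall rule from an allow-list of ISO 3166 codes so a new region can be onboarded by adding one code, and shows why the negated terms must be joined with && rather than ||; the sample locations are constructed.

```python
FIELDS = 6  # continent.country.region.city.isp.org, the Geo IP DB qualifier layout

def matches_location(location, pattern, wildcard_to_any=True):
    """Emulate CLIENT.IP.SRC.MATCHES_LOCATION(pattern) for a client whose DB
    location is known. '*' in the pattern matches anything; a '*' stored in
    the location (unknown field) also matches once -matchWildcardtoany is YES."""
    loc, pat = location.split("."), pattern.split(".")
    if len(loc) != FIELDS or len(pat) != FIELDS:
        raise ValueError("location and pattern need exactly six dot-separated fields")
    return all(p == "*" or (wildcard_to_any and l == "*") or p.upper() == l.upper()
               for l, p in zip(loc, pat))

def country_pattern(code):
    """Qualifier matching any IP in one ISO 3166 country, e.g. '*.GB.*.*.*.*'."""
    return f"*.{code.upper()}.*.*.*.*"

def appfw_block_rule(allowed):
    """Build the global App Firewall rule from an allow-list of country codes.
    Every term is negated, so AND is the right join: NOT GB && NOT US is
    NOT (GB OR US). Joining with || would match everyone and drop all traffic."""
    return " && ".join(
        f'CLIENT.IP.SRC.MATCHES_LOCATION("{country_pattern(c)}").NOT' for c in allowed)

def dropped_by_appfw(location, allowed):
    """True when appfw_block_rule(allowed) matches, i.e. APPFW_DROP fires."""
    return all(not matches_location(location, country_pattern(c)) for c in allowed)

def or_join_would_drop(location, allowed):
    """The same terms joined with ||: any client outside at least one allowed
    country matches, which is everyone once two or more countries are listed."""
    return any(not matches_location(location, country_pattern(c)) for c in allowed)

def gateway_denied(location, gateway_country="GB"):
    """Responder rule bound to the Gateway vserver: serve the error page unless GB."""
    return not matches_location(location, country_pattern(gateway_country))

def access_for(location, allowed=("GB", "US"), gateway_country="GB"):
    """Outcome with both policies bound: 'drop', 'error-page' or 'ok'."""
    if dropped_by_appfw(location, allowed):
        return "drop"
    if gateway_denied(location, gateway_country):
        return "error-page"
    return "ok"

if __name__ == "__main__":
    # Constructed sample locations; the GB one mirrors the nsmap result in the post.
    print(appfw_block_rule(["GB", "US"]))
    for loc in ("Europe.GB.England.London.*.*", "NA.US.NY.NewYork.*.*", "Asia.CN.*.*.*.*"):
        print(f"{loc:34} -> {access_for(loc)}")
```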


Click OK, then bind this new policy to your Citrix Gateway as a REQUEST type.


Let's test. First, try the Gateway from my machine here in the UK.


Works fine. Now to test from the US. Thanks here to my buddy Jarian Gibson for quickly jumping on and testing this whilst doing his Thanksgiving prep (or just drinking coffee on the sofa!).


There we go.

So we have locked down global access to our ADC using Citrix App Firewall and specific access to our Gateways using Responder.

We can quickly lock out regions globally by removing them from the App Firewall Policy or grant new regions by adding them. Finally we can edit specific access to the Citrix Gateways by editing the responder policies assigned.

Hope this gives you a quick insight into how you can use Geo IP and ADC to secure your remote access by region.

Thanks,

Dave
