This post has already been read 4600 times!
Continuing down the ethical hacking journey I was recently asked to provide a geographical security baseline to a Citrix ADC setup. The request was something flexible enough to provide security quickly and easily but also something that was simple to manage.
I have know about using the Geo IP Database on Citrix ADC’s for a while but when I was asked about this there were a couple of requests.
- Have the ability to globally lock out certain regions from ANY service that resides on the ADC
- Have a more granular control of specific services that are running on the ADC
- Have the ability to quickly lock out a region from accessing ALL or INDIVIDUAL services immediately
The rest of this post will address how to achieve this on a Citrix ADC as well as walking you through configuring this for use within your own environment.
NOTE: If licensed I would put this in as a default setting even with ALL regions allowed. This means that the framework would already be in place for you to quickly and easily lock out regions should your security team request it from you.
First lets cover off the technologies we will be using to achieve this:
Geo IP Database
I will start with this as this is fundamental to the remaining policies working correctly.
NOTE: Starting from Citrix ADC 11 and up the firmware you deploy comes with a built in Geo IP database. This makes deploying this far easier as you no longer need to convert and import your database.
Navigate to AppExpert -> Location -> Static Databases and click Add
Then navigate to /var/netscaler/inbuilt_db
Here you will see the in build Geo IP Databases included with Citrix ADC and you can go ahead and select the relevant one and click Open
You will now see that your Geo IP Database is there and (almost) ready to use
If you are using a firmware version after 11.1 Build 53.11 you will need to enable wildcard search. Open up a putty session to your ADC and enter the following command
set locationParameter -matchWildcardtoany YES
So now you are ready to test that your Geo IP database is imported correctly and working as expected.
From the putty session type the following
Here you can see the Wildcard qualifier is all set up and the Geo IP database is ready to go. Lets just test that its getting the right data back from the database.
Type in the following then enter any public IP (I am using my public IP my ISP has assigned me)
nsmap -d –t
Here you can see the ADC knows that I an in Europe (yes – we are still in the EU – for the moment), I am in Great Britain and in England.
Great, that’s the Geo IP Database installed and working, lets move onto locking your ADC down.
Citrix Application Firewall
So now the Geo IP Database is up and running lets get into locking down access based on location.
First thing I want to do is lock down access globally to all but the 2 regions that the business operates from. In this case its:
- United Kingdom
- United States of America
Access from ALL other regions will need to be blocked, however, I want to have the ability to easily onboard another location should the need arise.
Before I get into this I want to point out an invaluable resource. Its called the ISO 3166 Country Codes and it has ALL the country codes that the Geo IP database is built on. You can find it here:
So, looking into this I can see that I want to allow access from the following 2 codes. US for United Stated and GB for United Kingdom.
Head over to Security -> Citrix Web App Firewall -> Policies -> Firewall and click on Add
Give your new profile a name and select the built in APPFW_DROP profile. The in the expression you want to put the following
CLIENT.IP.SRC.MATCHES_LOCATION("*.GB.*.*.*.*").NOT && CLIENT.IP.SRC.MATCHES_LOCATION("*.US.*.*.*.*").NOT
What this does is block ALL traffic with the exception of GB and US public IP’s. You may think there should be an OR statement here (so did I) but trial and error showed that you need the and (&&) to make both work.
Click OK and create your new policy
Then click on the policy manager Botton at the top of the page
Click to continue through override global
Click on Add Binding and select your new policy from the list provided
Click on Done and that’s it. You have just blocked all traffic to your ADC with the exception of GB and US traffic. Go ahead and try getting to your Citrix Gateway – It should still work fine.
So for the purpose of testing this I am going to remove the GB expression and retest to ensure that my traffic is blocked
There it is. Blocked.
So you now have the ability to easily block or allow FULL ADC access to any region, just update the app firewall expression and you are good to go.
Let’s put it back to GB and US and move onto the specific lockdown of the Citrix Gateway.
Citrix Gateway and Responder Policies
So now we have access ONLY from the US and GB regions but we have been asked to lock down the Citrix Gateway to ONLY be accessed via the GB region as the US use other Virtual Servers on the ADC and not the gateway.
We can achieve this via Responder policies. But first lets think of the error page.
I know this sounds weird but when we block via Responder we are going to display a nice page stating they are denied access rather than a “Page Cannot Be Displayed”
Head over to AppExpert -> Responder -> HTML Page Imports and click add to create a new HTML Page.
NOTE: You cannot put links to images in your page here, if you want to put an image in your HTML page you will need to convert the image to a Base64 string first and reference that in the HTML. This can take a bit of time to get right but stick with it until you get this right – your users will appreciate the effort you put in!
Here is my error page HTML and below what it looks like for real
You have your HTML error page done, now head over to AppExpert -> Responder -> Actions and click new to create an action. Give the action a name, select Respond With HTML and select your new HTML page from the list
Click ok then head over to AppExpert -> Responder -> Policies and click Add the create a new Policy. Give your policy a name, select your new Action and put the following into the expression
This states that you want to display your error page to ALL traffic except from the GB region. Remember the App Firewall policies earlier. In essence ONLY US and GB traffic can get through but ONLY GB traffic can access the gateway
Click ok then bind this new policy to your Citrix Gateway as a REQUEST type.
Lets test – first try the gateway from my machine here in the UK
Works fine – now to test from the US. Thanks here to my buddy Jarian Gibson for quickly jumping on and testing this whilst doing his Thanks Giving prep (or just drinking coffee on the sofa!)
There we go.
So we have locked down global access to our ADC using Citrix App Firewall and specific access to our Gateways using Responder.
We can quickly lock out regions globally by removing them from the App Firewall Policy or grant new regions by adding them. Finally we can edit specific access to the Citrix Gateways by editing the responder policies assigned.
Hope this gives you a quick insight into how you can use Geo IP and ADC to secure your remote access by region.