NetScaler Physical and Network Security
NetScaler Physical Security:
LOM Port:
Some NetScaler appliances have an Intelligent Platform Management Interface (IPMI), also known as the lights out management (LOM) port, on the front panel of the appliance. You can use the LOM port to remotely monitor and manage the appliance, independently of the NetScaler software.
Connect the LOM port to a dedicated channel that is separate from the data channel, so that you keep connectivity to the appliance even if the data network is down. This eliminates the data cable and data network as a single point of failure.
You can access the LOM port through a browser and use the graphical user interface (GUI) for most tasks. All tasks can also be performed through the NetScaler shell.
NetScaler Network Security:
Do not expose the NetScaler NSIP directly to the network; place it behind a stateful packet inspection firewall.
The NetScaler default SSL certificate must be replaced. During the initial configuration of the NetScaler appliance, default TLS certificates are created. These certificates are not intended for use in production deployments and must be replaced.
Cloud Software Group recommends that customers configure the NetScaler appliance to use certificates either from a reputable certificate authority or appropriate certificates from your enterprise CA.
Always use HTTPS (HTTP over TLS) when accessing the GUI, and make sure that plain HTTP is disabled on the management interface.
SSH port forwarding should also be disabled. It is not required by the NetScaler appliance, so if you do not use this functionality, CSG recommends disabling it with the following steps. From the CLI, open /etc/sshd_config and add the following line:
AllowTcpForwarding no
Save the file, copy it to the /nsconfig directory (so that the change survives a reboot) and reboot. Alternatively, restart the SSH process with the following command:
kill -HUP $(cat /var/run/sshd.pid)
Network traffic to the NetScaler management interface should be separated from normal network traffic, either physically or logically. The recommended best practice is to use three VLANs: an outside internet VLAN, a management VLAN, and an inside server VLAN. It is also recommended to make the LOM port part of the management VLAN.
NetScaler Access Control Lists:
Access Control Lists (ACLs) are essential for filtering IP traffic and protecting your network from unauthorized access. An ACL consists of a set of criteria that the NetScaler evaluates to decide whether to grant access. For instance, the Finance department may wish to restrict access to its resources from other departments like HR and Documentation, which also seek to limit access to their own data.
When the NetScaler receives a data packet, it checks the packet’s information against the conditions defined in the ACL to either permit or deny access. The organization’s administrator can configure ACLs to operate in the following modes:
- ALLOW: Process the packet.
- BRIDGE: Forward the packet to its destination without processing it, using Layer 2 and Layer 3 forwarding.
- DENY: Discard the packet.
ACL rules serve as the first line of defense on the NetScaler.
NetScaler supports two types of ACLs:
- Simple ACLs: These filter packets based on their source IP address and, optionally, their protocol, destination port, or traffic domain. Any packet matching the specified criteria in the ACL is dropped.
- Extended ACLs: These provide more granular filtering based on multiple parameters, including source IP address, source port, action, and protocol. An extended ACL outlines the conditions a packet must meet for the NetScaler to process, bridge, or drop it.
Terminology
In the NetScaler user interfaces, “simple ACL” and “extended ACL” refer specifically to ACLs that handle IPv4 packets. An ACL that processes IPv6 packets is designated as a simple ACL6 or extended ACL6. This documentation may collectively refer to both types as simple ACLs or extended ACLs when discussing them together.
ACL Precedence
When both simple and extended ACLs are configured, incoming packets are first compared against the simple ACLs.
The NetScaler identifies whether the incoming packet is IPv4 or IPv6, then checks the packet’s characteristics against either simple ACLs or simple ACL6s. If a match is found, the packet is dropped. If no match is found, the packet is then compared to extended ACLs or extended ACL6s. If a match occurs, the packet is processed according to the ACL’s specifications, which may involve bridging, dropping, or allowing the packet. If no match is found, the packet is permitted.
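The precedence order above can be made concrete with a small model. The following Python is an added example written for this page, not NetScaler code: it dispatches by IP family, drops on any simple ACL (or ACL6) hit before extended ACLs are consulted, walks extended ACLs by priority (lowest number first, as on the appliance) and permits whatever nothing matched. The rule set and packets are constructed sample data.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                    # "TCP", "UDP" or "ICMP"
    dport: Optional[int] = None

class SimpleAcl(NamedTuple):      # source IP plus optional protocol/port; any match drops
    src: str                      # single host (IPv4 => simple ACL, IPv6 => simple ACL6)
    proto: Optional[str] = None
    dport: Optional[int] = None

class ExtendedAcl(NamedTuple):    # evaluated in priority order (lower number first)
    priority: int
    action: str                   # "ALLOW", "BRIDGE" or "DENY"
    src: Optional[str] = None     # host or CIDR network; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

def _in_net(addr: str, net: Optional[str]) -> bool:
    # ip_network() takes a bare host as /32 or /128; an IPv4/IPv6 family mismatch is a non-match
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def _matches(pkt: Packet, src, dst, proto, dport) -> bool:
    return (_in_net(pkt.src, src) and _in_net(pkt.dst, dst)
            and (proto is None or proto == pkt.proto)
            and (dport is None or dport == pkt.dport))

def evaluate(pkt: Packet, simple_acls, extended_acls) -> str:
    """Return DENY, BRIDGE or ALLOW following the precedence described in the text."""
    # Step 1: simple ACLs (ACL6s for IPv6). A hit drops the packet even if an extended ACL would allow it.
    for rule in simple_acls:
        if _matches(pkt, rule.src, None, rule.proto, rule.dport):
            return "DENY"
    # Step 2: extended ACLs, lowest priority value first; the first match decides the action.
    for rule in sorted(extended_acls, key=lambda r: r.priority):
        if _matches(pkt, rule.src, rule.dst, rule.proto, rule.dport):
            return rule.action
    # Step 3: nothing matched, so the packet is permitted.
    return "ALLOW"

SIMPLE = [SimpleAcl("10.10.5.5"), SimpleAcl("198.51.100.9", proto="TCP", dport=22)]  # constructed
EXTENDED = [                                                                          # constructed
    ExtendedAcl(10, "ALLOW", src="10.10.0.0/16", dst="10.20.0.80", proto="TCP", dport=443),
    ExtendedAcl(20, "DENY", src="10.10.0.0/16", dst="10.20.0.0/24"),   # rest of Finance subnet closed
    ExtendedAcl(30, "BRIDGE", dst="10.99.0.0/24"),
]
```

Note that 10.10.5.5 is denied even on TCP/443 to 10.20.0.80: the simple ACL is consulted first, so the extended ALLOW is never reached.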