Solved

Citrix Netscaler weak ciphers

Posted on 2011-03-24
Last Modified: 2016-10-25
My PCI compliance test failed with weak and medium ciphers.
I suspect the problem is with the NetScaler VPX we are using

NS9.2: Build 48.6.cl,

Can someone walk me through how to check that I am using SSL v3 only, and where I can disable weak ciphers and use only strong ones from the NetScaler web interface?

I need a step-by-step, as I am not familiar with configuring the NetScaler.

Thanks
Question by:mrbrain646
6 Comments
 

Expert Comment

by:Hapexamendios
ID: 35214101
@mrbrain646

Sounds like your ASV has politely "shafted" you here IMHO. When identifying vulnerabilities, they should also supply a solution or mitigation - you or anyone could do the scan yourself if you only had to find holes!

Did they give you a report? (Not asking you to share it, it's confidential). Within it there should be information on the weak cipher support, and what port it was found on, leading you to the affected service, and the suggested solution should be there.

If not, I think you'll have to contact the vendor (so try to confirm it is Citrix first if you're unsure). They should either be able to advise of a fix, or provide one - and remember if it's causing you to fail PCI-DSS compliance, you won't be alone, so a fix should be forthcoming.
If this were Windows/IIS or similar, the change can be made in the registry, but not likely to work in this case.

For reference, we had this issue with one product - HP System Management Homepage, part of the core SmartStart stuff lobbed on an HP server during build. The only solution was to get rid of it because the vendor couldn't provide instructions on how to drop weak cipher support. Much easier to do with superfluous management tools than what you're talking about though!

Best of luck - if I can help further just ask.

Expert Comment

by:Danny_Phillips
ID: 35939702
Hi,

Would it be possible to paste the result of "sh lic" from the CLI? You can find access to this from "System - diagnostics - command line interface" if you are using the GUI.

This will let us know if the virtual device has been licensed correctly. Due to export laws, the NetScaler doesn't enable all of the encryption ciphers until it has been licensed.

Regards

Danny

Accepted Solution

by:mrbrain646
ID: 36417493
Security Metrics has excluded the weak ciphers from the scan as a false positive.


Expert Comment

by:Tolomir
ID: 36902232
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.