Citrix Netscaler and SSL3 “poodle” exploit

Earlier today, Google published an article regarding how attackers can exploit a vulnerability in the SSL 3.0 protocol, which you can read more about here –> http://googleonlinesecurity.blogspot.no/2014/10/this-poodle-bites-exploiting-ssl-30.html

You can also read more about the specific attack in detail here –> https://www.openssl.org/~bodo/ssl-poodle.pdf

Microsoft recommends that you disable SSL 3.0 using Group Policy on Windows computers, since it is enabled by default; you can read more about it here –> https://technet.microsoft.com/en-us/library/security/3009008.aspx

UPDATE: Citrix has added an article on this exploit as well –> http://support.citrix.com/article/CTX200238

Also note that in the screenshot Deny SSL Renegotiation is set to NO; this should be set to YES to protect against the BEAST attack.

With Citrix Netscaler we can be more flexible. For Netscaler Gateway we can define which SSL profiles or protocols are enabled for the session. We can create a new front-end SSL profile which we can attach to the Netscaler Gateway. Front-end profiles are used when a client is connecting to a vServer.


Here I define that TLSv1 is enabled, and that the client cannot use SSLv3. (This is a screenshot from a VPX, and therefore TLSv1.1 and 1.2 cannot be enabled for this profile; by default Citrix Receiver only supports TLS1, not the newer versions.)

After I have created the profile I can bind it to a Gateway vServer.


Now if I have other load balanced vServers I can also disable SSLv3 for these vServers, but it is important to check whether the clients that are connecting actually support TLS.

NOTE: I have not verified that this works for most browsers, but I verified that my client can connect to the Gateway vServer using TLS and not SSL3.
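To check a vServer the way the post describes (TLS accepted, SSLv3 refused) without relying on a particular browser, here is an added example that is not from the post: it builds a bare SSL 3.0 ClientHello, sends it, and classifies the server's first record. The host name and cipher suite list are assumptions for illustration.

```python
import os
import socket
import struct

# Added example, not from the post: a minimal SSL 3.0 ClientHello and a
# classifier for the server's first record, to verify that a vServer with
# the new front-end profile refuses SSLv3 (and so is not exposed to POODLE).
SSLV3 = b"\x03\x00"
# A few RSA suites any SSLv3-capable server would know (constructed list).
CIPHER_SUITES = (0x002F, 0x000A, 0x0005)  # AES128-SHA, DES-CBC3-SHA, RC4-SHA

def build_sslv3_client_hello(random_bytes=None):
    """Return one TLS record carrying an SSLv3 ClientHello (no extensions)."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + random_bytes + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites   # cipher suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server returned for the SSLv3 hello."""
    if len(data) < 6:
        return "closed"                 # connection dropped or nothing useful sent
    ctype, version, hs_type = data[0], data[1:3], data[5]
    if ctype == 0x16 and hs_type == 0x02:   # handshake record, ServerHello
        return "sslv3_accepted" if version == SSLV3 else "unexpected"
    if ctype == 0x15:
        return "rejected_alert"         # e.g. handshake_failure or protocol_version
    return "unexpected"

def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 hello and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_response(s.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "closed"
```

After binding the front-end profile, `probe("gateway.example")` should report rejected_alert or closed; sslv3_accepted means the profile is not in effect on that vServer.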

Netscaler Gateway and content switching

Today is the day! Citrix announced earlier today a new enhancement release for Netscaler Gateway which allows us to use Netscaler Gateway together with Content Switching.

This means that we can have a Gateway vServer together with a content switching policy. So when we create a Netscaler Gateway together with content switching we need to define content switching policies. For instance, if we have the Gateway vServer 10.0.0.1 and two content switching policies, the URLs /zm/ and /xm/ will point to a load balanced vServer. Other URLs which are not caught by a content switching policy will be redirected to the Gateway vServer.

So the content switching rules are checked first, before it goes on to the session policies for the Gateway vServer.

Now another thing that is cool with this release is that it supports SSO to RD solutions.

So this is the new screen when we create a new vServer.


We have the RDP info set up directly here, and we can also define CS policy bindings. So I can add a new content switching policy and add it to the vServer.


And as I mentioned these rules will be evaluated before session policies.

But note that this is an enhancement build, and should/can be used for testing; you can read more about the e-versions here –> http://blogs.citrix.com/2013/03/29/citrix-access-gateway-demystifying-the-e-releases/

You can download the new build from Citrix downloads here –> https://www.citrix.com/downloads/netscaler-adc/virtual-appliances/netscaler-vpx-release-105e.html

Software defined Storage? Dell’s got you covered

Earlier I've discussed a bit on software-defined storage and how this is a growing market with new vendors appearing all the time. Some of the concept behind SDS is the ability to move features that have previously only been available in hardware solutions into the software stack. http://msandbu.wordpress.com/2014/05/20/software-defined-storage-and-delivering-performance/

Now as I mentioned there are a lot of different vendors here, some focus on delivering high performance, some on delivering adequate I/O on commodity hardware, some on flexibility, and many in between.

So what do we choose? Since there are so many different vendors it might be hard to choose one over the other. The big question is, what do I need? Do I need to run big OLTP databases running at an average of 200,000 IOPS? Do I need a Hyper-V cluster set up on commodity hardware to keep the cost of my storage low? Do I have existing VMware infrastructure where I want to improve my IOPS? Am I looking to buy new hardware for a next generation VDI platform? Do I have a bunch of different backend NAS / DAS and SAN that I want to pool into one large unit of storage?

So the question is what do I have, what do I want and where do I need to go.

And as the title mentions, when you are looking for a new solution/platform for software-defined storage, Dell's got you covered.

Dell is one of the few hardware vendors certified for most of the different SDS solutions, such as:

VSAN: http://www.vmware.com/resources/compatibility/search.php?deviceCategory=vsan

Storage Spaces: http://www.windowsservercatalog.com/results.aspx?&chtext=&cstext=&csttext=&chbtext=&bCatID=1642&cpID=16445&avc=79&ava=0&avq=0&OR=1&PGS=25&ready=0

EVO:RAIL: http://www.vmware.com/products/evorail

Dell also has a strategic partnership with Nutanix (Dell hardware shipping with Nutanix software), called the XC-series

http://www.dell.com/learn/us/en/uscorp1/press-releases/2014-06-24-dell-software-defined-storage-portfolio

Dell also has partnerships with both Nexenta and Atlantis

http://www.dell.com/learn/us/en/04/campaigns/dell-nexenta-storage

http://en.community.dell.com/techcenter/extras/m/mediagallery/20439148/download

Dell has also included a partnership with SanDisk in 13th generation servers which allows for simple SSD tiering on servers –> http://www.sandisk.com/about-sandisk/press-room/press-releases/2014/sandisk-das-cache-software-now-available-for-next-generation-dell-poweredge-servers/

So Dell has many different SDS options in their solutions, and also their SC-series, EqualLogic and Compellent for running traditional workloads.

Veeam Endpoint backup free

Today at the VeeamON conference, Veeam announced a new tool called Veeam Endpoint Backup Free. This tool, which will ship H1 next year (http://www.veeam.com/blog/announcing-veeam-endpoint-backup-free.html), allows us to take backups of physical servers, computers, laptops and such.

It can integrate with existing Veeam repositories or back up to a NAS share. The best part is of course that it is going to be free!

Stay tuned as the preview comes later in November, but this allows us to finally do backups of physical servers in a Veeam environment without the need to buy more licenses.

Netscaler masterclass presentation October 2014

Today I presented at the Netscaler masterclass on the subject System Center and Netscaler, and here is my presentation –> https://www.slideshare.net/secret/uSy62iG3eeoaFY

My talk was about using the different integrations between System Center and Netscaler, primarily:

* Virtual Machine Manager and Netscaler (using the load balancer extension to deploy load balancing rules for service templates)
* Operations Manager and Netscaler (how to set up monitoring for Netscaler and use it together with Distributed Applications)
* Orchestrator and Netscaler (how to set up automation tasks against Netscaler using the NITRO SDK)

And as promised in the presentation, here are the scripts that I use for the different tasks.

Add-Server activity (Note that this requires that the SDK is added to the C:\SDK folder and that the different DLL files are added to the global assembly cache.)

Set-Location "c:\sdk"
# Load System.EnterpriseServices to get the GAC publisher class
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
# Install the NITRO dependency into the global assembly cache
$publish.GacInstall("C:\sdk\lib\Newtonsoft.Json.dll")

(Add the DLL files to the global assembly cache for Orchestrator to use as a reference.)

Add-Server

# Load the NITRO SDK and its JSON dependency from the SDK folder
$path1 = (Resolve-Path "C:\sdk\lib\Newtonsoft.Json.dll").Path
[System.Reflection.Assembly]::LoadFile($path1)
$path = (Resolve-Path "C:\sdk\lib\nitro.dll").Path
[System.Reflection.Assembly]::LoadFile($path)

# Netscaler credentials and NSIP, to be filled in (or passed in from the runbook)
$user = ""
$pass = ""
$nsip = ""

(Note that the code above needs to be added to each activity.)

# Open a NITRO session against the NSIP over http
$nitrosession = New-Object com.citrix.netscaler.nitro.service.nitro_service($nsip, "http")
$session = $nitrosession.login($user, $pass)

# Create the server object (name and IP to be filled in)
$server1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.server
$server1.name = ""
$server1.ipaddress = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.basic.server]::add($nitrosession, $server1)

Add-Service

# Create a service bound to the server created above (values to be filled in)
$service1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.service
$service1.name = ""
$service1.servicetype = ""
$service1.monitor_name_svc = ""
$service1.port = ""
$service1.servername = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.basic.service]::add($nitrosession, $service1)

Create Load balanced Service

$nitrosession = New-Object com.citrix.netscaler.nitro.service.nitro_service($nsip, "http")
$session = $nitrosession.login($user, $pass)

# Create the load balancing vServer (values to be filled in)
$lbvserver1 = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver
$lbvserver1.name = ""
$lbvserver1.servicetype = ""
$lbvserver1.port = ""
$lbvserver1.ipv46 = ""
$lbvserver1.lbmethod = ""
$lbvserver1.servicename = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.lb.lbvserver]::add($nitrosession, $lbvserver1)

# Bind the service to the vServer; name is the vServer name, servicename the service
$lb_to_service = New-Object com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding
$lb_to_service.name = ""
$lb_to_service.servicename = ""
$ret_value = [com.citrix.netscaler.nitro.resource.config.lb.lbvserver_service_binding]::add($nitrosession, $lb_to_service)

MVP another year for Enterprise Client Management

I received an email today saying that I am MVP for another year. I am honored, since this represents many of the elite IT pros all around the world.

Also on the same day, Microsoft released vNext previews of Windows Server and System Center, and also Windows 10. A lot of documentation has been released, but remember it's a preview (alpha or beta stage).

It can be downloaded from MSDN for those who have access; I will add another blog post when I have more information about the different releases.

Using Netscaler Application firewall to protect against ShellShock

With the recent announcement of the ShellShock vulnerability many vendors have done a great job of coming out with patches / fixes to close the vulnerability. Citrix has released a knowledge article which shows which Citrix products are affected here –> http://support.citrix.com/article/CTX200217

But! Citrix has also released an update to the AppFirewall signatures to cover services which are exposed via Netscaler. For instance, if we have a service which is load balanced via Netscaler, and the services running in the back are affected or vulnerable, we can use AppFirewall to protect them from the attack.

First we need to update the signature files (Citrix released an update yesterday) (Update version).

Then we can see that the new signature files include fixes for shellshock.


The actions are by default set to block. So when creating an AppFirewall policy we can bind it to a particular vServer or URL.


It is important to set the signature action to block.


But note that these rules only apply to services that are exposed via the Netscaler, and not to the Netscaler itself. Refer to the Citrix article linked above.
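To show what the blocking signature is looking for on the traffic that reaches a load balanced service, here is an added example (not Citrix code and not the signature itself): a small request inspector that applies the same decision, block or allow, to a raw HTTP request. The sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Shellshock probes carry a bash function definition, "() {", in a request value
# that a CGI backend would copy into an environment variable (typically the
# User-Agent, Referer or Cookie header, or the query string). This mirrors the
# block action of the AppFirewall signature described in the post.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_request(raw_request):
    """Split a raw HTTP request into (request line, {header name: value})."""
    lines = raw_request.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def inspect_request(raw_request):
    """Return ("BLOCK", [where it matched]) or ("ALLOW", [])."""
    request_line, headers = parse_request(raw_request)
    hits = [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]
    # The query string reaches the CGI environment as QUERY_STRING, so decode
    # percent-encoding before matching it as well.
    parts = request_line.split(" ")
    target = unquote(parts[1]) if len(parts) > 1 else ""
    if SHELLSHOCK_RE.search(target):
        hits.append("request-target")
    return ("BLOCK" if hits else "ALLOW"), hits

# Constructed sample requests, not traffic from the post.
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\nHost: lb.example\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
HEADER_PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: lb.example\r\n"
                "User-Agent: () { :; }; echo shellshock-test\r\n\r\n")
QUERY_PROBE = ("GET /cgi-bin/status?q=()%20%7B%20:;%7D; HTTP/1.1\r\n"
               "Host: lb.example\r\n\r\n")
```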

System Center Configuration Manager 2012 R2 CU3

Today Microsoft released CU3 for ConfigMgr 2012 R2; there are some minor bugfixes, but there is also one important new change here!

That is the ability to define the allowed management points for a client to communicate with:

“This cumulative update introduces a new registry key on clients that will restrict which management point (MP) a client can communicate with. This can be useful in environments with multiple MP’s in different forests, and the clients are only able to communicate with a subset of them. Setting the registry value to only those MP’s reachable by the client can improve overall efficiency. The new registry value is AllowedMPs, a REG_MULTI_SZ (multi-string) type under HKEY_LOCAL_MACHINE\Software\Microsoft\CCM

Each entry is the Fully Qualified Domain Name of the management point(s) with which the client is allowed to communicate. This value does not affect the selection of any other site systems such as distribution points, software update points, etc.; it only affects the primary site MP selection. Note: Once defined, there is no “fallback” or other method for clients to communicate with other MP’s. It is not intended for mobile clients.”

From the KB: http://support.microsoft.com/kb/2994331
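Since AllowedMPs is a REG_MULTI_SZ, the value has to be written as a NUL-separated, double-NUL-terminated UTF-16LE string, which is what a .reg file encodes as hex(7). The following added example (not from the KB or from Microsoft) builds such a .reg fragment for a list of MP FQDNs and reads it back, so the value can be checked before it is pushed out; the FQDNs are placeholders.

```python
# Added example, not from the KB: write and read the AllowedMPs value from the
# CU3 KB as .reg content. REG_MULTI_SZ appears in a .reg file as hex(7): the
# UTF-16LE bytes of each entry followed by NUL, with one extra NUL at the end.
CCM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\CCM"

def encode_multi_sz(entries):
    """Return the REG_MULTI_SZ bytes for a list of non-empty strings."""
    if any(not e or "\0" in e for e in entries):
        raise ValueError("entries must be non-empty and contain no NUL")
    return ("".join(e + "\0" for e in entries) + "\0").encode("utf-16-le")

def decode_multi_sz(raw):
    """Inverse of encode_multi_sz; tolerates a missing final NUL."""
    return [e for e in raw.decode("utf-16-le").split("\0") if e]

def allowed_mps_reg(fqdns):
    """Build .reg file content that sets AllowedMPs to the given MP FQDNs."""
    hexbytes = ",".join(f"{b:02x}" for b in encode_multi_sz(fqdns))
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{CCM_KEY}]\r\n"
            f'"AllowedMPs"=hex(7):{hexbytes}\r\n')

def parse_allowed_mps_reg(reg_text):
    """Read the AllowedMPs entries back out of .reg content; None if absent."""
    for line in reg_text.splitlines():
        if line.startswith('"AllowedMPs"=hex(7):'):
            hexpart = line.split(":", 1)[1]
            return decode_multi_sz(bytes(int(h, 16) for h in hexpart.split(",")))
    return None

# Placeholder MP names, not from the KB or any real site.
EXAMPLE_MPS = ["mp01.corp.example", "mp02.corp.example"]
```

Remember the KB's own caveat when using this: once the value is set there is no fallback to MPs outside the list.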

New book project, Azure IaaS free ebook

This is something that I have been thinking about for some time, since I have written two books for a publisher in the last year. And I saw when writing the books that much of the stuff I wrote about became outdated pretty fast after the books were released.

So therefore I came up with an idea: what if I wrote it as an ebook and was responsible for the distribution myself? This would make it a lot easier to keep it up to date, since I wouldn't need a publisher to keep “control” over the source, and since it is only in ebook form I can easily update the content to keep it “up-to-date”.

So therefore I present my current ebook project,

Azure – IaaS Getting started

This book will cover the basics of most of Azure, but will deep dive into the IaaS features. I am about 20% into the writing process, so it is not ready for release yet, since I'm only one guy.

If you are above average skilled in Azure and want to contribute to the writing process, please get in contact with me at msandbu@gmail.com. My whole goal with this book is to make it easier to get the “whole” picture of Azure and to have up to date content.

So stay tuned for the release!

Pricing difference between vCloud Air and Microsoft Azure

Lately I've seen a lot of blog posts talking about how much cheaper one of them is compared to the other. Most of the time I don't read them much, but this time I've decided to write a post to do a comparison.

Note that I am not being prejudiced even if I have an MVP logo; I'm trying to get a clear picture of what the pricing actually is. If anyone has any feedback on this post I would really appreciate getting it in the comment field below.

For the comparison I'm going to show the difference between the Virtual Private Cloud offering from VMware and Virtual Machines from Microsoft Azure.

First off, the Virtual Private Cloud offering from VMware is more of a cloud container: you gain access to a set of resources and you define yourself what you want to do with those resources, while Microsoft Azure is based upon virtual machines where you have a predefined size based upon the template.

So let us define for this example that we have 5 virtual machines with 2 GHz each and 4 GB RAM. (Note there are no sizes in Azure that are the equal size, so I'm going with Medium based instances which have about 3,5 GB RAM and 2x 1,6 GHz.) I'm only comparing with the information that I can find on the vendors' websites.

SLA:

First off, Virtual Private Cloud from VMware has a 99.9% SLA for virtual machines.
Microsoft Azure has a 99,9% SLA for single virtual machines and 99,95% for multiple role instances. (NOTE: if you deploy a single VM instance within an availability set, you will receive no advanced warning or notification of platform maintenance.)

Other features:

The base configuration of Virtual Private Cloud from VMware contains:

10 GHz vCPU
20 GB vRAM
2 TB of Standard Storage
10 Mbps of Bandwidth (this is the official bandwidth for connections out of the data center)
2 Public IP Addresses + support

This is for the price of €727 a month. So for this I can configure 5 virtual machines with 2 GHz and 4 GB of RAM each and with ~400 GB of disk each.

From Azure I can configure 5x Medium virtual machine instances (Linux based, since I don't want a licensing discussion here).

This will cost about €332.44 a month, and 2 TB of storage for page blobs is about €74.47 a month (locally redundant), plus support which is €223.41 a month. (Note that since the support offerings are so different between the vendors, I will choose to exclude support from the price comparison.) Public IP addresses are given from a cloud service and can be one or more addresses. I also need to add storage transactions, since all I/O to Blob storage is considered a transaction; 200 million storage transactions each month equals €7,45 a month.

I also need to define bandwidth usage; for Azure I can define the bandwidth usage to for instance 100 GB, which costs about €8.49 a month (note that this bandwidth cost is for US + Europe egress; VMware does not charge for data transfer). This sums up to €422,5 a month.

Performance: Principled Technologies did a test on virtual machine instances on both Azure and VMware and concluded that the CPU performance is about 2x in vCloud compared to Azure (note that this is per vCPU).

http://www.slideshare.net/PrincipledTechnologies/v-chs-cpuperformance0714

Which means that if we have 10 GHz in vCloud, we would need at least 20 GHz in Azure to have similar performance CPU-wise.

vCloud Air                         Azure
10 GHz vCPU                        5x Medium Instances =
20 GB vRAM                         2 x 1.6 GHz CPU * 5 = 16 GHz
2 TB of Standard Storage           3,5 GB RAM * 5 = 17,5 GB
10 Mbps of Bandwidth               2 TB Page blobs
2 Public IP Addresses              200 Million storage transactions
                                   100 GB Bandwidth usage
                                   Cloud services public addresses
€644 each month                    €422,85 each month

Note that this price for Azure is if we use the virtual machines 24/7, use all 2 TB of storage and use all the 100 GB of bandwidth. If we do not use this much, the cost each month will be lower. (NOTE: all Medium instances have 200 Mbps bandwidth.)

Now, both of them have prepaid 12 month options; since this is a cheaper option I'm going to add them to the table.

Prepaid 12 Month VMware                    Prepaid 12 Month Azure
€8,203 (where €8724 is the normal cost)    €3805 (€5074 is the normal cost)

It's clear to see that Azure is cheaper over the long run, since it has a really good discount when buying certain amounts prepaid. http://azure.microsoft.com/en-us/offers/commitment-plans/

But it does not perform as well as VMware. If we were to compare performance/cost we would have another calculation, since as I mentioned we would need at least twice the amount of CPU power to have the same performance, and in this case I would need to add another virtual machine instance.

vCloud Air                         Azure
10 GHz vCPU                        6x Medium Instances =
20 GB vRAM                         ~20 GHz
2 TB of Standard Storage           21 GB RAM
€644 each month                    €489.33 each month

This takes the CPU/memory calculation into the mix, but it does not say anything about storage performance. Note that Azure data disks for Medium instances have max 500 IOPS (while a storage account can have up to 20.000 IOPS) and the maximum size of a blob disk is 1 TB. A Medium instance can have up to 4 data disks and therefore a max of 2000 IOPS.

Now as I see it, we can't compare these two solutions equally, so it is not an apples to apples comparison. vCloud has the flexibility that you “purchase” a bunch of resources and you can form and mold them as you want. It has better performance since it is mostly an IaaS platform, while on the other hand you have Azure which has different forms and shapes that you can purchase depending on what the customer needs.

Also important to note is that vCloud Air (as I have read) is priced upon the resources you buy, not what you use, so if you have bought 10 GHz and only use 50% you still need to pay the same amount, while Azure is based upon what you use.

Also the options around the ecosystem are completely different. So I appreciate any feedback here, if I have done a wrong calculation or if any statements are wrong.
