Thursday, 12 January 2023 11:00

Your PKI infrastructure is worthless if ...

A common mistake IT organizations make is having a well-designed Public Key Infrastructure (PKI) while at the same time running client devices, such as monitoring agents for your Citrix NetScalers, that will set up an encrypted connection to any device, no matter what certificate it presents.

In this case you are allowing connections to devices you cannot verify are trustworthy. This leaves you vulnerable to 'spoofing', and your PKI infrastructure has become worthless for your NetScaler devices.


Make sure monitoring agents only set up encrypted connections to NetScaler devices that present valid certificates issued by one of your trusted Certificate Authorities (CAs).

The MetrixInsight for NetScaler SCOM Management Pack provides an option to force your SCOM agents to trust only network traffic from NetScaler devices that present valid certificates issued by your trusted root or intermediate Certificate Authority (CA).
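As an added example (not code from this post or from the MetrixInsight product), the two agent configurations described above expressed with Python's standard `ssl` module, plus a small audit that flags the spoofable one; the CA bundle path and the NetScaler host and port are assumptions.

```python
import socket
import ssl


def make_insecure_context() -> ssl.SSLContext:
    """The 'accept anything' agent configuration the post warns about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # the name on the cert is never compared
    ctx.verify_mode = ssl.CERT_NONE   # any cert, from any issuer, is accepted
    return ctx


def make_verified_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Trust only certificates that chain to the organization's own CA bundle.
    ca_bundle_path is an assumed location of your root/intermediate CA PEM file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # server must present a valid chain
    ctx.check_hostname = True             # and the name must match the device
    # Load ONLY the corporate CAs; deliberately do not call load_default_certs(),
    # so a public CA cannot vouch for an internal NetScaler.
    ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons a context would let the agent talk to a spoofed device."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: untrusted issuers accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any host is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: chain validation cannot succeed")
    return findings


def probe_device(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Open a TLS session to a NetScaler and return the peer certificate's subject.
    With the verified context this raises ssl.SSLCertVerificationError for any
    device whose certificate was not issued by a trusted CA. With CERT_NONE,
    Python does not even parse the peer cert, so the result is an empty dict."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(item[0] for item in cert.get("subject", ()))


if __name__ == "__main__":
    print(audit_context(make_insecure_context()))
    # Assumed values; replace with your CA bundle and NetScaler management address.
    verified = make_verified_context("/etc/pki/corp-ca-bundle.pem")
    print(probe_device("netscaler01.example.internal", 443, verified))
```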