Securing A+ with NetScaler VPX 11.0 64.34.nc

All traffic passes through the NetScaler appliance, which is secured using HTTPS on 443! Yeah, that's correct! Oh wait, what's the security team's audit report stating? My NetScaler is not secure; it has several gaps.

Hmm, yeah, that's correct. In my experience I have come across several deployments where consultants completely miss securing the NetScaler Gateway hosting various services such as Exchange/CAS, ADFS SSON, reverse proxy for several web apps, content switching (the list goes on), leaving them vulnerable to various attacks! Enough said.

With this blog, I share my experience on how to efficiently secure NetScaler to score A+ on the SSL Labs security report.

A couple of reasons for writing this blog:

  • NetScaler VPX has some limitations around ciphers, and hence scoring A+ is a bit tricky
  • Different builds/versions of NetScaler require different ways to obtain higher grades

Note:

As per the Citrix documentation (http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/customize-ssl-config/config-ecdhe-ciphers.html), the following table lists the ciphers supported on VPX instances and MPX appliances.

However, note that on the NetScaler 11.0 64.34.nc VPX build the AES-GCM and SHA-2 (SHA256/SHA384) cipher suites are NOT supported, and hence they need to be removed as part of the A+ steps, as mentioned at a later step in this blog:

Cipher Suite                         VPX   MPX
TLS1-ECDHE-RSA-RC4-SHA               YES   YES
TLS1-ECDHE-RSA-DES-CBC3-SHA          YES   YES
TLS1-ECDHE-RSA-AES128-SHA            YES   YES
TLS1-ECDHE-RSA-AES256-SHA            YES   YES
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256   NO    YES
TLS1.2-ECDHE-RSA-AES256-GCM-SHA384   NO    YES
TLS1.2-ECDHE-RSA-AES-128-SHA256      NO    YES
TLS1.2-ECDHE-RSA-AES-256-SHA384      NO    YES

Steps taken on the NetScaler VPX 11.0 64.34.nc:

  • Perfect Forward Secrecy (PFS) has been configured

Perfect Forward Secrecy protects past sessions from being decrypted if the server's private key is compromised later, because each session is keyed with an ephemeral (DHE/ECDHE) key rather than the server's long-term key. For more details, see https://en.wikipedia.org/wiki/Forward_secrecy

Configure Diffie-Hellman key (Perfect Forward Secrecy):

Navigate to Traffic Management > Load Balancing > SSL.

Go To Tools > Create Diffie-Hellman (DH) key.


DH Path: /nsconfig/ssl/dhkey2048.key

  • Size: 2048
  • DH Generator: 2


Configure DH:

Navigate to NetScaler Gateway Virtual Servers.

Edit your vServer and go to SSL Parameters. Check Enable DH Param.

Browse to the previously created DH Key.


Alternatively, you can enable the Diffie-Hellman (DH) key on the virtual server from the NetScaler CLI:

set ssl vserver <VSERVERNAME> -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048.key"

  • HTTP Strict Transport Security (HSTS) has been deployed with a long max-age

HSTS tells browsers that the website must only be accessed over HTTPS, never over plain HTTP. For more info: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  • Create a Rewrite Action that inserts the Strict-Transport-Security response header.
  • Create a Rewrite Policy that applies this action.
  • Bind the Rewrite Policy to the NetScaler Gateway virtual server as a response policy.

  • Cipher suites not supported on this VPX 11.0 64.34.nc build (the AES-GCM and SHA-2 suites) have been removed from the virtual server's cipher list


  • The Rivest Cipher 4 (RC4) stream cipher has been removed from the cipher suites, as it is no longer recommended and has had multiple vulnerabilities found recently.

In 2015, there was speculation that some state cryptologic agencies may possess the capability to break RC4 when used in the TLS protocol. The IETF has published RFC 7465, which prohibits the use of RC4 in TLS; Mozilla and Microsoft have issued similar recommendations.

  • Cipher suites with a lower effective strength, such as 112 bits, have been removed from the virtual server configuration.
  • The order of the cipher suites has been rearranged so that the strongest suites are preferred during negotiation


  • Lastly, ensure TLS 1.0, TLS 1.1 and all SSL versions are disabled on your Gateway virtual server, leaving only TLS 1.2 enabled

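The same hardening steps as NetScaler 11.0 CLI commands, added here as an example rather than taken from the screenshots; the object names gw_vsrv, rw_act_hsts, rw_pol_hsts and cg_vpx_aplus are placeholders, the cipher order is one sensible choice rather than the exact order in the screenshot, and lines starting with # are annotations, not commands.

```nscli
# 1. Perfect Forward Secrecy: create a 2048-bit DH parameter file (generator 2) and enable it on the vserver
create ssl dhparam /nsconfig/ssl/dhkey2048.key 2048 -gen 2
set ssl vserver gw_vsrv -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048.key"

# 2. HSTS: rewrite action inserts the header (one year max-age), policy matches every response, bound as RESPONSE
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy rw_pol_hsts true rw_act_hsts
bind vpn vserver gw_vsrv -policy rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

# 3. Cipher group: only suites this VPX build supports, no RC4, no 3DES (112-bit), no unsupported GCM/SHA-2, strongest first
add ssl cipher cg_vpx_aplus
bind ssl cipher cg_vpx_aplus -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher cg_vpx_aplus -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher cg_vpx_aplus -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 3
bind ssl cipher cg_vpx_aplus -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 4
# replace the DEFAULT group (which still contains RC4 and 3DES) with the hardened group
unbind ssl vserver gw_vsrv -cipherName DEFAULT
bind ssl vserver gw_vsrv -cipherName cg_vpx_aplus

# 4. Protocols: disable SSLv2/SSLv3 and TLS 1.0/1.1, keep only TLS 1.2
set ssl vserver gw_vsrv -ssl2 DISABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED

# 5. Check the result and persist it across reboots
show ssl vserver gw_vsrv
show ssl cipher cg_vpx_aplus
show rewrite policy rw_pol_hsts
save ns config
```

The `show ssl vserver` output should list DH as ENABLED with the dhkey2048.key file, the four bound ciphers in priority order, and only TLS1.2 enabled before you rescan.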

Rescan your NetScaler Gateway URL in Qualys SSL Labs (with "Clear cache") and voila!


I would also like to credit the following folks who have already shared their tips through their blogs:

Scoring an A+ at SSLlabs.com with Citrix NetScaler (the sequel)

Scoring an A+ on SSLLABS.COM with NetScaler 11 VPX


About cloudray

Predominantly based around Virtualization, but will include other technology related information and anything else I find interesting and feel the need to share with you. I also use this Blog as both a place to store useful information that I think that will come in handy to me at some point in the future, and also a place to help aid my learning. I find a great way to learn about something is to research about it and then write it up in my own words. I'm Pushpal Ray, from India. As a certified VCP3/4/5 professional, I am currently working as an Independent Consultant. Over 10 years of IT-industry experience, currently focused around the Desktop Virtualization(End-User Computing). I also have extensive experience in Windows Administration, Datacenter Migration, Workload profiling & benchmarking. At my leisure, I enjoy hiking, running, photography, spend hours in my fav coffee shop & spend quality time with my wife. Occasionally, catch up with few friends for a drink!
This entry was posted in Enterprise Virtualization.
