A bit of a hot topic right now is security and rightly so.
I will keep this simple. You are allowing access into your environment externally using a NetScaler Gateway. Let’s make sure we secure this beast and get an A result in your Qualys SSL Labs tests. Actually no, let’s go for the A+.
I don’t need to go into all the security jargon here; I will leave that up to your own research, plus, it is very dry reading. I will supply links at the bottom of this post for those wishing to know more. What I will show you here is the last post in my series on the overlooked-but-somewhat-familiar, delving into NetScaler Gateway security.
Some environments I have witnessed just have an SSL certificate on the appliance and that is that. If that gets you to sleep at night, that is fine, but you really can do a lot better on security matters, and it will not impress the boss when he looks at the results of those penetration tests.
The Four Steps to Success
My NetScaler was configured with an SSL cert and the bare-bones configuration for it to work so I could log in and launch my applications externally.
I decided to see what grade I would get by using Qualys SSL Labs Checker Tool.
https://www.ssllabs.com/ssltest/
Just your everyday C grade. That for me is not going to set my boss’s expectations on fire but it isn’t bad.
STEP 1 – DEAL WITH SECURITY PROTOCOLS /CIPHERS
Remove SSL3 from your NetScaler Gateway and add custom ciphers, with the ECDHE suites at the top of the list.
Set ECDHE at top priority within your custom ciphers, as shown below.
Surely my grade will improve.
Ok, a B grade, and we got rid of that pesky…
STEP 2 – THE CHAIN (NOTHING TO DO WITH FLEETWOOD MAC)
The next action was to import the intermediate certificate in my certificate chain onto the NetScaler appliance. I used the intermediate SHA2 server certificate obtained from my trusted CA. I installed this onto my NetScaler appliance and linked my NetScaler Gateway server certificate to the intermediate.
Link server certificate to Intermediate certificate as shown here.
Click OK and now your certificate chain is linked.
Shall we see what the scores are?
So now we all understand we should never break the chain 😉.
We are close but no cigar yet. I want A+, remember.
STEP 3 – AVOID SSL RENEGOTIATION DENIAL OF SERVICE ATTACKS
Open up a PuTTY session and log on to your NetScaler.
Type in the following command:
set ssl parameter -denySSLReneg FRONTEND_CLIENT
Congratulations on your A!
Remember that teacher in school that was never satisfied with your efforts? I had many such teachers, but now I will follow suit and say we can do better than that! I have one more trick up my sleeve.
STEP 4 – CONFIGURE HTTP STRICT TRANSPORT SECURITY (HSTS)
Open up PuTTY and SSH to your NetScaler. Once logged in, type the commands below.
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header
Now bind the rewrite policy to your NetScaler Gateway:
bind vpn vserver Name_of_NetScaler_vServer -policy enforce_STS -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
Congratulations, my friend, on achieving a tremendous result on securing your NetScaler appliance!
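To check that all four steps actually landed on an appliance, a quick audit of the running configuration is handy. The script below is an added example and is not part of the original post or of any Citrix tooling: it parses ns.conf-style command lines and reports whether SSLv3 is disabled (step 1), an ECDHE suite sits at priority 1 in the bound cipher group (step 1), the server certificate is linked to an intermediate (step 2), client-initiated renegotiation is denied (step 3), and an HSTS rewrite policy is bound to the vserver as a RESPONSE policy with a long enough max-age (step 4). The vserver, certificate and cipher-group names in the sample configuration are constructed for the example; the 180-day max-age threshold is the one SSL Labs uses for its A+ HSTS bonus.

```python
import re
import shlex

# Constructed sample of NetScaler CLI configuration (ns.conf style). Names such as
# NSG_vserver, NSG_cert, Intermediate_cert and ECDHE_FIRST are illustrative only.
SAMPLE_NS_CONF = r"""
add vpn vserver NSG_vserver SSL 203.0.113.10 443
add ssl certKey NSG_cert -cert gateway.crt -key gateway.key
add ssl certKey Intermediate_cert -cert intermediate.crt
link ssl certKey NSG_cert Intermediate_cert
bind ssl vserver NSG_vserver -certkeyName NSG_cert
add ssl cipher ECDHE_FIRST
bind ssl cipher ECDHE_FIRST -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher ECDHE_FIRST -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher ECDHE_FIRST -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 3
bind ssl vserver NSG_vserver -cipherName ECDHE_FIRST
set ssl vserver NSG_vserver -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED
set ssl parameter -denySSLReneg FRONTEND_CLIENT
add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy enforce_STS true insert_STS_header
bind vpn vserver NSG_vserver -policy enforce_STS -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
"""

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # SSL Labs wants at least 180 days for the A+ bonus
ACCEPTED_RENEG = ("FRONTEND_CLIENT", "FRONTEND_CLIENTSERVER", "ALL")


def parse_conf(text):
    """Split ns.conf-style text into token lists, one per command, skipping blanks/comments."""
    return [shlex.split(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _opts(tokens):
    """Turn '-flag value' pairs into a dict; a flag with no value maps to True."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i][1:]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i][1:]] = True
                i += 1
        else:
            i += 1
    return opts


def audit_gateway(conf_text, vserver):
    """Return a dict of check name -> bool for the four hardening steps on one vserver."""
    cmds = parse_conf(conf_text)
    f = {}

    # Step 1a: SSLv3 explicitly disabled on the gateway vserver.
    f["ssl3_disabled"] = any(c[:3] == ["set", "ssl", "vserver"] and len(c) > 3 and c[3] == vserver
                             and _opts(c[4:]).get("ssl3") == "DISABLED" for c in cmds)

    # Step 1b: the cipher group bound to the vserver has an ECDHE suite at the lowest priority number.
    groups = [_opts(c[4:])["cipherName"] for c in cmds
              if c[:3] == ["bind", "ssl", "vserver"] and len(c) > 3 and c[3] == vserver and "-cipherName" in c]
    ranked = [(int(_opts(c[4:]).get("cipherPriority", "999")), _opts(c[4:])["cipherName"])
              for c in cmds if c[:3] == ["bind", "ssl", "cipher"] and len(c) > 3 and c[3] in groups]
    f["ecdhe_first"] = bool(ranked) and "ECDHE" in min(ranked)[1]

    # Step 2: the certkey bound to the vserver is linked to an intermediate.
    certs = [_opts(c[4:])["certkeyName"] for c in cmds
             if c[:3] == ["bind", "ssl", "vserver"] and len(c) > 3 and c[3] == vserver and "-certkeyName" in c]
    f["chain_linked"] = any(c[:3] == ["link", "ssl", "certKey"] and len(c) > 4 and c[3] in certs for c in cmds)

    # Step 3: client-initiated renegotiation denied globally.
    f["reneg_denied"] = any(c[:3] == ["set", "ssl", "parameter"]
                            and _opts(c[3:]).get("denySSLReneg") in ACCEPTED_RENEG for c in cmds)

    # Step 4: an HSTS rewrite action -> policy -> RESPONSE binding on the vserver, with a long max-age.
    actions = {}
    for c in cmds:
        if c[:3] == ["add", "rewrite", "action"] and len(c) >= 7 and c[4] == "insert_http_header" \
                and c[5].lower() == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", c[6])
            actions[c[3]] = int(m.group(1)) if m else 0
    policies = {c[3]: c[5] for c in cmds
                if c[:3] == ["add", "rewrite", "policy"] and len(c) >= 6 and c[5] in actions}
    bindings = [_opts(c[4:]) for c in cmds
                if c[:3] == ["bind", "vpn", "vserver"] and len(c) > 3 and c[3] == vserver]
    f["hsts_bound"] = any(b.get("policy") in policies and b.get("type") == "RESPONSE"
                          and actions[policies[b["policy"]]] >= MIN_HSTS_MAX_AGE for b in bindings)
    return f


def missing_steps(findings):
    """Names of the checks that failed, in the order they were evaluated."""
    return [name for name, ok in findings.items() if not ok]


if __name__ == "__main__":
    result = audit_gateway(SAMPLE_NS_CONF, "NSG_vserver")
    for name, ok in result.items():
        print(f"{name:14s} {'OK' if ok else 'MISSING'}")
```

Run it against the output of `show running` saved to a file (after removing the sample text) and any line reported as MISSING points at the step that still needs doing; a max-age shorter than 180 days or a policy bound with `-type REQUEST` both show up as `hsts_bound MISSING`, which is exactly the kind of near-miss that costs the plus on the grade.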
CONCLUSION
This article is not meant to go into the technical waffle on security. What I want to show you here is how easy it is to secure your NetScaler Gateway appliances in 4 steps within a matter of minutes.
Yes, there are other security settings you can add, but to be fair, I am happy with an A+ and your boss will be too when those penetration tests come in.
For those who wish to know more and fill in the blanks, check out these resources:
https://discussions.citrix.com/topic/374534-netscaler-chain-incomplete/
https://www.antonvanpelt.com/make-your-netscaler-ssl-vips-more-secure-updated/
https://www.us-cert.gov/ncas/alerts/TA14-290A
https://www.derekseaman.com/2013/05/import-iis-ssl-certificate-to-citrix-netscaler.html
https://blog.qualys.com/ssllabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
https://support.citrix.com/article/CTX121149
https://support.citrix.com/article/CTX205221
This will be the end of my introductory series on overlooked settings. There is so much more on this topic, but the aim was just to highlight 3 separate strategies that are simple, effective yet overlooked.
NetScaler Gateway Security
I hope you have enjoyed my initial CTA posts and more will follow.
Follow me on Twitter:
@CitXen