Make your NetScaler SSL VIPs more secure


Nowadays, just securing your web server with an SSL certificate is no longer enough. The recent POODLE man-in-the-middle attack has made SSLv3 officially insecure.

I know this is not the first post written on hardening NetScaler; Neil Spelling and Marius Sandbu wrote very good articles on this topic. In this blog post I want to show you how to quickly make the NetScaler SSL VIPs as secure as possible.

IMPORTANT: I will provide settings that fit most scenarios. I can imagine that there are scenarios where you need to support old browsers that rely on SSLv3 and don’t support TLS. The same goes for SSL renegotiation: there are scenarios where denying renegotiation won’t fit.


Basically we can adjust the following settings on an SSL virtual server: SSL Protocol, SSL Ciphers and SSL Renegotiation.

SSL Protocol:
Since the POODLE attack has shown that the SSLv3 protocol is vulnerable, we had better disable this protocol on our NetScaler SSL VIPs (including NetScaler Gateway):
(Screenshot: disabling SSLv3 on the SSL virtual server)

batch Command:
set ssl vserver {VIP name} -ssl3 DISABLED


SSL Ciphers
The SSL cipher determines the encryption level of the SSL connection. NetScaler assigns the DEFAULT cipher group to an SSL based virtual server. Especially with older NetScaler firmware versions the DEFAULT cipher group contains a lot of weak ciphers. In this example I’m using the SSL cipher group HIGH, which is a good starting point. Feel free to create your own cipher group.
(Screenshot: binding the HIGH cipher group to the SSL virtual server)

batch Command:
bind ssl vserver {VIP name} -cipherName HIGH


SSL Renegotiation
Before NetScaler 10.5, SSL renegotiation was allowed by default. Make sure to disable SSL renegotiation, or at least set this value to “FRONTEND_CLIENT”; I will come back to this later.
(Screenshot: the Deny SSL Renegotiation setting)

batch Command:
set ssl parameter -denySSLReneg ALL


SSL Profile
Via an SSL profile we are able to create a template for various SSL settings, including the SSL protocol and SSL renegotiation options. After the profile is created it can be bound to an SSL based virtual server.

(Screenshot: creating the SSL profile)

batch Command:
add ssl profile more_secure -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED -ssl3 DISABLED -denySSLReneg FRONTEND_CLIENT


How to use the SSL Profile
(Screenshot: binding the SSL profile to the virtual server)

batch Command:
set ssl vserver cs_vs_citrix_sharefile-extern -sslprofile more_secure
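As an added example (my own code, not from the original post or from Citrix), the steps above combined into one generator for a NetScaler batch file, so the same hardening can be applied to a whole list of VIPs in one go. It uses the NetScaler 10.x CLI syntax shown in the post; the VIP names in the demo are constructed. It also unbinds the DEFAULT cipher group before binding HIGH, because binding HIGH alone leaves DEFAULT (and its weak ciphers) bound:

```python
"""
Added example, not code from the original post: emit one NetScaler batch file that
applies the post's steps (protocol, ciphers, renegotiation, SSL profile) to every
SSL VIP in a list. CLI syntax is NetScaler 10.x; demo VIP names are constructed.
"""

# Values the NetScaler accepts for -denySSLReneg.
DENY_RENEG_VALUES = {"NO", "FRONTEND_CLIENT", "FRONTEND_CLIENTSERVER", "ALL", "NONSECURE"}


def _check_reneg(deny_reneg):
    deny_reneg = deny_reneg.upper()
    if deny_reneg not in DENY_RENEG_VALUES:
        raise ValueError(f"unsupported -denySSLReneg value: {deny_reneg}")
    return deny_reneg


def profile_command(profile="more_secure", deny_reneg="FRONTEND_CLIENT"):
    """'add ssl profile' with SSLv3 off, TLS 1.0-1.2 on and the renegotiation policy."""
    return (f"add ssl profile {profile} -ssl3 DISABLED -tls1 ENABLED "
            f"-tls11 ENABLED -tls12 ENABLED -denySSLReneg {_check_reneg(deny_reneg)}")


def vip_commands(vip, profile="more_secure", cipher_group="HIGH"):
    """Per-VIP lines. With a profile, protocol and renegotiation settings come from
    the profile; without one, SSLv3 is disabled on the vserver itself as in the
    post's first step. Binding HIGH does not remove DEFAULT, so DEFAULT is unbound
    first, otherwise its weak ciphers stay negotiable."""
    lines = [
        f"unbind ssl vserver {vip} -cipherName DEFAULT",
        f"bind ssl vserver {vip} -cipherName {cipher_group}",
    ]
    if profile:
        lines.append(f"set ssl vserver {vip} -sslProfile {profile}")
    else:
        lines.insert(0, f"set ssl vserver {vip} -ssl3 DISABLED")
    return lines


def hardening_batch(vips, profile="more_secure", cipher_group="HIGH",
                    deny_reneg="FRONTEND_CLIENT"):
    """Whole batch in dependency order: the profile exists before any VIP refers
    to it; without a profile the renegotiation policy is set globally instead."""
    if profile:
        lines = [profile_command(profile, deny_reneg)]
    else:
        lines = [f"set ssl parameter -denySSLReneg {_check_reneg(deny_reneg)}"]
    for vip in vips:
        lines.extend(vip_commands(vip, profile, cipher_group))
    lines.append("save ns config")
    return lines


if __name__ == "__main__":
    demo_vips = ["vs_ssl_owa_extern", "vs_ssl_sharefile_extern"]  # constructed names
    batch = hardening_batch(demo_vips)
    with open("harden_ssl_vips.batch", "w") as fh:
        fh.write("\n".join(batch) + "\n")
    print("\n".join(batch))
```

Copy the generated file to the NetScaler and run it from the CLI with the batch command (batch -fileName <path>); pass profile=None to get the per-vserver variant from the first three steps instead of the profile-based one.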


NetScaler MPX vs. NetScaler VPX
When we disable the SSLv3 protocol, only communication via the TLS protocol is possible. Keep in mind that NetScaler VPX only supports TLS1.0. NetScaler MPX supports TLS1.1 and TLS1.2 as well; these are only supported on NetScaler MPX because of the Cavium SSL chips, which don’t exist in NetScaler VPX.


Test your SSL VIP
Via an SSL server test we can verify whether the NetScaler VIP is secured. In this blog post I will use the following SSL test:

Depending on your NetScaler firmware version, the test result can end up with a status F (insecure).

After optimising a NetScaler VIP on SSL protocol, SSL ciphers and SSL renegotiation, we get a much better status of A-.


SHA-1 vs. SHA-2
When requesting a new SSL certificate, make sure you order a SHA-2 (SHA256) certificate. SHA-2 offers a more secure signature on the SSL certificate than SHA-1. After 1st of January 2016 it is not possible to order a SHA-1 based certificate anymore, and after 1st of January 2017 the industry will stop trusting SHA-1 based certificates. The following website shows information on SHA256 compatibility:
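As an added example (my own code, not from the original post), a small checker for the two things the “Test your SSL VIP” and “SHA-1 vs. SHA-2” sections ask you to verify: which protocol versions the VIP still accepts, and whether the certificate is SHA-1 or SHA-2 signed. It uses the local openssl binary (s_client for the handshakes, x509 for the certificate dump); the parsing functions are separate from the network code and run here on constructed sample output shaped like openssl’s:

```python
"""
Added example (not the original post's code): probe an SSL VIP with the local
`openssl` binary. probe_vip() does the network work; everything else parses
captured openssl output, so the constructed samples at the bottom run offline.
"""
import re
import subprocess

# openssl s_client flag per protocol version. Modern OpenSSL builds are compiled
# without SSLv3, in which case -ssl3 is rejected and the version is reported as
# None ("could not test") rather than False ("refused by the server").
PROTOCOL_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1.0": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
}


def handshake_succeeded(s_client_output):
    """s_client prints 'New, <proto>, Cipher is <name>' after a successful handshake
    and 'New, (NONE), Cipher is (NONE)' when the server refused the version."""
    match = re.search(r"^New, .*?, Cipher is (\S+)", s_client_output, re.MULTILINE)
    return bool(match) and match.group(1) != "(NONE)"


def secure_renegotiation(s_client_output):
    """RFC 5746 support as reported by s_client, or None if the line is missing.
    This is not the post's -denySSLReneg setting (whether client-initiated
    renegotiation is accepted at all); that needs an interactive 'R' in s_client."""
    match = re.search(r"Secure Renegotiation IS( NOT)? supported", s_client_output)
    if match is None:
        return None
    return match.group(1) is None


def signature_algorithm(x509_text):
    """First 'Signature Algorithm:' line of `openssl x509 -noout -text` output."""
    match = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    return match.group(1) if match else "unknown"


def certificate_is_sha2(x509_text):
    """Covers RSA (sha256WithRSAEncryption) and ECDSA (ecdsa-with-SHA256) names."""
    return re.search(r"sha(256|384|512)", signature_algorithm(x509_text), re.I) is not None


def evaluate(handshakes, x509_text, reneg):
    """Turn the raw facts into the findings a server test would flag."""
    issues = []
    if handshakes.get("SSLv3") is True:
        issues.append("SSLv3 accepted: set -ssl3 DISABLED on the VIP or its SSL profile")
    if handshakes.get("TLSv1.2") is False:
        issues.append("TLSv1.2 refused: check the SSL profile and the platform/firmware")
    if not certificate_is_sha2(x509_text):
        issues.append(f"certificate signed with {signature_algorithm(x509_text)}: reissue as SHA-2")
    if reneg is False:
        issues.append("secure renegotiation (RFC 5746) not supported")
    return issues


def _openssl(args, stdin=b""):
    proc = subprocess.run(["openssl", *args], input=stdin, capture_output=True, timeout=15)
    return proc.returncode, proc.stdout.decode(errors="replace"), proc.stderr.decode(errors="replace")


def probe_vip(host, port=443):
    """Run the handshakes and certificate dump against a live VIP and evaluate them."""
    handshakes, last_good = {}, ""
    for version, flag in PROTOCOL_FLAGS.items():
        _, out, err = _openssl(["s_client", "-connect", f"{host}:{port}", "-servername", host, flag])
        if "unknown option" in err or "not supported" in err:
            handshakes[version] = None  # local openssl cannot speak this version
            continue
        handshakes[version] = handshake_succeeded(out)
        if handshakes[version]:
            last_good = out
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", last_good, re.S)
    x509_text = _openssl(["x509", "-noout", "-text"], pem.group(0).encode())[1] if pem else ""
    return evaluate(handshakes, x509_text, secure_renegotiation(last_good))


# Constructed sample output, shaped like openssl's, so the parsing runs offline.
SAMPLE_S_CLIENT_OK = (
    "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA\n"
    "Server public key is 2048 bit\n"
    "Secure Renegotiation IS supported\n"
)
SAMPLE_S_CLIENT_REFUSED = "New, (NONE), Cipher is (NONE)\nSecure Renegotiation IS NOT supported\n"
SAMPLE_X509_SHA1 = "Certificate:\n    Data:\n        Version: 3 (0x2)\n    Signature Algorithm: sha1WithRSAEncryption\n"


def offline_demo():
    """A VIP that still answers SSLv3, refuses TLSv1.2 and serves a SHA-1 certificate."""
    handshakes = {"SSLv3": handshake_succeeded(SAMPLE_S_CLIENT_OK), "TLSv1.0": True,
                  "TLSv1.1": True, "TLSv1.2": handshake_succeeded(SAMPLE_S_CLIENT_REFUSED)}
    return evaluate(handshakes, SAMPLE_X509_SHA1, secure_renegotiation(SAMPLE_S_CLIENT_OK))


if __name__ == "__main__":
    import sys
    result = probe_vip(sys.argv[1]) if len(sys.argv) > 1 else offline_demo()
    print("\n".join(result) or "no issues")
```

Run it with a hostname to probe a real VIP, or without arguments to see the verdict on the constructed sample (three findings: SSLv3 accepted, TLSv1.2 refused, SHA-1 certificate). The “Secure Renegotiation” line only tells you whether RFC 5746 is supported; it does not prove that client-initiated renegotiation is denied, which is what the -denySSLReneg setting controls.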

In this blog post I gave you some quick tips on how to make your NetScaler VIPs more secure. Like I said before, there are situations where you can’t disable SSLv3 or offer a SHA-2 based certificate. Remember, this is just a template.

9 thoughts on “Make your NetScaler SSL VIPs more secure”

  1. Jeremy, Jan 6, 2015 6:36 pm

    Thanks for the article! Extremely helpful! Too bad VPX does not support TLS1.2..

  2. Peter, Jan 19, 2015 11:12 am

    Thanks, excellent article on SSL security problems and how to tweak this in Netscaler.
    However, since TLS 1.0 and 1.1 are also not regarded “secure”, this means that we are obliged to go for the MPX, as the VPX and SDX versions of the Netscaler don’t support TLS 1.2 … bummer …

  3. tester, Mar 31, 2015 11:54 pm

    Can I have a SHA-2 certificate being served from a server that still has to support SSLv3? Please advise. Thank you.

  4. Helmut Hauser, May 22, 2015 1:55 pm

    The latest build, build-10.5-57.7_nc, does support TLS 1.1 and 1.2.

  5. Darren Bennett, Feb 24, 2016 5:38 am

    I see the latest SSL Labs test has changed the baseline and A+ is now B! I’ll be looking at this later today to see if I can get it back to A+!

  6. Geir Sandstad, Feb 25, 2016 2:38 pm

    Just ran a test on a Netscaler-hosted site, and received an A+, partly based on settings in this article. Use DH keys (1024 or 2048 bit), check your cipher suites and STS rewrite, and you should be pretty much good to go.
