Secure your NetScaler GSLB configuration

NetScaler GSLB

Recently I was working on a couple of NetScaler Global Server Load Balancing (GSLB) configurations. One of these customers put NetScaler on the edge of the network. Although I always recommend putting NetScaler behind a firewall, this customer had a good reason not to follow my advice: the workload is too heavy and would cause too much traffic on their current firewalls.

So for this reason we had to secure and protect this environment as much as possible with the tools available within NetScaler itself.

In this blog post I'm not going to explain how to set up a GSLB configuration; there are plenty of guides out there. This post focuses purely on how to secure the GSLB setup, with or without a firewall in front of NetScaler.

Secure Metric Exchange Protocol

The Metric Exchange Protocol (MEP) within a GSLB setup is used to check the availability of the other site(s). MEP is also used to exchange the service load of the remote site. When you configure a GSLB site, its GSLB site IP address is automatically added to NetScaler as an RPC node (endpoint). By default this communication is unencrypted and takes place over TCP port 3011.

NetScaler unsecure RPC

batch Command:
add gslb site remotesite *IP GSLB SITE IP* -publicIP *IP GSLB SITE IP*

To encrypt this traffic, simply check the secure option on each RPC node. Do this on every site, for the RPC node of every partner site; if only one side is set to secure, the sites can no longer exchange metrics. While you are there, also change the RPC node password from its default and configure the same password on both sites: that password is what authenticates the partner site, so the default is not acceptable on an edge-facing box.

NetScaler Secure RPC

batch Command:
set rpcNode *IP ADDRESS* -secure yes

Once the secure option is enabled on both sides, the RPC traffic flows encrypted over TCP port 3009.

Control Metric Exchange Protocol via ACL

The Metric Exchange Protocol traffic needs to flow via the external path to determine if the other site is healthy. For this customer, with NetScaler placed on the edge, this means that everybody could connect to the MEP port TCP 3009. Although this traffic is encrypted, we want to block as much as possible and only allow the other NetScaler partners to connect.

We came up with the idea to build a simple NetScaler ACL that blocks all traffic to ports 3011 and 3009 except from the source IPs of the other NetScaler partners. The first attempt was a single deny ACL:

NetScaler ACL RPC MEP

batch Command:
add ns acl deny_mep_tcp3009 DENY -destPort = 3009 -protocol TCP -priority 1000
apply acls

After the ACL was applied we were still able to connect to port 3009, and the ACL wasn't hit.

NetScaler ACL Hits

After some troubleshooting we found out that we first need to disable the network layer 3 parameter “Enable Implicit ACL Allow”. With this parameter enabled (the default), NetScaler implicitly allows traffic to its management and RPC ports, including TCP 3008-3011, and a custom deny ACL on those ports is never hit. Be aware of what disabling it means: from now on your own ACLs decide, so if you carry broad deny rules, make sure management access to the NSIP (SSH, HTTPS) is still allowed before you apply them, or you can lock yourself out.

NetScaler l3feature

batch Command:
set l3Param -implicitACLAllow disabled

After this setting is disabled we are able to control TCP ports 3008-3011 via custom ACLs. Now we can create our ACLs to allow and deny traffic on ports 3009 and 3011. This is easily done via the CLI. ACLs are evaluated in priority order (lowest number first), so the allow rule for the partner site gets priority 100 and the catch-all deny rules get 1000 and 1010. Add one allow rule per partner site:

ALLOW:

batch Command:
add ns acl allow_gslb_mep_netscaler_tcp3009 ALLOW -srcIP = *IP PARTNER GSLB SITE IP* -destIP = *IP GSLB SITE IP* -destPort = 3009 -protocol TCP -priority 100

DENY: 

batch Command:
add ns acl deny_gslb_mep_default_deny_tcp3009 DENY -destPort = 3009 -protocol TCP -priority 1000
add ns acl deny_gslb_mep_default_deny_tcp3011 DENY -destPort = 3011 -protocol TCP -priority 1010

APPLY:

batch Command:
apply acls

After we added and applied these ACLs we finally see hits on the deny policy. Check from the partner site that the GSLB site is still reported as active before you walk away: a typo in the source IP of the allow rule silently breaks MEP, and the remote site will start treating this one as down.

NetScaler ACL Hits

Keep in mind that if you have a firewall in front of NetScaler, you can already build this whitelist there; the ACLs on NetScaler are then a second layer rather than the only one.

Global Server Load Balancing DNS

GSLB relies on DNS: the system sends the client to a specific VIP based on DNS queries. This is why each NetScaler that is part of the GSLB system hosts an Authoritative DNS server (ADNS). The NetScaler needs to have port 53 for DNS open on a public IP address. This can be the GSLB site IP, but that is not a requirement.

Since NetScaler acts as an ADNS server, anyone can query it for DNS records. NetScaler only responds for records that are hosted on NetScaler and does not forward queries to other name servers by default. This means that any client can query every record that exists in the NetScaler DNS configuration, including records that you do not want to be visible outside your premises.

NetScaler GSLB DNS Query

As you can see, I have created an internal record in my NetScaler DNS configuration. This record I only want to have available for the NetScaler system itself and for internal clients, not for outside parties.

To solve this we have to restrict the DNS queries the ADNS service will answer from the outside to only the GSLB services we are publishing externally. Therefore we start by creating a pattern set (a kind of NetScaler array) that contains all the services we offer via GSLB to the outside world.

NetScaler Pattern Set

batch Command:
add policy patset ps_external_gslb_dns_records
bind policy patset ps_external_gslb_dns_records *GSLB Service FQDN1*
bind policy patset ps_external_gslb_dns_records *GSLB Service FQDN2*

Then we need to configure a responder action and a responder policy that use this pattern set.

Responder Action:

NetScaler DNS Responder Action

batch Command:
add responder action rsp_act_block_internal_dns_response respondwith DNS.NEW_RESPONSE

DNS.NEW_RESPONSE sends back a response with no answer records for the question asked, so an outside client learns nothing about the record. If you would rather have the client receive an explicit NXDOMAIN, NetScaler also offers the DNS.NEW_NXDOMAIN_RESPONSE expression for the same purpose.

Responder Policy

NetScaler DNS Responder Policy

batch Command:
add responder policy rsp_pol_block_internal_dns_response "CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT && DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(\"ps_external_gslb_dns_records\").NOT" rsp_act_block_internal_dns_response

Pay attention to the CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT part: it lets internal clients (here everything in 10.0.0.0/8; adjust this to your own internal ranges) query any record that is available, while the action only fires when both conditions hold, i.e. the client is external AND the queried name is not in the pattern set. Also note that CONTAINS_ANY is a substring match: a query for dev.app.example.com would pass when the pattern set contains app.example.com. If your internal names can contain a published FQDN, use EQUALS_ANY for an exact match instead.

After we created both the action and the policy, we need to bind the policy globally to the responder policy engine at the DNS request bind point.

NetScaler DNS Responder Policy Binding

batch Command:
bind responder global rsp_pol_block_internal_dns_response 100 END -type DNS_REQ_DEFAULT
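As a check after both the MEP ACLs and the DNS restriction above, here is an added example script of my own (not part of the original post and not Citrix code) that probes a site from an outside vantage point: it attempts a TCP connect to 3008-3011, then sends raw DNS A queries for a published GSLB name and for an internal name and classifies the replies. The address 203.0.113.10 and the names app.example.com and internal.example.com are placeholders, and classifying an empty NOERROR reply as the output of DNS.NEW_RESPONSE is my assumption about that responder action. Run it from a host that is neither a GSLB partner nor inside your internal subnet.

```python
#!/usr/bin/env python3
"""External exposure check for a hardened NetScaler GSLB site.

Added example, not Citrix code. Standard library only, so it runs anywhere.
Expected from an outside host: all MEP/RPC ports closed, internal names
come back empty, published GSLB names still resolve.
"""
import socket
import struct
import sys

# 3011 (unsecure MEP) and 3009 (secure) from the post, plus the rest of the
# 3008-3011 RPC range that the custom ACLs control once implicit allow is off.
MEP_RPC_PORTS = (3008, 3009, 3010, 3011)
DNS_TXID = 0x1234  # fixed transaction ID so a reply can be matched


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake completes, i.e. the ACL did NOT block us."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def build_dns_query(name, qtype=1, txid=DNS_TXID):
    """Minimal RFC 1035 query: one question, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_header(data):
    """Return (txid, rcode, answer_count) from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a DNS response")
    return txid, flags & 0x000F, an


def classify(rcode, answer_count):
    """Map header fields to what the responder policy should produce."""
    if rcode == 0 and answer_count == 0:
        return "EMPTY"  # assumed: what respondwith DNS.NEW_RESPONSE yields
    if rcode == 0:
        return "ANSWERED"
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 5:
        return "REFUSED"
    return "RCODE%d" % rcode


def dns_probe(server, name, timeout=2.0):
    """Send one A query over UDP to the ADNS and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    txid, rcode, answers = parse_dns_header(data)
    if txid != DNS_TXID:
        raise ValueError("transaction ID mismatch")
    return classify(rcode, answers)


def evaluate(port_results, public_results, internal_results):
    """Return findings that indicate exposure or breakage; empty means OK.

    port_results: {port: is_open}; public_results / internal_results:
    {fqdn: classification}. Published names must be ANSWERED, internal
    names must not be.
    """
    findings = []
    for port, is_open in sorted(port_results.items()):
        if is_open:
            findings.append("tcp/%d reachable: MEP/RPC ACL not effective" % port)
    for fqdn, result in sorted(public_results.items()):
        if result != "ANSWERED":
            findings.append("%s -> %s: published GSLB name broken" % (fqdn, result))
    for fqdn, result in sorted(internal_results.items()):
        if result == "ANSWERED":
            findings.append("%s -> ANSWERED: internal record leaks" % fqdn)
    return findings


if __name__ == "__main__":
    # Placeholders (assumptions): your GSLB site IP, the IP the ADNS service
    # listens on, and names taken from (and deliberately not in) the pattern set.
    site_ip, adns_ip = "203.0.113.10", "203.0.113.10"
    ports = {p: tcp_port_open(site_ip, p) for p in MEP_RPC_PORTS}
    public = {n: dns_probe(adns_ip, n) for n in ["app.example.com"]}
    internal = {n: dns_probe(adns_ip, n) for n in ["internal.example.com"]}
    problems = evaluate(ports, public, internal)
    print("\n".join(problems) or "no exposure found")
    sys.exit(1 if problems else 0)
```

Run it once from the partner site as well: there the MEP port for the partner's source IP should be open and everything else unchanged, which confirms the allow rule matches before the deny rules. The exit code makes it easy to wire into a scheduled check so a future configuration change that re-enables the implicit ACL allow or drops the responder binding is noticed.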

Conclusion

In this blog post I showed you how you can secure your NetScaler GSLB configuration by:

  • Securing your Metric Exchange Protocol RPC traffic
  • Restricting your Metric Exchange Protocol RPC traffic via ACLs
  • Limiting DNS queries from the outside world
