My last blog post about securing Netscaler VPX covered Netscaler 10.5.57, the first firmware with TLS 1.1 and TLS 1.2 support. After the update and activating TLS 1.1/TLS 1.2 (and disabling SSLv3, of course) the rating at https://www.ssllabs.com/ssltest/ is an "A", which is pretty good but still leaves room for optimization.

 

Custom Ciphers

The first thing to optimize is the set of ciphers the vServer offers. My suggestion is to start with a new custom cipher group instead of editing the built-in one:

add ssl cipher SECURE-Ciphers

Add the secure ciphers that a VPX supports (the list may differ on a hardware appliance). The important part is that no RC4 cipher ends up in the group. Two caveats on the list below: every suite uses CBC mode with an HMAC-SHA1 MAC, and the last one is 3DES, which has a 64-bit block size and is reported as weak by current scanners. Keep 3DES at the lowest priority only if you still have clients that cannot do AES, and drop it otherwise.

bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 3
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 4
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher SECURE-Ciphers -cipherName SSL3-DES-CBC3-SHA -cipherPriority 7

 

Bind the group to your SSL vServer:

bind ssl vserver myNetscalerGateway -cipherName SECURE-Ciphers
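Before binding a group it pays to check it mechanically, especially once the list grows or gets copied between appliances. The following is an added example, not part of the original post and not Citrix code: a small Python audit that reads the add ssl cipher / bind ssl cipher commands (for instance from a saved ns.conf), rejects RC4, NULL, export, MD5 and single-DES suites, warns about 3DES, and checks that the ECDHE/DHE suites are ranked above the static-RSA ones. The Weak-Ciphers group is a constructed counter-example; the SECURE-Ciphers group is the one from this post.

```python
"""Static audit of a Netscaler cipher group as written in ns.conf or on the CLI.

Added example for this post; it is not Citrix code and does not talk to the
appliance. It reads 'add ssl cipher' / 'bind ssl cipher' commands, rejects
suites that must never be on a public vServer, warns about legacy suites and
checks that forward-secrecy suites are ranked above static-RSA ones.
"""
import re
from typing import Dict, List, Tuple

ADD_RE = re.compile(r"^add ssl cipher (?P<group>\S+)$")
BIND_RE = re.compile(
    r"^bind ssl cipher (?P<group>\S+) -cipherName (?P<name>\S+)"
    r"(?: -cipherPriority (?P<prio>\d+))?$"
)

# Substrings that mark a suite as unacceptable (RC4, NULL, export, MD5, single DES).
FORBIDDEN = ("RC4", "NULL", "EXP-", "MD5", "-DES-CBC-")
# Still accepted by most scanners but weak: 3DES has a 64-bit block size.
LEGACY = ("DES-CBC3",)

# Constructed sample: the cipher group from the post.
POST_CONFIG = """
add ssl cipher SECURE-Ciphers
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher SECURE-Ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 3
bind ssl cipher SECURE-Ciphers -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 4
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 5
bind ssl cipher SECURE-Ciphers -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 6
bind ssl cipher SECURE-Ciphers -cipherName SSL3-DES-CBC3-SHA -cipherPriority 7
""".strip().splitlines()

# Constructed sample of what NOT to do: RC4 present, static RSA ranked first.
BAD_CONFIG = """
add ssl cipher Weak-Ciphers
bind ssl cipher Weak-Ciphers -cipherName TLS1-AES-128-CBC-SHA -cipherPriority 1
bind ssl cipher Weak-Ciphers -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 2
bind ssl cipher Weak-Ciphers -cipherName SSL3-RC4-SHA -cipherPriority 3
""".strip().splitlines()


def parse_groups(lines) -> Dict[str, List[Tuple[int, str]]]:
    """Map group name -> [(priority, suite)] sorted by priority."""
    groups: Dict[str, List[Tuple[int, str]]] = {}
    for raw in lines:
        line = raw.strip()
        m = ADD_RE.match(line)
        if m:
            groups.setdefault(m.group("group"), [])
            continue
        m = BIND_RE.match(line)
        if m:
            # a bind without -cipherPriority is appended after the prioritised ones
            prio = int(m.group("prio") or 10**6)
            groups.setdefault(m.group("group"), []).append((prio, m.group("name")))
    for suites in groups.values():
        suites.sort()
    return groups


def has_forward_secrecy(name: str) -> bool:
    return "ECDHE" in name or "-DHE-" in name


def audit(lines):
    """Return (errors, warnings) for every cipher group found in `lines`."""
    errors, warnings = [], []
    for group, suites in parse_groups(lines).items():
        if not suites:
            errors.append(f"{group}: group has no ciphers bound")
            continue
        prios = [p for p, _ in suites]
        if len(set(prios)) != len(prios):
            errors.append(f"{group}: duplicate cipherPriority values {sorted(prios)}")
        if not has_forward_secrecy(suites[0][1]):
            errors.append(f"{group}: top priority {suites[0][1]} has no forward secrecy")
        seen_static = False
        for prio, name in suites:
            if any(bad in name for bad in FORBIDDEN):
                errors.append(f"{group}: forbidden suite {name} (priority {prio})")
            elif any(old in name for old in LEGACY):
                warnings.append(f"{group}: legacy suite {name}; drop it unless old clients need it")
            if has_forward_secrecy(name):
                if seen_static:
                    errors.append(f"{group}: {name} ranked below a static-RSA suite")
            else:
                seen_static = True
    return errors, warnings


if __name__ == "__main__":
    for cfg in (POST_CONFIG, BAD_CONFIG):
        errs, warns = audit(cfg)
        print("errors:", errs or "none")
        print("warnings:", warns or "none")
```

Feed it the relevant lines of a saved ns.conf and the group from this post passes with a single warning for the 3DES suite; the Weak-Ciphers sample fails on the RC4 suite and on its ordering.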

 

 

eccCurves

To actually negotiate the ECDHE ciphers you also need to bind the ECC curves to the vServer with the following command:

bind ssl vs myNetscalerGateway -eccCurveName ALL

 

HTTP Strict Transport Security (HSTS)

Another thing SSL Labs checks is HTTP Strict Transport Security (HSTS), which all current browsers support. You can insert the header with a simple rewrite policy bound on the response (!) side of your vServer. The max-age of 15768000 seconds (half a year) is deliberate: SSL Labs only awards A+ if the header promises at least six months. Be aware that once a browser has seen the header it refuses plain HTTP for that host until the age expires, so switch it on only when everything behind that name is reachable over HTTPS:

add rewrite action rew_act_strict_transport insert_http_header Strict-Transport-Security "\"max-age=15768000\""
add rewrite policy Pol_Rew_strict_transport_sec true rew_act_strict_transport
bind cs vserver CS_vServername -policyname Pol_Rew_strict_transport_sec -priority 100 -gotoPriorityExpression END -type RESPONSE

 

DH-Key

Of course all the "default" settings are still valid. To get a really secure vServer you still need to create a DH parameter file for your appliance and bind it to your vServer; the DHE suites in the cipher group above are only negotiated with DH enabled, and 2048 bits is the size to use, since SSL Labs reports 1024-bit DH parameters as weak:

create ssl dhparam Key-DH-1 2048 -gen 5
set ssl vserver CS_vServername -dh ENABLED -dhFile "/nsconfig/ssl/Key-DH-1"

 

Secure Renegotiation

You should also enable the workaround for the TLS/SSL renegotiation vulnerability. FRONTEND_CLIENT refuses renegotiation initiated by the client on the front end, which is what the known attacks rely on, while server-initiated renegotiation and the back-end connections are unaffected:

set ssl parameter -denySSLReneg Frontend_Client

 

That's it. With these optimizations you should be able to reach the preferred rating of "A+". But it is strongly recommended to test your environment after these changes, both with the SSL Labs scan and with your real clients (Receiver, older browsers), because tightening the cipher list locks out anything that cannot negotiate one of the suites above.
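SSL Labs is the reference, but you will also want a check you can run from your own network, for instance after every firmware update, that covers the cipher list, the ECDHE preference, the HSTS header and the renegotiation extension from the sections above. The script below is an added example, not from the original post and not a Citrix tool: it wraps openssl s_client, parses its output, and carries two constructed transcripts so the parser can be exercised without a Netscaler in reach. The hostname gw.example.com is an assumption.

```python
"""Handshake-level check of the vServer after the changes above.

Added example for this post, not Citrix code. It drives `openssl s_client`
from Python and parses its text output; the constructed transcripts below
are shaped like OpenSSL 1.0.x/1.1.x output. Host and port are assumptions.
"""
import re
import subprocess
import sys

MIN_HSTS_AGE = 180 * 24 * 3600   # SSL Labs wants at least six months for A+

# Constructed transcript of a successful TLS 1.2 probe (certificate shortened).
SAMPLE_TLS12 = """CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBsampleNotARealCertificate
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
---
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
Connection: close
"""

# Constructed transcript of a refused handshake (e.g. -ssl3 or -cipher RC4).
SAMPLE_REFUSED = """CONNECTED(00000003)
139781:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""


def run_s_client(host, port=443, extra=()):
    """Run openssl s_client with a HEAD request and return its combined output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-ign_eof", *extra]
    req = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    proc = subprocess.run(cmd, input=req, capture_output=True, timeout=20)
    return (proc.stdout + proc.stderr).decode(errors="replace")


def parse_s_client(output):
    """Pull the handful of facts we care about out of s_client output."""
    def field(key):
        m = re.search(rf"^\s*{key}\s*:\s*(\S+)", output, re.M)
        return m.group(1) if m else None
    hsts = re.search(r"^Strict-Transport-Security:\s*(.*)$", output, re.M | re.I)
    age = re.search(r"max-age=(\d+)", hsts.group(1)) if hsts else None
    return {
        "handshake_ok": "BEGIN CERTIFICATE" in output and "handshake failure" not in output,
        # the local openssl lacks the protocol/cipher, so the probe proves nothing
        "client_error": re.search(r"unknown option|no cipher match|no protocols available",
                                  output, re.I) is not None,
        "protocol": field("Protocol"),
        "cipher": field("Cipher"),
        "secure_reneg": "Secure Renegotiation IS supported" in output,
        "hsts_max_age": int(age.group(1)) if age else None,
    }


def evaluate(results):
    """results: {"sslv3": parsed, "rc4": parsed, "tls12": parsed} -> list of findings."""
    findings = []
    for name, r in results.items():
        if r["client_error"]:
            findings.append(f"{name}: local openssl cannot run this probe, check manually")
    if results["sslv3"]["handshake_ok"]:
        findings.append("SSLv3 still accepted")
    if results["rc4"]["handshake_ok"]:
        findings.append("an RC4 suite is still negotiable")
    t = results["tls12"]
    if not t["handshake_ok"] or t["protocol"] != "TLSv1.2":
        findings.append("TLS 1.2 handshake failed")
    elif not (t["cipher"] or "").startswith("ECDHE-"):
        findings.append(f"negotiated {t['cipher']}, not an ECDHE suite (eccCurves bound?)")
    if not t["secure_reneg"]:
        findings.append("secure renegotiation extension not advertised")
    if t["hsts_max_age"] is None:
        findings.append("no Strict-Transport-Security header in the response")
    elif t["hsts_max_age"] < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {t['hsts_max_age']} is below {MIN_HSTS_AGE}")
    return findings


def probe(host, port=443):
    results = {
        "sslv3": parse_s_client(run_s_client(host, port, ["-ssl3"])),
        "rc4": parse_s_client(run_s_client(host, port, ["-tls1", "-cipher", "RC4"])),
        "tls12": parse_s_client(run_s_client(host, port, ["-tls1_2"])),
    }
    return evaluate(results)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gw.example.com"   # assumed hostname
    for line in probe(target) or ["all checks passed"]:
        print(line)
```

Run it as python check_gw.py gw.example.com. The SSLv3 and RC4 probes only prove something if the local OpenSSL can still speak SSLv3 and RC4; the script reports when it cannot, and a second machine with an older OpenSSL build is then the easiest way to repeat them. Whether client-initiated renegotiation is really refused (the denySSLReneg setting) is easiest to see interactively: connect with openssl s_client, type R on a line by itself, and the appliance should reject it instead of completing a second handshake.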

 

 
