My last blog post about securing Netscaler VPX covered Netscaler 10.5.57, the first firmware with TLS 1.1 and TLS 1.2 support. After the update and after enabling TLS 1.1/TLS 1.2 (and disabling SSLv3, of course), the rating at https://www.ssllabs.com/ssltest/ is an "A", which is pretty good but still leaves room for further optimization.


Custom Ciphers

The first thing we should optimize is the set of ciphers in use. My suggestion here is to start with a new custom cipher group.

Add the secure and supported ciphers on a VPX (the list may differ if you are working on a hardware appliance; what matters is that the RC4 ciphers are left out).


Bind the group to your SSL vServer:


eccCurves

To support the ECDHE ciphers you also need to bind the ECC curves (eccCurves) with the following command:


HTTP Strict Transport Security (HSTS)

Another thing SSL Labs checks is HTTP Strict Transport Security (HSTS), which is supported by default in current browsers. You can insert the header with a simple rewrite rule applied to the response (!) headers of your web server:


DH-Key

Of course all the "default" settings are still valid, so to get a really secure vServer you still need to create a DH key for your appliance and bind it to your vServer:


Secure Renegotiation

You should also implement the workaround for the renegotiation vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, so that only secure renegotiation is accepted:
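The whole procedure from the sections above as one Netscaler 10.5 CLI batch. This is an added example, not the commands from the original post; the vServer name vs_web_ssl, the group name grp_secure and the DH file path /nsconfig/ssl/dh2048.key are placeholders, the cipher names are the ones I would expect on a VPX 10.5 build and should be checked against `show ssl cipher`, and the comment lines are annotations for the reader.

```nscli
# 1. Protocols: SSLv3 off, TLS 1.0 to 1.2 on
set ssl vserver vs_web_ssl -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED

# 2. Custom cipher group: forward secrecy (ECDHE/DHE) first, no RC4, no export/NULL ciphers
add ssl cipher grp_secure
bind ssl cipher grp_secure -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher grp_secure -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher grp_secure -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher grp_secure -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher grp_secure -cipherName TLS1.2-DHE-RSA-AES-256-SHA256
bind ssl cipher grp_secure -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
bind ssl cipher grp_secure -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher grp_secure -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher grp_secure -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher grp_secure -cipherName TLS1-AES-128-CBC-SHA

# 3. Replace the DEFAULT group on the vServer with the custom group
unbind ssl vserver vs_web_ssl -cipherName DEFAULT
bind ssl vserver vs_web_ssl -cipherName grp_secure

# 4. ECC curves; without them the ECDHE ciphers are never offered
bind ssl vserver vs_web_ssl -eccCurveName ALL

# 5. HSTS: insert the header into responses (max-age = one year), bound as a RESPONSE policy
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000\""
add rewrite policy rw_pol_hsts true rw_act_hsts
bind lb vserver vs_web_ssl -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression END -type RESPONSE

# 6. 2048-bit DH parameters, generated once on the appliance and bound to the vServer
create ssl dhparam /nsconfig/ssl/dh2048.key 2048 -gen 2
set ssl vserver vs_web_ssl -dh ENABLED -dhFile /nsconfig/ssl/dh2048.key

# 7. Renegotiation: accept only clients that support secure renegotiation (RFC 5746)
set ssl parameter -denySSLReneg NONSECURE

save ns config
```

Re-run the SSL Labs test afterwards, and check with `show ssl vserver vs_web_ssl` that the cipher group, ECC curves and DH file are actually bound.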


That's it. With these optimizations you should be able to get the preferred rating of "A+". But it's strongly recommended to test your environment after these changes.
