Making a NetScaler Gateway on NetScaler 11 a bit more secure


last update February 7th 2017

There are newer posts about SSL settings.

We have previously created a NetScaler Gateway on our NetScaler 11. That's great! Time to check whether it's secure. I usually use SSL Labs' SSL Test, a widely used tool for testing the TLS security of a website.

I have another blog post about NetScaler virtual servers (content switching and load balancing SSL offloading servers). There is much more theory about SSL in that one. They basically do the same thing, so that post may be great if you are interested in a bit more theory.

Let’s give it a try:

[Screenshot: NG_ssl-labs1]

I agree, this is a disastrous result! Just a C- rating? C means an insecure appliance: there are well-known attacks that may compromise this appliance's security!

Is a NetScaler a piece of shit?

Of course it's not! However, this wizard puts compatibility over security: compatibility with old versions of Java, that's why. So we'll have to fix it!

The first issue clearly has to be POODLE, as it degraded our rating to C! This one is easy: simply disable SSLv3. Go to NetScaler Gateway -> Virtual Servers, open your gateway, and check the SSL Parameters:

[Screenshot: NG_ssl-default]

You see: SSLv3 is enabled, and SSLv3 is not considered secure. Simply disable it: click on the pen in the top left corner of this section and uncheck SSLv3.

[Screenshot: NG_ssl-new]

A new check with SSL Labs is by far better:

[Screenshot: NG_ssl-labs2]

B means good. There are no well-known attacks that could harm our NetScaler. But good is not good enough. What's wrong now? "The server accepts RC4 ciphers". RC4 is no longer considered secure. I suggest removing all RC4-based ciphers from the list of supported ciphers. I removed all ciphers but the best we could use so far:

[Screenshot: NG_SSL-cyphers]

Make sure there are no other ciphers. Keep away from "Export" ciphers, as these are really bad, and keep away from RC4 ciphers. Also keep away from GCM ciphers as long as you have not upgraded to the latest versions (11.1 Build 51.21, 11.0 Build 69.12/69.123 or 10.5 Build 65.11). There is a big problem with GCM ciphers on older builds (see CTX220329 or here). Give it another try:


[Screenshot: NG_ssl-labs3]

Ah! A-. A is very good. A- is still very good, but there may be some minor issues. I have two: first, my certificate is a SHA1 certificate (and will be updated to SHA2 shortly), and second, I don't support Forward Secrecy. I have already written a blog post about this issue, so I won't go into it here. There is also a good one by Citrix on how to get the highest rating, an A+ (outstanding security).

My 2 ciphers are not supported by Windows XP! This may turn out to be an issue! SSL Labs will list issues like that. I can live with it, so I don't care about it.

Our NetScaler Gateway can now be considered to be secure.
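The two steps above (disable SSLv3, then bind only acceptable ciphers) were done in the GUI. As an added example that is not part of the original post and not Citrix code, the helper below does the same from a script: it audits a list of bound cipher names for the export, RC4 and GCM suites the post says to avoid, and emits the equivalent NetScaler CLI commands. The CLI verbs (`set ssl vserver`, `add ssl cipher`, `bind ssl cipher`, `unbind ssl vserver`, `bind ssl vserver`) are the real NetScaler ones; the cipher-group name `CG_GATEWAY_HARDENED`, the sample cipher list and the AES-CBC allow-list are assumptions for this example, so adjust them to your own policy and builds.

```python
"""Audit and remediation helper for a NetScaler Gateway vserver's SSL settings.

Added example, not code from the original post or from Citrix. It mirrors the
post's steps: SSLv3 off, and only non-export, non-RC4, non-GCM ciphers bound.
"""
import re

# Sample NetScaler cipher names, constructed for this example. The
# "<protocol>-<cipher>-<mac>" layout matches how NetScaler lists ciphers.
DEFAULT_CIPHERS_SAMPLE = [
    "SSL3-EXP-RC4-MD5",
    "SSL3-RC4-MD5",
    "SSL3-RC4-SHA",
    "SSL3-DES-CBC3-SHA",
    "TLS1-AES-128-CBC-SHA",
    "TLS1-AES-256-CBC-SHA",
    "TLS1.2-AES256-GCM-SHA384",
]

# Allow-list assumed for this example: plain AES-CBC suites, which is what is
# left once export, RC4 and GCM suites are removed. ECDHE suites (forward
# secrecy) are covered in the separate post the author links to.
ALLOWED_CIPHERS = ["TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA"]

# Export-grade suites carry an "EXP" or "EXP1024" token in the NetScaler name.
_EXPORT_TOKEN = re.compile(r"(^|-)EXP\d*(-|$)")


def cipher_issue(name):
    """Return why a NetScaler cipher name is unacceptable, or None if it is fine.

    Rules follow the post: export ciphers, RC4, and GCM (on builds older than
    the fixed ones listed there) must go. Export is checked first so that an
    export RC4 suite is reported as export-grade.
    """
    upper = name.upper()
    if _EXPORT_TOKEN.search(upper):
        return "export-grade"
    if "RC4" in upper:
        return "rc4"
    if "GCM" in upper:
        return "gcm"
    return None


def audit(ssl3_enabled, bound_ciphers):
    """Return a list of findings for one vserver, the SSLv3 finding first.

    ssl3_enabled: the SSLv3 flag as shown under the vserver's SSL parameters.
    bound_ciphers: the individual cipher names bound to the vserver.
    """
    findings = []
    if ssl3_enabled:
        findings.append("SSLv3 enabled (POODLE)")
    for cipher in bound_ciphers:
        issue = cipher_issue(cipher)
        if issue:
            findings.append(f"{cipher}: {issue} cipher bound")
    return findings


def remediation_commands(vserver, cipher_group="CG_GATEWAY_HARDENED",
                         allowed=ALLOWED_CIPHERS):
    """Generate the NetScaler CLI lines equivalent to the GUI steps in the post.

    cipher_group is a name assumed for this example; pick your own.
    """
    cmds = [
        # Step 1: disable SSLv3 on the gateway vserver, keep the TLS versions.
        f"set ssl vserver {vserver} -ssl3 DISABLED "
        f"-tls1 ENABLED -tls11 ENABLED -tls12 ENABLED",
        # Step 2: a custom cipher group holding only the allowed suites.
        f"add ssl cipher {cipher_group}",
    ]
    cmds += [f"bind ssl cipher {cipher_group} -cipherName {c}" for c in allowed]
    cmds += [
        # Step 3: replace whatever the wizard bound with the new group.
        f"unbind ssl vserver {vserver} -cipherName ALL",
        f"bind ssl vserver {vserver} -cipherName {cipher_group}",
        "save ns config",
    ]
    return cmds


if __name__ == "__main__":
    # Audit the wizard-style sample, then print the CLI to fix it.
    for finding in audit(True, DEFAULT_CIPHERS_SAMPLE):
        print("FINDING:", finding)
    print()
    print("\n".join(remediation_commands("NG_VS_GATEWAY")))
```

Feed `audit()` the SSLv3 flag and cipher names you read off the vserver, and paste the generated lines into the NetScaler CLI; re-run the SSL Labs test afterwards, because the script only checks what is bound, not how the gateway actually negotiates.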

Attention!

I'd suggest checking the security of your gateway on a regular basis. Your NetScaler may drop down to D (there is an actual security threat affecting this site) or even worse if new issues arise. I'll keep an eye on it and will continue reporting how to fix issues!

The next thing might be enabling NetScaler Gateway HDX Proxy mode (formerly known as ICA Proxy mode).

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).
