Pages

Wednesday, February 26, 2020

Securing Citrix ADC (formerly known as NetScaler VPX) to score A+ rating on SSL Labs - February 2020

It has been a while since I’ve updated my previous posts for securing a Citrix ADC (formerly known as Citrix NetScaler) due to my absence from the work force so this post serves to provide the configuration required to published a virtual server to score an A+ on Qualys SSL Labs for the following test:

https://www.ssllabs.com/ssltest/

This post will demonstrate the process on a Citrix ADC NS13.0 47.24.nc via the command line.

Without any additional configuration, a newly published VPN Virtual Server for Citrix Virtual Apps Desktops published by a Citrix ADC typically scores a B or lower:

image

**Note that SSL Profiles allow the packaging of several SSL settings to be configured and applied to SSL-based Virtual Servers and Services but will not be demonstrated in this post.

Step #1 – Confirm that Deny SSL Renegotiation is configured as FRONTEND_CLIENT

The newer versions of the Citrix ADCs typically have the Deny SSL Renegotiation already configured appropriately but it is always good practice to confirm.

Navigate to Traffic Management > SSL > Change advanced SSL settings:

image

Confirm that the Deny SSL Renegotiation setting is set to FRONTEND_CLIENT:

image

Step #2 – Confirm that all available ECC Curves are bound to the virtual server

SSL Virtual Servers created on newer versions of the Citrix ADC such as the version I listed above will automatically have ECC Curves bound to them. However, if the appliance was upgraded from an older version, then the ECC Curves might not be bound.

Navigate into the properties of the virtual server:

image

Scroll down to the ECC Curve section and confirm that all the available options are bound to the virtual server:

image

image

Step #3 – Turn off SSLv3, TLSv1, TLSv11 and enable TLSv12 and TLSv13

The first step is to turn off SSLv3, TLSv11 and TLSv12, TLSv13 on your Load Virtual Server(s) and NetScaler Gateway Virtual Servers. For the purpose of this post, we will use a Virtual Server under the Citrix Gateway (also known as a VPN Virtual Server) for the configuration.

The following screenshots shows where the settings are in the GUI for the VPN Virtual Server:

image

SSLv3 used to be enabled in the older appliances but the later ones have TLSv1, TLSv11 and TLSv12 enabled by default:

image

Either uncheck the support for TLSv1, TLSv11 and enable TLSv12 and TLSv13 in the GUI or execute the following command in the CLI:

set ssl vserver <vpn server name> -ssl3 disabled

set ssl vserver <vpn server name> -tls1 disabled

set ssl vserver <vpn server name> -tls11 disabled

set ssl vserver <vpn server name> -tls12 enabled

set ssl vserver <vpn server name> -tls13 enabled

image

The configuration should look as such once the appropriate protocols are enabled or disabled:

image

Repeat the same process for the other Virtual Servers in the environment.

Step #4 – Create new custom Ciphers

The following is the set of SSL Ciphers that would allow us to score an A+ SSL scan on a Citrix ADC appliance but note that these need to be continually updated over time what is secure today may be vulnerable tomorrow:

TLS1.3-AES256-GCM-SHA384 -cipherPriority 1

TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2

TLS1.3-AES128-GCM-SHA256 -cipherPriority 3

TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256

TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384

TLS1.2-ECDHE-ECDSA-AES128-SHA256

TLS1.2-ECDHE-ECDSA-AES256-SHA384

TLS1-ECDHE-ECDSA-AES128-SHA

TLS1-ECDHE-ECDSA-AES256-SHA

TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

TLS1.2-ECDHE-RSA-AES-128-SHA256

TLS1.2-ECDHE-RSA-AES-256-SHA384

TLS1-ECDHE-RSA-AES128-SHA

TLS1-ECDHE-RSA-AES256-SHA

TLS1.2-DHE-RSA-AES128-GCM-SHA256

TLS1.2-DHE-RSA-AES256-GCM-SHA384

TLS1-DHE-RSA-AES-128-CBC-SHA

TLS1-DHE-RSA-AES-256-CBC-SHA

TLS1-AES-128-CBC-SHA

TLS1-AES-256-CBC-SHA

Attempting to use the GUI to create and add the ciphers in can be time consuming and prone to errors. A more efficient way would be to use the CLI and execute the following to create a group named Custom-VPX-Cipher with the ciphers listed above:

add ssl cipher Custom-VPX-Cipher

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-ECDSA-AES128-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-ECDSA-AES256-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-128-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-256-CBC-SHA

image

With the above commands successfully executed, we should now see the following Cipher Group created:

image

image

image

Step #5 – Bind new custom Ciphers to Load Balancing Server(s)

With the new cipher group created, proceed with binding them to the Load Balancing Virtual Server(s) and Citrix Gateway Virtual Server(s):

bind ssl vserver www.contoso.com_internal -cipherName Custom-VPX-Cipher
bind ssl vs <vpn server name> -eccCurveName ALL

image

With the new cipher group binded to the virtual servers, we can use the following commands to review the bindings:

show ssl vserver <vpn server name>

image

With the new custom CIPHER list bounded, unbind the DEFAULT list that gets bounded to all the virtual servers with the command:

unbind ssl vserver <vpn server name> -cipherName DEFAULT

image

Browsing to the SSL Ciphers heading for the virtual server should now display the custom Cipher list configured:

image

Step #6 – Create a Deffie-Hellman (DH) key for Forward Secrecy

The following screenshots shows where to create the Deffie-Hellman (DH) key in the GUI of the NetScaler:

Traffic Management > SSL > Create Diffie-Hellman (DH) key

image

image

The CLI command to execute to create the Deffie-Hellman (DH) key is as follows:

create ssl dhparam /nsconfig/ssl/dhkey2048.key 2048 -gen 2

image

**Note that the process could take a few minutes before completing so wait until the green cursor display changes to a >.

Reviewing the /nsconfig/ssl directory on the NetScaler should now show the dhkey2048.key key that was created:

image

Step #7 – Assign Deffie-Hellman (DH) key for Forward Secrecy to Virtual Server

With the Deffie-Hellman (DH) key successfully created, proceed with assigning it to the virtual servers.

The following screenshots shows where the settings are in the GUI:

image

Execute the following command to assign the DH Key via the CLI:

set ssl vserver <vpn server name> -dh ENABLED -dhFile "/nsconfig/ssl/dhkey2048.key" -dhcount 1000

image

Step #8 – Configure Policy for Strict Transport Security – 2 Options

Option #1 – Enable on Virtual Server

As of version 12.0.35.6, a -HSTS ENABLED flag that became available for the Strict Transport Security as shown here:

image

You can either apply the configuration directly onto the virtual server as such:

image

Executing the following CLI command would configure the HSTS setting as shown above:

set ssl vserver <vpn server name> -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES

image

Option #2 – Create a Rewrite Action and Policy for Strict Transport Security

Another option is to create a rewrite action, policy and then bind it to the virtual server as shown in the following:

Execute the following to create a Rewrite Action for Strict-Transport-Security:

add rewrite action act_sts_header insert_http_header Strict-Transport-Security q/"max-age=157680000"/

image

With the command above successfully executed, you should now see the following action created:

image

image

Execute the following to create a policy and assign the Rewrite Action for to the policy:

add rewrite policy pol_sts_header TRUE act_sts_header

image

image

image

With the Strict Transport Security policy created, proceed with binding them to the virtual servers with the following commands:

bind vpn vserver <vpn server name> -policy pol_sts_header -priority 100 -gotoPriorityExpression END -type RESPONSE

image

With the command above successfully executed, we should now see the Response Rewrite policy bounded to the virtual servers:

image

image

Having completed all the steps outlined above should now allow the NetScaler site to score an A+:

image

There are additional steps that will allow you to obtain a perfect score as the above rating indicates the Key Exchange and Cipher Strength falls just short. The Key Exchange can be updated to use a certificate that is of 4098bit rather than the 2048bit DH Key we used and the Cipher support can be adjusted to remove 128-bit support but the latter change may sacrifice compatibility. Security is a perpetual challenge so the best approach is to constantly update the security hardening configuration on the Citrix ADC to address newly uncovered issues or outdated configuration.

Also note that having less ciphers supported equates to less browser support so it is important to scroll down to the results and review the Handshake Simulation heading that list handshake failures so you are aware of what browsers will no longer be able to access the web application published:

image

No comments:

Post a Comment