Securing the pass-through traffic on NetScaler

Infrastructure mode settings can be used to the secure pass-through traffic on NetScaler. These infrastructure mode settings provide a basic level of security without breaking any applications. The following list summarizes the available infrastructure mode settings.

• Session state protection
• Session fixation protection (enable HTTP Only)
• HSTS (enable HTTP Strict Transport Security (HSTS))
• Strong authentication
• End-to-end SSL preferred
• Proxy HTTPS / Deny all other traffic

Session state protection:

Recommendation: Enabled NetScaler: Enabled by default for most entities

The Session state protection setting is enabled by default and requires no specific configuration. When NetScaler is configured to proxy a connection. For example, when the flow selects a configured virtual server or service of type TCP or above, NetScaler creates a stateful session. NetScaler continues to maintain the state of these connections and only packets that fall in to this state machine are processed. Other packets are either dropped or reset.

The following service-type entities achieve this stateful behavior on NetScaler.

• ADNS_TCP
• DIAMETER, DNS_TCP
• FTP-c
• GRE-c
• HTTP
• MYSQL, MSSQL
• NNTP
• ORACLE
• PUSH, PPTP
• RTSP, RDP
• SIP_SSL, SIP_TCP
• SMPP
• SSL, SSL_BRIDGE, SSL_DIAMETER, SSL_PUSH
• SSL_TCP, SYSLOG_TCP
• TCP
• ADNS_TCP
• RNAT (rnat_tcpproxy is ENABLED)

Session fixation protection (by enabling the HttpOnly flag or by adding a rewrite policy):

Recommendation: To enable HttpOnly for cookies set by NetScaler or back-end server
NetScaler: Enabled by Default for the NetScaler inserted cookies, possible via Rewrite for cookies set by the back-end server.

HttpOnly: When you tag a cookie with the HttpOnly flag, it indicates to the browser that this cookie must be accessed only by the server. Any attempt to access the cookie from the client script is strictly forbidden. HttpOnly cookies, if properly implemented, makes huge classes of common cross-site scripting attacks much harder to pull off.

The following is an example of a cookie with the HttpOnly flag set:

Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; HttpOnly
<!--NeedCopy-->

The cookies inserted by NetScaler for Cookie Insert persistence, by default, set the HttpOnly flag to indicate that the cookie is nonscriptable and must not be revealed to the client application. Therefore, a client-side script cannot access the cookie, and the client is not susceptible to cross-site scripting.

To enable the HttpOnly flag setting by using the command line interface:

At the command prompt, type:

set lb parameter -HttpOnlyCookieFlag (ENABLED)  
<!--NeedCopy-->

Using rewrite policy to insert Secure and HttpOnly for cookies:

The rewrite policy inserts Secure and HTTP only for cookies sent by the back-end server.

Note: Secure and HttpOnly cookies together can be done for SSL VIPs. For non-SSL VIPs one can insert the HttpOnly flag.

With NetScaler, one can include HTTP only and Secure flags for cookies set by the server.

• HttpOnly - This option on a cookie causes the web browsers to return the cookie using the HTTP (or HTTPS) protocol only; the non-HTTP methods such as JavaScript document.cookie references cannot access the Cookie. This option helps in preventing Cookie theft due to cross-site scripting.
• Secure - This option on a cookie causes the web browsers to return only the cookie value when the transmission is encrypted by SSL. This option can be used to prevent cookie theft through connection eavesdropping.

Create a rewrite policy by using the CLI

1. Enable the Rewrite feature, if not already enabled.

   enable feature REWRITE
   <!--NeedCopy-->
   

2. Create a rewrite action (this example is configured to set both Secure and HttpOnly flags. If either one is missing, modify it as necessary for other combinations).

   add rewrite action <action name> replace_all http.RES.full_Header "\"path=/; Secure; HttpOnly\"" -search "regex(re!(path=/\\; Secure; HttpOnly)|(path=/\\; Secure)|(path=/\\; HttpOnly)|(path=/)!)" -bypassSafetyCheck YES
   <!--NeedCopy-->
   

   Example:

   add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"path=/; Secure; HttpOnly\"" -search "regex(re!(path=/\\; Secure; HttpOnly)|(path=/\\; Secure)|(path=/\\; HttpOnly)|(path=/)!)"
   
   or
   
   add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"path=/; Secure; HttpOnly\"" -search "regex(re!(path=/\\; Secure; HttpOnly)|(path=/\\; Secure)|(path=/\\; HttpOnly)|(path=/)!)" -bypassSafetyCheck YES
   <!--NeedCopy-->
   

   Note:

   Starting from NetScaler release 13.1, the bypassSafetyCheck parameter is not applicable. However, for releases before 13.1, this parameter is supported.

3. Create a rewrite policy to trigger the action.

   add rewrite policy <policy name> "http.RES.HEADER(\"Set-Cookie\").EXISTS" <action name>
   <!--NeedCopy-->
   

   Example:

   add rewrite policy rw_force_secure_cookie "http.RES.HEADER(\"Set-Cookie\").EXISTS" act_cookie_Secure
   <!--NeedCopy-->
   

4. Bind the rewrite policy to the virtual server to be secured (if the Secure option is used, an SSL virtual server must be used).

   bind lb vserver <vserver name> - <policy name> -priority <priority number> -gotoPriorityExpression NEXT -type RESPONSE
   <!--NeedCopy-->
   

   Example:

   bind lb vserver mySSLVServer -policyName rw_force_secure_cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
   <!--NeedCopy-->
   

   For more information, see https://support.citrix.com/article/CTX138055.

HSTS (enable HTTP Strict Transport Security (HSTS)):

To enable HSTS by using the NetScaler command line:

At the command prompt, type:

add ssl vserver <vServerName> -HSTS ( ENABLED ) maxage <positive_integer> -IncludeSubdomains ( YES | NO)
<!--NeedCopy-->

OR

add ssl profile <name> -HSTS ( ENABLED ) -maxage <positive_integer> -IncludeSubdomains ( YES | NO )
<!--NeedCopy-->

For more information, see the following topics.

• Configure support for HTTP strict transport security (HSTS).

• https://support.citrix.com/article/CTX205221

Strong authentication:

Strong Authentication (or multifactor authentication – MFA) must be enabled for all access to sensitive data, apps, and administration.

For details on how sensitive apps can be set up for multifactor authentication, see Multi-Factor (nFactor) authentication.

End-to-end SSL preferred:

It is recommended to have SSL both on the front end and back end. Older unsecure protocol versions, such as SSLv3, TLS 1.0, and TLS 1.1 can be disabled on SSL entities. You can only have TLS 1.2 and TLS 1.3 enabled. It can either be done at the SSL entity level or at the profile level and all the SSL entities inherit the SSL settings from the profile.

Disable unsecure and enable secure protocol versions on SSL entities by using the CLI

At the command prompt, type:

set ssl vserver <vServerName> -ssl2 DISABLED   -ssl3  DISABLED   -tls1   DISABLED   -tls11   DISABLED    -tls12   ENABLED    -tls13   ENABLED

set ssl service <vServiceName> -ssl2 DISABLED   -ssl3  DISABLED   -tls1   DISABLED   -tls11   DISABLED    -tls12   ENABLED    -tls13   ENABLED
<!--NeedCopy-->

If SSL profile is enabled, use the following command:

set ssl profile <frontend profile> -ssl3  DISABLED   -tls1   DISABLED  -tls11  DISABLED   -tls12   ENABLED    -tls13   ENABLED

set ssl profile <backend profile> -ssl3  DISABLED   -tls1   DISABLED  -tls11  DISABLED   -tls12   ENABLED    -tls13   ENABLED
<!--NeedCopy-->

**Note:

We recommend enabling TLS 1.3 using the profile instead of enabling it on virtual server entities. For more information, see Support for TLS 1.3 protocol.

NetScaler recommended cipher suites:

The following ciphers supported by NetScaler do not include any components on the “mandatory discard” list. These ciphers are organized by key-exchange (RSA, DHE, and ECDHE) then by placing the higher performing ones at the top with the higher security ones at the bottom:

Recommend RSA Key Exchange Cipher suites:

• TLS1-AES-128-CBC-SHA
• TLS1-AES-256-CBC-SHA
• TLS1.2-AES-128-SHA256
• TLS1.2-AES-256-SHA256
• TLS1.2-AES128-GCM-SHA256
• TLS1.2-AES256-GCM-SHA384

Recommend DHE Key Exchange Cipher suites:

• TLS1-DHE-RSA-AES-128-CBC-SHA
• TLS1-DHE-RSA-AES-256-CBC-SHA
• TLS1.2-DHE-RSA-AES-128-SHA256
• TLS1.2-DHE-RSA-AES-256-SHA256
• TLS1.2-DHE-RSA-AES128-GCM-SHA256
• TLS1.2-DHE-RSA-AES256-GCM-SHA384

Recommend ECDHE Key Exchange Cipher suites:

• TLS1-ECDHE-RSA-AES128-SHA
• TLS1-ECDHE-RSA-AES256-SHA
• TLS1.2-ECDHE-RSA-AES-128-SHA256
• TLS1.2-ECDHE-RSA-AES-256-SHA384
• TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
• TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

Recommend Cipher suites in the order of preference:

The following list of ciphers includes RSA, DHE, and ECDHE key exchanges. It provides the best compromise between security, performance, and compatibility.

1. TLS1.2-AES128-GCM-SHA256
2. TLS1.2-AES-128-SHA256
3. TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
4. TLS1.2-ECDHE-RSA-AES-128-SHA256
5. TLS1-ECDHE-RSA-AES128-SHA
6. TLS1.2-DHE-RSA-AES128-GCM-SHA256
7. TLS1.2-DHE-RSA-AES-128-SHA256
8. TLS1-DHE-RSA-AES-128-CBC-SHA
9. TLS1-AES-128-CBC-SHA

SSL secure profile and secure ciphers:

We recommend that you bind the secure front-end profile (ns_default_ssl_profile_secure_frontend) to your SSL virtual server. A secure cipher alias is added and bound to the secure front-end profile. To list the ciphers that are part of this alias, at the command prompt type:

show cipher SECURE

    1) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 1
           Description: TLS 1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc030
    2) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 Priority : 2
           Description: TLS 1.2 Kx=ECC-DHE  Au=RSA  Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02f
    3) Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384            Priority : 3
           Description: TLS 1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(256) Mac=AEAD   HexCode=0xc02c
    4) Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256            Priority : 4
           Description: TLS 1.2 Kx=ECC-DHE  Au=ECDSA Enc=AES-GCM(128) Mac=AEAD   HexCode=0xc02b
Done
<!--NeedCopy-->

For more information about the secure front-end profile, see Secure front-end profile.

Protocols lower than TLS 1.2 are disabled on the SSL internal services. If the default (enhanced) profile is enabled, then the ns_default_ssl_profile_internal_frontend_service profile is bound to the SSL internal services and SSLv3, TLS 1.0, TLS 1.1, and TLS 1.3 protocols are disabled in the profile.

Proxy HTTPS / deny all other traffic:

Wherever feasible have SSL VIPs for better encryption of data, by using secure SSL versions (TLS 1.2 or TLS 1.3) and secure ciphers. The SSL TPS and SSL throughput must be considered while enabling SSL for the VIPs and back-end SSL services.