NetScaler Security – Protecting against malicious attacks

So in this blog post we are going to look into what options exist in order to protect against malicious attackers, DDoS attacks etc. in an environment with NetScaler Application Delivery Controller as a front-end for business web applications.
Furthermore we will look into additional steps to tighten and optimize security in a NetScaler environment.

Can NOT guarentee that with these initiatives in place you will NOT get attacked, that is NOT the message here but more a guideline approach to remediation techniques which should be in implemented to increase security level.
We certainly can reduce the attack surface and make it more difficult for malicious users to use us as a target. Additionally we should have Security Insight when delivering business critical apps. Therefore monitoring is also vital step as a part of implementing these security initiatives.

On a “Basic” level

  • Pre-authenticate users with 2-factor authentication before accessing business web apps externally.
  • Implement Rate Limiting
  • Implement IP Reputation
    • Use this feature to block for known malware hosts, botnets etc.
  • Optimize and implement SSL Hardening
    • Use High security SSL Ciphers with highest priority
    • Disable use of older SSL Protocols – SSLv3 etc, aim after TLS 1.2
  • Remove exposure of sensible HTTP Header information from backend server responses
  • Implement Secure HTTP Headers
  • Have a central syslog server with suitable retention period of data and perhaps also archiving syslog data.

On a more Advanced level

  • Implement NetScaler Application Firewall and Security Insight within NetScaler Management and Analytics (NMAS)
  • Implement Certificate Pinning to prevent Man-In-The-Middle on SSL traffic (MITM Attacks)

Even better

Combine these security initiatives.

Security should always be implemented as a layered approach, not solely depending on a single solution but supply with security remediation tools, processes and procedures in all layers.

In the next sections and parts we will look into configuration guidelines for implementing higher security.

Internal links

Configuration guide for implementing HTTP Header security in NetScaler.

HTTP Header Security – NetScaler

Configuration guide for Layer 4-7 protection against DDoS and BruteForce.

Layer 4-7 DDoS Protection

Leave a Reply