NetScaler - Nessus Pro vulnerability assessment

Started by Didier Caamano , 11 September 2017 - 04:53 PM
5 replies to this topic

Didier Caamano Members

Didier Caamano
  • 4 posts

Posted 11 September 2017 - 04:53 PM

Hello,

I recently added a NetScaler (NetScaler Express, for testing purposes) to our DMZ network. The idea is to test one of our outdated Apache servers (running on Windows); we moved the server to our internal network and placed the NetScaler in the DMZ. The VIP on the NetScaler is the same IP the server previously had.

The thing is that when I run a vulnerability scan against the VIP on the NetScaler using Nessus Pro, it gives me the same results as if I were running the vulnerability scan on the server.

I have disabled SSL v2 and v3 and TLS 1.0 on the NetScaler VIP, and I have also changed the cipher from the default to the high cipher profile.

My question is: when I do a vulnerability scan on the NetScaler VIP, does the NetScaler send the information to the server, thus bypassing all the configuration on the NetScaler? I was under the impression the users only hit the VIP, therefore all the security done on the VIP would suffice.

As a note, we take security very seriously. This particular server is running an old version of Apache, PHP and MySQL on Windows, and in time we will migrate the application to .NET, but I wanted to have a workaround during the time it takes to do the migration.

Any help is appreciated. Thank you and have a great day.



Kai Thorsrud Members

Kai Thorsrud
  • 50 posts

Posted 11 September 2017 - 07:47 PM

Beware of false positives. Provide more details. When configured correctly, this statement is valid: I was under the impression the users only hit the VIP, therefore all the security done in the VIP will suffice.

Carl Stalhood CTP Member

Carl Stalhood
  • 12,283 posts

Posted 11 September 2017 - 08:29 PM

The VIP was set up with the SSL protocol and not the SSL_BRIDGE protocol?

Carl Stalhood CTP Member

Carl Stalhood
  • 12,283 posts

Posted 11 September 2017 - 08:30 PM

NetScaler will handle SSL connection. That's it. All HTTP requests are simply forwarded to the back end.

You can enable the App Firewall feature to filter the HTTP requests.

Didier Caamano Members

Didier Caamano
  • 4 posts

Posted 11 September 2017 - 08:40 PM

My setup is very basic: 1 SNIP for DMZ and 1 SNIP for internal, one server object in the internal network, one service group for the SSL protocol pointing to the server (using SSL, not SSL_BRIDGE) and one VIP with a DMZ IP pointing to the service group.

Understanding that NetScaler will handle the SSL connection and forward the HTTP requests to the server, if I do a penetration test against the VIP it should not forward the penetration tests to the server in the internal network; it should respond with the SSL version and protocols used at the VIP level, not the server's, unless I am not properly understanding how NetScaler Traffic Manager works.

Edit: I'm currently using NetScaler VPX Express and it does not have App Firewall licensed.

Thank you all for your replies.



Paul Blitz Members

Paul Blitz
  • 4,004 posts

Posted 13 September 2017 - 04:06 PM

(I'll assume you have an SSL vserver with an SSL service, so: SSL -> plaintext on NS -> encrypted again to Apache.)

When you do a vulnerability scan, the SSL is negotiated between the client and the NetScaler, but any actual content will get passed to the Apache server... so if your testing goes beyond simply testing the SSL settings, and does things like web server attacks (think SQL injection and all that stuff), then the NetScaler won't protect you: the HTML content is just passed through to the Apache server.

All the NetScaler is doing for you is to improve your SSL settings (as tested by SSL Labs etc.).

To protect against application-level attacks, you need a Web Application Firewall (= NetScaler with Ent / Plat licence) and other similar protections.

Can you be more specific about the vulnerability scan you are doing?
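The data path that Carl's and Paul's replies describe, as an added illustration that is not code from this thread, from Citrix, or from any NetScaler feature: a minimal SSL-offloading reverse proxy in Python stands in for the VIP (TLS terminated at the proxy, HTTP relayed untouched) in front of a constructed backend whose Apache/PHP banners are made up. `probe` plays the scanner and `attribute` sorts what it observed by the layer whose configuration controls it, which is why a scan against the VIP reports the backend's HTTP findings while only the TLS findings reflect the VIP's settings. All class and function names are hypothetical; the optional certificate path marks where the VIP's protocol floor (TLS 1.2 and up, as the original poster configured) would live.

```python
import socket
import socketserver
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class LegacyBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for the outdated Apache/PHP box; banner values are made up."""
    server_version = "Apache/2.2.14 (Win32)"
    sys_version = ""

    def do_GET(self):
        body = b"<html>legacy app</html>\n"
        self.send_response(200)
        self.send_header("X-Powered-By", "PHP/5.2.0")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def read_http_message(rfile):
    """Read one HTTP request (headers plus any Content-Length body) without interpreting it."""
    raw = b""
    while True:
        line = rfile.readline()
        raw += line
        if line in (b"", b"\r\n", b"\n"):
            break
    length = 0
    for header in raw.split(b"\r\n"):
        if header.lower().startswith(b"content-length:"):
            length = int(header.split(b":", 1)[1])
    return raw + (rfile.read(length) if length else b"")


class OffloadHandler(socketserver.StreamRequestHandler):
    """One client connection: relay the request and the backend's reply byte for byte."""

    def handle(self):
        request = read_http_message(self.rfile)
        with socket.create_connection(self.server.backend) as upstream:
            upstream.sendall(request)  # nothing in the HTTP layer is inspected
            response = b""
            while True:
                chunk = upstream.recv(65536)
                if not chunk:
                    break
                response += chunk
        self.wfile.write(response)  # backend headers go back to the client unchanged


class OffloadProxy(socketserver.ThreadingTCPServer):
    """The 'VIP': owns the TLS handshake (when given a certificate) and nothing else."""
    allow_reuse_address = True

    def __init__(self, listen, backend, certfile=None, keyfile=None):
        super().__init__(listen, OffloadHandler)
        self.backend = backend
        self.tls = None
        if certfile:
            # The only layer the VIP's SSL settings control: protocol floor and ciphers.
            self.tls = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            self.tls.minimum_version = ssl.TLSVersion.TLSv1_2
            self.tls.load_cert_chain(certfile, keyfile)

    def get_request(self):
        conn, addr = super().get_request()
        if self.tls:
            conn = self.tls.wrap_socket(conn, server_side=True)
        return conn, addr


def probe(host, port, use_tls=False):
    """What a scanner observes: transport facts from the proxy, HTTP facts from the backend."""
    sock = socket.create_connection((host, port))
    result = {"tls_version": None, "cipher": None}
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # demo only: self-signed VIP certificate
        sock = ctx.wrap_socket(sock, server_hostname=host)
        result["tls_version"], result["cipher"] = sock.version(), sock.cipher()[0]
    with sock:
        sock.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode())
        data = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    result.update(status_line=lines[0], server=headers.get("server"),
                  x_powered_by=headers.get("x-powered-by"), body=body)
    return result


def attribute(result):
    """Split the observations by the layer whose configuration controls them."""
    return {"vip_controls": {k: result[k] for k in ("tls_version", "cipher")},
            "backend_controls": {k: result[k] for k in ("status_line", "server", "x_powered_by")}}


def run_demo(certfile=None, keyfile=None):
    """Start backend and proxy on loopback, probe once through the proxy, then tear down."""
    backend = HTTPServer(("127.0.0.1", 0), LegacyBackend)
    proxy = OffloadProxy(("127.0.0.1", 0), backend.server_address, certfile, keyfile)
    for srv in (backend, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(*proxy.server_address, use_tls=certfile is not None)
    finally:
        for srv in (proxy, backend):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(attribute(run_demo()))
```

Run it as is and the scanner-side view shows the backend's `Server` and `X-Powered-By` values arriving through the proxy untouched, with the TLS fields empty because no certificate was given; pass a certificate and key and the `vip_controls` entries fill in with whatever the proxy's context negotiated, while the `backend_controls` entries stay exactly the same. That split is the whole answer to the original question: tightening the VIP's SSL profile changes the first group only.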