We speak with security practice manager Lee Foster.
One Click-Tick to SSL Profiles
It’s estimated that more than 70% of today’s internet traffic uses Transport Layer Security (TLS), or its now-deprecated predecessor, Secure Sockets Layer (SSL), to secure communications. With the new data breach laws having come into effect, ensuring that connections to your environment are fully secured is, now more than ever, a critical part of your business. When it comes to Citrix NetScaler services, TLS plays a very big role in securing end-to-end communications. SSL profiles are a major component of the configuration that secures those communications, but they are often misconfigured or misapplied.
When configuring services on a NetScaler there are many parameters such as virtual servers, services, service groups, profiles, policies, etc. Collectively these make up the definition of an overall service and ensure its security. An SSL profile is a collection of these parameters that you can apply, from a single template built to your business requirements, to many different services. This template can include protocol enablement and disablement, cipher groups, certificates, and SSL and ECC parameters.
What is an SSL Profile?
Before we dive into SSL profiles, let’s have a quick overview on the cryptographic protocols. Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between a web server (think NetScaler) and a browser (think client device).
An SSL Profile is a great manageability enhancement and simplifies configuration and control of multiple NetScaler services such as virtual servers, services, service groups, monitors and internet services, from a single configuration item.
The image below describes the services on a NetScaler with different components.
- Cipher groups
- SSL Parameters
- ECC Curves
- SSL Certificates
It takes a lot of time to apply all of these parameters to all your virtual servers, services, service groups, etc., as they need to be changed manually and individually, which can also introduce human error. This is where an SSL Profile shines, as you can configure once and apply many times!
When SSL profiles are used, management is performed on one entity, which is then applied as a configuration item to the services. Say you need to update the Frontend Profile to remove TLS 1.1: rather than opening every configuration and adjusting the security settings, you update the profile, and the change applies to all virtual servers that the profile is bound to. That’s it! This saves you time and, most importantly, minimises errors and keeps services consistent.
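One way to check the consistency described above, as an added example (not code from the original article): a Python audit of ns.conf-style text that lists SSL virtual servers with no profile bound and profiles that still allow SSL 3.0, TLS 1.0 or TLS 1.1. The sample configuration, object names and addresses are constructed, and treating an omitted protocol flag as enabled is an assumption to confirm against your firmware's defaults.

```python
import shlex

# Constructed sample in ns.conf style (not taken from a real appliance).
SAMPLE_CONF = """\
add ssl profile prof_frontend -sslProfileType FrontEnd -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED
add ssl profile prof_legacy -sslProfileType FrontEnd -ssl3 DISABLED -tls1 DISABLED
add lb vserver vs_web SSL 192.0.2.10 443
add lb vserver vs_api SSL 192.0.2.11 443
add lb vserver vs_old SSL 192.0.2.12 443
add lb vserver vs_http HTTP 192.0.2.13 80
set ssl vserver vs_web -sslProfile prof_frontend
set ssl vserver vs_api -sslProfile prof_legacy
set ssl vserver vs_old -tls11 DISABLED
"""

LEGACY = ("ssl3", "tls1", "tls11")  # protocol flags reported unless DISABLED

def options(tokens):
    """Turn ['-tls11', 'DISABLED', ...] into {'tls11': 'DISABLED', ...}."""
    return {k[1:].lower(): v for k, v in zip(tokens, tokens[1:]) if k.startswith("-")}

def audit(conf_text):
    """Return (vserver, finding) pairs for SSL vservers with weak or missing profiles."""
    profiles, vservers, bound = {}, [], {}
    for line in conf_text.splitlines():
        t = shlex.split(line)
        if t[1:3] == ["ssl", "profile"] and t[0] in ("add", "set") and len(t) > 3:
            profiles.setdefault(t[3], {}).update(options(t[4:]))
        elif len(t) > 4 and t[0] == "add" and t[2] == "vserver" and t[4] in ("SSL", "SSL_TCP"):
            vservers.append(t[3])
        elif t[:3] == ["set", "ssl", "vserver"] and "sslprofile" in options(t[4:]):
            bound[t[3]] = options(t[4:])["sslprofile"]
    findings = []
    for vs in vservers:
        prof = bound.get(vs)
        if prof is None:
            findings.append((vs, "no SSL profile bound"))
        elif prof not in profiles:
            findings.append((vs, f"profile {prof} not defined in this config"))
        else:
            # Assumption: a flag missing from the profile line means the protocol is enabled.
            weak = [p for p in LEGACY if profiles[prof].get(p, "ENABLED").upper() != "DISABLED"]
            if weak:
                findings.append((vs, f"profile {prof} allows {', '.join(weak)}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Here vs_old is reported even though TLS 1.1 was disabled on it directly, because a per-server setting is exactly the kind of one-off change a shared profile is meant to replace.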
Enabling SSL Profiles
If you’re not using SSL Profiles in your NetScaler, here’s how to enable them:
Log on to your NetScaler and go to System – Profiles – SSL Profile
You can edit the existing profiles or create custom profiles based on the requirements of the services they will protect.
Further, one great configuration option included with NetScaler 12.1 or above is the ability to use Secure SSL. This is an inbuilt SSL Profile that will give you an A+ score once bound to your virtual servers.
To enable this, ensure the below profile is used.
So, if you are looking to update the security on your NetScaler devices or to address security concerns on sites presented to the external world you should be looking to take advantage of using SSL profiles, which at a minimum will provide you with:
- Simplified and improved management of your environment
- Ability to make a large number of changes to SSL endpoints from a single location
- Ability to create custom SSL Profiles to suit your needs
- New entities can automatically get the settings from the custom or default assigned SSL Profile, ensuring consistency and security
Thanks for reading