KEMP LoadMaster vs IIS 8.0 ARR: a note on security


Introduction

In my spare time I like to test the software and appliances that I work with for security flaws.

Since the Heartbleed bug made news headlines around the world, I take extra measures to secure everything that needs SSL to work.

NOTE:

Kemp has released a firmware version that patches the Heartbleed vulnerability. Please download it and apply it to your Kemp LoadMaster.

I will be designing and implementing a Unified Communications solution very soon. Lync 2013 requires a reverse proxy for the Lync mobility feature. Before I can give unbiased advice on the reverse proxy setup that we need, I like to take each solution for a test drive.

My list of reverse proxy solutions is:

– KEMP LoadMaster VLM-100

– Windows Server 2012 with IIS 8.0 acting as a reverse proxy


Let’s start with the Kemp LoadMaster and its default security implementation.

Kemp LoadMaster

Default behaviour (out-of-the-box not that secure)

By default, the Kemp LoadMaster accepts all kinds of security protocols and ciphers, as shown by this screenshot:

[Screenshot: KEMP_SSL_Security_1]

This default behaviour results in a combined score of C on Qualys SSL Labs:

[Screenshot: KEMP_SSL_Security_2]

[Screenshot: KEMP_SSL_Security_3]

This behaviour is correct, because Kemp gives you all the freedom to select the ciphers and protocols that you need to load balance your workload. It’s the responsibility of the administrator/IT Pro to select the correct security ciphers and protocols.

Hardening the Kemp LoadMaster

In order to harden the Kemp LoadMaster, you need to disable weak protocols and ciphers. These weak protocols and ciphers are needed for older operating systems (Windows XP) and web browsers (IE6, IE7, IE8). This can be done in the web user interface of the Kemp LoadMaster.

Step one

Select your virtual service that needs to be hardened. In my case I select “Lync Reverse Proxy HTTPS”.

[Screenshot: KEMP_Improved_SSL_Security_1]

Click on the “modify” button and you will be presented with a screen like this:

[Screenshot: KEMP_SSL_Security_1]

Note that the Assigned Ciphers box is empty, so all default protocols and ciphers are in use. Let’s change that.

Step two

Assign the following ciphers to the Assigned Ciphers box:

1) ECDHE-RSA-AES256-SHA384
2) ECDHE-RSA-AES256-SHA
3) ECDHE-RSA-AES128-SHA
4) AES128-SHA256
5) AES256-SHA256

[Screenshot: KEMP_Improved_SSL_Security_3]

Click on the button “Set Ciphers” and the new ciphers will be set and operational.
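A small checker for cipher lists like the one set above, added here as an example; it is not the post's own script and not anything from KEMP. It parses OpenSSL-style names such as the five assigned in Step two, and also the IANA-style names that Windows Schannel uses, flags known-weak tokens (RC4, DES, MD5, export, NULL and anonymous suites), and reports which remaining suites lack forward secrecy; run against the list above it shows that the two AES-SHA256 entries use plain RSA key exchange without forward secrecy. The PERMISSIVE list is a constructed stand-in for an "accept everything" configuration, not the LoadMaster's actual default.

```python
import re

# Key-exchange tokens that give forward secrecy (ephemeral DH / ECDH).
FS_KX = {"ECDHE", "DHE", "EDH"}
# Tokens that mark a suite as weak: export grades, NULL and anonymous
# suites, RC4, (3)DES and MD5. "ANON" covers IANA names like TLS_DH_anon_*.
WEAK = {"EXP", "EXPORT", "NULL", "ADH", "AECDH", "ANON", "RC4", "DES", "3DES", "MD5"}

def analyze(suite):
    """Classify one cipher-suite name.

    Accepts OpenSSL names (ECDHE-RSA-AES256-SHA384), the form the LoadMaster
    "Assigned Ciphers" box takes, and IANA names
    (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) as listed by Windows Schannel.
    """
    tokens = re.split(r"[-_]", suite.upper())
    return {
        "suite": suite,
        "forward_secrecy": any(t in FS_KX for t in tokens),
        "weak": [t for t in tokens if t in WEAK],
    }

def review(suites):
    """Report the weak suites and the non-weak suites without forward secrecy."""
    results = [analyze(s) for s in suites]
    return {
        "weak": [r["suite"] for r in results if r["weak"]],
        "no_forward_secrecy": [r["suite"] for r in results
                               if not r["weak"] and not r["forward_secrecy"]],
    }

def prioritize(suites):
    """Drop weak suites and put forward-secrecy suites first; the sort is
    stable, so the caller's order is kept within each group."""
    kept = [s for s in suites if not analyze(s)["weak"]]
    return sorted(kept, key=lambda s: not analyze(s)["forward_secrecy"])

# The five ciphers assigned in Step two.
KEMP_HARDENED = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
                 "ECDHE-RSA-AES128-SHA", "AES128-SHA256", "AES256-SHA256"]

# Constructed stand-in for an "accept everything" list, not the real default.
PERMISSIVE = ["AES128-SHA256", "ECDHE-RSA-AES128-SHA", "RC4-SHA", "RC4-MD5",
              "DES-CBC3-SHA", "EXP-RC4-MD5", "NULL-SHA", "ADH-AES128-SHA"]

if __name__ == "__main__":
    for name, suites in (("hardened", KEMP_HARDENED), ("permissive", PERMISSIVE)):
        print(name, review(suites))
    print("preferred order:", prioritize(PERMISSIVE))
```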

Step three

Run a new SSL test at Qualys SSL Labs and after a few seconds you should see the new results:

[Screenshot: KEMP_Improved_SSL_Security_4]

[Screenshot: KEMP_Improved_SSL_Security_5]

[Screenshot: KEMP_Improved_SSL_Security_6]


Windows 2012 with IIS 8.0 + ARR 3.0

Windows 2012 with IIS 8.0 + ARR 3.0 is recommended by Microsoft as a supported reverse proxy configuration for Lync 2013 and other workloads (Exchange 2013 and SharePoint 2013).

With this information, I installed a Windows 2012 virtual machine. Afterwards I activated the IIS role in Windows 2012. The last step was to install ARR 3.0. From there I created the correct URL Rewrite rules for Lync 2013.

Qualys SSL Labs rates this default configuration with an A:

[Screenshot: default_iis_security_1]

[Screenshot: default_iis_security_2]

Not bad Microsoft, not bad.

The next question that comes to mind: “How can I make this setup even better (more secure)?”

The answer is quite simple:

– Run a simple PowerShell script, courtesy of: http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

– Run IIS Crypto 1.4: https://www.nartac.com/Products/IISCrypto/Default.aspx

NOTE: You have to choose one option to improve the security of IIS 8.0. Applying both solutions will give mixed results. Choose either the PowerShell script or the IIS Crypto tool.

Both options will secure your IIS 8.0 setup. I chose to run the simple PowerShell script and I’m happy to share the improved results:

[Screenshot: default_iis_security_3]

[Screenshot: default_iis_security_4]

[Screenshot: default_iis_security_5]

Conclusion

After the heartbleed fiasco, security is on everybody’s mind. It makes sense to check your SSL appliances in your perimeter network for their SSL implementation. If you happen to have a KEMP LoadMaster in your network, please install the latest firmware (7.0-14b). The latest firmware version fixes the heartbleed vulnerability.

Another important aspect that I want to highlight is that we (IT pros) are solely responsible for implementing the best possible security options on our perimeter appliances. This includes selecting the appropriate ciphers and protocols.

I’m glad to find that Windows Server 2012 with IIS 8.0 is secure enough to be implemented as a reverse proxy/load balancer for various workloads. By changing a few options, you can make a Windows 2012 with IIS 8.0 reverse proxy server very secure.

KEMP LoadMaster’s SSL implementation is not that secure by default. The administrator has to select the correct ciphers and protocols that he wants to use in order to achieve the highest possible rating and security. I would prefer that KEMP put a note in their product guide to alert IT pros about this minor inconvenience.

By no means am I trashing KEMP and their LoadMaster. I would just like to see their LoadMasters secured by default. Besides this minor security inconvenience, I like the KEMP LoadMaster very much because it is simple to install and operate. It’s the best cost-effective load balancer that won’t break the bank.