Introduction
In my spare time I like to test the software and appliances that I work with for security flaws.
Since the Heartbleed bug made news headlines around the world, I take extra measures to secure everything that needs SSL to work.
NOTE:
Kemp has released a firmware that patches the Heartbleed vulnerability. Please download it and apply it to your Kemp LoadMaster.
I will be designing and implementing a Unified Communications solution very soon. Lync 2013 requires a reverse proxy for the Lync mobility feature. Before I can give unbiased advice on the reverse proxy setup that we need, I'd like to take each solution for a test drive.
My list of reverse proxy solutions are:
– KEMP LoadMaster VLM-100
– Windows Server 2012 with IIS 8.0 acting as a reverse proxy
Let’s start with the Kemp LoadMaster and its default security implementation.
Kemp LoadMaster
Default behaviour (out-of-the-box not that secure)
By default, the Kemp LoadMaster accepts all kinds of security protocols and ciphers, as shown by this screenshot:
This default behaviour results in a combined score of C on Qualys SSL Labs:
This behaviour is correct, because Kemp gives you the freedom to select the ciphers and protocols that you need to load balance your workload. It’s the responsibility of the administrator/IT pro to select the right ciphers and protocols.
Hardening the Kemp LoadMaster
In order to harden the Kemp LoadMaster, you need to disable the weak protocols and ciphers. These are only needed by older operating systems (Windows XP) and web browsers (IE6, IE7, IE8), so check that none of your clients still depend on them before you remove them. This can be done in the web user interface of the Kemp LoadMaster.
Step one
Select your virtual service that needs to be hardened. In my case I select “Lync Reverse Proxy HTTPS”.
Click on the “modify” button and you will be presented with a screen like this:
Note that the Assigned Ciphers list is empty, which means all default protocols and ciphers are in use. Let’s change that.
Step two
Assign the following ciphers to the Assigned Ciphers box (these are OpenSSL cipher names, listed in order of preference):
1) ECDHE-RSA-AES256-SHA384
2) ECDHE-RSA-AES256-SHA
3) ECDHE-RSA-AES128-SHA
4) AES128-SHA256
5) AES256-SHA256
The first three use ECDHE key exchange and therefore provide forward secrecy; the last two use static RSA key exchange and are only there as a fallback for clients that cannot do ECDHE.
Click on the button “Set Ciphers” and the new ciphers will be set and operational.
Step three
Run a new SSL test at Qualys SSL Labs and after a few seconds you should see the new results:
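If you want to check the result yourself instead of waiting for an external scanner, the following PowerShell script is an added example (it is not part of the original post and not Kemp’s code). It forces one handshake per protocol version against the virtual service and reports whether the handshake was accepted, which cipher was negotiated, and whether the key exchange gives forward secrecy. The host name is a placeholder you have to replace with your own VIP.

```powershell
# Added example, not from the original post: probe a TLS endpoint from a
# Windows client and report which protocol versions it still accepts and
# what key exchange it negotiates. The VIP name below is a placeholder.
param(
    [string]$TargetHost = 'lyncweb.example.com',   # assumed placeholder VIP
    [int]$Port = 443
)

# One handshake per protocol version. Forcing a single version tells you
# whether the endpoint still answers SSL 3.0 / TLS 1.0 after hardening.
$protocols = @(
    [System.Security.Authentication.SslProtocols]::Ssl3,
    [System.Security.Authentication.SslProtocols]::Tls,
    [System.Security.Authentication.SslProtocols]::Tls11,
    [System.Security.Authentication.SslProtocols]::Tls12
)

# We are probing protocol support, not trust, so accept any certificate here.
# Never reuse this callback in production code.
$acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

foreach ($proto in $protocols) {
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAnyCert)
        $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)

        # .NET 4.x has no named ExchangeAlgorithmType member for ECDHE; the raw
        # value 44550 is what SslStream reports for it. RsaKeyX means static
        # RSA key exchange, i.e. no forward secrecy.
        $kx = if ([int]$ssl.KeyExchangeAlgorithm -eq 44550) { 'ECDHE' } else { $ssl.KeyExchangeAlgorithm }
        $fs = if ($kx -eq 'ECDHE' -or $kx -eq 'DiffieHellman') { 'yes' } else { 'no' }

        '{0,-6} ACCEPTED  cipher={1}-{2} hash={3} kx={4} forward-secrecy={5}' -f `
            $proto, $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.HashAlgorithm, $kx, $fs
    }
    catch {
        # A refused handshake (AuthenticationException / IOException) is the
        # result you want for SSL 3.0 and, depending on your policy, TLS 1.0.
        '{0,-6} rejected  ({1})' -f $proto, $_.Exception.GetType().Name
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}
```

Run it as `.\Probe-Tls.ps1 -TargetHost <your VIP>` after each cipher change. Keep in mind that a “rejected” line for SSL 3.0 can also mean the probing client itself has SSL 3.0 disabled, so use the Qualys report to confirm the server side; the value of this script is the forward-secrecy column, which tells you whether clients actually land on the ECDHE suites you put at the top of the list.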
Windows 2012 with IIS 8.0 + ARR 3.0
Windows Server 2012 with IIS 8.0 + ARR 3.0 is recommended by Microsoft as a supported reverse proxy configuration for Lync 2013 and other workloads (Exchange 2013 and SharePoint 2013).
With this information, I installed a Windows Server 2012 virtual machine, enabled the IIS role and then installed ARR 3.0. From there I created the URL Rewrite rules for Lync 2013.
Qualys SSL Labs rates this default configuration with an A
Not bad Microsoft, not bad
The next question that comes to mind: “How can I make this setup even better (more secure)?”
The answer is quite simple:
– Run a simple PowerShell script, courtesy of: http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
– Run IIS Crypto 1.4: https://www.nartac.com/Products/IISCrypto/Default.aspx
NOTE: You have to choose one option to improve the security of IIS 8.0. Both edit the same SCHANNEL settings in the registry, so applying both will give mixed results. Choose either the PowerShell script or the IIS Crypto tool.
Both options will secure your IIS 8.0 setup. I chose to run the simple PowerShell script and I’m happy to share the improved results:
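For readers who want to see what such a script actually changes, here is an added PowerShell example (it is neither the hass.de script nor IIS Crypto, and not code from this post) that applies the same kind of SCHANNEL hardening by hand: it disables SSL 2.0/3.0, enables TLS 1.1/1.2, removes the NULL, DES, RC2 and RC4 ciphers and sets the cipher suite order with ECDHE first. It assumes Windows Server 2012 (cipher suite names carry the `_P256`/`_P384` curve suffix there; later Windows versions drop it), must run as Administrator on the IIS/ARR host, and requires a reboot afterwards. Leaving TLS 1.0 enabled is an assumption made because the post does not say which clients still need it.

```powershell
# Added example, not the hass.de script and not code from the post: apply
# SCHANNEL hardening by hand so each registry key is visible. Assumes
# Windows Server 2012; run as Administrator and reboot afterwards.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Each protocol has a Client and a Server subkey; a missing key means
    # "OS default", which on Server 2012 still allows SSL 3.0.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $(if ($Enabled) { 1 } else { 0 }) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $(if ($Enabled) { 0 } else { 1 }) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher subkey names contain a forward slash ("RC4 128/128"), which the
    # registry provider treats as a path separator, so create them through
    # the .NET registry API instead of New-Item.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
    $key = $base.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
}

# Protocols: disable SSL 2.0/3.0, make sure TLS 1.1 and 1.2 are on.
# TLS 1.0 stays enabled here (assumption: older Lync clients may need it).
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Ciphers: remove NULL, DES, RC2 and RC4.
foreach ($c in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    Disable-SchannelCipher -Name $c
}

# Cipher suite order: ECDHE (forward secrecy) first, static-RSA AES last as
# a fallback. Same shape as the OpenSSL list used on the LoadMaster.
# Server 2012 has no ECDHE_RSA GCM suites, so CBC suites are listed.
$suites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $policy -Force | Out-Null
New-ItemProperty -Path $policy -Name 'Functions' -PropertyType String `
    -Value ($suites -join ',') -Force | Out-Null

Write-Host 'SCHANNEL hardening written; reboot the server for it to take effect.'
```

The `Functions` value under the `00010002` policy key is the same one IIS Crypto and the hass.de script write, which is why running both tools on top of each other produces mixed results: the last writer wins, and neither knows what the other removed. Take a registry export of the SCHANNEL key before running anything like this so you can roll back if a client stops connecting.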
Conclusion
After the Heartbleed fiasco, security is on everybody’s mind. It makes sense to check the SSL appliances in your perimeter network for their SSL implementation. If you happen to have a KEMP LoadMaster in your network, please install the latest firmware (7.0-14b), which fixes the Heartbleed vulnerability.
Another important aspect that I want to highlight is that we (IT pros) are solely responsible for implementing the best possible security options on our perimeter appliances. This includes selecting the appropriate ciphers and protocols.
I’m glad to find out that Windows Server 2012 with IIS 8.0 is secure enough to be implemented as a reverse proxy/load balancer for various workloads. By changing a few options, you can make a Windows Server 2012 with IIS 8.0 reverse proxy very secure.
KEMP LoadMaster’s SSL implementation is not that secure by default. The administrator has to select the ciphers and protocols to use in order to achieve the highest possible rating and security. I would prefer that KEMP put a note in their product guide to alert IT pros about this minor inconvenience.
By no means am I trashing KEMP and their LoadMaster. I would just like to see their LoadMasters secured by default. Besides this minor security inconvenience, I like the KEMP LoadMaster very much because it is simple to install and operate. It’s the most cost-effective load balancer that won’t break the bank.