Secure Tenant Configuration and Hardening
The following sections provide guidance to make your Netskope tenants and Publishers secure.
This document describes how to secure a tenant by checking and changing settings for features and functions in the Netskope UI.
Tenant Access
The following steps explain how to quickly set up your tenant.
Set up a global admin that will only be used with proper change management controls. Log in to Netskope and go to Settings > Administration > Admins > New Admin. For more info, see: Create Administrators.
Enable Single Sign On (SSO) with your current SSO provider. Log in to Netskope and go to Settings > Administration > SSO. For more info, see: SSO Settings.
Create and assign roles for restricted admins. Log in to Netskope and go to Settings > Administration > Roles. For more info, refer to Create Roles and Assign Roles.
Identify any non-corporate users in the administration list and remove or revoke access. Log in to Netskope and go to Settings > Administration > Admins. For more info, refer to Change Access.
Confirm your enterprise policy for tenant support and enable or revoke access based on that policy. Log in to Netskope and go to Settings > Administration > Admins. Identify tenant_support@netskope.com and review your corporate policy regarding this tenant support user and its level of access. Use the slider to the left of the account to enable or remove it. For more info, refer to Managing Administrators.
Some default settings should be changed to secure a Netskope tenant.
Feature/Function | Description | Default Setting | Secure Setting |
---|---|---|---|
Secure email invites with one-time enrollment | Allows making email invites to be one-time use to prevent reuse. | Off | On |
Disallow concurrent logins by an Admin (Settings > Administration > Admin > Settings) | Ensures an admin can log in to a tenant only once, instead of being able to log in to a tenant multiple times concurrently. | Off | On |
MFA (Settings > Manage > Multi-Factor Authentication Integration) | Enablement of multi-factor authentication. Integration with a third-party tool is required. | Off | On |
SSO (Settings > Administration > SSO) | Enables SSO authentication using a standard such as SAML. Integration with a third-party tool is required. | Off | On |
IP restriction for Tenant Access (Settings > Administration > IP Allowlist) | Controls the IP addresses that are allowed to access your Netskope tenant. | Off | On |
Chromebook Verified Access (Settings > Security Cloud Platform > Reverse Proxy > SAML. Click on your Google Workspace account and select Options.) | Verifies that the Chromebook is enrolled via Verified Access. | Off | On |
Logging of Admin actions to SIEM | Logging of activity by admins is recommended but needs configuration by the user. Integration with a third-party tool is required. | Off | On |
Traffic Steering
Feature/Function | Description | Default Setting | Secure Setting |
---|---|---|---|
Safe Search (Settings > Security Cloud Platform > Configuration) | Enforce strict safe search for queries sent to search engines. | On | On |
Dynamic Trusted Store (Settings > Security Cloud Platform > Configuration) | Allows automatic download and use of intermediate certificates to verify the server’s identity during the SSL handshake. | On | On |
Enhanced Cert-Pinned Apps | Uses specific domain and process-name combinations to decide whether to bypass or steer traffic. | On | On |
Bypass Loopback DNS controls | Allows configuring the Client to ignore DNS responses from a DNS server on the loopback address. Refer to the Bypass Umbrella Processes for Umbrella DNS-based Protection section in Cisco Umbrella for more details. | On | On |
Error Settings in Steering Configurations
These settings are located at: Settings > Security Cloud Platform > Steering Configuration > Manage Error Settings.
Feature/Function | Description | Default Setting | Secure Setting |
---|---|---|---|
No SNI | Between the Netskope Client and the Netskope Cloud Proxy, when the Netskope Cloud Proxy cannot determine the SNI. | Bypass | Block |
Malformed SSL | Between the Netskope Client and the Netskope Cloud Proxy, when the designated port is 443 but the first packet of the SSL traffic cannot be parsed. | Bypass | Block |
CRL/OCSP checks | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate is revoked. | Bypass | Block |
SSL Handshake Error | Between the Netskope Cloud Proxy and the internet server, when the SSL handshake fails. | Bypass | Block |
Self-Signed Server Certificate | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate is self-signed. | Block | Block |
Incomplete Certificate Trust Chain | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate chain is incomplete. | Bypass | Block |
Untrusted Root Certificate | Between the Netskope Cloud Proxy and the internet server, when the server’s certificate is not trusted. | Block | Block |
Malformed HTTP | Between the Netskope Client and the Netskope Cloud Proxy, when the HTTP request received by the Netskope Cloud Proxy is invalid. | Block | Block |
SSL-Pinned Certificate | For the Netskope Client to bypass a certificate-pinned application. | Bypass | Bypass |
SSL Host Mismatch | Between the Netskope Cloud Proxy and the internet server, when the domain name of the server doesn’t match the common name in the server’s certificate. | Block | Block |
Client Configuration
The Netskope Client installation link sent during the onboarding process contains an activation key. This key is generated when the onboarding email is sent to the user. When the user clicks the installation link, the activation key in the link validates the link and allows the Netskope Client installer to be downloaded from the download service. The installer carries the activation key along with other user and tenant info.
These settings are located at: Settings > Security Cloud Platform > Devices > Client Configurations.
Feature/Function | Description | Default Setting | Secure Setting |
---|---|---|---|
Enable DTLS | Use only when required. | Off | Off, unless required. |
On-premises Detection | If the endpoint is on-premises, the Client tunnels the following types of traffic, and this traffic is bypassed by the Netskope Cloud. | Off | Off |
Upgrade Client automatically (Under Install & Troubleshoot) | Clients will automatically upgrade to the specified Client release. Disabling the Show Upgrade Notification option is recommended. | On | On |
Uninstall Clients automatically (Under Install & Troubleshoot) | Uninstalls the Client when users are removed from the Netskope tenant. Not recommended. | Off | Off |
Allow users to unenroll (Under Install & Troubleshoot) | If the Client is provisioned via IdP, selecting this option allows users to unenroll from Netskope. | Off | Off |
Allow disabling of Clients (Under Tamperproof) | Allows the user to disable the Client on a device. | On | Off |
Password protection for Client uninstallation and service stop (Under Tamperproof) | Password protection against stopping the services is supported only on the Windows Client. | Off | On |
Netskope provides prebuilt Publishers for VMware (OVA format), Hyper-V (VHDX), and AWS (AMI). You can also deploy a Publisher on an Ubuntu 20.04 based machine for other environments, such as GCP. The deployment methods and the use of Docker images may raise concerns about hardening and security. This document provides information that customers under NDA can use to better understand how a Publisher is deployed and maintained.
OS Requirements
Ubuntu 20.04 is supported.
Significant changes from the previously supported CentOS-based machine are:
Ubuntu Publishers are CIS benchmark enabled.
AppArmor and ufw are used instead of SELinux and FirewallD.
OS Hardening
Netskope takes a number of hardening steps for the images we provide, including:
Disabling root login to the base OS and the container OS.
Removing the root password.
Removing unneeded Linux firmware and packages.
Running the latest security updates prior to capturing the image.
Disabling support for Ctrl-Alt-Del to prevent accidental or malicious system restarts.
You can perform additional hardening steps, such as:
Hardening SSH to use keys rather than passwords. AWS AMI uses keys by default. Publishers deployed on other platforms must be manually configured to use keys.
Using the native Ubuntu 20.04 firewall or network firewalls to limit access to and from the Publisher.
Netskope Private Access leverages RSA 2048 for all encrypted communications including Client, Publisher, and inner tunnel.
Updates
Netskope updates the host OS and the Publisher package during the software update process:
Base OS (Ubuntu 20.04) security updates.
Publisher (security, functionality, and enhancements).
Netskope recommends that Publishers always be updated to the most recent software version.
AppArmor and ufw for Ubuntu
The NPA Publisher is configured with AppArmor and ufw enabled and running. During Publisher installation, the following ufw configurations are made in order to enable the NPA Publisher to process data packets appropriately.
```shell
apt-get install -y ufw
echo y | ufw enable
ufw allow to 191.1.1.1/32 proto tcp port 784
ufw allow to 191.1.1.1/32 proto udp port 785
ufw allow in on tun0 to any port 53 proto tcp
ufw allow in on tun0 to any port 53 proto udp
ufw allow 22/tcp
ufw allow in on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1
ufw reload
sudo pkill npa_publisher
```
Note
As indicated above, this configuration is applied automatically in all current NPA Publisher releases and is included here for reference and for legacy Publishers.
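The ufw rule set above, audited rather than applied, as an added example that is not part of the Netskope documentation or the Publisher package. It assumes the Publisher's `ufw status` output uses ufw's standard To/Action/From columns; the sample status text is constructed, and the 191.1.1.1 address and ports are the ones listed above.

```shell
#!/bin/sh
# Added example, not Netskope tooling: audit a Publisher's ufw rules against the
# list on this page. Save the live state first, then audit the file:
#   sudo ufw status > /tmp/ufw.txt && sh audit_ufw.sh /tmp/ufw.txt

# The page's rules as they appear in the To/Action/From columns of `ufw status`
# (single spaces, no IN/OUT suffix, no rule numbers).
REQUIRED_RULES='191.1.1.1 784/tcp ALLOW Anywhere
191.1.1.1 785/udp ALLOW Anywhere
53/tcp on tun0 ALLOW Anywhere
53/udp on tun0 ALLOW Anywhere
22/tcp ALLOW Anywhere
Anywhere on lo ALLOW Anywhere
Anywhere DENY 127.0.0.0/8
Anywhere (v6) DENY ::1'

# Reads `ufw status` output (plain, verbose or numbered) on stdin, prints each
# missing rule, and returns 0 only if ufw is active and every rule is present.
audit_ufw_rules() {
    raw=$(cat)
    # Normalise so all three output styles compare equal to REQUIRED_RULES:
    # strip "[ n]" prefixes, collapse whitespace, drop the IN/OUT direction word.
    rules=$(printf '%s\n' "$raw" | sed -E 's/^\[ *[0-9]+] *//; s/[[:space:]]+/ /g; s/ (ALLOW|DENY|REJECT|LIMIT) (IN|OUT)( |$)/ \1\3/; s/ $//')
    missing=0
    printf '%s\n' "$raw" | grep -q '^Status: active' || { echo "MISSING: ufw is not active"; missing=1; }
    old_ifs=$IFS; IFS='
'
    for rule in $REQUIRED_RULES; do
        printf '%s\n' "$rules" | grep -qxF "$rule" || { echo "MISSING: $rule"; missing=1; }
    done
    IFS=$old_ifs
    [ "$missing" -eq 0 ] && echo "OK: all required Publisher firewall rules present"
    return "$missing"
}

# Constructed sample (not a real capture) of `ufw status` on a Publisher that
# applied the rules above; audited when no file is given on the command line.
SAMPLE_STATUS='Status: active
191.1.1.1 784/tcp          ALLOW       Anywhere
191.1.1.1 785/udp          ALLOW       Anywhere
53/tcp on tun0             ALLOW       Anywhere
53/udp on tun0             ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Anywhere on lo             ALLOW       Anywhere
Anywhere                   DENY        127.0.0.0/8
Anywhere (v6)              DENY        ::1'

if [ $# -gt 0 ]; then audit_ufw_rules < "$1"; else printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_rules; fi
```

Any rule that a later `ufw delete` or a manual reconfiguration removed shows up as a MISSING line, so the script can run from cron or a configuration-drift check on each Publisher.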