Netskope Help

Secure Tenant Configuration and Hardening

The following sections provide guidance to make your Netskope tenants and Publishers secure.

This document describes how to secure a tenant by checking and changing settings for features and functions in the Netskope UI.

Tenant Access

The following steps explain how to quickly secure administrative access to your tenant.

  1. Set up a global admin that will only be used with proper change management controls. Log in to Netskope and go to Settings > Administration > Admins > New Admin. For more info, see: Create Administrators.

  2. Enable Single Sign On (SSO) with your current SSO provider. Log in to Netskope and go to Settings > Administration > SSO. For more info, see: SSO Settings.

  3. Create and assign roles for restricted admins. Log in to Netskope and go to Settings > Administration > Roles. For more info, refer to Create Roles and Assign Roles.

  4. Identify any non-corporate users in the administration list and remove or revoke access. Log in to Netskope and go to Settings > Administration > Admins. For more info, refer to Change Access.

  5. Confirm your enterprise policy for tenant support and enable or revoke access based on that policy. Log in to Netskope and go to Settings > Administration > Admins. Identify tenant_support@netskope.com and review your corporate policy regarding this tenant support user and its level of access. Use the slider to the left of the account to enable or disable it, or remove the account. For more info, refer to Managing Administrators.

Some default settings should be changed to secure a Netskope tenant.

Feature/Function: Secure email invites with one-time enrollment
Description: Makes email invites one-time use, so that an invite link cannot be reused.
Default Setting: Off
Secure Setting: On

Feature/Function: Disallow concurrent logins by an Admin (Settings > Administration > Admin > Settings)
Description: Ensures an admin can be logged in to a tenant only once, instead of holding multiple concurrent sessions.
Default Setting: Off
Secure Setting: On

Feature/Function: MFA (Settings > Manage > Multi-Factor Authentication Integration)
Description: Enables multi-factor authentication. Integration with a third-party tool is required.
Default Setting: Off
Secure Setting: On

Feature/Function: SSO (Settings > Administration > SSO)
Description: Enables SSO authentication using a standard such as SAML. Integration with a third-party tool is required.
Default Setting: Off
Secure Setting: On

Feature/Function: IP restriction for Tenant Access (Settings > Administration > IP Allowlist)
Description: Controls the IP addresses that are allowed to access your Netskope tenant. Add the addresses your admins connect from before enabling it, so you do not lock out your own administrators.
Default Setting: Off
Secure Setting: On

Feature/Function: Chromebook Verified Access (Settings > Security Cloud Platform > Reverse Proxy > SAML. Click on your Google Workspace account and select Options.)
Description: Uses Google Verified Access to verify that the Chromebook is enrolled.
Default Setting: Off
Secure Setting: On

Feature/Function: Logging of Admin actions to SIEM
Description: Logging admin activity is recommended but must be configured by the customer. Integration with a third-party tool is required.
Default Setting: Off
Secure Setting: On

Traffic Steering

Feature/Function: Safe Search (Settings > Security Cloud Platform > Configuration)
Description: Enforces strict safe search for queries sent to search engines.
Default Setting: On
Secure Setting: On

Feature/Function: Dynamic Trusted Store (Settings > Security Cloud Platform > Configuration)
Description: Allows the automatic download and use of intermediate certificates to verify the server's identity during the SSL handshake.
Default Setting: On
Secure Setting: On

Feature/Function: Enhanced Cert-Pinned Apps
Description: Uses specific domain and process name combinations to decide whether to bypass or steer traffic.
Default Setting: On
Secure Setting: On

Feature/Function: Bypass Loopback DNS controls
Description: Configures the Client not to act on DNS responses from a DNS server on the loopback address. Refer to the Bypass Umbrella Processes for Umbrella DNS-based Protection section in Cisco Umbrella for more details.
Default Setting: On
Secure Setting: On

Error Settings in Steering Configurations

These settings are located at: Settings > Security Cloud Platform > Steering Configuration > Manage Error Settings. Changing an action from Bypass to Block makes that traffic fail closed instead of being passed through uninspected, so validate the change with a pilot group before applying it to all users.

Feature/Function: No SNI
Description: Between the Netskope Client and the Netskope Cloud Proxy, when the Netskope Cloud Proxy cannot determine the SNI.
Default Setting: Bypass
Secure Setting: Block

Feature/Function: Malformed SSL
Description: Between the Netskope Client and the Netskope Cloud Proxy, when the traffic is on port 443 but the first packet cannot be parsed as SSL.
Default Setting: Bypass
Secure Setting: Block

Feature/Function: CRL/OCSP checks
Description: Between the Netskope Cloud Proxy and the internet server, when the CRL/OCSP check shows that the server's certificate has been revoked.
Default Setting: Bypass
Secure Setting: Block

Feature/Function: SSL Handshake Error
Description: Between the Netskope Cloud Proxy and the internet server, when the SSL handshake fails.
Default Setting: Bypass
Secure Setting: Block

Feature/Function: Self-Signed Server Certificate
Description: Between the Netskope Cloud Proxy and the internet server, when the server's certificate is self-signed.
Default Setting: Block
Secure Setting: Block

Feature/Function: Incomplete Certificate Trust Chain
Description: Between the Netskope Cloud Proxy and the internet server, when the server's certificate chain is incomplete.
Default Setting: Bypass
Secure Setting: Block

Feature/Function: Untrusted Root Certificate
Description: Between the Netskope Cloud Proxy and the internet server, when the server's certificate does not chain to a trusted root.
Default Setting: Block
Secure Setting: Block

Feature/Function: Malformed HTTP
Description: Between the Netskope Client and the Netskope Cloud Proxy, when the HTTP request received by the Netskope Cloud Proxy is invalid.
Default Setting: Block
Secure Setting: Block

Feature/Function: SSL-Pinned Certificate
Description: Allows the Netskope Client to bypass a certificate-pinned application.
Default Setting: Bypass
Secure Setting: Bypass

Feature/Function: SSL Host Mismatch
Description: Between the Netskope Cloud Proxy and the internet server, when the domain name of the server doesn't match the common name (CN) in the server's certificate.
Default Setting: Block
Secure Setting: Block

Client Configuration

The Netskope Client installation links sent during onboarding contain an activation key. This key is generated when the onboarding email is sent to the user. When the user clicks the installation link, the activation key in the link validates the link and allows the Netskope Client installer to be downloaded from the download service. The installer carries the activation key along with other user and tenant information, so treat the link as a credential and do not forward it to unintended recipients.

These settings are located at: Settings > Security Cloud Platform > Devices > Client Configurations.

Feature/Function: Enable DTLS
Description: Use only when required.
Default Setting: Off
Secure Setting: Off, unless required.

Feature/Function: On-premises Detection
Description: When the Client detects that the endpoint is on-premises, it bypasses traffic instead of tunneling it to the Netskope Cloud, so that traffic is not inspected.
Default Setting: Off
Secure Setting: Off

Feature/Function: Upgrade Client automatically (under Install & Troubleshoot)
Description: Clients automatically upgrade to the specified Client release. Recommended configuration per group:

  • InfoSec/Test Ring: Latest Golden Release

  • General/Default Config: Specific Golden Release with opt-in dot upgrade. Select the latest Client version that was validated via the test ring.

Disabling the Show Upgrade Notification option is recommended.
Default Setting: On
Secure Setting: On

Feature/Function: Uninstall Clients automatically (under Install & Troubleshoot)
Description: Uninstalls the Client when users are removed from the Netskope tenant. Not recommended.
Default Setting: Off
Secure Setting: Off

Feature/Function: Allow users to unenroll (under Install & Troubleshoot)
Description: If the Client is provisioned via IdP, selecting this option allows users to unenroll from Netskope.
Default Setting: Off
Secure Setting: Off

Feature/Function: Allow disabling of Clients (under Tamperproof)
Description: Allows the user to disable the Client on a device.
Default Setting: On
Secure Setting: Off

Feature/Function: Password protection for Client uninstallation and service stop (under Tamperproof)
Description: Requires a password to uninstall the Client or stop its services. Password protection for stopping the services is supported only by the Windows Client.
Default Setting: Off
Secure Setting: On

Netskope provides prebuilt Publishers for VMware (OVA format), Hyper-V (VHDX), and AWS (AMI). Additionally, you can deploy a Publisher on top of an Ubuntu 20.04-based machine for other environments, such as GCP. The deployment methods and the use of Docker images may raise concerns about hardening and security. This document provides information that customers under NDA can use to better understand how a Publisher is deployed and maintained.

OS Requirements

Ubuntu 20.04 is supported.

Significant changes from the previously supported CentOS-based machine are:

  • Ubuntu Publisher images are configured according to the CIS benchmark.

  • AppArmor and ufw are used instead of SELinux and FirewallD.

OS Hardening

Netskope takes a number of hardening steps for the images we provide including:

  • Disabling root login to base OS and container OS.

  • Removing root password.

  • Removing unneeded Linux firmware and packages.

  • Running the latest security updates prior to capturing the image.

  • Disabling Ctrl-Alt-Del to prevent accidental or malicious system restarts.

You can perform additional hardening steps, such as:

  • Hardening SSH to use keys rather than passwords. The AWS AMI uses keys by default; Publishers deployed on other platforms must be manually configured to use keys.

  • Using the native Ubuntu 20.04 firewall (ufw) or network firewalls to limit access to and from the Publisher.
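The following script carries out both customer-side steps above on an Ubuntu 20.04 Publisher. It is an added example, not part of the Netskope Publisher package or its documentation: it writes an sshd drop-in that enforces key-only login, checks it with sshd -t before reloading, and narrows the blanket port-22 allow rule from the Publisher's ufw configuration to an admin network. The drop-in path, the ADMIN_CIDR value and the use of the sshd_config.d include directory are assumptions; confirm that /etc/ssh/sshd_config on your Publisher contains an Include line for that directory, and that your public key is already in authorized_keys for the login user, before running it with --apply.

```shell
#!/bin/sh
# Added example, not part of the Netskope Publisher package: enforce key-only
# SSH on an Ubuntu 20.04 Publisher and limit SSH to an admin network.
# Assumptions (adjust for your environment):
#  - /etc/ssh/sshd_config has "Include /etc/ssh/sshd_config.d/*.conf"
#    (the Ubuntu 20.04 default), so the drop-in below is picked up.
#  - ADMIN_CIDR is the network your admins or jump host connect from.
#  - Your public key is already in ~/.ssh/authorized_keys for the login user.
set -eu

ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.0/24}"   # assumed admin network
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/99-publisher-hardening.conf}"

# Emit the sshd drop-in. Keeping it in a function means the content can be
# reviewed or checked without touching the live host.
sshd_hardening_conf() {
    cat <<'EOF'
# NPA Publisher: key-only SSH (added drop-in)
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
EOF
}

# Return 0 if the sshd configuration in file $1 carries every directive
# needed for key-only login with the secure value, 1 otherwise.
verify_sshd_hardening() {
    for pair in "PubkeyAuthentication yes" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "PermitRootLogin no"; do
        key=${pair%% *}
        val=${pair#* }
        grep -Eiq "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$1" || return 1
    done
    return 0
}

# Write the drop-in, validate it, then tighten the firewall and reload sshd.
# Keep your current session open until a new key-based login has succeeded.
apply_hardening() {
    sshd_hardening_conf > "$DROPIN"
    chmod 0644 "$DROPIN"
    verify_sshd_hardening "$DROPIN"
    sshd -t                       # syntax check first: a typo here locks you out
    # Replace the Publisher's blanket "ufw allow 22/tcp" with an admin-only rule.
    ufw delete allow 22/tcp || true
    ufw allow from "$ADMIN_CIDR" to any port 22 proto tcp
    ufw reload
    systemctl reload ssh
}

case "${1:-}" in
    --show)  sshd_hardening_conf ;;
    --apply) apply_hardening ;;
esac
```

Run it as root with --show to review the drop-in and with --apply to enforce it. Only the port-22 rule is narrowed; the Publisher's other ufw rules, including the deny rules for 127.0.0.0/8 and ::1, are left as installed.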

Netskope Private Access uses 2048-bit RSA for all of its encrypted communications, including the Client, the Publisher, and the inner tunnel.

Updates

Netskope updates both the host OS and the Publisher package during the software update process:

  • Base OS (Ubuntu 20.04) security updates.

  • Publisher (security fixes, functionality, and enhancements).

Netskope recommends always updating Publishers to the most recent software version.

AppArmor and ufw for Ubuntu

The NPA Publisher is configured with AppArmor and ufw enabled and running. During Publisher installation, the following ufw configurations are made in order to enable the NPA Publisher to process data packets appropriately.

# Install and enable ufw (these commands run as root during installation).
apt-get install -y ufw
echo y | ufw enable
# Allow traffic to 191.1.1.1 on TCP/784 and UDP/785, used by the NPA Publisher.
ufw allow to 191.1.1.1/32 proto tcp port 784
ufw allow to 191.1.1.1/32 proto udp port 785
# Accept DNS queries only when they arrive on the tunnel interface (tun0).
ufw allow in on tun0 to any port 53 proto tcp
ufw allow in on tun0 to any port 53 proto udp
# SSH for administration. Consider narrowing this to your admin network.
ufw allow 22/tcp
# Permit loopback traffic on lo, but deny packets that claim a loopback source
# on any other interface. ufw evaluates rules in order, so the allow on lo
# matches first for genuine loopback traffic.
ufw allow in on lo
ufw deny in from 127.0.0.0/8
ufw deny in from ::1
ufw reload
# Stop the running npa_publisher process so that, when it starts again,
# the firewall rules are already in place.
sudo pkill npa_publisher

Note

As indicated above, this configuration is applied automatically in all current NPA Publisher releases and is included here for reference and for legacy Publishers.