Secure Tenant Configuration and Hardening
Secure Tenant Configuration and Hardening
This document outlines the security configurations available in Netskope products and how those can be used to harden the security of Netskope products and components deployed in customer environments.
Security hardening guidelines are provided in the following sections:
- Tenant Security Hardening Guidelines
- Client Security Hardening Guidelines
- Private Access Security Hardening Guidelines
- Publisher Security Hardening Guidelines
- Appliance Security Hardening Guidelines
- Cloud Exchange Security Hardening Guidelines
Tenant Security Hardening Guidelines
This section outlines the security configuration available in tenant UI and how those can be used to harden the security of UI.
User Identity and Authentication
User identity and access controls play an important role in how users are allowed to access the product and how the user’s identity will be established. Netskope provides below options to harden the user identity and access control to tenants.
Single Sign On (SSO)
Along with provisioning users locally, Netskope also provides capabilities to provision, identify, and authenticate users using the Single Sign On (SSO) solution. This solution provides an added security by providing the capability to control users’ access from one place, and removes the requirement of user management from each application.
To configure SSO:
- In the Netskope UI, go to Settings > Administration > SSO.
- Refer to Configure Single Sign On for the Netskope UI for the steps to configure SSO.
Multi-Factor Authentication (MFA)
To enhance the security of local users that are provisioned without SSO, Netskope provides an additional layer of security using multi-factor authentication. This protects user accounts from brute force attacks or compromised credentials attacks.
To configure MFA:
- Go to Settings > Administration > Admins to open the Admins page to see the Types (1) and MFA Status (2) of an Admin.
- Click the ellipses at the end of the local admin account user listing (3) and click Edit. The Edit Admin page opens.
- Toggle the Multi-Factor Auth radio button from Disabled (default) to Enabled.
- The next time the local admin logs in to their account, the admin must authenticate using an authentication app or a one-time password. Emails are sent to the email associated with the admin’s Netskope account.
- If needed, you can reset the admin’s MFA. Click Reset to disable MFA for a local admin. You will see the following warning message.
Note: Netskope recommends using either of the SSO or MFA features to protect users’ access to the tenant against any unauthorized attempts to access.
Concurrent Logins
Netskope provides a way to restrict users from logging into the same account from multiple devices. This ensures that in case a user’s account is compromised, the simultaneous login is prevented. It also gives a way for the user to track if the account is logged in at a different place or not.
To disallow concurrent logins:
- To change the default, go to Settings > Administration > Admins.
- On the top right-hand side, click the Settings icon to open the Configure dialog box. Activate Disallow Concurrent Logins by the same Admin.
- Click Save.
Authorization/Access Control
Netskope provides a granular way to provide access to the users based on their roles and responsibilities. This ensures that a user gets access to what is really needed for them to work or access. The control is implemented via Role Based Access Control.
To configure Authorization/Access:
- Go to Settings > Administration > Roles.
- Refer to Creating roles to configure Role Based Access Control.
Brute Force Protections
Netskope provides a way to protect accounts from brute force attacks with additional configurations. The following sections explain the options.
IP Allowlisting
Netskope provides an option to restrict access to tenants based on IP address. This ensures that any unauthorized user is not able to access the tenant outside the customer’s IP address space.
To configure an IP allowlist:
- Go to Settings > Administration > IP Allowlist and click Edit.
- Enter an IP address, range, or subnet. Multiple IP Addresses must be separated by a comma. When finished, click +ADD.
- Change the status from Disabled to Enabled.
- Enable the IP allowlist and click Save.
Note: Netskope has added a pre-defined list of Netskope’s IPs, which ensures Netskope Support is able to access the tenant to troubleshoot and resolve issues for customers.
Failed Login Attempts
This feature can be used to prevent users from brute force attempts, and ensures the account is locked out after a defined number of incorrect attempts.
To configure Failed Login Attempts:
- Go to Settings > Administration > Admins.
- Click Settings in the top right corner.
- Enter the desired number of attempts for Maximum failed login attempts.
- Click Save.
Additional Controls
Apart from the above controls, there are additional security measures that are available.
Idle Timeout
This feature enables administrators to logout users when the logged in session is inactive for a certain period of time. This can be configured to protect the tenant against abuses in scenarios where the user leaves the system unattended.
To configure Idle Timeout:
- Go to Settings > Administration > Admins.
- Click Settings in the top right corner.
- Select the desired number of minutes on the Idle Timeout dropdown.
- Click Save.
Password Expiration
A best practice is to expire passwords after a set interval to force users to rotate them.
To set how often a password expires:
- Go to Settings > Administration > Admins.
- On the top right-hand side, click the Settings icon.
- Select the number of days on the Password Expiration dropdown.
- Click Save.
Netskope Client Security Hardening Guidelines
The Netskope Client is the core of Netskope products and is used to steer traffic in your environments, provision access to private applications, and apply required security policies to end machines.
Considering the critical usage of Netskope Client, it is designed with a lot of security configurations and hardening options that you can leverage to adequately protect the Client in your environment.
The following sections explain the security configurations that are available in the Client.
User Identity and Authentication
The Netskope Client provides various ways to provision users, and establish user identity and user authentication. The users can be provisioned by using any of the following:
- Using Netskope Directory Importer
- Using SCIM Application
- Manually
For further details, please refer to detailed documentation here.
User identity in the Netskope Client is established using either of these parameters:
- User principal name (UPN). This is automatically fetched for the user from the machine where the user is logged in.
- User’s email address
User authentication can be achieved by using either of these ways depending on how the Client is deployed and being provisioned for a user. Here are the user authentication methods supported by Netskope Client:
- One-time token: The Netskope Client uses a one-time token when the client is installed and provisioned using email invite. The email invite contains a one time token and after installation and user authentication is completed, the token expires. For more details, refer to the documentation here.
- IdP-based authentication: The Netskope Client supports user authentication and enrollment via IdP. In this case, the user will have to authenticate to the IdP configured for the tenant by the administrator. You can configure the IdP in SAML forward proxy. For more details, refer to the documentation here.
- Authentication Token: The Netskope Client provides tokens that can be used to establish the user authentication. The token is used as a shared secret between the Client and Netskope services to sign the JWT token, which is then used for user authentication. This token is part of Secure enrollment and can be leveraged by following the documentation here.
Note: For strict enforcement of user authentication, it is recommended you enable the Secure Enrollment, and then Authentication Token in the Netskope UI.
Protection of Client Resources Post-Enrollment
Netskope provides various additional methods and features to protect the the Netskope Client and its resources after the deployment of the Client on an endpoint. Here are some of the those additional controls to further harden the Client.
Access Restrictions
You can prevent users from tampering with Netskope Client process, configuration files, registry, and directory location by accessing them on the endpoint. The access to all Netskope Client related files, processes, directories, etc. can be restricted. To add this additional protection:
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration.
- Choose the Client configuration you want to edit.
- Under Tamperproof, and check the box for Protection Client configuration and resources.
- Click Save.
Encryption of Files
Apart from restricting users from accessing the files related to the Netskope Client, there is an option to encrypt the Netskope Client configuration files on the endpoint. This encryption uses the underlying operating system’s native encryption method to encrypt and decrypt the files.
To enable this feature, please reach out to the Netskope Support Team.
Note: The above options are supported on Windows 10 and higher versions only.
Protection of Client Processes
The Netskope Client has various options to protect the Client’s processes, and have provisions to prevent users from disabling and removing the Client from their machines. The following sections explain these options.
Prevent Disabling of the Netskope Client
To avoid users bypassing the various policies and configurations that protect them while connected to the Netskope Client, it is important that users are unable to disable the Netskope Client themselves.
To prevent the disabling of the Netskope Client:
- Go to Settings > Security Cloud Platform > Client Configuration
- Choose the Client configuration you want to edit.
- Under Tamperproof, uncheck the box for Allow disabling of Clients.
- Click Save
Prevent Uninstallation of Netskope Client
It is also important that users are unable to uninstall the Netskope Client themselves. This can be done by protecting Client uninstallation with a password set by a tenant admin. On Windows devices, this password can also prevent the Client service from being stopped.
To prevent users from uninstalling the Client:
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration
- Choose the client configuration you want to edit.
- Under Tamperproof, select Password protect Client uninstallation
- In the box that appears, type in the admin password that can be used if a scenario arises where the Netskope client needs to be uninstalled. Exercise proper password management hygiene when handling this password.
- Click Save.
Note: It is highly recommended to enable this setting along with Protect Client configuration and resources.
Protect an Endpoint in the Absence of a Client Tunnel
The Netskope Client has the capability to block all network traffic from an endpoint when certain scenarios are not met for the Client, such as:
- A tunnel to steer the traffic from the Client to Netskope is not connected.
- Users are not provisioned on the endpoint, but the Client is installed.
Enabling this setting prevents users from accessing the internet on the endpoint, ensuring that the endpoint is protected unless all security policies are configured on the machine.
Enabling this setting will also enable Password protection Client uninstallation and disable Allow disabling of Clients. This setting will honor all exceptions, except for category-based ones.
To enable this setting:
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration
- Choose the client configuration you want to edit.
- Under Tamperproof, check the box for Fail Close.
- If you have Password protect Client uninstallation disabled or Allow disabling of Clients enabled, the following message will appear. Click Proceed.
- Type in the Admin Password you want to use to protect the Client uninstallation. Then select whether:
- Private App traffic should be excluded from being blocked
- Notifications should show even if the client icon is hidden
- How long Fail Close should be disabled for when a user is behind a captive portal.
- Click Save.
Additional Controls
Apart from above controls, Netskope provides an additional control, like the capability to protect files during transmission.
Enrollment Configuration Protection
Enrollment configuration file can be protected additionally by encrypting on top of TLS. This ensures that confidentiality and integrity of the file is preserved while downloading, and prevents Client enrollment on machines where the decryption token is not configured.
To configure Secure Enrollment:
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration
- Click MDM Distribution > Secure Enrollment.
- Enable Enforce encryption of initial configuration of Netskope Client.
- This will create a token. Push the token on the end points using MDM/SCCM tools.
Updates and Upgrades
Netskope provides the capability to configure updates/upgrades for the Client, which ensures that the Client stays up-to-date in your environments. Keeping the software up-to-date with the latest version ensures that the security issues are patched and the application is using the latest features and functionalities.
To configure Upgrade settings:
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration.
- Create or edit the configuration and go to Install & Troubleshoot.
- Check the Upgrade Client Automatically to and select the updates from the dropdown.
- Click Save.
Netskope Private Access (NPA) Security Hardening Guidelines
Netskope Private Access is provisioned using the Netskope Publisher and Netskope client. The Publisher is deployed near to the applications to which access needs to be provisioned. The access is provisioned using the NSClient for users where policies are configured and a separate tunnel is established to access the applications.
Below are some of the security hardening options available for Netskope Private Access apart from the inbuilt security controls:
User Authentication
Netskope establishes the authentication of the user with private applications through NSClient. Once the user is enrolled with NSClient, a separate authentication is initiated for the user to enroll with NPA and setup a NPA tunnel to provision access to applications.
Below are some options to harden the authentication for users for private apps:
Periodic Re-authentication for Private Apps
Periodic re-authentication ensures that users are re-authenticated using the idP configured for the tenant, after a specified time period to access the private apps. Without re-authentication, the users will not be able to access the private apps. This ensures that even if the device is compromised, a malicious user will not be able to access the apps.
Below are the steps to configure and use the feature:
- Go to Settings > Security Cloud Platform > Netskope Client > Client Configuration > Client Configurations
- Edit or create a new configuration for the users, and under Tunnel Settings, check Periodic re-authentication for Private Apps to enable it.
Note: If the option is not available please reach out to the Netskope Support team.
Netskope Publisher Security Hardening Guidelines
Netskope recommends below security hardening guidelines for NPA Publisher. Please configure these to harden the security of the publisher.
OS Hardening
Netskope provides NPA publisher with host os and also offers NPA publisher which can be installed on customer’s own host os. For detailed information on the same, please refer here.
Netskope does below to harden the NPA publishers offered with host os:
- Use CIS benchmarked image for host OS.
- Disabled root login to base OS and container OS.
- Removed root password.
- Disabling support for CTL-ALT-DEL to prevent accidental or malicious system restarts.
Netskope recommends doing following things on the host OS to harden the publisher:
Access Hardening
- Usage of key based authentication for SSH instead of password based authentication. Netskope AWS AMI does that out of the box.
- Using the native Ubuntu 20.04 firewall or network firewalls to limit access to and from the Publisher.
Protocols and Ports
The Publisher requires communication over the following ports and protocols:
- Port 22: SSH Access
- Port 53: DNS Resolution
- Port 443: HTTPS outbound connectivity for tunneling and updates
- Any additional ports that are required by the customer applications.
Ensure that all other ports and protocols are disabled for the Publisher.
Updates and Upgrades
Netskope updates the host OS and the Publisher package during the software update process:
- Base OS ( Ubuntu 20.04) security updates and kernel updates.
- Publisher (security, functionality, and enhancements).
Netskope recommends that Publishers should always be updated to the most recent software version. Follow the instructions here for the kernel update.
Netskope provides a way to configure auto updates for Publishers. Follow the instructions here to configure and enable it.
Installation of 3rd-party Applications on Publishers
Netskope does not recommend installation of any 3rd-party software on Publishers, specifically on the ones where the host os is also provided by Netskope. Installation of any 3rd party software should be done at customers own risk and Netskope will not be responsible for any breach due the 3rd party software installed by the customer. Follow the instructions here.
Publisher Maintenance Best Practices
Netskope provides a detailed guide on other publisher best practices to ensure the smooth functioning of the Publisher(s). Follow the best practices here.
Netskope Appliance Security Hardening Guidelines
Netskope recommends these security hardening guidelines for Netskope Appliance. These sections explain how to harden the security of the Appliance.
OS Hardening
Netskope has done these things to harden the OS by default for the appliance:
- Restricted shell access.
- By default, the access to the Appliance host OS is restricted to a limited number of commands.
Access Hardening
The Appliance comes with two user accounts, and both have default passwords. Netskope recommends that you change the default passwords for both accounts. Follow below instructions to do the same:
- Log in to the Appliance using the default credentials.
- After login, change the password by using the appropriate command:
- For an nsadmin user:
nsappliance> auth change-password nsadmin
- For an nstransfer user:
nsappliance> auth change-password nstransfer
- For an nsadmin user:
- Follow the pop up instructions on the shell afterwards to set the new password.
Ports and Services
Ensure that only these ports and services are configured on the Appliance and all others are disabled:
- Outbound ports
- Port 443: For management connectivity
- Port 22: Log Upload using SFTP
- Port 443: Log Upload to Netskope Cloud with HTTPS
- Port 443: Use for fetching the REST API tokens with HTTPS
- Inbound ports
- Port 514: For receiving syslog traffic
- Port 4400: AD Connector
- Port 22: SFTP and SCP
- Port 21: FTPS
Access Restriction using the IP Allowlist
SSH connections to access the Appliance CLI can be restricted to trusted IPs only. This configuration ensures that only allowlist IPs can access the Appliance CLI.
To configure allowlist IPs on an Appliance:
-
- Log in to the Appliance.
- Go to configuration mode by using the
configure
command. - In the configuration mode, use this command to set the IP allowlist.
set system ssh-allowlist <comma-separated list of IPs and subnets without spaces>
Example:
set system ssh-allowlist 192.168.169.0/24,172.18.78.10
- Enter
Save
.
Ensure these things exist to properly configure the IP Allowlist:
- Subnets must be specified in this format:
<IP>/<Netmask>
. For example,192.168.169.0/24, 172.18.78.0/255.255.255.0.
- Individual allowlisted IPs in the list cannot be the same as IP addresses that are configured on the Appliance’s interfaces. Although, allowlisted subnets are allowed to contain IP addresses configured on the Appliance’s interfaces.
- Allowlist IPs must not contain the subnet reserved for Netskope Appliance’s internal bridge network. By default, the Appliance’s internal services use the subnet
172.17.0.0/16
. This subnet can be changed using the command,set system bridge-network <IP subnet>
- When specifying a new subnet for the bridge network, use the format
<Network Address>/<Netmask>
. For example:192.168.1.0/0, 172.18.78.0/255.255.255.0.
Configure a Login Banner
When you log into your virtual appliance, the default login banner for the Netskope Appliance is displayed in the console. It is recommended to update the banner with your organization’s policies to deter malicious use of the software. Follow the instructions below to update:
- To configure a login banner, enter the following command at the configuration prompt:
set system login-banner
- Copy and paste the login banner at the prompt.
- Press
Ctrl-D
to set the new login banner. - To save the login banner configuration, enter save at the configuration prompt.
Certificate Management
Appliance require server side certificates to enable SSL inspection. Appliance can generate self-signed certificates, but it is recommended to use CA signed certificates. Follow the below guide setup your CA signed certificates:
- Log in to the Appliance.
- Use these commands to set up the certificate:
set dataplane forward-proxy server-cert
(Copy paste the certificate and press Enter, then type Ctrl-D.)set dataplane forward-proxy server-key
(Copy and paste your private key in the buffer, press Enter, then type Ctrl-D to exit.)set dataplane forward-proxy server-intermediate-ca-chain
- Copy and paste any additional certificates in the following order:
- Server certificate, Intermediate CA certificate, Root CA certificate
- Press
Enter
, then typeCtrl-D
to exit.
- Enter
Save
and pressEnter
to save the configuration.
Log Upload Hardening
The Appliance provides various methods to securely upload the logs. Netskope recommends that you configure these security methods.
Configure SSH Keys for Log Uploads
You can configure your SSH key pairs to automatically upload logs to the appliance.
To use your own SSH key pairs:- Log in to the Appliance.
- Enter
configure
to enter the nsshell configure mode. - Add an entry to the ssh-public-keys list in the CLI configuration by using this command:
add log-upload ssh-public-keys added index 0
- Set the value of the ssh public key at the index returned from the last command. This requires you to paste the SSH public key:
set log-upload ssh-public-keys 0 key
- Copy and paste the ssh public key.
- Enter one or more lines of input. When done, press Ctrl-D.
- To verify the configuration are applied properly, enter the following command:
show log-upload ssh-public-keys
- Enter save to activate your changes.
For detailed information on various log upload options and configuration, go here.
Audit Logging and Monitoring
Netskope recommends that you monitor the logs of the appliance to detect any malicious activity. Appliances generate audit logs for all the actions and events generated by the user’s activities.
To monitor and set up alerts in Appliance logs:- Open nsshell to the Appliance and enter this command:
add audit-logging destinations
- Server response should be added after index 0.
- Use following commands to configure the syslog server destination:
set audit-logging destinations 0 host <hostname> set audit-logging destinations 0 port <port number> set audit-logging destinations 0 protocol [TCP | UDP] set audit-logging enable true
- Enter
false
in the last command to turn off this feature. - When enabled, review the log file on the system specified in the host and port commands.
Updates and Upgrades
Netskope recommends keeping the Appliance updated to the latest version. The latest version contains security bug fixes, functionality enhancements and other improvements. Refer to these instructions to upgrade and set up auto updates for the Appliance.
Cloud Exchange Security Hardening Guidelines
Netskope recommends these security hardening guidelines for Cloud Exchange. The following sections explain how to harden the security of the Cloud Exchange.
Host Hardening
Cloud Exchange can be deployed in various ways depending on customer requirements and environment. Netskope recommends hardening the underlying OS aligning with organizational policies using the OS supported security best practices such as:
- Disabling unused and insecure ports.
- Enabling certificate-based user authentication to the OS.
- Ensuring proper logging and event management.
- Keeping the OS updated with the latest security patches.
High Availability
Netskope provides an option to deploy and configure the Cloud Exchange in High Availability configurations to ensure the service is up and running in case of any failure or outage at one place. For more information in HA configuration, go here.
Netskope recommends that you use this feature and apply these best practices:Ports and Services
Netskope recommends that you configure these ports and services for HA configurations:
- Port 80/443: Cloud Exchange UI
- Port 4369: A peer discovery service used by RabbitMQ nodes and CLI tools
- Port 5672: Used by AMQP 0-9-1 and AMQP 1.0 clients without and with TLS
- Port 15672: HTTP API clients, management UI and rabbitmqadmin, without and with TLS
- Port 25672: Used for inter-node and CLI tools communication
- Port 35672: Used for inter-node and CLI tools communication
- Port 27017: The default port for mongodb and mongos instances.
Storage
Cloud Exchange uses NFS for shared storage, so it is important that you configure the NFS volume in a manner that restricts access exclusively to Netskope CE instances. This precaution is of utmost importance in order to strengthen security measures.
Cloud Exchange Hardening
Netskope provides these options to securely configure the Cloud Exchange post deployment.
Credentials and Secret Management
By default, credentials required for all Cloud Exchange operations are stored within a password-protected MongoDB. The data stored within Mongo is unencrypted.
Note that data encryption within Mongo is available in the Enterprise edition.
Secrets Manager can be used to allow users to configure Netskope tenant, customer plugin repositories, and plugins using secrets from their configured Secrets Manager. When configured, only the secrets paths will be stored in MongoDB.
Currently available options for Secrets Manager:- Hashicorp Vault
Perform these steps as a user with write privileges:
- Go to Settings > General > Secret Manager.
- By default, the Secrets Manager is disabled. Enable the Secrets Manager toggle.
- Leave the default value for the Secrets Manager. Hashicorp is currently the only option.
- Provide the Vault URL and Namespace.
- Select an authentication method. Currently supported authentication methods are:
- Token (https://developer.hashicorp.com/vault/docs/auth/token)
- AppRole (https://developer.hashicorp.com/vault/docs/auth/approle)
- Username & Password (https://developer.hashicorp.com/vault/docs/auth/userpass)
- Provide the required parameters for the selected authentication method and click Save.
Secrets Management
Configure these Tenant settings to manage the secrets used for custom plugin repositories or Netskope Tenants with Secret Manager.
You still have the option to directly provide the password value instead of the secret path by disabling the toggle.Ports and Services
Ensure only below ports are enabled and the associated services are running on those ports:
- Port: 80/443 HTTP/HTTPS
- Configurable – during the setup
- Used to access CE UI
- Port: 15672
- Configurable – No
- Used for RabbitMQ dashboard
Communication Security
Cloud Exchange provides an option to configure TLS 1.3 and/or TLS1.2 during setup. These are used for security of the communication channel for the Cloud Exchange UI.
Cloud Exchange generates a self-signed certificate to use for any of the protocols. Netskope recommends using a CA-signed certificate for this. Cloud Exchange provides an option to upload your certificates.
For more detailed information on how to manage certificates, go here.User Management
Cloud Exchange comes with three default local users. All three users have different roles associated. Netskope recommends configuring these users as per requirement, and changing the default password for these users after configurations and setup.
Here are the users and their roles:- admin: Used to access the Cloud Exchange UI.
- user: Used to access the RabbitMQ dashboard.
- cteadmin: Used to access the mongo database.
After supporting local user accounts, Cloud Exchange also supports provisioning of users via SSO. Provisioning users via SSO provides more security and is recommended. Refer to the documentation here.
Password Policy
Although Cloud Exchange does not enforce a strict password policy, it is recommended to use a strong password with these options:
- Password must contain at least one lower case letter
- Password must contain at least one uppercase letter
- Password must contain at least one special character (e.g #, @,)
- Password must contain at least one numeric character
- Minimum 8 characters are required for the password
- Maximum 72 characters are supported for the password
Updates and Upgrades
Netskope releases updates and upgrades for Cloud Exchange regularly to improve the functionality of the product, and also address the security issues and gaps in the product. We recommend that you keep the Cloud Exchange updated with the latest version provided by Netskope.
For more detailed information, go here.