One way to approach application security issues is to fix the application code itself. In practice, for large applications, making changes takes time, and the application stays vulnerable in the meantime. Flaws may be in third-party code, so one has to wait for a patch. Legacy applications that assumed a trusted security model are now exposed to the web. Deploying a hardened application firewall secures the application while buying time to fix it.
The payment card industry knows that this is a problem. It formed a council called PCI, which publishes PCI-DSS, the Payment Card Industry Data Security Standard. PCI-DSS defines how credit card data is transmitted, logged, stored and processed: 12 requirements in 6 domains. Compliance is pass or fail.
NetScaler provides advanced App and Service delivery optimization. It is composed of four “pillars”.
100% application availability via our world-class L4-L7 load balancing capabilities and intelligent service health monitoring features
Accelerates application performance by 5x through static and dynamic content caching and compression
An average of 60% in application infrastructure savings through connection pooling and offloading SSL processing from servers
End-to-end application security with integrated Access Gateway Enterprise for secure remote access and an application firewall to protect against application layer attacks.
The Application Firewall is one of the principal integrated modules within NetScaler ADCs. This AppFW may be used within the context of an ADC or as a standalone appliance. If used as a standalone option, it may be field upgraded via software license to a full NetScaler at any time.
Integrated into Citrix NetScaler or deployed as a standalone Application Firewall, it sits behind the network firewalls and in front of important web applications, protecting them from dozens of L7 attacks automatically. Configure it once and you are done; in most cases it can be up and running in less than 30 minutes. Its bi-directional inspection can protect against form-field and cookie consistency issues.
Protections include blocking cross site request forgery, XPath injection attacks and XML attacks, including:
XML Attachment Checks Enhancements
Entity Expansion Attack Protection
Soap Fault Filtering
WSDL Scanning Prevention
XPath Injection Protection
Learning
Monitoring Web Services
With the latest MPX models dedicated traffic protection can exceed 12 Gbps.
NetScaler’s application firewall satisfies the PCI-DSS application firewall requirement and has been ICSA certified.
This is the latest lineup of standalone offerings. Additional standalone App Firewall models based on the 5500, 7500, 9500, 10500 and 12500 platforms are also available, but these are older models, and the latest models are recommended for any new deployments.
Note: any NetScaler ADC (MPX, SDX or VPX) running Platinum Edition includes AppFW; it is an option on Enterprise Edition.
To understand how the NetScaler Application Firewall protects web infrastructures, one must first understand the hybrid model which is composed of “positive security model” and signatures (more on this later). The positive security model is fundamental to our strategy of delivering industry-leading security against known and unknown attacks.
With this model, we enforce positive application behavior deterministically. The security policy defines permissible application behavior based on industry standards and expected usage. Any event or instance falling outside of this model is treated as potentially malicious, and is alerted on or blocked, or both.
We understand what “good” traffic looks like. Contrast this with a negative security model that is signature based, and inevitably suffers from false positives.
A positive security model is the only approach that delivers “zero day” protection – no dependence on security vendors to identify a threat, develop a signature pattern and distribute to customers.
This model detects and blocks dozens of attack vectors including CSRF, cookie poisoning, SQL injection and many more.
Next generation security requires much more than simple packet-level inspection. Citrix Application Firewall integrates Deep Stream Inspection technology that reconstructs all bi-directional communications for each user session. Once reconstructed, it inspects all content to ensure correct application behavior and the validity of user and machine inputs. Citrix' innovative Deep Stream Inspection technology is based on multiple core technologies, including:
Bi-directional analysis of all application traffic
Complete header and payload inspection
Full application parsing
Semantic extraction of relevant application objects
Traffic sessionization
An administrator can use the following process to understand the data flow for the client request and server response:
1. The client issues a request for http://www.site.com
2. The NetScaler system receives the client request and performs configured App Firewall request inspections.
Request inspections can include:
Start URLs
XSS
SQL Injection
Field Consistency
Buffer Overflow
App Firewall can also learn exceptions to these inspections from observed traffic (learning mode).
3. The client request is load balanced to the appropriate server.
4. The server sends a response for www.site.com
5. The NetScaler system receives the server response and performs configured App Firewall response inspections.
Response inspections can include:
Credit Cards
SAFE Object
6. The server response for http://www.site.com is sent to the client.
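The six-step flow above, reduced to working code: an added example written for this page, not Citrix code, modelling the request-side Start URL and buffer overflow checks (step 2) and the response-side credit card check (step 5). The Start URL patterns, length limits, the masking style (last four digits kept) and the use of a Luhn checksum to avoid masking random digit runs are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed policy values, constructed for this example (not NetScaler defaults).
START_URLS = [r"^/$", r"^/catalog(/.*)?$", r"^/login$"]   # entry points a client may request
MAX_URL_LEN = 1024        # buffer-overflow check: longest URL accepted
MAX_FIELD_LEN = 256       # buffer-overflow check: longest single field value accepted
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")         # 13-16 digits with optional separators


def check_start_url(path):
    """Step 2a: the request path must match one of the configured Start URLs."""
    return any(re.match(pattern, path) for pattern in START_URLS)


def check_buffer_overflow(url, fields):
    """Step 2b: reject oversized URLs or field values; returns a reason or None."""
    if len(url) > MAX_URL_LEN:
        return "url too long"
    for name, values in fields.items():
        if any(len(v) > MAX_FIELD_LEN for v in values):
            return f"field {name} too long"
    return None


def inspect_request(method, url, body=""):
    """Request-side inspection (step 2). Returns ('allow', '') or ('block', reason)."""
    parsed = urlparse(url)
    if not check_start_url(parsed.path):
        return ("block", "start URL")
    fields = parse_qs(parsed.query)
    if method == "POST":
        fields.update(parse_qs(body))
    reason = check_buffer_overflow(url, fields)
    if reason:
        return ("block", f"buffer overflow: {reason}")
    return ("allow", "")


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary digit runs are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_response(body, action="mask"):
    """Response-side inspection (step 5): find card numbers and mask, strip or block.
    Returns (action_taken, body_to_send, number_of_cards_found)."""
    found = 0

    def handle(match):
        nonlocal found
        text = match.group(0)
        digits = re.sub(r"\D", "", text)
        if not luhn_ok(digits):
            return text                       # not a card number: leave it alone
        found += 1
        if action == "strip":
            return ""
        # mask: keep the last four digits and any separators, replace the rest with x
        keep_from = len(digits) - 4
        seen, out = 0, []
        for ch in text:
            if ch.isdigit():
                out.append(ch if seen >= keep_from else "x")
                seen += 1
            else:
                out.append(ch)
        return "".join(out)

    new_body = CARD_RE.sub(handle, body)
    if found == 0:
        return ("allow", body, 0)
    if action == "block":
        return ("block", "", found)
    return (action, new_body, found)


if __name__ == "__main__":
    print(inspect_request("GET", "/catalog/item?id=5"))
    print(inspect_request("POST", "/login", "user=" + "A" * 300))
    print(inspect_response("Card 4111 1111 1111 1111 ok"))
```

Both inspections return a decision plus a reason so that the caller can log, alert or block, mirroring the "alerted on or blocked, or both" behaviour described for the positive security model.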
Citrix Application Firewall has dynamic, context-sensitive cross site scripting attack protections. It does not just look for patterns; it looks for anything that resembles an HTML tag in a form field and cross-references it against a list of allowed tags. If the tag is not on that list, the CAF blocks it.
There are several types of XSS attacks, but this is one of the more common examples:
An application should never allow a user to post executable code or scripts.
This attack targets applications that allow posting of user information, such as eBay.
Rather than posting a description of an item, the hacker posts an executable script that will run in a browser.
An unsuspecting user downloads the page and the script executes.
This may take the form of a pop-up window or a command to transfer the cookie information to the hacker's location.
Once the hacker obtains this information, they have complete access to the user's account.
This is not an attack on the application but on the trust between the user and the web site.
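The allowed-tag check described above, as an added example written for this page rather than Citrix code: every tag found in a form field is compared against an allow list and anything else is reported. The allow list is an assumption, and the check goes one step beyond the page's tag-only description by also flagging event-handler attributes and javascript: URLs inside otherwise allowed tags.

```python
from html.parser import HTMLParser

# Assumed allow list of harmless formatting tags (constructed for this example).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br"}


class TagCollector(HTMLParser):
    """Collects every tag name and attribute found in a field value."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []   # (tag, attr_name, attr_value)

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name, value or "") for name, value in attrs)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.tags.append(tag)


def check_xss(value, allowed=ALLOWED_TAGS):
    """Return a sorted list of violations ('tag:x' or 'attr:x'); an empty list means clean."""
    if "<" not in value:
        return []                      # nothing that looks like a tag: fast path
    parser = TagCollector()
    parser.feed(value)
    parser.close()
    violations = {f"tag:{t}" for t in parser.tags if t not in allowed}
    for _tag, name, attr_value in parser.attrs:
        # Beyond the tag list: script-bearing attributes inside an allowed tag.
        if name.startswith("on") or attr_value.strip().lower().startswith("javascript:"):
            violations.add(f"attr:{name}")
    return sorted(violations)


def inspect_form(fields, allowed=ALLOWED_TAGS):
    """Inspect every field of a submitted form; returns ('allow'|'block', {field: violations})."""
    report = {name: check_xss(value, allowed) for name, value in fields.items()}
    report = {name: v for name, v in report.items() if v}
    return ("block" if report else "allow", report)


if __name__ == "__main__":
    print(inspect_form({"title": "Lamp", "desc": "<i>nice</i>"}))
    print(inspect_form({"desc": "<script>alert(1)</script>"}))
```

html.parser lowercases tag and attribute names, so the allow list comparison is case-insensitive without extra work; the parser also tolerates the malformed markup a real field value may contain.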
Protects against CSRF attacks by checking if the referer header is coming from an authorized site.
Citrix Application Firewall enforces Entry Points, then remembers all of the URLs presented to the user in HTML in a particular session and only allows the user to go to those URLs.
No one else can do this dynamic URL closure without a large performance hit.
Citrix Application Firewall also provides dedicated defenses against buffer overflow attacks targeting the application, the application platform, or the underlying operating system.
Buffer overflow attacks are among the most common application-layer exploits. (Code Red and Nimda are well-known examples). They attempt to overflow an input buffer with excessive data. Successfully executed, the hacker can run a remote shell on the machine and gain the same system privileges granted to the application being attacked.
Citrix Application Firewall performs a deep stream inspection on all HTTP traffic to block buffer overflows anywhere in a client request.
Cookie tampering is another type of application exploit that is defeated with the positive security model. Citrix Application Firewall prevents attackers from modifying server-issued cookies to hijack the sessions of legitimate users or steal user credentials. Any client request that includes a cookie that has been modified illegally is automatically rejected by Citrix Application Firewall.
Decrypt-only option: handles transition cases where cookie encryption has been turned off but persistent cookies that were set and encrypted while it was on may still arrive.
To encrypt a single server cookie, a PI encryption policy can be used as an alternative means of achieving this.
Session only: only non-persistent cookies are stored in the App Firewall session. Persistent cookies (those with an Expires attribute) are forwarded to the client.
Only the App Firewall session cookie is sent to the user; the application's session cookies are not set in the user's browser. When the user submits a request, the appropriate cookies, selected by path and domain, are inserted into the request before it is forwarded to the server.
If any session (non-persistent) cookie does need to reach the user, add an exception for that cookie name.
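The cookie consistency check and the session-only cookie proxying just described, as one added example written for this page (not Citrix code). Non-persistent server cookies are kept in the firewall's session store and only an appliance session cookie reaches the browser; cookies that are forwarded (persistent ones and the exception list) are signed with an HMAC so that a modified value is rejected on the way back. The cookie name `appfw_session`, the exception list and the HMAC scheme are assumptions for the example.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

# Assumed values, constructed for this example (names are not NetScaler's).
APPLIANCE_KEY = secrets.token_bytes(32)
SESSION_COOKIE = "appfw_session"     # the only cookie the client receives in session-only mode
EXCEPTIONS = {"theme"}               # session cookies that must still reach the browser


class Session:
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.store = {}      # proxied session cookies: name -> (value, path)
        self.signed = {}     # forwarded cookies: name -> signature for the consistency check


def signature(session, name, value):
    msg = f"{session.id}|{name}|{value}".encode()
    return hmac.new(APPLIANCE_KEY, msg, hashlib.sha256).hexdigest()


def outbound(session, set_cookie_headers):
    """Server -> client: proxy non-persistent cookies, forward persistent ones (signed)."""
    to_client = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            persistent = bool(morsel["expires"] or morsel["max-age"])
            if persistent or name in EXCEPTIONS:
                session.signed[name] = signature(session, name, morsel.value)
                to_client.append(morsel.OutputString())
            else:
                session.store[name] = (morsel.value, morsel["path"] or "/")
    # The browser always gets the App Firewall session cookie in place of the proxied ones.
    to_client.append(f"{SESSION_COOKIE}={session.id}; Path=/; HttpOnly")
    return to_client


def inbound(session, cookie_header, path="/"):
    """Client -> server: verify session and consistency, then re-insert proxied cookies."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if SESSION_COOKIE not in jar or not hmac.compare_digest(
        jar[SESSION_COOKIE].value.encode(), session.id.encode()
    ):
        return ("block", "missing or unknown App Firewall session cookie")
    to_server = []
    for name, morsel in jar.items():
        if name == SESSION_COOKIE:
            continue
        expected = session.signed.get(name)
        actual = signature(session, name, morsel.value)
        if expected is None or not hmac.compare_digest(expected.encode(), actual.encode()):
            return ("block", f"cookie {name} was modified or never issued by the server")
        to_server.append(f"{name}={morsel.value}")
    for name, (value, cookie_path) in session.store.items():
        if path.startswith(cookie_path):
            to_server.append(f"{name}={value}")
    return ("allow", "; ".join(to_server))


if __name__ == "__main__":
    s = Session()
    print(outbound(s, ["JSESSIONID=abc123; Path=/; HttpOnly", "prefs=dark; Max-Age=86400; Path=/"]))
    print(inbound(s, f"appfw_session={s.id}; prefs=dark", "/account"))
    print(inbound(s, f"appfw_session={s.id}; prefs=light"))
```

Because the application's own session cookie never leaves the appliance, a tampered or stolen value for it cannot be presented by a client at all; only the forwarded cookies need the signature check.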
Protects against CSRF attacks by checking if the request contains the unique ID provided by NetScaler.
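An added example, written for this page rather than taken from Citrix, of the three session-bound checks described above: the Referer check, the unique ID that every form is tagged with and verified on submit, and dynamic URL closure (links and form actions seen in a session's pages become the only URLs that session may request). The hidden field name `csrf_token`, the trusted host list, the start URLs and the HMAC-based token construction are assumptions for the example.

```python
import hmac
import hashlib
import re
import secrets
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed values, constructed for this example.
APPLIANCE_KEY = secrets.token_bytes(32)      # stays on the appliance, never sent to clients
TRUSTED_HOSTS = {"www.site.com"}             # Referer hosts accepted for state-changing requests
TOKEN_FIELD = "csrf_token"                   # hidden field name (assumed, not NetScaler's)
START_URLS = {"/", "/login"}                 # entry points always allowed
UNSAFE_METHODS = {"POST", "PUT", "DELETE"}


class Session:
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.allowed_urls = set(START_URLS)    # URL closure: paths presented in this session


class LinkCollector(HTMLParser):
    """Gathers link targets and form actions from a server response."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])


def form_token(session, action_path):
    """Unique ID bound to the session and the form's target; recomputed on submit."""
    msg = f"{session.id}|{action_path}".encode()
    return hmac.new(APPLIANCE_KEY, msg, hashlib.sha256).hexdigest()


FORM_TAG = re.compile(r"<form\b[^>]*>", re.I)
ACTION_ATTR = re.compile(r"""action\s*=\s*["']?([^"'\s>]+)""", re.I)


def process_response(session, html):
    """Learn the page's URLs for closure and tag every form with a session-bound token."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    for url in collector.urls:
        session.allowed_urls.add(urlparse(url).path)

    def tag_form(match):
        m = ACTION_ATTR.search(match.group(0))
        action_path = urlparse(m.group(1)).path if m else "/"
        token = form_token(session, action_path)
        return match.group(0) + f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'

    return FORM_TAG.sub(tag_form, html)


def referer_trusted(headers):
    ref = headers.get("Referer")
    return bool(ref) and urlparse(ref).hostname in TRUSTED_HOSTS


def check_request(session, method, url, headers, body=""):
    """Returns ('allow', '') or ('block', reason)."""
    path = urlparse(url).path
    if path not in session.allowed_urls:
        return ("block", "url closure")
    if method in UNSAFE_METHODS:
        if not referer_trusted(headers):
            return ("block", "referer")
        sent = parse_qs(body).get(TOKEN_FIELD, [""])[0]
        if not hmac.compare_digest(sent.encode(), form_token(session, path).encode()):
            return ("block", "csrf token")
    return ("allow", "")


if __name__ == "__main__":
    s = Session()
    page = '<a href="/cart">cart</a><form action="/checkout" method="post"><input name="qty"></form>'
    print(process_response(s, page))
    print(check_request(s, "POST", "/checkout", {"Referer": "http://www.site.com/cart"}, "qty=1"))
```

The token is derived from the session id and the form's action with a keyed hash, so nothing needs to be stored per form and a token lifted from one form cannot be replayed against another action or another session.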
Citrix Application Firewall form field protection is a good example of the positive security model in action. Many Web applications use forms for collecting customer information and interacting with users. Each form field is a potential attack vector. Hackers may try to inject malicious code or bad data into the application in an attempt to exploit an application’s inability to validate inputs.
Citrix Application Firewall provides comprehensive checks on form field inputs. It does this for each form and for each user session. This prevents a hacker from manipulating data in read-only or hidden form fields, and ensures that no elements of the form are tampered with.
Because the entire form is locked down, it prevents hackers from utilizing application forms to inject malicious code.
XML schemas are used to enforce proper data types on incoming XML payloads. This offers enhanced security. In addition, Schema validation can be expensive to perform on the servers. Offloading this to the NetScaler offers a significant boost in application performance.
Source NAT on a load balancer (F5) in front of the WAF (Citrix):
- From a security perspective, the client IP is lost, which makes forensics hard if there is an alert.
- Workaround: log the connection and translate through the load balancer's NAT table; logs could be obtained from the LB for a duration of a week.
- The source port needs to be in the WAF syslog so records can be correlated on time stamp.
- Want to put the source port into the ArcSight feed.
Use case: multiple boxes in the customer network, with source NAT from a third-party load balancer in front of the NetScaler AppFW. Track the client with log information that includes the source port and correlate with time stamps.
Note that the source port is logged, which gives extra traceability.
Chunking occurs regularly when the server is returning a large volume of data.
The client is not told the total size of the response in the first chunk.
Requests, by contrast, are often tiny in size.
One of the most powerful capabilities of Citrix Application Firewall is business object protection. Business object protection prevents the unauthorized and inadvertent leakage of sensitive customer or corporate information, such as
Credit card numbers (via the SAFE Commerce module)
Customer-defined data objects (via the SAFE Object module). SAFE Object can protect social security numbers, driver's licenses, account numbers, passwords, patient ID numbers and other defined data objects.
If a sensitive data object is detected in a server response, the Application Firewall can either block the page, strip the object or mask the object.
Application Firewall delivers a last line of defense against information leakage. It ensures that no information is sent from the Web server that would compromise customer data and result in potential identity theft.
Citrix Business Object Protection modules are ideal for achieving regulatory compliance with Gramm-Leach-Bliley, the California Database Breach Act, and other privacy mandates.
XML Denial of Service protection defends servers from malicious XML payloads by enforcing limits on the XML payload structure. This includes limits on the lengths of attributes and element names, the size of the payload, and so on; each of the limits can be set independently.
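An added example, written for this page and not Citrix code, of enforcing such structural limits with a streaming parser, so that the payload is rejected at the first violation instead of being built in memory first. It also covers the entity expansion protection listed earlier by refusing any entity declaration. The limit values and the "reject all entity declarations" policy are assumptions for the example.

```python
import xml.parsers.expat

# Assumed limits, constructed for this example; each is tunable independently.
LIMITS = {
    "max_payload_bytes": 1_000_000,
    "max_depth": 16,
    "max_element_name": 64,
    "max_attrs_per_element": 32,
    "max_attr_value": 256,
}


class XmlLimitError(Exception):
    """Raised from inside an expat callback to stop parsing at the first violation."""


def check_xml(payload, limits=LIMITS):
    """Return ('allow', '') or ('block', reason) for an XML request or response body."""
    if len(payload) > limits["max_payload_bytes"]:
        return ("block", "payload too large")
    depth = 0
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > limits["max_depth"]:
            raise XmlLimitError("element nesting too deep")
        if len(name) > limits["max_element_name"]:
            raise XmlLimitError("element name too long")
        if len(attrs) > limits["max_attrs_per_element"]:
            raise XmlLimitError("too many attributes")
        for value in attrs.values():
            if len(value) > limits["max_attr_value"]:
                raise XmlLimitError("attribute value too long")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def entity_decl(*_):
        # Entity expansion protection: no internal or external entity declarations at all.
        raise XmlLimitError("entity declaration rejected")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(payload, True)
    except XmlLimitError as err:
        return ("block", str(err))
    except xml.parsers.expat.ExpatError as err:
        return ("block", f"malformed XML: {err}")
    return ("allow", "")


if __name__ == "__main__":
    print(check_xml(b"<order><item id='1'>x</item></order>"))
    print(check_xml(b"<a>" * 20 + b"x" + b"</a>" * 20))
    print(check_xml(b"<!DOCTYPE a [<!ENTITY l0 'lol'>]><a>&l0;</a>"))
```

Checking in the parser callbacks matters: a depth or entity limit applied after the document has been fully parsed would already have spent the memory and CPU the limit is meant to protect.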
AppExpert Templates encapsulate the entire NetScaler configuration (the application components that NetScaler is optimizing, as well as the configuration settings and policies) for a specific application into one logical “view.” Ongoing changes to configuration and policies can also be made from this view.
AppExpert Templates can be imported and exported, enabling customers to load complete NetScaler configurations for optimization of specific applications within minutes. Import/export also makes it easy to share application-specific configuration within and between organizations, and to move app-specific configurations between different systems.
There is a specific template for SharePoint and Web Interface available for AppFW.
A powerful feature is the URL transform feature. This module leverages the underlying App firewall infrastructure to determine URLs in the request/ response and can transform them using a flexible regular expression syntax.
There are a number of ways folks have told us they are going to use AppExpert rate controls. Straight-up rate limiting (e.g., DNS rate-limiting, or limiting traffic originating from a single subnet) is one example. Ensuring a given resource (e.g., anything from a VServer to a specific URL) isn't overwhelmed is another. Two specific examples are:
One customer allows some of its partners to scrape its website so the partners can republish content on their own sites. However, the customer wants to ensure that overly aggressive scraping by the partners doesn’t overwhelm the website and degrade the site’s performance. AppExpert rate controls can be used to limit how much scraping each partner can do. This same approach could be used to ensure that websites that publish APIs -- so that partners can do mashups, for example -- aren’t overwhelmed by any particular partner’s use of the API.
Another example is a customer that was having problems with a couple of users FTPing a few too many large files at the same time. By using AppExpert rate controls to build an expression around bandwidth consumed per sourceIP, they can drop any additional FTP requests coming from a sourceIP (aka a user) that already has too much FTP activity. A more generalized use could also do something along the lines of limiting the amount of concurrent file downloading for a given SharePoint site, to ensure that downloads don’t drown out other SharePoint (or other application) activity.
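The two use cases above, as an added example written for this page (it is not AppExpert's own expression language or Citrix code): a per-key token bucket that limits request rate or bandwidth per partner or source IP, and a concurrency cap for long-running transfers such as downloads. The rates, burst sizes, and the constructed partner request log are assumptions; a fake clock is injected so the run is deterministic.

```python
import time
from collections import defaultdict


class FakeClock:
    """Injectable clock so the example runs deterministically (constructed for the example)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RateLimiter:
    """Token bucket per key. The key can be a source IP, a subnet, a VServer name or a URL;
    cost is 1 per request, or the bytes of a transfer when limiting bandwidth."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock
        self.buckets = {}   # key -> (tokens, last_refill_time)

    def allow(self, key, cost=1.0):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last call
        if tokens >= cost:
            self.buckets[key] = (tokens - cost, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


class ConcurrencyLimiter:
    """Caps simultaneous transfers per key (e.g. concurrent downloads per SharePoint site)."""

    def __init__(self, max_active):
        self.max_active = max_active
        self.active = defaultdict(int)

    def begin(self, key):
        if self.active[key] >= self.max_active:
            return False
        self.active[key] += 1
        return True

    def end(self, key):
        self.active[key] = max(0, self.active[key] - 1)


# Constructed partner-scraper request log: (time in seconds, partner, URL).
SAMPLE_REQUESTS = [
    (0.0, "partnerA", "/products/1"),
    (0.1, "partnerA", "/products/2"),
    (0.2, "partnerA", "/products/3"),
    (0.2, "partnerB", "/products/1"),
    (1.0, "partnerA", "/products/4"),
]


def apply_scraper_policy(requests, clock, per_partner_rps=2.0, burst=2):
    """Replay a request log through a per-partner limiter; returns (partner, allowed) pairs."""
    limiter = RateLimiter(per_partner_rps, burst, clock)
    decisions = []
    for t, partner, _url in requests:
        clock.now = t
        decisions.append((partner, limiter.allow(partner)))
    return decisions


if __name__ == "__main__":
    for partner, allowed in apply_scraper_policy(SAMPLE_REQUESTS, FakeClock()):
        print(partner, "allowed" if allowed else "dropped")
```

Keying the bucket on the partner (or the source IP for the FTP case) means one aggressive consumer exhausts only its own budget; other partners keep their full rate, which is the point of the customer scenarios above.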
Authentication is commonly deployed in web applications. NetScaler includes a feature to perform authentication and authorization for application traffic. It builds on the existing AG-EE infrastructure available on all NetScaler platforms and makes it available for regular load-balanced traffic. All standard authentication schemes and directory stores are supported. This feature is not specific to the application firewall.
Tune signatures
Set non-blocking mode
Send traffic
Leverage logs, stats and learning to narrow the signature list and to tune the block, log and stat settings
The application visualizer has been enhanced to quickly detect and resolve config drifts. You can also view detailed stats and overlay stats.
Logging and Auditing Capabilities:
Syslog
Nslog
Ability to log the following:
Login information
Logout information
Access failures
TCP statistics
UDP statistics
HTTP information
System events (device up/down)