FAQs and Deployment Guide
NETSCALER - A STAND ALONE PRODUCT - CLOUD SOFTWARE GROUP.
Documentation - Technical Part 5
With the following features, the NetScaler Web App Firewall offers a comprehensive security solution:
- Hybrid security model: NetScaler hybrid security model allows organizations to take advantage of both a positive security model and a negative security model to come up with a configuration ideally suited for the required applications.
- Positive security model protects against Buffer Overflow, CGI-BIN Parameter Manipulation, Form/Hidden Field Manipulation, Forceful Browsing, Cookie or Session Poisoning, Broken ACLs, Cross-Site Scripting (cross-site scripting), Command Injection, SQL Injection, Error Triggering Sensitive Information Leak, Insecure Use of Cryptography, Server Misconfiguration, Back Doors and Debug Options, Rate-Based Policy Enforcement, Well Known Platform Vulnerabilities, Zero-Day Exploits, Cross Site Request Forgery (CSRF), and leakage of Credit Card and other sensitive data.
- Negative security model uses a rich set signature to protect against L7 and HTTP application vulnerabilities. The Web App Firewall is integrated with several third-party scanning tools, such as those offered by Cenzic, Qualys, Whitehat, and IBM. The built-in XSLT files allow easy importation of rules, which can be used in conjunction with the native-format Snort based rules. An auto-update feature gets the latest updates for new vulnerabilities.
The positive security model might be the preferred choice for protecting applications that have a high need for security, because it gives the option to fully control who can access what data. This allows only what is wanted and block the rest.
This model includes a built-in security check configuration, which is deployable with few clicks. However, keep in mind that the tighter the security, the greater the processing overhead. The negative security model might be preferable for customized applications.
The signatures allowed to combine multiple conditions, and a match and the specified action are triggered only when all the conditions are satisfied. Block only what is not wanted and allow the rest. A specific fast-match pattern in a specified location can significantly reduce processing overhead to optimize performance. The option to add the company's own signature rules, based on the specific security needs of the applications, gives the flexibility to design customized security solutions.
- Request as well as response side detection and protection: Inspect the incoming requests to detect any suspicious behavior and take appropriate actions and can check the responses to detect and protect against leakage of sensitive data.
- Rich set of built-in protections for HTML, XML and JSON payloads: The Web App Firewall offers 19 different security checks. Six of them (such as Start URL and Deny URL) apply to both HTML and XML data. Five checks (such as Field Consistency and Field Format) are specific to HTML, and eight (such as XML Format and Web Service Interoperability) are specific to XML payloads. This feature includes a rich set of actions and options. For example, URL Closure enables control and optimize the navigation through a website, to safeguard against forceful browsing without having to configure relaxation rules to allow each and every legitimate URL. If the option to remove or x-out the sensitive data, such as credit-card numbers, in the response. Be it SOAP Array attack protection, XML denial of Service (XDoS), WSDL scan prevention, Attachment check, or any number of other XML attacks, have the comfort of knowing that the company has an ironclad shield protecting data when the applications are protected by the Web App Firewall. The signatures allow to configure rules using XPATH-Expressions to detect violations in the body as well as the header of a JSON payload.
- GWT: Support for protecting Google Web Toolkit applications to safeguard against SQL, cross-site scripting and Form Field Consistency check violations.
- Java-free, user friendly graphical user interface (GUI): An intuitive GUI and preconfigured security checks make it easy to deploy security by clicking a few buttons. A wizard prompts and offers guides to create the required elements, such as profiles, policies, signatures, and bindings. The HTML5 based GUI is free of any Java dependency. It’s performance is significantly better than that of the older, Java based versions.
- Easy to Use and automatable CLI: Most of the configuration options that are available in GUI are also available in the command line interface (CLI). The CLI commands can be executed by a batch file and are easy to automate.
- Support for REST API: The NetScaler NITRO protocol supports a rich set of REST API’s to automate Web App Firewall configuration and collect pertinent statistics for ongoing monitoring of security violations.
- Learning: The Web App Firewall’s ability to learn by monitoring traffic to fine tune security is very user friendly. The learning engine recommends rules, which makes it easy to deploy relaxations without proficiency in regular expressions.
- RegEx editor support: Regular expression offer an elegant solution to the dilemma of wanting to consolidate rules and yet optimize search. Companies can capitalize on the power of regular expressions to configure URLs, field names, signature patterns, and so on. The rich built-in GUI RegEx editor offers a quick reference for the expressions and provides a convenient way to validate and test your RegEx for accuracy.
- Customized error page: Blocked requests can be redirected to an error URL. There is also have the option to display a customized error object that uses supported variables and NetScaler advanced policy (advanced PI expressions) to embed troubleshooting information for the client.
- PCI-DSS, stats, and other violation reports: The rich set of reports makes it easy to meet the PCI-DSS compliance requirement, gather stats about traffic counters, and view violation reports for all profiles or just one profile.
- Logging and click-to-rule from log: Detailed logging is supported for native as well as CEF format. The Web App Firewall offers you the ability to filter targeted log messages in the syslog viewer. You can select a log message and deploy a corresponding relaxation rule by a simple click of a button. You have the flexibility to customize log messages and also have support for generating web logs. For additional details, see Web App Firewall Logs topic.
- Include violation logs in trace records: The ability to include log messages in the trace records makes it very easy to debug unexpected behavior such as reset and block.
- Cloning: The useful Import/Export profile option allows you to clone the security configuration from one NetScaler appliance to others. Export learned data options make it easy to export the learned rules to an Excel file. You can then get them reviewed and approved by application owner before applying them.
- An AppExpert template (a set of configuration settings) can be designed to provide appropriate protection for your websites. It can simplify and expedite the process of deploying similar protection on other appliances by exporting these cookie-cutter templates to a template.
For additional details, see AppExpert template topic.
- Session less security checks: Deploying session less security checks can help reduce the memory footprint and expedite the processing.
- Interoperability with other NetScaler features: The Web App Firewall works seamlessly with other NetScaler features, such as rewrite, URL transformation, integrated caching, CVPN, and rate limiting.
- Support of PI expressions in policies: Which can leverage the power of advanced PI expressions to design policies to implement different levels of security for different parts of the application.
- Support for IPv6: The Web App Firewall supports both IPv4 and IPv6 protocols.
- Geolocation based security protection: Offers flexibility of using NetScaler advanced policy (PI Expressions) for configuring location based policies, which can be used in conjunction with a built-in location database to customize firewall protection. It can identify the locations from which malicious requests originate and enforce the desired level of security-check inspections for requests that originate from a specific geographical location.
- Performance: Request-side streaming significantly improves performance. As soon as a field is processed, the resulting data is forwarded to the back end while evaluation continues for the remaining fields. The improvement in processing time is especially significant when handling large posts.
- Other security features: The Web App Firewall has several other security settings that can help ensure the security of your data. For example, the Confidential Field allows to block leakage of sensitive information in the log messages, and Strip HTML Comment allows the removal of the HTML comments from the response before forwarding it to the client. Field Types can be used to specify what inputs are allowed in the forms submitted to your application.
Q: What do I need to do to configure Web App Firewall?
Do the following:
- Add an Web App Firewall profile and select the appropriate type (html, xml, web2.0) for the security requirements of the application.
- Select the required level of security (basic or advanced).
- Add or import the required files, such as signatures or WSDL.
- Configure the profile to use the files, and make any other necessary changes to the default settings.
- Add an Web App Firewall policy for this profile.
- Bind the policy to the target bind point and specify the priority.
Q: How do I know what profile type to choose?
The Web App Firewall profile offers protection for both HTML and XML payloads. Depending on the need of your application, you can choose either a HTML profile or XML profile. If your application supports both HTML and XML data, you can choose a Web2.0 profile.
Q: What is the difference between basic and advanced profiles? How do I decide which one I need?
The decision to use a basic or an advance profile depends on the security need of your application. A basic profile includes a preconfigured set of Start URL and Deny URL relaxation rules. These relaxation rules determine which requests are allowed and which are denied. Incoming requests are matched with the preconfigured rules, and the configured actions are applied. The user can secure applications with minimal configuration of relaxation rules. The Start URL rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-Site Scripting can also be easily detected.
As the name indicates, advanced protections are for applications that have higher security requirements. Relaxation rules are configured to allow access to only specific data and block the rest. This positive security model mitigates unknown attacks, which might not be detected by basic security checks. In addition to all the basic protections, an advanced profile keeps track of a user session by controlling the browsing, checking for cookies, specifying input requirements for various form fields, and protecting against tampering of forms or Cross-Site Request Forgery attacks. Learning, which observes the traffic and recommends the appropriate relaxations, is enabled by default for many security checks. Although easy to use, advanced protections require due consideration, because they offer tighter security but also require more processing. Some advance security checks do not allow use of caching, which can affect performance.Keep the following points in mind when deciding whether to use basic or advanced profiles:
- Basic and advanced profiles are just starting templates. You can always modify the basic profile to deploy advanced security features, and vice versa.
- Advanced security checks require more processing and can affect performance. Unless your application needs advanced security, you might want to start with a basic profile and tighten the security as required for your application.
- You do not want to enable all security checks unless your application needs it.
Q: What is a policy? How do I select the bind point and set the priority?
Web App Firewall policies can help you sort your traffic into logical groups for configuring different levels of security implementation. Carefully select the bind points for the policies to determine which traffic is matched against which policy. For example, if you want every incoming request to be checked for SQL/cross-site scripting attacks, you can create a generic policy and bind it globally. Or, if you want to apply more stringent security checks to the traffic of a virtual server hosting applications that contain sensitive data, you can bind a policy to that virtual server.
Careful assignment of priorities can enhance the traffic processing. You want to assign higher priorities to more specific policies and lower priorities to generic policies. Note that the higher the number, the lower the priority. A policy with a priority of 10 is evaluated before a policy that has a priority of 15.You can apply different levels of security for different kinds of contents, e.g. requests for static objects like images and text can be by-passed by using one policy and requests for other sensitive contents can be subjected to a much stringent check by using a second policy.
Q: How do I go about configuring the rules to secure my application?
The Web App Firewall makes it very easy to design the right level of security for your web-site. You can have multiple Web App Firewall policies, bound to different Web App Firewall profiles, to implement different levels of security-check inspections for your applications. You can initially monitor the logs to observe what security threats are being detected and which violations are being triggered. You can either manually add the relaxation rules or take advantage of the Web App Firewall’s recommended learned rules to deploy the required relaxations to avoid false positives.
The NetScaler Web App Firewall offers visualizer support in GUI, which makes rule management very easy. You can easily view all the data on one screen, and take action on several rules with one click. The biggest advantage of the visualizer is that it recommends regular expressions to consolidate several rules. You can select a subset of the rules, basing your selection on the delimiter and Action URL.
Visualizer support is available for viewing 1) learned rules and 2) relaxation rules.
- The visualizer for learned rules offers the option to edit the rules and deploy them as relaxations. You can also skip (ignore) rules.
- The visualizer for deployed relaxations offers you the option to add a new rule or edit an existing one. You can also enable or disable a group of rules by selecting a node and clicking the Enable or Disable button in the relaxation visualizer.
Q: What are signatures? How do I know which signatures to use?
A signature is an object that can have multiple rules. Each rule consists of one or more patterns that can be associated with a specified set of actions. The Web App Firewall has a built-in default signature object consisting of more than 1,300 signature rules, with an option to get the latest rules by using the auto-update feature to get protection against new vulnerabilities. Rules created by other scan tools can also be imported.
Signatures are very powerful because they use pattern matching to detect malicious attacks and can be configured to check both the request and the response of a transaction. They are a preferred option when a customizable security solution is needed. Multiple action choices (for example, block, log, learn, and transform) are available for when a signature match is detected. The default signatures cover rules to protect different types of applications, such as web-cgi, web-coldfusion, web-frontpage, web-iis, web-php, web-client, web-activex, web-shell-shock, and web-struts. To match the needs of your application, you can select and deploy the rules belonging to a specific category.
- You can just make a copy of the default signature object and modify it to enable the rules you need and configure the actions you want.
- The signature object can be customized by adding new rules, which can work in conjunction with other signature rules.
- The signature rules can also be configured to work in conjunction with the security checks specified in the Web App Firewall profile. If a match indicating a violation is detected by a signature as well as a security check, the more restrictive action is the one that gets enforced.
- A signature rule can have multiple patterns and be configured to flag a violation only when all the patterns are matched, thereby avoiding false positives.
- Careful selection of a literal fast-match pattern for a rule can significantly optimize processing time.
Q: Does the Web App Firewall work with other NetScaler features?
The Web App Firewall is fully integrated into the NetScaler appliance and works seamlessly with other features. You can configure maximum security for your application by using other NetScaler security features in conjunction with the Web App Firewall.
For example, AAA-TM can be used to authenticate the user, check the user’s authorization to access the content, and log the accesses, including invalid login attempts.
Rewrite can be used to modify the URL or to add, modify or delete headers, and Responder can be used to deliver customized content to different users. You can define the maximum load for your website by using Rate Limiting to monitor the traffic and throttle the rate if it is too high.
HTTP Denial-of-Service (DoS) protection can help distinguish between real HTTP clients and malicious DoS clients. You can narrow the scope of security-check inspection by binding the Web App Firewall policies to virtual servers, while still optimizing the user experience by using the Load Balancing feature to manage heavily used applications. Requests for static objects such as images or text can bypass security check inspection, taking advantage of integrated caching or compression to optimize the bandwidth usage for such content.
Q: How is the payload processed by the Web App Firewall and the other NetScaler features?
A diagram showing details of the L7 packet flow in a NetScaler appliance is available in the Processing Order of Features section.
Q: What is the recommended workflow for Web App Firewall deployment?
Now that you know the advantages of using the state-of-the-art security protections of the NetScaler Web App Firewall, you might want to collect additional information that can help you design the optimal solution for your security needs. Citrix recommends that you do the following:
- Know your environment: Knowing your environment will help you to identify the best security protection solution (signatures, security checks, or both) for your needs. Before you begin configuration, you must gather the following information.
- OS: What kind of OS (MS Windows, Linux, BSD, Unix, others) do you have?
- Web Sever: What web server (IIS, Apache or NetScaler Enterprise Server) are you running?
- Application: What type of applications are running on your application server (for example, ASP.NET, PHP, Cold Fusion, ActiveX, FrontPage, Struts, CGI, Apache Tomcat, Domino, and WebLogic)?
- Do you have customized applications or off-the-shelf (for example, Oracle, SAP) applications? What version you are using?
- SSL: Do you require SSL? If so, what key size (512, 1024, 2048, 4096) is used for signing certificates?
- Traffic Volume: What is the average traffic rate through your applications? Do you have seasonal or time-specific spikes in the traffic?
- Server Farm: How many servers do you have? Do you need to use load balancing?
- Database: What type of database (MS-SQL, MySQL, Oracle, Postgres, SQLite, nosql, Sybase, Informix and so forth.) do you use?
- DB Connectivity: What kind of data base connectivity do you have (DSN, per-file connection string, single file connection string) and what drivers are used?
- Identify your security needs: You might want to evaluate which applications or specific data need maximum security protection, which ones are less vulnerable, and the ones for which security inspection can safely be bypassed. This will help you in coming up with an optimal configuration, and in designing appropriate policies and bind points to segregate the traffic. For example, you might want to configure a policy to bypass security inspection of requests for static web content, such as images, MP3 files, and movies, and configure another policy to apply advanced security checks to requests for dynamic content. You can use multiple policies and profiles to protect different contents of the same application.
- License requirement: NetScaler offers a unified solution to optimize the performance of your application by taking advantage of a rich set of features such as load balancing, content switching, caching, compression, responder, rewrite, and content filtering, to name a few. Identifying the features that you want can help you decide which license you need.
- Install and baseline a NetScaler appliance: Create a virtual server and run test traffic through it to get an idea of the rate and amount of traffic flowing through your system. This information will help you to identify your capacity requirement and select the right appliance (VPX, MPX, or SDX).
- Deploy the Web App Firewall: Use the Web App Firewall wizard to proceed with a simple security configuration. The wizard walks you through several screens and prompts you to add a profile, policy, signature, and security checks.
- Profile: Select a meaningful name and the appropriate type (HTML, XML or WEB 2.0) for your profile. The policy and signatures will be auto-generated using the same name.
- Policy: The auto-generated policy has the default Expression (true), which selects all traffic and is bound globally. This is a good starting point unless you have in mind a specific policy that you want to use.
- Protections: The wizard helps you take advantage of the hybrid security model, in which you can use the default signatures offering a rich set of rules to protect different types of applications. Simple edit mode allows you to view the various categories (CGI, Cold Fusion, PHP, and so forth.). You can select one or more categories to identify a specific set of rules applicable to your application. Use the Action option to enable all the signature rules in the selected categories. Make sure that blocking is disabled, so that you can monitor the traffic before tightening the security. Click Continue. In the Specify Deep protections pane, you can make changes as needed to deploy the security check protections. In most cases, basic protections are sufficient for initial security configuration. Run the traffic for a while to collect a representative sample of the security-inspection data.
- Tightening the security: After deploying Web App Firewall and observing the traffic for a while, you can start tightening the security of your applications by deploying relaxations and then enabling blocking. Learning, Visualizer, and Click to deploy rules are useful features that make it very easy to tweak your configuration to come up with just the right level of relaxation. At this point, you can also change the policy expression and/or configure additional policies and profiles to implement desired levels of security for different types of content.
- Debugging: If you see unexpected behavior of your application, the Web App Firewall offers various options for easy debugging:
- Log. If legitimate requests are getting blocked, your first step is to check the ns.log file to see if any unexpected security-check violation is being triggered.
- Disable feature. If you do not see any violations but are still seeing unexpected behavior, such as an application resetting or sending partial responses, you can disable the Web App Firewall feature for debugging. If the issue persists, it rules out the Web App Firewall as a suspect.
- Trace records with log messages. If the issue appears to be Web App Firewall related and needs closer inspection, you have the option to include security violation messages in an nstrace. You can use “Follow TCP stream” in the trace to view the details of the individual transaction, including headers, payload, and the corresponding log message, together on the same screen. Details of how to use this functionality are available at Appendixes.