Citrix Application Firewall Guide. Citrix NetScaler 9.2


Copyright and Trademark Notice

CITRIX SYSTEMS, INC., ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.

ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.

CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:

- Move the NetScaler equipment to one side or the other of your equipment.
- Move the NetScaler equipment farther away from your equipment.
- Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement:

Copyright 1998 Carnegie Mellon University. All rights reserved.
Copyright David L. Mills 1993,
Copyright 1992, 1993, 1994, 1997 Henry Spencer.
Copyright Jean-loup Gailly and Mark Adler.
Copyright 1999, 2000 by Jef Poskanzer. All rights reserved.
Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved.
Copyright 1982, 1985, 1986, , 1993 Regents of the University of California. All rights reserved.
Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved.
Copyright UNIX System Laboratories, Inc.
Copyright 2001 Mark R V Murray.
Copyright Eric Young.
Copyright 1995,1996,1997,1998. Lars Fenneberg.
Copyright Livingston Enterprises, Inc.
Copyright 1992, 1993, 1994, The Regents of the University of Michigan and Merit Network, Inc.
Copyright , RSA Data Security, Inc. Created
Copyright 1998 Juniper Networks, Inc. All rights reserved.
Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved.
Copyright (c) 2002 Networks Associates Technology, Inc.
Copyright The Open LDAP Foundation. All Rights Reserved.
Copyright 1999 Andrzej Bialecki. All rights reserved.
Copyright 2000 The Apache Software Foundation. All rights reserved.
Copyright (C) Robert A. van Engelen, Genivia inc. All Rights Reserved.
Copyright (c) University of Cambridge. All rights reserved.
Copyright (c) David Greenman.
Copyright (c) 2001 Jonathan Lemon. All rights reserved.
Copyright (c) 1997, 1998, Bill Paul. All rights reserved.
Copyright (c) Matt Thomas. All rights reserved.
Copyright 2000 Jason L. Wright.
Copyright 2000 Theo de Raadt.
Copyright 2001 Patrik Lindergren. All rights reserved.

Last Updated: July 2010

CONTENTS

Preface
    About This Guide
    New in This Release
    Audience
    Formatting Conventions
    Related Documentation
    Getting Service and Support
    Documentation Feedback

Chapter 1 Introduction
    What is the Application Firewall?
    What the Application Firewall Does
    How the Application Firewall Works
    The Application Firewall Platform
    The Application Firewall on a Network
    The User Interfaces
    The Citrix NetScaler Command Line Interface
    The Citrix NetScaler Configuration Utility

Chapter 2 Installation
    Planning the Installation
    Installing the Server
    The Citrix NetScaler
    The Citrix NetScaler
    The Citrix NetScaler
    The Citrix NetScaler
    The Citrix NetScaler MPX
    The Citrix NetScaler MPX
    Performing Initial Configuration
    Using the Configuration Utility
    Using the Citrix NetScaler Command Line Interface

Chapter 3 Simple Configuration
    Enabling the Application Firewall
    Creating and Configuring a Profile
    Creating and Configuring Policies
    Binding Policies

Chapter 4 Profiles
    About Application Firewall Profiles
    The Built-In Profiles
    User-Created Profiles
    Creating, Configuring, and Deleting Profiles
    Configuring the Security Checks
    Common Security Checks
    HTML Security Checks
    XML Security Checks
    Configuring the Security Checks with the Configuration Utility
    Configuring the Security Checks at the NetScaler Command Line
    Configuring the Profile Settings
    Configuring the Profile Settings by Using the Configuration Utility
    Configuring the Profile Settings at the NetScaler Command Line
    Configuring the Learning Feature

Chapter 5 Policies
    An Overview of Policies
    Configuring Policies
    Globally Binding a Policy

Chapter 6 Imports
    Creating a Custom Settings File
    Exporting the Default Custom Settings File
    Editing the Custom Settings File
    Importing Configuration Files

Chapter 7 Global Configuration
    The Engine Settings
    Cookie Name
    Session Timeout
    Maximum Session Lifetime
    Logging Header Name
    Undefined Profile
    Default Profile
    Import Size Limit
    Confidential Fields
    Field Types

Chapter 8 The Common Security Checks
    The Start URL Check
    Configuring the Start URL List
    The Deny URL Check
    Configuring the Deny URL List
    The Cookie Consistency Check
    Configuring the Cookie Consistency List
    The Buffer Overflow Check
    Configuring the Buffer Overflow Checks
    The Credit Card Check
    Configuring the Credit Card List
    The Safe Object Check

Chapter 9 The HTML Security Checks
    The Form Field Consistency Check
    Configuring the Form Field Consistency List
    The Field Formats Check
    Configuring the Field Formats List
    The CSRF Form Tagging Check
    Configuring the CSRF Form Tagging List
    The HTML Cross-Site Scripting Check
    Configuring the HTML Cross-Site Scripting List
    The HTML SQL Injection Check
    Configuring the HTML SQL Injection List

Chapter 10 The XML Security Checks
    The XML Format Check
    The XML Denial of Service Check
    Configuring the XML Denial of Service List
    The XML Cross-Site Scripting Check
    The XML SQL Injection Check
    The XML Attachment Check
    Configuring the XML Attachment Checks
    The Web Services Interoperability Check
    Configuring the Web Services Interoperability List
    The XML Message Validation Check
    Configuring the XML Message Validation Checks
    The XML SOAP Fault Filtering Check

Chapter 11 The Application Firewall Reports
    The PCI DSS Report
    The Application Firewall Configuration Report
    The PCI DSS Standard

Chapter 12 Use Cases
    Protecting a Shopping Cart Application
    Creating and Configuring the Shopping Cart Profile
    Creating and Configuring a Shopping Cart Policy
    Protecting a Product Information Query Page
    Creating and Configuring a Product Query Profile
    Creating and Configuring a Product Query Policy
    Managing Learning

Glossary

Index

Appendix A PCRE Character Encoding Format
    Representing UTF-8 Characters

Appendix B PCI DSS Standard

Appendix C Configuring for Large Files and Web Pages
    Overview
    Three Workarounds

Appendix D SQL Injection Check Keywords

Appendix E Cross-Site Scripting: Allowed Tags and Attributes
    Allowed Tags
    Allowed Attributes

PREFACE

Before you begin to configure the Citrix Application Firewall, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface

- About This Guide
- New in This Release
- Audience
- Formatting Conventions
- Related Documentation
- Getting Service and Support
- Documentation Feedback

About This Guide

The Citrix Application Firewall Guide provides an overview of two products: the standalone Citrix Application Firewall, and the Citrix NetScaler Application Firewall feature, an integrated part of the Citrix NetScaler Application Delivery System. Except for certain installation and basic configuration steps, these products are nearly identical. The guide explains what the Application Firewall is and does, and provides detailed instructions on installing, configuring, and managing it.

This guide provides the following information:

- Chapter 1, Introduction. Provides an overview of the Application Firewall, including what it does and how it works.
- Chapter 2, Installation. Provides installation and configuration information for the standalone Citrix Application Firewall.
- Chapter 3, Simple Configuration. Provides instructions on how to create your first Application Firewall profile, your first Application Firewall policy, and globally bind the policy. This process enables the Application Firewall to start protecting Web servers.
- Chapter 4, Profiles. Describes Application Firewall profiles and how to configure the security checks and other settings associated with profiles.
- Chapter 5, Policies. Describes Application Firewall policies, how to create a policy, and the structure of the expressions language used in creating policies.
- Chapter 6, Imports. Provides instructions on how to import HTML error pages, XML error pages, XML schemas, and WSDL pages into the Application Firewall configuration.
- Chapter 7, Global Configuration. Provides instructions on how to configure the global Engine settings, Confidential Field settings, and Field types.
- Chapter 8, The Common Security Checks. Describes each Application Firewall security check that is common to all types of profile.
- Chapter 9, The HTML Security Checks. Describes each Application Firewall security check that applies to HTML-based Web applications and HTML content.
- Chapter 10, The XML Security Checks. Describes each Application Firewall security check that applies to XML-based Web services and XML content.
- Chapter 11, The Application Firewall Reports. Describes the PCI DSS report and the Application Firewall Configuration report, and provides an overview of the PCI DSS standard.
- Chapter 12, Use Cases. Provides two use cases that describe how to configure the Application Firewall to protect a back-end SQL database, and scripted content that accesses and/or modifies information on other Web servers.
- Appendix A, PCRE Character Encoding. Provides a primer on using PCRE character encoding to represent non-ASCII characters in Application Firewall regular expressions.
- Appendix B, PCI DSS Standard. Provides a copy of the official Payment Card Industry (PCI) Data Security Standard (DSS).
- Appendix C, Configuring for Large Files and Web Pages. Provides instructions on how to configure the Application Firewall to handle large uploaded files and large, complex Web pages with minimal impact on performance.
- Appendix D, SQL Injection Check Keywords. Lists the SQL keywords that the Application Firewall SQL Injection security check uses when examining requests.
- Appendix E, Cross-Site Scripting: Allowed Tags and Attributes. Lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting security check will allow in requests without blocking the request.

New in This Release

NetScaler nCore Technology uses multiple CPU cores for packet handling and greatly improves the performance of many NetScaler features. Release 9.2 adds nCore support for many additional features, including load balancing, virtual private networks (VPNs), and the Application Firewall.

In Release 9.2, the following new features are also supported in the Application Firewall:

- Built-in profiles. The Application Firewall now installs with four built-in profiles. These profiles provide tools to allow or block connections that do not require further filtering.
- Default and undefined profiles. You can now designate a default profile and an undefined profile on a per-profile basis. The default profile is used for connections that do not match any Application Firewall policy. The undefined profile is used when a connection evaluates as undefined.
- Learning feature GUI changes. The Manage Learned Rules dialog box has been simplified and streamlined, and the Learning Data Visualizer has been integrated more completely with the Learning feature.
- NetScaler advanced policies. You can now use advanced policies and expressions to configure the Application Firewall. Advanced expressions provide a rich set of expression elements along with options to control the flow of evaluation within a policy bank. These elements and options enable you to maximize the capabilities of the Application Firewall. Advanced policies, which comprise a set of rules and actions that use the advanced expression format, further enhance your ability to analyze data at various network layers and at different points along the flow of traffic. For more information about the benefits of using advanced policies and expressions, see the Introduction to Policies and Expressions chapter in the Citrix NetScaler Policy Configuration and Reference Guide.
- User-configurable SQL and XSS lists. Users can now modify the lists of SQL special characters, SQL keywords, cross-site scripting allowed tags, and cross-site scripting allowed attributes used by the HTML and XML SQL injection security check and the HTML and XML cross-site scripting check. Users can create and upload multiple different lists, and designate the list to be used on a per-profile basis.

For a summary of the new features and remaining unsupported features, see the Citrix NetScaler 9.2 Release Notes.

Audience

This guide is intended for the following audience:

- IT Managers. IT managers or other individuals responsible for managing your network.
- System Administrators. Any system administrators responsible for managing your standalone Citrix Application Firewall, or your Citrix NetScaler Application Accelerator or NetScaler appliance.

The concepts and tasks described in this guide require you to have a basic understanding of networking and firewall concepts and terminology, the HTTP protocol, HTML and XML SOAP, and Web security.

Formatting Conventions

This documentation uses the following formatting conventions.

Convention and meaning:

Boldface
    Information that you type exactly as shown (user input); elements in the user interface.

<Angle Brackets>
    Placeholders for information or parameters that you provide. For example, <FileName> in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

%SystemRoot%
    The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.

Monospace
    System output or characters in a command line. User input and placeholders also are formatted using monospace text.

{ braces }
    A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]
    Optional items in command statements. For example, in the following command, [-range positiveinteger] means that you have the option of entering a range, but it is not required:
    add lb vserver name servicetype IPAddress port [-range positiveinteger]
    Do not type the brackets themselves.

| (vertical bar)
    A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
    lbmethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

Related Documentation

A complete set of documentation is available on the Documentation tab of your NetScaler and from (Most of the documents require Adobe Reader, available at

To view the documentation

1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.

Getting Service and Support

Citrix offers a variety of resources for support with your Citrix environment, including the following:

- The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.
- Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.
- The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements.
- Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.

For detailed information about Citrix services and support, see the Citrix Systems Support Web site at

You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send e-mail to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version.

- For NetScaler documentation, send to
- For Command Center documentation, send to
- For Access Gateway documentation, send to

You can also provide feedback from the Knowledge Center at support.citrix.com/.

To provide feedback from the Knowledge Center home page

1. Go to the Knowledge Center home page at
2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form, and then click Submit.

CHAPTER 1
Introduction

The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it.

To use the Application Firewall, you must configure at least one profile to tell it what to do with the connections it filters, one policy to tell it which connections to filter, and then associate the profile with the policy. You can configure an arbitrary number of different profiles and policies to protect more complex Web sites. You can adjust how the Application Firewall operates on all connections in the Engine Settings. You can enable, disable, and adjust the setting of each security check separately. Finally, you can configure and use the included PCI-DSS report to assess your security configuration for compliance with the PCI-DSS standard.

You can configure the Application Firewall using either the Citrix NetScaler Configuration Utility (configuration utility) or the Citrix NetScaler Command Line Interface (NetScaler command line).

What is the Application Firewall?

The Application Firewall is a filter that sits between Web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects Web servers and Web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, Web server software, and the underlying operating system.

The Application Firewall is available on two platforms. First, the Citrix Application Firewall is a standalone appliance based on the Citrix NetScaler Application Accelerator platform and Citrix NetScaler Application Delivery System operating system. Second, the Citrix NetScaler Application Firewall feature is part of the Citrix NetScaler Application Delivery System, which runs on all models of the Citrix NetScaler Application Accelerator or Citrix NetScaler appliance. Therefore, users who want a dedicated Application Firewall can purchase a standalone Citrix Application Firewall. Users who want the Application Firewall functionality in addition to other NetScaler operating system features can purchase a new Citrix NetScaler appliance, or upgrade to version 9.1 of the NetScaler operating system and install it on their existing appliance.

Note: Citrix also supports the Citrix Application Firewall EX, which is built on a different hardware and operating system platform than the Application Firewall discussed in this manual. The Citrix Application Firewall EX has its own separate documentation set. This manual does not apply to the Citrix Application Firewall EX. If you need to obtain the Citrix Application Firewall EX documentation, contact Citrix Customer Support for further assistance.

What the Application Firewall Does

The Citrix Application Firewall protects Web servers and Web sites from misuse by hackers and malware, such as viruses and trojans, by filtering traffic between each protected Web server and users that connect to any Web site on that Web server. The Application Firewall examines all traffic for evidence of attacks on Web server security or misuse of Web server resources, and takes the appropriate action to prevent these attacks from succeeding.

Most types of attacks against Web servers and Web sites are launched to accomplish two overall goals. These are:

- Obtaining private information. The Application Firewall watches for attacks intended to obtain sensitive private information from your Web sites and the databases that your Web sites can access. This information can include customer names, addresses, phone numbers, social security numbers, credit card numbers, medical records, and other private information. The hacker or malware author can then use this information directly, sell it to others, or both.

  Much of the information obtained by such attacks is protected by law, and all of it by custom and expectation. A breach of this type can have extremely serious consequences for customers whose private information was compromised. At best, these customers will have to exercise vigilance to prevent others from abusing their credit cards, opening unauthorized credit accounts in their name, or appropriating the customer's identity outright to commit criminal activities in their name (or identity theft). At worst, the customers may face ruined credit ratings or even be blamed for criminal activities in which they had no part. If a hacker or malware author manages to obtain such information through your Web site and then misuses it, that can create an embarrassing situation at best, and may expose your company to legal consequences.

- Obtaining unauthorized access and control. The Application Firewall watches for attacks intended to give the attacker access to and control of your Web server without your knowledge or permission. This prevents hackers from using your Web server to host unauthorized content, act as a proxy for content hosted on another server, provide SMTP services to send unsolicited bulk e-mail, or provide DNS services to support these activities on other compromised Web servers. Such activities constitute theft of your server capacity and bandwidth for purposes you did not authorize. By preventing unauthorized access to and control of your Web servers, the Application Firewall also helps prevent the common practice of unauthorized modifications of your home page or other pages on your Web site (or Web site defacement).

  Most Web sites that are hosted on hacked Web servers (or compromised Web servers) promote questionable or outright fraudulent businesses. For example, the majority of pharming Web sites, phishing Web sites, and child pornography Web sites (or CP Web sites) are hosted on compromised Web servers. So are many sites that sell prescription medications without a prescription, illegal OEM copies of copyrighted software, and untested and often worthless quack medical remedies. If a hacker or malware author manages to host such a Web site on your company's Web server, or use your company's Web server to provide spam support services, that can create an embarrassing incident at the very least.

Many types of attacks can be used to obtain private information from or make unauthorized use of your Web servers. These attacks include:

- Buffer overflow attacks. Sending an extremely long URL, cookie, or other bit of information to a Web server in hopes of causing it or the underlying operating system to hang, crash, or behave in some manner useful to the attacker. A buffer overflow attack can be used to gain access to unauthorized information, to compromise a Web server, or both.
- Cookie security attacks. Sending a modified cookie to a Web server, usually in hopes of obtaining access to unauthorized content using falsified credentials.

16 4 Citrix Application Firewall Guide Forceful browsing. Accessing URLs on a Web site directly, without navigating to the URLs via hyperlinks on the home page or other common start URLs on the Web site. Individual instances of forceful browsing may simply indicate a user who bookmarked a page on your Web site, but repeated attempts to access non-existent content or content that users should never access directly often represents an attack on Web site security. Forceful browsing is normally used to gain access to unauthorized information, but can also include a buffer overflow attack and be used to compromise your server. Web form security attacks. Sending inappropriate content to your Web site using a Web form. Inappropriate content can include modified hidden fields, HTML or code in a field intended for alphanumeric data only, a overly long string in a field that accepts only a short string, an alphanumeric string in a field that accepts only an integer, and a wide variety of other data that your Web site does not expect to receive in that Web form. A Web form security attack can be used either to obtain unauthorized information from your Web site or to compromise the Web site outright, usually when combined with a buffer overflow attack. In addition to standard Web form security attacks, there are two specialized types of attacks on Web form security that deserve special mention: - SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords using a Web form, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information. - Cross-site scripting attacks. Using a script on a web page to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different Web site. 
Since scripts can obtain information and modify files on your Web site, allowing a script access to content on a different Web site can provide an attacker the means to obtain unauthorized information, to compromise a Web server, or both. XML security attacks. Sending inappropriate content to an XML-based application, or attempting to breach security on your XML-based application. There are a number of special attacks that can be made against XMLbased applications using XML requests that contain malicious code or objects. These include attacks based on badly-formed XML requests, or XML requests that do not conform to the W3C XML specification, XML requests used to stage a denial of service (DoS) attack, and on XML requests that contain attached files that can breach site security. In addition to standard XML-based attacks, there are two specialized types of XML attacks that deserve special mention:

17 Chapter 1 Introduction 5 - SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords in a XMLbased request, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information. - Cross-site scripting attacks. Using a script included in an XMLbased application to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different application. Since scripts can obtain information and modify files using your XML application, allowing a script access to content belonging to a different application can provide an attacker the means to obtain unauthorized information, to compromise the application, or both. The Application Firewall has special filters, or checks, that look for each of these types of attack and prevent them from succeeding. The checks use a range of filters and techniques to detect each attack, and respond to different types of attacks or potential attacks differently. A potential attack that does not pose a significant threat may simply be logged. If the same pattern of activity does not reoccur, it probably was not a deliberate attack and no further action was needed. A series of potential attacks may require a different response, which may include blocking further requests from that source. The greatest threat against Web sites and applications does not come from known attacks, however. It comes from new and unknown attacks, attacks for which the Application Firewall may not yet have a specific check. For this reason, the core Application Firewall methodology does not rely upon specific checks. It relies upon comparing requests and responses to a profile of normal use of a protected Web site or application. 
The user helps create the profile during initial configuration and at intervals thereafter by providing certain information to the Application Firewall. The Application Firewall then generates the rest of this profile using its learning feature. Thereafter, if a request or response falls outside of the profile for that Web site or application, either the threat in the request or response is neutralized, or the request or response is blocked. This is called a positive security model, and allows the Application Firewall to protect a Web site or application against attacks for which it may not yet have specific checks. In summary, the Application Firewall prevents outsiders from misusing your Web sites and applications for their own purposes. It ensures that your Web sites and applications are used as you intended them to be used, for your benefit and that of your customers. The following section explains in more detail how the Application Firewall performs these tasks.
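The positive security model described above, as an added Python sketch that is not taken from the guide and is not Citrix's implementation: it learns a profile from known-good request URLs, blocks requests that fall outside that profile, and blocks a source after repeated violations. The function names, the character classes, the length slack factor, the three-violation limit and the sample traffic are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed known-good traffic used for learning (sample data, not real logs).
LEARNING_TRAFFIC = [
    "/catalog/item?id=1042&lang=en",
    "/catalog/item?id=7&lang=de",
    "/catalog/search?q=blue+widget&page=2",
    "/catalog/search?q=usb+cable&page=11",
    "/account/login",
]

# Value classes, narrowest first (an illustrative choice, not the product's).
PATTERNS = {
    "digits": re.compile(r"[0-9]+"),
    "alpha": re.compile(r"[A-Za-z]+"),
    "text": re.compile(r"[A-Za-z0-9 _.-]+"),
    "any": re.compile(r".*", re.S),
}


def classify(value):
    """Return the narrowest class whose pattern matches the whole value."""
    for name in ("digits", "alpha", "text"):
        if PATTERNS[name].fullmatch(value):
            return name
    return "any"


def widen(a, b):
    """Merge two observed classes into one that accepts both."""
    if a == b:
        return a
    return "any" if "any" in (a, b) else "text"


def split_request(url):
    """Split a request URL into its path and decoded (name, value) pairs."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn(urls, slack=2):
    """Build {path: {param: (class, max_len)}} from known-good requests."""
    seen = {}
    for url in urls:
        path, params = split_request(url)
        fields = seen.setdefault(path, {})
        for name, value in params:
            cls, longest = fields.get(name, (classify(value), 0))
            fields[name] = (widen(cls, classify(value)), max(longest, len(value)))
    # Allow some headroom over the longest value observed while learning.
    return {p: {n: (c, l * slack) for n, (c, l) in f.items()} for p, f in seen.items()}


def violations(profile, url):
    """List every way the request falls outside the learned profile."""
    path, params = split_request(url)
    if path not in profile:
        return [f"unknown path {path!r}"]
    found = []
    for name, value in params:
        rule = profile[path].get(name)
        if rule is None:
            found.append(f"unexpected parameter {name!r}")
            continue
        cls, max_len = rule
        if len(value) > max_len:
            found.append(f"{name!r} longer than {max_len}")
        if not PATTERNS[cls].fullmatch(value):
            found.append(f"{name!r} is not {cls}")
    return found


class ProfileFilter:
    """Block out-of-profile requests; block a source after repeated violations."""

    def __init__(self, profile, source_limit=3):
        self.profile = profile
        self.source_limit = source_limit
        self.strikes = defaultdict(int)
        self.log = []

    def decide(self, source, url):
        if self.strikes[source] >= self.source_limit:
            self.log.append((source, url, "source blocked"))
            return "block-source"
        found = violations(self.profile, url)
        if not found:
            return "allow"
        self.strikes[source] += 1
        self.log.append((source, url, "; ".join(found)))
        return "block"


def run_demo():
    """Replay constructed requests from two documentation-range addresses."""
    fw = ProfileFilter(learn(LEARNING_TRAFFIC), source_limit=3)
    requests = [
        ("192.0.2.10", "/catalog/item?id=55&lang=fr"),
        ("198.51.100.7", "/catalog/item?id=7%27--&lang=en"),
        ("198.51.100.7", "/admin/backup.sql"),
        ("198.51.100.7", "/account/login?debug=1"),
        ("198.51.100.7", "/catalog/search?q=usb+cable&page=1"),
        ("192.0.2.10", "/catalog/search?q=usb+cable&page=1"),
    ]
    return [fw.decide(src, url) for src, url in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

No rule in the sketch names SQL injection or any other specific attack: the quote character in the second request is rejected only because the learned profile says `id` holds digits. A profile is only as good as the traffic it was learned from, so a value class widened to "any" during learning accepts everything for that field.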

How the Application Firewall Works

The Application Firewall protects your Web sites and applications by filtering traffic to and from them, and blocking or rendering harmless any attacks or threats that it detects. This subsection provides an outline of the filtering process it uses to accomplish this.

The platform on which the Application Firewall is built is the Citrix NetScaler Application Delivery product line, which can be installed as either a layer 3 network device or a layer 2 network bridge between your servers and your users, usually behind your company's router or firewall. Depending on which Application Firewall model you have and which other tasks it performs, you may install it in different locations and configure it differently. To function, however, an Application Firewall must be installed in a location where it can intercept traffic between the Web servers you want to protect and the hub or switch through which users access those Web servers. You then configure the network to send requests to the Application Firewall instead of directly to your Web servers, and responses to the Application Firewall instead of directly to your users.

The Application Firewall then filters that traffic before forwarding it to its final destination. It examines each request or response using both its internal rule set and your additions and modifications. In addition to profiling the Web servers it protects using its learning feature, the Application Firewall also profiles each specific user's session in real time to determine if incoming traffic from that user to your Web server, and outgoing traffic from your Web server to that user, is appropriate in light of previous requests from the user during the current session. It then blocks or renders harmless any that trigger a specific check or that fail to match the Web site profile. The figure below provides an overview of the filtering process.

A Flowchart of Application Firewall Filtering

As the figure shows, when a user requests a URL on a protected Web server, the Application Firewall first examines the request to ensure that it violates no network security rules. These rules check for DoS attacks and other types of network attacks that are not specific to Web servers. Many of those attacks do not require the same level of analysis to detect as many Web site or application attacks do. Detecting and stopping these attacks before analyzing requests further reduces overall load on the Application Firewall.

If the request passes network security inspection, the Application Firewall checks to see if the request needs further filtering. Requests for certain types of content, such as image files, do not require further analysis. Requests for HTML-based web pages, XML-based applications, or active content do require further analysis, and are passed to the Application Firewall filtering engine.

The Application Firewall then examines the request, applying all relevant checks and comparing it to the profile it has of the protected Web site or XML application. If the request passes the Application Firewall security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall passes the request on to the server.

The Web site or application sends its response back to the Application Firewall, which examines the response. If the response does not violate any security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall forwards the response to the user. This process is repeated for each request and response.

In summary, the Application Firewall filters HTTP traffic for security-related issues at two points in the HTTP request/response cycle: it filters requests before they are sent to the server, and responses before they are sent to the user. When it detects a problem, it either neutralizes the problem or, if it cannot, blocks the request or response.

The Application Firewall Platform

The Citrix Application Firewall is built on the NetScaler operating system platform. It is fully integrated into the appliance platform and interoperates cleanly with all other appliance features. The appliance software runs on several types of hardware and a range of different servers optimized for different levels and types of network traffic. All are collectively referred to as the Citrix NetScaler Application Delivery product line. As of the NetScaler operating system 8.0 release, the Application Firewall has been available as a licensed feature. You can also purchase a standalone Citrix Application Firewall based on the same platform. For more information about the hardware platforms in the Citrix NetScaler Application Delivery product line, see Installing the Server on page 19.
For complete information about the Citrix NetScaler Application Delivery product line, see the Citrix NetScaler Installation and Configuration Guide.

The Application Firewall on a Network

To do its work properly, any Application Firewall model must be installed in the right place on your network. The location must allow traffic to and from your protected Web servers to be routed through the Application Firewall. You can ensure this by installing the Application Firewall in a location where traffic to and from your Web servers must pass through it, or you can use virtual LANs (VLANs) to ensure that your network can distinguish between packets that need to be routed to the Application Firewall, and packets that the Application Firewall has already filtered and that can be sent to the Web server or user, as appropriate.


How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

CTERA Agent for Linux

CTERA Agent for Linux User Guide CTERA Agent for Linux September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written

More information

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if

More information

STRM Log Manager Administration Guide

STRM Log Manager Administration Guide Security Threat Response Manager Release 2013.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2013-03-15 Copyright Notice Copyright 2013

More information

App Orchestration 2.5

App Orchestration 2.5 Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for Prepared by: James Richards Last Updated: August 20, 2014 Contents Introduction... 3 Configure the NetScaler load

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

Cisco UCS Director Payment Gateway Integration Guide, Release 4.1

Cisco UCS Director Payment Gateway Integration Guide, Release 4.1 First Published: April 16, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

Eucalyptus 3.4.2 User Console Guide

Eucalyptus 3.4.2 User Console Guide Eucalyptus 3.4.2 User Console Guide 2014-02-23 Eucalyptus Systems Eucalyptus Contents 2 Contents User Console Overview...4 Install the Eucalyptus User Console...5 Install on Centos / RHEL 6.3...5 Configure

More information

FortKnox Personal Firewall

FortKnox Personal Firewall FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505 INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this

More information

TW100-BRF114 Firewall Router. User's Guide. Cable/DSL Internet Access. 4-Port Switching Hub

TW100-BRF114 Firewall Router. User's Guide. Cable/DSL Internet Access. 4-Port Switching Hub TW100-BRF114 Firewall Router Cable/DSL Internet Access 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION...1 TW100-BRF114 Features...1 Package Contents...3 Physical Details...

More information

FOR WINDOWS FILE SERVERS

FOR WINDOWS FILE SERVERS Quest ChangeAuditor FOR WINDOWS FILE SERVERS 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described

More information

WhatsUpGold. v3.0. WhatsConnected User Guide

WhatsUpGold. v3.0. WhatsConnected User Guide WhatsUpGold v3.0 WhatsConnected User Guide Contents CHAPTER 1 Welcome to WhatsConnected Finding more information and updates... 2 Sending feedback... 3 CHAPTER 2 Installing and Configuring WhatsConnected

More information

Dashboard Admin Guide

Dashboard Admin Guide MadCap Software Dashboard Admin Guide Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described in this document

More information

GFI Product Manual. Administration and Configuration Manual

GFI Product Manual. Administration and Configuration Manual GFI Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is"

More information

Avaya Network Configuration Manager User Guide

Avaya Network Configuration Manager User Guide Avaya Network Configuration Manager User Guide May 2004 Avaya Network Configuration Manager User Guide Copyright Avaya Inc. 2004 ALL RIGHTS RESERVED The products, specifications, and other technical information

More information

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card

GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card Wireless-G Broadband Router GWA502 Quick Start Guide Read this guide thoroughly and follow the installation and operation procedures carefully to prevent any damage to the unit and/or any of the devices

More information

Oracle Virtual Desktop Client for ipad. User Guide for Version 1.0

Oracle Virtual Desktop Client for ipad. User Guide for Version 1.0 Oracle Virtual Desktop Client for ipad User Guide for Version 1.0 Oracle Virtual Desktop Client for ipad: User Guide for Version 1.0 Published June 2011 Abstract Part Number: E23350-01 This manual describes

More information