Citrix Application Firewall Guide. Citrix NetScaler 9.1



CONTENTS

Preface
  About This Guide
  New in This Release
  Audience
  Formatting Conventions
  Getting Service and Support
    Knowledge Center
    Silver and Gold Maintenance
    Subscription Advantage
    Education and Training
  Documentation Feedback

Chapter 1  Introduction
  What is the Application Firewall?
  What the Application Firewall Does
  How the Application Firewall Works
  The Application Firewall Platform
  The Application Firewall on a Network
  The User Interfaces
    The Citrix NetScaler Command Line Interface
    The Citrix NetScaler Configuration Utility

Chapter 2  Installation
  Planning the Installation
  Installing the Server
    The Citrix NetScaler
    The Citrix NetScaler
    The Citrix NetScaler
    The Citrix NetScaler
    The Citrix NetScaler MPX
    The Citrix NetScaler MPX
  Performing Initial Configuration
    Using the Configuration Utility
    Using the Citrix NetScaler Command Line Interface

Chapter 3  Simple Configuration
  Enabling the Application Firewall
  Creating and Configuring a Profile
  Creating and Configuring Policies
  Globally Binding Policies

Chapter 4  Profiles
  About Application Firewall Profiles
  Creating, Configuring, and Deleting a Profile
  Configuring the Security Checks
    Configuring the Security Checks at the Configuration Utility
    Configuring the Security Checks at the NetScaler Command Line
  Configuring the Profile Settings
    Configuring the Profile Settings at the Configuration Utility
    Configuring the Profile Settings at the NetScaler Command Line
  Configuring the Learning Feature

Chapter 5  Policies
  An Overview of Policies
  Creating and Configuring Policies
  Globally Binding a Policy

Chapter 6  Confidential Fields
  Adding Confidential Field Designations
  Managing Confidential Field Designations

Chapter 7  Field Types
  Configuring the Field Types Settings

Chapter 8  Imports
  Importing Configuration Elements

Chapter 9  The Engine Settings
  Session Cookie Name
  Session Timeout
  Client IP Header Name

Chapter 10  The Common Security Checks
  The Start URL Check
  The Deny URL Check
  The Cookie Consistency Check
  The Buffer Overflow Check
  The Credit Card Check
  The Safe Object Check

Chapter 11  The HTML Security Checks
  The Form Field Consistency Check
  The Field Formats Check
  The HTML Cross-Site Scripting Check
  The HTML SQL Injection Check

Chapter 12  The XML Security Checks
  The XML Format Check
  The XML Denial of Service Check
  The XML Cross-Site Scripting Check
  The XML SQL Injection Check
  The XML Attachment Check
  The Web Services Interoperability Check
  The XML Message Validation Check

Chapter 13  The PCI DSS Report
  About PCI DSS
  An Overview of the PCI DSS Report
  An Overview of the PCI DSS Standard

Chapter 14  Use Cases
  Protecting a Shopping Cart Application
    Creating and Configuring the Shopping Cart Profile
    Creating and Configuring a Shopping Cart Policy
  Protecting a Product Information Query Page
    Creating and Configuring a Product Query Profile
    Creating and Configuring a Product Query Policy
  Managing Learning

Appendix A  PCRE Character Encoding
  Format
  Representing UTF-8 Characters

Appendix B  PCI DSS Standard

Appendix C  Configuring for Large Files and Web Pages
  Overview
  Three Workarounds

Appendix D  SQL Injection Check Keywords

Appendix E  Cross-Site Scripting: Allowed Tags and Attributes
  Allowed Tags
  Allowed Attributes

Glossary

Index

Copyright and Trademark Notice

CITRIX SYSTEMS, INC., ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
- Move the NetScaler equipment to one side or the other of your equipment.
- Move the NetScaler equipment farther away from your equipment.
- Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, , 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, The Regents of the University of Michigan and Merit Network, Inc. Copyright , RSA Data Security, Inc. Created Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) University of Cambridge. All rights reserved. Copyright (c) David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, Bill Paul. All rights reserved. Copyright (c) Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved.

Last Updated: June 2009

PREFACE

About This Guide

Before you begin to configure the Citrix Application Firewall, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface
- About This Guide
- New in This Release
- Audience
- Formatting Conventions
- Getting Service and Support
- Documentation Feedback

The Citrix Application Firewall Guide provides an overview of two products: the standalone Citrix Application Firewall, and the Citrix NetScaler Application Firewall feature, an integrated part of the Citrix NetScaler Application Delivery System. Except for certain installation and basic configuration steps, these products are nearly identical. The guide explains what the Application Firewall is and does, and provides detailed instructions on installing, configuring, and managing it.

This guide provides the following information:
- Chapter 1, Introduction. Provides an overview of the Application Firewall, including what it does and how it works.
- Chapter 2, Installation. Provides installation and configuration information for the standalone Citrix Application Firewall.
- Chapter 3, Configuration. Provides instructions on how to create your first Application Firewall profile, your first Application Firewall policy, and globally bind the policy. This process enables the Application Firewall to start protecting Web servers.
- Chapter 4, Profiles. Describes Application Firewall profiles and how to configure the security checks and other settings associated with profiles.
- Chapter 5, Policies. Describes Application Firewall policies, how to create a policy, and the structure of the expressions language used in creating policies.
- Chapter 6, Confidential Fields. Provides instructions on how to configure the Application Firewall Confidential Field settings.
- Chapter 7, Field Types. Provides instructions on how to configure the Application Firewall field types.
- Chapter 8, Imports. Provides instructions on how to import HTML error pages, XML error pages, XML schemas, and WSDL pages into the Application Firewall configuration.
- Chapter 9, The Engine Settings. Provides instructions on how to configure the Application Firewall global engine settings.
- Chapter 10, The Common Security Checks. Describes each Application Firewall security check that is common to all types of profile.
- Chapter 11, The HTML Security Checks. Describes each Application Firewall security check that applies to HTML-based Web applications and HTML content.
- Chapter 12, The XML Security Checks. Describes each Application Firewall security check that applies to XML-based Web services and XML content.
- Chapter 13, The PCI DSS Report. Describes the PCI DSS report.
- Chapter 14, Use Cases. Provides two use cases that describe how to configure the Application Firewall to protect a back-end SQL database, and scripted content that accesses and/or modifies information on other Web servers.
- Appendix A, PCRE Character Encoding. Provides a primer on using PCRE character encoding to represent non-ASCII characters in Application Firewall regular expressions.
- Appendix B, PCI DSS Standard. Provides a copy of the official Payment Card Industry (PCI) Data Security Standard (DSS).
- Appendix C, Configuring for Large Files and Web Pages. Provides instructions on how to configure the Application Firewall to handle large uploaded files and large, complex Web pages with minimal impact on performance.
- Appendix D, SQL Injection Check Keywords. Lists the SQL keywords that the Application Firewall SQL Injection security check uses when examining requests.

- Appendix E, Cross-Site Scripting: Allowed Tags and Attributes. Lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting security check allows in requests without blocking the request.

New in This Release

NetScaler 9.1 ncore Technology is a new software release that uses CPU cores for packet handling and greatly improves the performance of many NetScaler features. NetScaler 9.1 ncore does not support the Application Firewall. For a summary of the features that are not supported in NetScaler 9.1 ncore, see the Citrix NetScaler 9.1 and NetScaler 9.1 ncore Release Notes.

Audience

This guide is intended for the following audience:
- IT Managers. IT managers or other individuals responsible for managing your network.
- System Administrators. Any system administrators responsible for managing your standalone Citrix Application Firewall, or your Citrix NetScaler Application Accelerator or NetScaler appliance.

The concepts and tasks described in this guide require you to have a basic understanding of networking and firewall concepts and terminology, the HTTP protocol, HTML and XML SOAP, and Web security.

Formatting Conventions

This documentation uses the following formatting conventions.

Convention: Boldface
Meaning: Information that you type exactly as shown (user input); elements in the user interface.

Convention: Italics
Meaning: Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).

Convention: %SystemRoot%
Meaning: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.

Convention: Monospace
Meaning: System output or characters in a command line. User input and placeholders are also formatted using monospace text.

Convention: { braces }
Meaning: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

Convention: [ brackets ]
Meaning: Optional items in command statements. For example, in the following command, [-range positiveinteger] means that you have the option of entering a range, but it is not required:
add lb vserver name servicetype IPAddress port [-range positiveinteger]
Do not type the brackets themselves.

Convention: | (vertical bar)
Meaning: A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
lbmethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner on the Citrix Web site. You can also get support from Citrix Customer Service on the Citrix Web site (on the Support menu, click Customer Service). In addition to the CSN program and Citrix Customer Service, Citrix offers the following support options for the Citrix Application Firewall.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at support.citrix.com. Knowledge Center features include:
- A knowledge base containing thousands of technical solutions to support your Citrix environment

- An online product documentation library
- Interactive support forums for every Citrix product
- Access to the latest hotfixes and service packs
- Knowledge Center Alerts that notify you when a topic is updated

Note: To set up an alert, sign in at support.citrix.com and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.

- Security bulletins
- Online problem reporting and tracking (for organizations with valid support contracts)

Silver and Gold Maintenance

In addition to the standard support options, Silver and Gold maintenance options are available. If you purchase either of these options, you receive documentation with special Citrix Technical Support numbers you can call.

Silver Maintenance Option

The Silver maintenance option provides unlimited system support for one year. This option provides basic coverage hours, one assigned support account manager for nontechnical relations management, four named contacts, and advanced replacement for materials. Technical support is available at the following times:
- North America, Latin America, and the Caribbean: 8 A.M. to 9 P.M. U.S. Eastern Time, Monday through Friday
- Asia (excluding Japan): 8 A.M. to 6 P.M. Hong Kong Time, Monday through Friday
- Australia and New Zealand: 8 A.M. to 6 P.M. Australian Eastern Standard Time (AEST), Monday through Friday
- Europe, Middle East, and Africa: 8 A.M. to 6 P.M. Coordinated Universal Time (Greenwich Mean Time), Monday through Friday

Gold Maintenance Option

The Gold maintenance option provides unlimited system support for one year. Support is available 24 hours a day, 7 days a week. There is one assigned support account manager for nontechnical relations management, and there are six named contacts.

Subscription Advantage

Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site (on the Support menu, click Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.

Education and Training

Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available on the Citrix Web site.

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send e-mail to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version.
- For NetScaler documentation, send e-mail to nsdoc_feedback@citrix.com.
- For Command Center documentation, send e-mail to ccdocs_feedback@citrix.com.
- For Access Gateway documentation, send e-mail to [alias not preserved in this copy].

You can also provide feedback from the Knowledge Center at support.citrix.com/.

To provide feedback from the Knowledge Center home page
1. Go to the Knowledge Center home page at support.citrix.com.
2. On the Knowledge Center home page, under Products, expand NetScaler Application Delivery, and click NetScaler Application Delivery Software.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form and click Submit.


CHAPTER 1

Introduction

The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it. To use the Application Firewall, you must configure at least one profile to tell it what to do with the connections it filters, one policy to tell it which connections to filter, and then associate the profile with the policy. You can configure an arbitrary number of different profiles and policies to protect more complex web sites. You can adjust how the Application Firewall operates on all connections in the Engine Settings. You can enable, disable, and adjust the setting of each security check separately. Finally, you can configure and use the included PCI DSS report to assess your security configuration for compliance with the PCI DSS standard. You can configure the Application Firewall using either the Citrix NetScaler Configuration Utility (configuration utility) or the Citrix NetScaler Command Line Interface (NetScaler command line).

Note: The Application Firewall is not supported in NetScaler 9.1 ncore.

What is the Application Firewall?

The Application Firewall is a filter that sits between web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects web servers and web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, web server software, and the underlying operating system.

The Application Firewall is available on two platforms. First, the Citrix Application Firewall is a standalone appliance based on the Citrix NetScaler Application Accelerator platform and the Citrix NetScaler Application Delivery System operating system. Second, the Citrix NetScaler Application Firewall feature is part of the Citrix NetScaler Application Delivery System, which runs on all models of the Citrix NetScaler Application Accelerator or Citrix NetScaler appliance. Therefore, users who want a dedicated Application Firewall can purchase a standalone Citrix Application Firewall. Users who want the Application Firewall functionality in addition to other NetScaler operating system features can purchase a new Citrix NetScaler appliance, or upgrade to version 9.1 of the NetScaler operating system and install it on their existing appliance.

Note: Citrix also supports the Citrix Application Firewall EX, which is built on a different hardware and operating system platform than the Application Firewall discussed in this manual. The Citrix Application Firewall EX has its own separate documentation set. This manual does not apply to the Citrix Application Firewall EX. If you need to obtain the Citrix Application Firewall EX documentation, contact Citrix Customer Support for further assistance.

What the Application Firewall Does

The Citrix Application Firewall protects web servers and web sites from misuse by hackers and malware, such as viruses and trojans, by filtering traffic between each protected web server and users that connect to any web site on that web server. The Application Firewall examines all traffic for evidence of attacks on web server security or misuse of web server resources, and takes the appropriate action to prevent these attacks from succeeding. Most types of attacks against web servers and web sites are launched to accomplish one of two overall goals:

- Obtaining private information. The Application Firewall watches for attacks intended to obtain sensitive private information from your web sites and the databases that your web sites can access. This information can include customer names, addresses, phone numbers, social security numbers, credit card numbers, medical records, and other private information. The hacker or malware author can then use this information directly, sell it to others, or both. Much of the information obtained by such attacks is protected by law, and all of it by custom and expectation. A breach of this type can have extremely serious consequences for customers whose private information was compromised. At best, these customers will have to exercise vigilance to prevent others from abusing their credit cards, opening unauthorized credit accounts in their name, or appropriating the customer's identity outright to commit criminal activities in their name (identity theft). At worst, the customers may face ruined credit ratings or even be blamed for criminal activities in which they had no part. If a hacker or malware author manages to obtain such information through your web site and then misuses it, that can create an embarrassing situation at best, and may expose your company to legal consequences.

- Obtaining unauthorized access and control. The Application Firewall watches for attacks intended to give the attacker access to and control of your web server without your knowledge or permission. This prevents hackers from using your web server to host unauthorized content, act as a proxy for content hosted on another server, provide SMTP services to send unsolicited bulk e-mail, or provide DNS services to support these activities on other compromised web servers. Such activities constitute theft of your server capacity and bandwidth for purposes you did not authorize. By preventing unauthorized access to and control of your web servers, the Application Firewall also helps prevent the common practice of unauthorized modification of your home page or other pages on your web site (web site defacement). Most web sites that are hosted on hacked (compromised) web servers promote questionable or outright fraudulent businesses. For example, the majority of pharming web sites, phishing web sites, and child pornography web sites are hosted on compromised web servers. So are many sites that sell prescription medications without a prescription, illegal OEM copies of copyrighted software, and untested and often worthless quack medical remedies. If a hacker or malware author manages to host such a web site on your company's web server, or use your company's web server to provide spam support services, that can create an embarrassing incident at the very least.

Many types of attacks can be used to obtain private information from or make unauthorized use of your web servers. These attacks include:

- Buffer overflow attacks. Sending an extremely long URL, cookie, or other bit of information to a web server in hopes of causing it or the underlying operating system to hang, crash, or behave in some manner useful to the attacker. A buffer overflow attack can be used to gain access to unauthorized information, to compromise a web server, or both.

- Cookie security attacks. Sending a modified cookie to a web server, usually in hopes of obtaining access to unauthorized content using falsified credentials.

- Forceful browsing. Accessing URLs on a web site directly, without navigating to the URLs via hyperlinks on the home page or other common start URLs on the web site. Individual instances of forceful browsing may simply indicate a user who bookmarked a page on your web site, but repeated attempts to access non-existent content or content that users should never access directly often represent an attack on web site security. Forceful browsing is normally used to gain access to unauthorized information, but can also include a buffer overflow attack and be used to compromise your server.

- Web form security attacks. Sending inappropriate content to your web site using a web form. Inappropriate content can include modified hidden fields, HTML or code in a field intended for alphanumeric data only, an overly long string in a field that accepts only a short string, an alphanumeric string in a field that accepts only an integer, and a wide variety of other data that your web site does not expect to receive in that web form. A web form security attack can be used either to obtain unauthorized information from your web site or to compromise the web site outright, usually when combined with a buffer overflow attack. In addition to standard web form security attacks, there are two specialized types of attacks on web form security that deserve special mention:
  - SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords using a web form, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.
  - Cross-site scripting attacks. Using a script on a web page to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different web site. Since scripts can obtain information and modify files on your web site, allowing a script access to content on a different web site can provide an attacker the means to obtain unauthorized information, to compromise a web server, or both.

- XML security attacks. Sending inappropriate content to an XML-based web service or attempting to breach security on your XML-based web service. There are a number of special attacks that can be made against XML-based web services using XML requests that contain malicious code or objects. These include attacks based on badly formed XML requests (XML requests that do not conform to the W3C XML specification), XML requests used to stage a denial of service (DoS) attack, and XML requests that contain attached files that can breach site security. In addition to standard XML-based attacks, there are two specialized types of XML attacks that deserve special mention:
  - SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords in an XML-based request, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.
  - Cross-site scripting attacks. Using a script included in an XML-based web service URL to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different web service. Since scripts can obtain information and modify files using your web service, allowing a script access to content belonging to a different web service can provide an attacker the means to obtain unauthorized information, to compromise the web service, or both.

The Application Firewall has special filters, or checks, that look for each of these types of attack and prevent them from succeeding. The checks use a range of filters and techniques to detect each attack, and respond to different types of attacks or potential attacks differently. A potential attack that does not pose a significant threat may simply be logged. If the same pattern of activity does not reoccur, it probably was not a deliberate attack and no further action is needed. A series of potential attacks may require a different response, which may include blocking further requests from that source.

The greatest threat against web sites and web services does not come from known attacks, however. It comes from new and unknown attacks, attacks for which the Application Firewall may not yet have a specific check. For this reason, the core Application Firewall methodology does not rely upon specific checks. It relies upon comparing requests and responses to a profile of normal use of a protected web site or web service. The user helps create the profile during initial configuration and at intervals thereafter by providing certain information to the Application Firewall. The Application Firewall then generates the rest of this profile using its learning feature. Thereafter, if a request or response falls outside of the profile for that web site or web service, either the threat in the request or response is neutralized, or the request or response is blocked. This is called a positive security model, and it allows the Application Firewall to protect a web site or web service against attacks for which it may not yet have specific checks.

In summary, the Application Firewall prevents outsiders from misusing your web sites and web services for their own purposes. It ensures that your web sites and web services are used as you intended them to be used, for your benefit and that of your customers. The following section explains in more detail how the Application Firewall performs these tasks.

How the Application Firewall Works

The Application Firewall protects your web sites and web services by filtering traffic to and from them, and blocking or rendering harmless any attacks or threats that it detects. This subsection provides an outline of the filtering process it uses to accomplish this.

The platform on which the Application Firewall is built is the Citrix NetScaler Application Delivery product line, which can be installed as either a layer 3 network device or a layer 2 network bridge between your servers and your users, usually behind your company's router or firewall. Depending on which Application Firewall model you have and which other tasks it performs, you may install it in different locations and configure it differently. To function, however, an Application Firewall must be installed in a location where it can intercept traffic between the web servers you want to protect and the hub or switch through which users access those web servers. You then configure the network to send requests to the Application Firewall instead of directly to your web servers, and responses to the Application Firewall instead of directly to your users.

The Application Firewall then filters that traffic before forwarding it to its final destination. It examines each request or response using both its internal rule set and your additions and modifications. In addition to profiling the web servers it protects using its learning feature, the Application Firewall also profiles each specific user's session in real time to determine if incoming traffic from that user to your web server, and outgoing traffic from your web server to that user, is appropriate in light of previous requests from the user during the current session. It then blocks or renders harmless any that trigger a specific check or that fail to match the web site profile. The figure below provides an overview of the filtering process.

Figure: A Flowchart of Application Firewall Filtering

As the figure shows, when a user requests a URL on a protected web server, the Application Firewall first examines the request to ensure that it violates no network security rules. These rules check for DoS attacks and other types of network attacks that are not specific to web servers. Many of those attacks do not require the same level of analysis to detect as many web site or web services attacks do. Detecting and stopping these attacks before analyzing requests further reduces overall load on the Application Firewall.

If the request passes network security inspection, the Application Firewall checks to see if the request needs further filtering. Requests for certain types of content, such as image files, do not require further analysis. Requests for HTML-based web pages, web services, or active content do require further analysis, and are passed to the Application Firewall filtering engine.

The Application Firewall then examines the request, applying all relevant checks and comparing it to the profile it has of the protected web site or web service. If the request passes the Application Firewall security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall passes the request on to the server. The web site or web service sends its response back to the Application Firewall, which examines the response. If the response does not violate any security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall forwards the response to the user. This process is repeated for each request and response.

In summary, the Application Firewall filters HTTP traffic for security-related issues at two points in the HTTP request/response cycle: it filters requests before they are sent to the server, and responses before they are sent to the user. When it detects a problem, it either neutralizes the problem or, if it cannot, blocks the request or response.

The Application Firewall Platform

The Citrix Application Firewall is built on the NetScaler operating system platform. It is fully integrated into the appliance platform and interoperates cleanly with all other appliance features. The appliance software runs on several types of hardware and a range of different servers optimized for different levels and types of network traffic. All are collectively referred to as the Citrix NetScaler Application Delivery product line. As of the NetScaler operating system 8.0 release, the Application Firewall has been available as a licensed feature. You can also purchase a standalone Citrix Application Firewall based on the same platform. For more information about the hardware platforms in the Citrix NetScaler Application Delivery product line, see Installing the Server on page 19.
For complete information about the Citrix NetScaler Application Delivery product line, see the Installation and Configuration Guide.

The Application Firewall on a Network

To do its work properly, any Application Firewall model must be installed in the right place on your network. The location must allow traffic to and from your protected web servers to be routed through the Application Firewall. You can ensure this by installing the Application Firewall in a location where traffic to and from your web servers must pass through it, or you can use virtual LANs (VLANs) to ensure that your network can distinguish between packets that need to be routed to the Application Firewall, and packets that the Application Firewall has already filtered and that can be sent to the web server or user, as appropriate.

Although the appliances in the Citrix NetScaler Application Delivery product line are normally installed as layer 3 devices, none of them acts like a traditional layer 3 or layer 4 firewall when filtering traffic to and from your protected web servers. The Application Firewall itself analyzes only HTTP requests and responses, and analyzes HTTP traffic at a different level than a traditional firewall does. Therefore, only requests to your web sites or web services that might contain attacks are sent to the Application Firewall.

A NetScaler appliance must see and route other types of traffic than simply HTTP connections because it will have multiple appliance features licensed and enabled. Some of the other appliance features block DoS and DDoS attacks, accelerate throughput to and from your applications, and provide secure access to servers and applications. When installing a NetScaler appliance, you will therefore need to determine the best location in light of all the features you plan to use. The appliance OS then determines which packets need to be processed by the Application Firewall and routes only those packets to it.

If you are installing or already use a NetScaler appliance and have licensed the Application Firewall feature, you must first determine which other appliance features you will use in addition to the Application Firewall. You should then determine where on your network to install your NetScaler appliance so that it can intercept all incoming traffic that it must process, and as little additional traffic as possible. The best solution will depend heavily on the configuration of your individual network. Because a NetScaler appliance is a multipurpose appliance, you probably will need to install it in a central location in your network, where it can intercept much (if not all) traffic entering your network from the outside. You may also not have the option of installing it within the same subnet as the servers that host your protected web sites or web services. These factors will require some additional configuration of your NetScaler appliance so that it can identify and properly route traffic to the Application Firewall.

The User Interfaces

All models in the Citrix NetScaler Application Delivery product line can be configured and managed from either of two different user interfaces: the command line-based Citrix NetScaler Command Line Interface (the NetScaler command line) and the web-based Citrix NetScaler Configuration Utility (the configuration utility).

The Citrix NetScaler Command Line Interface

The Citrix NetScaler Command Line Interface (NetScaler command line) is a modified UNIX shell based on the FreeBSD bash shell. To configure the Application Firewall using the NetScaler command line, you type commands at the prompt and press the Enter key, just as you do with any other UNIX shell. The figure below shows the NetScaler command line as it appears immediately after you log on.

Note: The actual appearance of the NetScaler command line window varies somewhat depending on which SSH program you use to connect to the NetScaler command line.

Figure: The NetScaler command line after Logging On

The format of NetScaler command line commands is:

    > action groupname entity <entityname> [-parameter]

For action, you substitute the action you want to perform. For groupname, you substitute the groupname associated with the feature or task. For entity, you substitute the specific type of object you are viewing or changing. For <entityname>, you substitute the IP, hostname, or other specific name for the entity. Finally, for [-parameter], you substitute one or more parameters (if any) that your command requires. For example, you use the add appfirewall profile command to create a profile named HTML with basic defaults, as shown below.

    > add appfirewall profile HTML -defaults basic
    Done
    >

In this command, add is the action; appfirewall is the groupname; profile is the entity; HTML is the <entityname>; and -defaults basic is the parameter. Since the command produces no output, the NetScaler command line simply informs you that it has performed the command by printing Done, and then returns to the prompt.

You use the show appfirewall profile command to review all profiles that currently exist on your Application Firewall, as shown below:

    > show appfw profile
    3) Name: HTML1
       ErrorURL: /
       StripComments: ON
       DefaultCharSet: iso
       StartURLAction: block log stats
       StartURLClosure: OFF
       DenyURLAction: block log stats
       XSSAction: block log stats
       XSSTransformUnsafeHTML: OFF
       XSSCheckCompleteURLs: OFF
       SQLAction: block log stats
       SQLTransformSpecialChars: OFF
       SQLOnlyCheckFieldsWithSQLChars: ON
       FieldConsistencyAction: none
       CookieConsistencyAction: none
       BufferOverflowAction: block log stats
       BufferOverflowMaxURLLength: 1024
       BufferOverflowMaxHeaderLength: 4096
       BufferOverflowMaxCookieLength: 4096
       FieldFormatAction: block log stats
       DefaultFieldFormatType: ""
       DefaultFieldFormatMinLength: 0
       DefaultFieldFormatMaxLength:
       CommerceAction: block log stats
       CommerceCard:
       CommerceMaxAllowed: 0
       CommerceXOut: OFF
    Done
    >

Unlike the add appfirewall profile command, this command has output, and that output is displayed beneath the line where you typed the command.
The output terminates with Done, and beneath that, a new prompt is displayed. Another useful command, the show config command, lacks everything after the groupname. It has no entity or parameters, as shown below.

    > show config
    NetScaler IP: (mask: )
    Number of MappedIP(s): 1
    Node: Standalone
    Global configuration settings:
    HTTP port(s): (none)
    Max connections: 0
    Max requests per connection: 0
    Client IP insertion: DISABLED
    Cookie version: 0
    Min Path MTU: 576
    Path MTU entry timeout: 10
    FTP Port Range: 0
    Done
    >

You use the show config command to determine the appliance IP and global configuration settings. To determine the settings for any specific configuration area, you use the show action with the appropriate groupname and entity, as you did above to view the Application Firewall profile settings. There are an enormous number of commands and variations available at the NetScaler command line. A small number of these commands that you can use to configure various parts of the Application Firewall are described in this manual. For a complete description of the commands available at the NetScaler command line, see the Citrix NetScaler Command Reference Guide.

The Citrix NetScaler Configuration Utility

The configuration utility is a web-based interface used to configure the Application Firewall. You can perform almost any configuration task using the configuration utility. Less experienced users usually find the configuration utility the easiest interface to use. The figure below shows the configuration utility's System Overview screen.

Figure: The Citrix NetScaler Configuration Utility, System Overview

Note: The items displayed in the navigation tree on the left of the configuration utility window differ depending on which features are licensed on your NetScaler appliance.

The configuration utility screen has three areas that organize the work of configuring all the features you licensed on your Citrix NetScaler Application Accelerator or NetScaler appliance.

- Logo bar. The logo bar extends along the top of the configuration utility window. On the left the Citrix logo and Access Gateway Enterprise Edition title appear. On the right is a horizontal row of global hyperlinks that allow you to control the look and feel of the configuration utility screen, save your settings, do a complete refresh of the entire configuration utility display, log out, and access the online help.
- Navigation tree. The navigation tree extends down the left side of the screen, and provides a collapsible menu that contains links to all screens in the configuration utility. To navigate to a screen within a category, you click the plus (+) sign to expand that category. When a submenu is open, the plus sign changes to a minus (-) sign and all screens and subcategories within that category are displayed.
  - To display a category or subcategory, you click the plus sign beside the category or subcategory title.
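The show appfw profile listing in the command line section above is also the quickest way to audit which security checks a profile actually enforces. The following script is an added example, not Citrix code: it parses that key/value listing and reports every check whose action list lacks block or log, using a sample listing constructed here in the same format (field names follow the guide; the profile names and values are invented).

```python
"""Audit Application Firewall profile actions from 'show appfw profile' output.

Added example, not Citrix code. It parses the key/value listing that the
NetScaler command line prints for each profile (numbered "n) Name: ..."
entries ending with "Done") and reports security checks whose action list
lacks "block" or "log". The sample output below is constructed for this
example; only the field names follow the guide.
"""
import re
from typing import Dict, List, Optional

# Every security check is reported as a <Check>Action field whose value is
# a space-separated action list such as "block log stats" or "none".
ACTION_FIELD = re.compile(r"^(?P<check>[A-Za-z]+)Action$")

# Constructed sample output, in the layout the guide shows.
SAMPLE_SHOW_OUTPUT = """\
> show appfw profile
1) Name: HTML1
   ErrorURL: /
   StripComments: ON
   StartURLAction: block log stats
   StartURLClosure: OFF
   DenyURLAction: block log stats
   XSSAction: block log stats
   SQLAction: block log stats
   FieldConsistencyAction: none
   CookieConsistencyAction: none
   BufferOverflowAction: block log stats
   BufferOverflowMaxURLLength: 1024
2) Name: XML1
   ErrorURL: /
   StartURLAction: log stats
   DenyURLAction: block log stats
   XSSAction: none
   SQLAction: block log stats
   BufferOverflowAction: block log stats
Done
>
"""


def parse_show_profile(output: str) -> Dict[str, Dict[str, str]]:
    """Return {profile name: {field: value}} parsed from the listing."""
    profiles: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in output.splitlines():
        line = raw.strip()
        # Skip the echoed command, blank lines, the prompt and "Done".
        if not line or line.startswith(">") or line == "Done":
            continue
        # Drop the "n) " index that precedes each profile's Name line.
        line = re.sub(r"^\d+\)\s*", "", line)
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line; ignore
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {}
            profiles[value] = current
        elif current is not None:
            current[key] = value
    return profiles


def audit_profile(settings: Dict[str, str]) -> Dict[str, List[str]]:
    """List checks that will not block and checks that will not log.

    A check set to "none" is disabled and appears in both lists; a check
    set to "log stats" only observes, so it appears under "not_blocking".
    """
    report: Dict[str, List[str]] = {"not_blocking": [], "silent": []}
    for field, value in settings.items():
        match = ACTION_FIELD.match(field)
        if match is None:
            continue  # e.g. BufferOverflowMaxURLLength is a limit, not an action
        actions = set(value.split())
        if "block" not in actions:
            report["not_blocking"].append(match.group("check"))
        if "log" not in actions:
            report["silent"].append(match.group("check"))
    return report


if __name__ == "__main__":
    for name, settings in parse_show_profile(SAMPLE_SHOW_OUTPUT).items():
        print(name, audit_profile(settings))
```

On a real appliance, feed the script the captured output of show appfw profile instead of the constructed sample; a check reported as silent leaves no log entry to investigate, which matters when you rely on logged potential attacks to spot a repeated pattern.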


More information

Configuration Example

Configuration Example Configuration Example Use WatchGuard Application Control with Your Existing Firewall Example configuration files created with WSM v11.10.1 Revised 7/21/2015 Use Case An organization wants to block the

More information

Product Guide Revision A. McAfee Web Reporter 5.2.1

Product Guide Revision A. McAfee Web Reporter 5.2.1 Product Guide Revision A McAfee Web Reporter 5.2.1 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

LogLogic Trend Micro OfficeScan Log Configuration Guide

LogLogic Trend Micro OfficeScan Log Configuration Guide LogLogic Trend Micro OfficeScan Log Configuration Guide Document Release: September 2011 Part Number: LL600065-00ELS090000 This manual supports LogLogic Trend Micro OfficeScan Release 1.0 and later, and

More information

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides

More information

SSL VPN User s Guide for the Windows Platform Citrix Systems, Inc.

SSL VPN User s Guide for the Windows Platform Citrix Systems, Inc. Citrix NetScaler Application Switch SSL VPN User s Guide for the Windows Platform Citrix Systems, Inc. CITRIX SYSTEMS, INC., 2005. ALL RIGHTS RESERVED. NO PART OF THIS DOCU- MENT MAY BE REPRODUCED OR TRANSMITTED

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Citrix Access Gateway Enterprise Edition Citrix Access Gateway Plugin for Windows User Guide. Citrix Access Gateway 8.1, Enterprise Edition

Citrix Access Gateway Enterprise Edition Citrix Access Gateway Plugin for Windows User Guide. Citrix Access Gateway 8.1, Enterprise Edition Citrix Access Gateway Enterprise Edition Citrix Access Gateway Plugin for Windows User Guide Citrix Access Gateway 8.1, Enterprise Edition Copyright and Trademark Notice Use of the product documented in

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide

Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide APPLICATION VERSION: 9.0 MAINTENANCE RELEASE 1 Dear User! Thank you for choosing our product. We hope that this document will

More information

MailFoundry Users Manual. MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved

MailFoundry Users Manual. MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved MailFoundry User Manual Revision: MF2005071100 Copyright 2005, Solinus Inc. All Rights Reserved Page 1 of 91 Chapter 1: Introduction... 4 What are Spam Profiles?... 4 Models Covered In This Manual... 4

More information

Server Installation Guide ZENworks Patch Management 6.4 SP2

Server Installation Guide ZENworks Patch Management 6.4 SP2 Server Installation Guide ZENworks Patch Management 6.4 SP2 02_016N 6.4SP2 Server Installation Guide - 2 - Notices Version Information ZENworks Patch Management Server Installation Guide - ZENworks Patch

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Configure Outbound Web Services 7.13.7 Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and is subject

More information

WebMarshal User Guide

WebMarshal User Guide WebMarshal User Guide Legal Notice Copyright 2014 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Installation Guide Supplement

Installation Guide Supplement Installation Guide Supplement for use with Microsoft ISA Server and Forefront TMG Websense Web Security Websense Web Filter v7.5 1996 2010, Websense Inc. All rights reserved. 10240 Sorrento Valley Rd.,

More information

Link Load Balancing 2015-04-28 08:50:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Link Load Balancing 2015-04-28 08:50:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Link Load Balancing 2015-04-28 08:50:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Link Load Balancing... 3 Link Load Balancing... 4 Configuring

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

Oracle Virtual Desktop Client for ipad. User Guide for Version 1.0

Oracle Virtual Desktop Client for ipad. User Guide for Version 1.0 Oracle Virtual Desktop Client for ipad User Guide for Version 1.0 Oracle Virtual Desktop Client for ipad: User Guide for Version 1.0 Published June 2011 Abstract Part Number: E23350-01 This manual describes

More information

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Importance of Web Application Firewall Technology for Protecting Web-based Resources Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

Plesk for Windows Copyright Notice

Plesk for Windows Copyright Notice 2 Plesk for Windows Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 325 Herndon VA 20171 USA Phone: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright 1999-2007, SWsoft Holdings, Ltd.

More information

Integrating Barracuda Web Application Firewall

Integrating Barracuda Web Application Firewall Integrating Barracuda Web Application Firewall EventTracker v7.x Publication Date: July 28, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides

More information

http://www.trendmicro.com/download

http://www.trendmicro.com/download Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Deployment Guide for Microsoft Lync 2010

Deployment Guide for Microsoft Lync 2010 Deployment Guide for Microsoft Lync 2010 Securing and Accelerating Microsoft Lync with Palo Alto Networks Next-Generation Firewall and Citrix NetScaler Joint Solution Table of Contents 1. Overview...3

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P.

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide

Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide A P P L I C A T I O N V E R S I O N : 9. 0 Dear User! Thank you for choosing our product. We hope that this document will help

More information

Connecting with Computer Science, 2e. Chapter 5 The Internet

Connecting with Computer Science, 2e. Chapter 5 The Internet Connecting with Computer Science, 2e Chapter 5 The Internet Objectives In this chapter you will: Learn what the Internet really is Become familiar with the architecture of the Internet Become familiar

More information

Oracle Agile Product Lifecycle Management for Process

Oracle Agile Product Lifecycle Management for Process Oracle Agile Product Lifecycle Management for Process Document Reference Library User Guide Release 6.1.0.1 E27854-01 March 2012 Oracle Agile Product Lifecycle Management for Process Document Reference

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

LifeSize Networker Installation Guide

LifeSize Networker Installation Guide LifeSize Networker Installation Guide November 2008 Copyright Notice 2006-2008 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure

More information

Symantec Hosted Mail Security. Console and Spam Quarantine User Guide

Symantec Hosted Mail Security. Console and Spam Quarantine User Guide Symantec Hosted Mail Security Console and Spam Quarantine User Guide Symantec Hosted Mail Security Console and Spam Quarantine User Guide The software described in this book is furnished under a license

More information

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide

Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide for Microsoft SharePoint 2003/2007 Symantec Protection for SharePoint Servers Implementation Guide The software described in this book

More information

Plesk 8.3 for Linux/Unix System Monitoring Module Administrator's Guide

Plesk 8.3 for Linux/Unix System Monitoring Module Administrator's Guide Plesk 8.3 for Linux/Unix System Monitoring Module Administrator's Guide Revision 1.0 Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703) 815 5670

More information

Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide

Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide Revision 1.0 Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703)

More information

Parallels Plesk Panel 11 for your Linux server

Parallels Plesk Panel 11 for your Linux server Getting Started Guide Parallels Plesk Panel 11 for your Linux server Getting Started Guide Page 1 Getting Started Guide: Parallels Plesk Panel 11, Linux Server Version 1.1 (11.1.2012) Copyright 2012. All

More information

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card

GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card Wireless-G Broadband Router GWA502 Quick Start Guide Read this guide thoroughly and follow the installation and operation procedures carefully to prevent any damage to the unit and/or any of the devices

More information