Citrix Application Firewall Guide. Citrix NetScaler 9.1
CONTENTS

Preface
  About This Guide
  New in This Release
  Audience
  Formatting Conventions
  Getting Service and Support
  Knowledge Center
  Silver and Gold Maintenance
  Subscription Advantage
  Education and Training
  Documentation Feedback

Chapter 1  Introduction
  What is the Application Firewall?
  What the Application Firewall Does
  How the Application Firewall Works
  The Application Firewall Platform
  The Application Firewall on a Network
  The User Interfaces
  The Citrix NetScaler Command Line Interface
  The Citrix NetScaler Configuration Utility

Chapter 2  Installation
  Planning the Installation
  Installing the Server
  The Citrix NetScaler
  The Citrix NetScaler
  The Citrix NetScaler
  The Citrix NetScaler
  The Citrix NetScaler MPX
  The Citrix NetScaler MPX
  Performing Initial Configuration
  Using the Configuration Utility
  Using the Citrix NetScaler Command Line Interface

Chapter 3  Simple Configuration
  Enabling the Application Firewall
  Creating and Configuring a Profile
  Creating and Configuring Policies
  Globally Binding Policies

Chapter 4  Profiles
  About Application Firewall Profiles
  Creating, Configuring, and Deleting a Profile
  Configuring the Security Checks
  Configuring the Security Checks at the Configuration Utility
  Configuring the Security Checks at the NetScaler Command Line
  Configuring the Profile Settings
  Configuring the Profile Settings at the Configuration Utility
  Configuring the Profile Settings at the NetScaler Command Line
  Configuring the Learning Feature

Chapter 5  Policies
  An Overview of Policies
  Creating and Configuring Policies
  Globally Binding a Policy

Chapter 6  Confidential Fields
  Adding Confidential Field Designations
  Managing Confidential Field Designations

Chapter 7  Field Types
  Configuring the Field Types Settings

Chapter 8  Imports
  Importing Configuration Elements

Chapter 9  The Engine Settings
  Session Cookie Name
  Session Timeout
  Client IP Header Name

Chapter 10  The Common Security Checks
  The Start URL Check
  The Deny URL Check
  The Cookie Consistency Check
  The Buffer Overflow Check
  The Credit Card Check
  The Safe Object Check

Chapter 11  The HTML Security Checks
  The Form Field Consistency Check
  The Field Formats Check
  The HTML Cross-Site Scripting Check
  The HTML SQL Injection Check

Chapter 12  The XML Security Checks
  The XML Format Check
  The XML Denial of Service Check
  The XML Cross-Site Scripting Check
  The XML SQL Injection Check
  The XML Attachment Check
  The Web Services Interoperability Check
  The XML Message Validation Check

Chapter 13  The PCI DSS Report
  About PCI DSS
  An Overview of the PCI DSS Report
  An Overview of the PCI DSS Standard

Chapter 14  Use Cases
  Protecting a Shopping Cart Application
  Creating and Configuring the Shopping Cart Profile
  Creating and Configuring a Shopping Cart Policy
  Protecting a Product Information Query Page
  Creating and Configuring a Product Query Profile
  Creating and Configuring a Product Query Policy
  Managing Learning

Glossary

Index

Appendix A  PCRE Character Encoding
  Format
  Representing UTF-8 Characters

Appendix B  PCI DSS Standard

Appendix C  Configuring for Large Files and Web Pages
  Overview
  Three Workarounds

Appendix D  SQL Injection Check Keywords

Appendix E  Cross-Site Scripting: Allowed Tags and Attributes
  Allowed Tags
  Allowed Attributes
Copyright and Trademark Notice

CITRIX SYSTEMS, INC., ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, WANScaler, Citrix XenApp, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. 
Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, , 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, The Regents of the University of Michigan and Merit Network, Inc. Copyright , RSA Data Security, Inc. Created Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) University of Cambridge. All rights reserved. Copyright (c) David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, Bill Paul. All rights reserved. Copyright (c) Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved. Last Updated: June 2009
PREFACE

About This Guide

Before you begin to configure the Citrix Application Firewall, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface
  About This Guide
  New in This Release
  Audience
  Formatting Conventions
  Getting Service and Support
  Documentation Feedback

The Citrix Application Firewall Guide provides an overview of two products: the standalone Citrix Application Firewall, and the Citrix NetScaler Application Firewall feature, an integrated part of the Citrix NetScaler Application Delivery System. Except for certain installation and basic configuration steps, these products are nearly identical. The guide explains what the Application Firewall is and does, and provides detailed instructions on installing, configuring, and managing it.

This guide provides the following information:

Chapter 1, Introduction. Provides an overview of the Application Firewall, including what it does and how it works.
Chapter 2, Installation. Provides installation and configuration information for the standalone Citrix Application Firewall.
Chapter 3, Configuration. Provides instructions on how to create your first Application Firewall profile and your first Application Firewall policy, and how to globally bind the policy. This process enables the Application Firewall to start protecting Web servers.
Chapter 4, Profiles. Describes Application Firewall profiles and how to configure the security checks and other settings associated with profiles.
Chapter 5, Policies. Describes Application Firewall policies, how to create a policy, and the structure of the expressions language used in creating policies.
Chapter 6, Confidential Fields. Provides instructions on how to configure the Application Firewall Confidential Field settings.
Chapter 7, Field Types. Provides instructions on how to configure the Application Firewall field types.
Chapter 8, Imports. Provides instructions on how to import HTML error pages, XML error pages, XML schemas, and WSDL pages into the Application Firewall configuration.
Chapter 9, The Engine Settings. Provides instructions on how to configure the Application Firewall global engine settings.
Chapter 10, The Common Security Checks. Describes each Application Firewall security check that is common to all types of profile.
Chapter 11, The HTML Security Checks. Describes each Application Firewall security check that applies to HTML-based Web applications and HTML content.
Chapter 12, The XML Security Checks. Describes each Application Firewall security check that applies to XML-based Web services and XML content.
Chapter 13, The PCI DSS Report. Describes the PCI DSS report.
Chapter 14, Use Cases. Provides two use cases that describe how to configure the Application Firewall to protect a back-end SQL database, and scripted content that accesses and/or modifies information on other Web servers.
Appendix A, PCRE Character Encoding. Provides a primer on using PCRE character encoding to represent non-ASCII characters in Application Firewall regular expressions.
Appendix B, PCI DSS Standard. Provides a copy of the official Payment Card Industry (PCI) Data Security Standard (DSS).
Appendix C, Configuring for Large Files and Web Pages. Provides instructions on how to configure the Application Firewall to handle large uploaded files and large, complex Web pages with minimal impact on performance.
Appendix D, SQL Injection Check Keywords. Lists the SQL keywords that the Application Firewall SQL Injection security check uses when examining requests.
Appendix E, Cross-Site Scripting: Allowed Tags and Attributes. Lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting security check will allow in requests without blocking the request.

New in This Release

NetScaler 9.1 ncore Technology is a new software release that uses CPU cores for packet handling and greatly improves the performance of many NetScaler features. NetScaler 9.1 ncore does not support the Application Firewall. For a summary of the features that are not supported in NetScaler 9.1 ncore, see the Citrix NetScaler 9.1 and NetScaler 9.1 ncore Release Notes.

Audience

This guide is intended for the following audience:
  IT Managers. IT managers or other individuals responsible for managing your network.
  System Administrators. Any system administrators responsible for managing your standalone Citrix Application Firewall, or your Citrix NetScaler Application Accelerator or NetScaler appliance.

The concepts and tasks described in this guide require you to have a basic understanding of networking and firewall concepts and terminology, the HTTP protocol, HTML and XML SOAP, and Web security.

Formatting Conventions

This documentation uses the following formatting conventions.

Convention: Meaning
Boldface: Information that you type exactly as shown (user input); elements in the user interface.
Italics: Placeholders for information or parameters that you provide. For example, FileName in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).
%SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.
Monospace: System output or characters in a command line. User input and placeholders also are formatted using monospace text.
{ braces }: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ]: Optional items in command statements. For example, in the following command, [-range positiveinteger] means that you have the option of entering a range, but it is not required:
  add lb vserver name servicetype IPAddress port [-range positiveinteger]
  Do not type the brackets themselves.
| (vertical bar): A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
  lbmethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at You can also get support from Citrix Customer Service at On the Support menu, click Customer Service. In addition to the CSN program and Citrix Customer Service, Citrix offers the following support options for the Citrix Application Firewall.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at Knowledge Center features include:
  A knowledge base containing thousands of technical solutions to support your Citrix environment
  An online product documentation library
  Interactive support forums for every Citrix product
  Access to the latest hotfixes and service packs
  Knowledge Center Alerts that notify you when a topic is updated
    Note: To set up an alert, sign in at and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.
  Security bulletins
  Online problem reporting and tracking (for organizations with valid support contracts)

Silver and Gold Maintenance

In addition to the standard support options, Silver and Gold maintenance options are available. If you purchase either of these options, you receive documentation with special Citrix Technical Support numbers you can call.

Silver Maintenance Option

The Silver maintenance option provides unlimited system support for one year. This option provides basic coverage hours, one assigned support account manager for nontechnical relations management, four named contacts, and advanced replacement for materials. Technical support is available at the following times:
  North America, Latin America, and the Caribbean: 8 A.M. to 9 P.M. U.S. Eastern Time, Monday through Friday
  Asia (excluding Japan): 8 A.M. to 6 P.M. Hong Kong Time, Monday through Friday
  Australia and New Zealand: 8 A.M. to 6 P.M. Australian Eastern Standard Time (AEST), Monday through Friday
  Europe, Middle East, and Africa: 8 A.M. to 6 P.M. Coordinated Universal Time (Greenwich Mean Time), Monday through Friday
Gold Maintenance Option

The Gold maintenance option provides unlimited system support for one year. Support is available 24 hours a day, 7 days a week. There is one assigned support account manager for nontechnical relations management, and there are six named contacts.

Subscription Advantage

Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site at (on the Support menu, click Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.

Education and Training

Citrix offers a variety of instructor-led and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available at

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send e-mail to the following alias or aliases, as appropriate. In the subject line, specify Documentation Feedback. Be sure to include the document name, page number, and product release version.
  For NetScaler documentation, send e-mail to [email protected].
  For Command Center documentation, send e-mail to [email protected].
  For Access Gateway documentation, send e-mail to

You can also provide feedback from the Knowledge Center at support.citrix.com/.

To provide feedback from the Knowledge Center home page
1. Go to the Knowledge Center home page at
2. On the Knowledge Center home page, under Products, expand NetScaler Application Delivery, and click NetScaler Application Delivery Software.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form and click Submit.
CHAPTER 1 Introduction

The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it.

To use the Application Firewall, you must configure at least one profile to tell it what to do with the connections it filters and one policy to tell it which connections to filter, and then associate the profile with the policy. You can configure an arbitrary number of different profiles and policies to protect more complex web sites. You can adjust how the Application Firewall operates on all connections in the Engine Settings. You can enable, disable, and adjust the settings of each security check separately. Finally, you can configure and use the included PCI-DSS report to assess your security configuration for compliance with the PCI-DSS standard.

You can configure the Application Firewall using either the Citrix NetScaler Configuration Utility (configuration utility) or the Citrix NetScaler Command Line Interface (NetScaler command line).

Note: The Application Firewall is not supported in NetScaler 9.1 ncore.

What is the Application Firewall?

The Application Firewall is a filter that sits between web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects web servers and web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, web server software, and the underlying operating system.
The Application Firewall is available on two platforms. First, the Citrix Application Firewall is a standalone appliance based on the Citrix NetScaler Application Accelerator platform and Citrix NetScaler Application Delivery System operating system. Second, the Citrix NetScaler Application Firewall feature is part of the Citrix NetScaler Application Delivery System, which runs on all models of the Citrix NetScaler Application Accelerator or Citrix NetScaler appliance. Therefore, users who want a dedicated Application Firewall can purchase a standalone Citrix Application Firewall. Users who want the Application Firewall functionality in addition to other NetScaler operating system features can purchase a new Citrix NetScaler appliance, or upgrade to version 9.1 of the NetScaler operating system and install it on their existing appliance.

Note: Citrix also supports the Citrix Application Firewall EX, which is built on a different hardware and operating system platform than the Application Firewall discussed in this manual. The Citrix Application Firewall EX has its own separate documentation set. This manual does not apply to the Citrix Application Firewall EX. If you need to obtain the Citrix Application Firewall EX documentation, contact Citrix Customer Support for further assistance.

What the Application Firewall Does

The Citrix Application Firewall protects web servers and web sites from misuse by hackers and malware, such as viruses and trojans, by filtering traffic between each protected web server and users that connect to any web site on that web server. The Application Firewall examines all traffic for evidence of attacks on web server security or misuse of web server resources, and takes the appropriate action to prevent these attacks from succeeding. Most types of attacks against web servers and web sites are launched to accomplish two overall goals. These are:

Obtaining private information. The Application Firewall watches for attacks intended to obtain sensitive private information from your web sites and the databases that your web sites can access. This information can include customer names, addresses, phone numbers, social security numbers, credit card numbers, medical records, and other private information. The hacker or malware author can then use this information directly, sell it to others, or both. Much of the information obtained by such attacks is protected by law, and all of it by custom and expectation. A breach of this type can have extremely serious consequences for customers whose private information was compromised. At best, these customers will have to exercise vigilance to prevent others from abusing their credit cards, opening unauthorized credit accounts in their name, or appropriating the customer's identity outright to commit criminal activities in their name (identity theft). At worst, the customers may face ruined credit ratings or even be blamed for criminal activities in which they had no part. If a hacker or malware author manages to obtain such information through your web site and then misuses it, that can create an embarrassing situation at best, and may expose your company to legal consequences.

Obtaining unauthorized access and control. The Application Firewall watches for attacks intended to give the attacker access to and control of your web server without your knowledge or permission. This prevents hackers from using your web server to host unauthorized content, act as a proxy for content hosted on another server, provide SMTP services to send unsolicited bulk e-mail, or provide DNS services to support these activities on other compromised web servers. Such activities constitute theft of your server capacity and bandwidth for purposes you did not authorize. By preventing unauthorized access to and control of your web servers, the Application Firewall also helps prevent the common practice of unauthorized modification of your home page or other pages on your web site (web site defacement). Most web sites that are hosted on hacked web servers (compromised web servers) promote questionable or outright fraudulent businesses. For example, the majority of pharming web sites, phishing web sites, and child pornography web sites (CP web sites) are hosted on compromised web servers. So are many sites that sell prescription medications without a prescription, illegal OEM copies of copyrighted software, and untested and often worthless quack medical remedies.
If a hacker or malware author manages to host such a web site on your company's web server, or use your company's web server to provide spam support services, that can create an embarrassing incident at the very least.

Many types of attacks can be used to obtain private information from or make unauthorized use of your web servers. These attacks include:

Buffer overflow attacks. Sending an extremely long URL, cookie, or other bit of information to a web server in hopes of causing it or the underlying operating system to hang, crash, or behave in some manner useful to the attacker. A buffer overflow attack can be used to gain access to unauthorized information, to compromise a web server, or both.

Cookie security attacks. Sending a modified cookie to a web server, usually in hopes of obtaining access to unauthorized content using falsified credentials.

Forceful browsing. Accessing URLs on a web site directly, without navigating to the URLs via hyperlinks on the home page or other common start URLs on the web site. Individual instances of forceful browsing may simply indicate a user who bookmarked a page on your web site, but repeated attempts to access non-existent content, or content that users should never access directly, often represent an attack on web site security. Forceful browsing is normally used to gain access to unauthorized information, but can also include a buffer overflow attack and be used to compromise your server.

Web form security attacks. Sending inappropriate content to your web site using a web form. Inappropriate content can include modified hidden fields, HTML or code in a field intended for alphanumeric data only, an overly long string in a field that accepts only a short string, an alphanumeric string in a field that accepts only an integer, and a wide variety of other data that your web site does not expect to receive in that web form. A web form security attack can be used either to obtain unauthorized information from your web site or to compromise the web site outright, usually when combined with a buffer overflow attack. In addition to standard web form security attacks, there are two specialized types of attacks on web form security that deserve special mention:
- SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords in a web form, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.
- Cross-site scripting attacks. Using a script on a web page to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different web site. Since scripts can obtain information and modify files on your web site, allowing a script access to content on a different web site can provide an attacker the means to obtain unauthorized information, to compromise a web server, or both.

XML security attacks. Sending inappropriate content to an XML-based web service or attempting to breach security on your XML-based web service. A number of special attacks can be made against XML-based web services using XML requests that contain malicious code or objects. These include attacks based on badly formed XML requests (XML requests that do not conform to the W3C XML specification), XML requests used to stage a denial of service (DoS) attack, and XML requests that contain attached files that can breach site security. In addition to standard XML-based attacks, there are two specialized types of XML attacks that deserve special mention:
- SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords in an XML-based request, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.
- Cross-site scripting attacks. Using a script included in an XML-based web service URL to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different web service. Since scripts can obtain information and modify files using your web service, allowing a script access to content belonging to a different web service can provide an attacker the means to obtain unauthorized information, to compromise the web service, or both.

The Application Firewall has special filters, or checks, that look for each of these types of attack and prevent them from succeeding. The checks use a range of filters and techniques to detect each attack, and respond to different types of attacks or potential attacks differently. A potential attack that does not pose a significant threat may simply be logged. If the same pattern of activity does not recur, it probably was not a deliberate attack and no further action is needed. A series of potential attacks may require a different response, which may include blocking further requests from that source.

The greatest threat against web sites and web services does not come from known attacks, however. It comes from new and unknown attacks, attacks for which the Application Firewall may not yet have a specific check. For this reason, the core Application Firewall methodology does not rely upon specific checks. It relies upon comparing requests and responses to a profile of normal use of a protected web site or web service. The user helps create the profile during initial configuration and at intervals thereafter by providing certain information to the Application Firewall. The Application Firewall then generates the rest of this profile using its learning feature. Thereafter, if a request or response falls outside of the profile for that web site or web service, either the threat in the request or response is neutralized, or the request or response is blocked. This is called a positive security model, and it allows the Application Firewall to protect a web site or web service against attacks for which it may not yet have specific checks.

In summary, the Application Firewall prevents outsiders from misusing your web sites and web services for their own purposes. It ensures that your web sites and web services are used as you intended them to be used, for your benefit and that of your customers. The following section explains in more detail how the Application Firewall performs these tasks.
How the Application Firewall Works

The Application Firewall protects your web sites and web services by filtering traffic to and from them, and blocking or rendering harmless any attacks or threats that it detects. This subsection provides an outline of the filtering process it uses to accomplish this.

The platform on which the Application Firewall is built is the Citrix NetScaler Application Delivery product line, which can be installed as either a layer 3 network device or a layer 2 network bridge between your servers and your users, usually behind your company's router or firewall. Depending on which Application Firewall model you have and which other tasks it performs, you may install it in different locations and configure it differently. To function, however, an Application Firewall must be installed in a location where it can intercept traffic between the web servers you want to protect and the hub or switch through which users access those web servers. You then configure the network to send requests to the Application Firewall instead of directly to your web servers, and responses to the Application Firewall instead of directly to your users.

The Application Firewall then filters that traffic before forwarding it to its final destination. It examines each request or response using both its internal rule set and your additions and modifications. In addition to profiling the web servers it protects using its learning feature, the Application Firewall also profiles each specific user's session in real time to determine if incoming traffic from that user to your web server, and outgoing traffic from your web server to that user, is appropriate in light of previous requests from the user during the current session. It then blocks or renders harmless any that trigger a specific check or that fail to match the web site profile. The figure below provides an overview of the filtering process.
[Figure: A Flowchart of Application Firewall Filtering]

As the figure shows, when a user requests a URL on a protected web server, the Application Firewall first examines the request to ensure that it violates no network security rules. These rules check for DoS attacks and other types of network attacks that are not specific to web servers. Many of those attacks do not require the same level of analysis to detect as many web site or web services attacks do. Detecting and stopping these attacks before analyzing requests further reduces overall load on the Application Firewall.

If the request passes network security inspection, the Application Firewall checks to see if the request needs further filtering. Requests for certain types of content, such as image files, do not require further analysis. Requests for HTML-based web pages, web services, or active content do require further analysis, and are passed to the Application Firewall filtering engine.
The Application Firewall then examines the request, applying all relevant checks and comparing it to the profile it has of the protected web site or web service. If the request passes the Application Firewall security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall passes the request on to the server.

The web site or web service sends its response back to the Application Firewall, which examines the response. If the response does not violate any security checks, it is passed to the Rewrite feature, which applies any Rewrite rules. Finally, the Application Firewall forwards the response to the user. This process is repeated for each request and response.

In summary, the Application Firewall filters HTTP traffic for security-related issues at two points in the HTTP request/response cycle: it filters requests before they are sent to the server, and responses before they are sent to the user. When it detects a problem, it either neutralizes the problem or, if it cannot, blocks the request or response.

The Application Firewall Platform

The Citrix Application Firewall is built on the NetScaler operating system platform. It is fully integrated into the appliance platform and interoperates cleanly with all other appliance features. The appliance software runs on several types of hardware and a range of different servers optimized for different levels and types of network traffic. All are collectively referred to as the Citrix NetScaler Application Delivery product line. As of the NetScaler operating system 8.0 release, the Application Firewall has been available as a licensed feature. You can also purchase a standalone Citrix Application Firewall based on the same platform. For more information about the hardware platforms in the Citrix NetScaler Application Delivery product line, see Installing the Server on page 19.
For complete information about the Citrix NetScaler Application Delivery product line, see the Installation and Configuration Guide.

The Application Firewall on a Network

To do its work properly, any Application Firewall model must be installed in the right place on your network. The location must allow traffic to and from your protected web servers to be routed through the Application Firewall. You can ensure this by installing the Application Firewall in a location where traffic to and from your web servers must pass through it, or you can use virtual LANs (VLANs) to ensure that your network can distinguish between packets that need to be routed to the Application Firewall, and packets that the Application Firewall has already filtered and that can be sent to the web server or user, as appropriate.
Although the appliances in the Citrix NetScaler Application Delivery product line are normally installed as layer 3 devices, none of them acts like a traditional layer 3 or layer 4 firewall when filtering traffic to and from your protected web servers. The Application Firewall itself analyzes only HTTP requests and responses, and analyzes HTTP traffic at a different level than a traditional firewall does. Therefore, only requests to your web sites or web services that might contain attacks are sent to the Application Firewall.

A NetScaler appliance must see and route other types of traffic than simply HTTP connections because it will have multiple appliance features licensed and enabled. Some of the other appliance features block DoS and DDoS attacks, accelerate throughput to and from your applications, and provide secure access to servers and applications. When installing a NetScaler appliance, you will therefore need to determine the best location in light of all the features you plan to use. The appliance OS then determines which packets need to be processed by the Application Firewall and routes only those packets to it.

If you are installing or already use a NetScaler appliance and have licensed the Application Firewall feature, you must first determine which other appliance features you will use in addition to the Application Firewall. You should then determine where on your network to install your NetScaler appliance so that it can intercept all incoming traffic that it must process, and as little additional traffic as possible. The best solution will depend heavily on the configuration of your individual network. Because a NetScaler appliance is a multipurpose appliance, you probably will need to install it in a central location in your network, where it can intercept much (if not all) traffic entering your network from the outside. You may also not have the option of installing it within the same subnet as the servers that host your protected web sites or web services. These factors will require some additional configuration of your NetScaler appliance so that it can identify and properly route traffic to the Application Firewall.

The User Interfaces

All models in the Citrix NetScaler Application Delivery product line can be configured and managed from either of two different user interfaces: the command line-based Citrix NetScaler Command Line Interface (the NetScaler command line) and the web-based Citrix NetScaler Configuration Utility (the configuration utility).
The Citrix NetScaler Command Line Interface

The Citrix NetScaler Command Line Interface (NetScaler command line) is a modified UNIX shell based on the FreeBSD bash shell. To configure the Application Firewall using the NetScaler command line, you type commands at the prompt and press the Enter key, just as you do with any other UNIX shell. The figure below shows the NetScaler command line as it appears immediately after you log on.

Note: The actual appearance of the NetScaler command line window varies somewhat depending on which SSH program you use to connect to the NetScaler command line.

[Figure: The NetScaler command line after Logging On]

The format of NetScaler command line commands is:

    > action groupname entity <entityname> [-parameter]
For action, you substitute the action you want to perform. For groupname, you substitute the groupname associated with the feature or task. For entity, you substitute the specific type of object you are viewing or changing. For <entityname>, you substitute the IP, hostname, or other specific name for the entity. Finally, for [-parameter], you substitute one or more parameters (if any) that your command requires.

For example, you use the add appfirewall profile command to create a profile named HTML with basic defaults, as shown below.

    > add appfirewall profile HTML -defaults basic
     Done
    >

In this command, add is the action; appfirewall is the groupname; profile is the entity; HTML is the <entityname>; and -defaults basic is the parameter. Since the command produces no output, the NetScaler command line simply informs you that it has performed the command by printing Done, and then returns to the prompt.

You use the show appfirewall profile command to review all profiles that currently exist on your Application Firewall, as shown below:

    > show appfw profile
    3) Name: HTML1
       ErrorURL: /
       StripComments: ON
       DefaultCharSet: iso
       StartURLAction: block log stats
       StartURLClosure: OFF
       DenyURLAction: block log stats
       XSSAction: block log stats
       XSSTransformUnsafeHTML: OFF
       XSSCheckCompleteURLs: OFF
       SQLAction: block log stats
       SQLTransformSpecialChars: OFF
       SQLOnlyCheckFieldsWithSQLChars: ON
       FieldConsistencyAction: none
       CookieConsistencyAction: none
       BufferOverflowAction: block log stats
       BufferOverflowMaxURLLength: 1024
       BufferOverflowMaxHeaderLength: 4096
       BufferOverflowMaxCookieLength: 4096
       FieldFormatAction: block log stats
       DefaultFieldFormatType: ""
       DefaultFieldFormatMinLength: 0
       DefaultFieldFormatMaxLength:
       CommerceAction: block log stats
       CommerceCard:
       CommerceMaxAllowed: 0
       CommerceXOut: OFF
     Done
    >

Unlike the add appfirewall profile command, this command has output, and that output is displayed beneath the line where you typed the command. The output terminates with Done, and beneath that, a new prompt is displayed.

Another useful command, the show config command, lacks everything after the groupname. It has no entity or parameters, as shown below.
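As an added example that is not from the guide, the following Python script parses a show appfw profile listing in the format shown above into one dictionary per profile and reports the security checks whose action does not include block (that is, a disabled or log-only check); the profile names and values in the embedded sample are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the "show appfw profile" listing in this
# chapter; the profile names and setting values are made up for the example.
SAMPLE_OUTPUT = """\
> show appfw profile
1)  Name: HTML_strict
    ErrorURL: /
    StripComments: ON
    StartURLAction: block log stats
    StartURLClosure: OFF
    DenyURLAction: block log stats
    XSSAction: block log stats
    SQLAction: block log stats
    FieldConsistencyAction: block log stats
    CookieConsistencyAction: block log stats
    BufferOverflowAction: block log stats
    BufferOverflowMaxURLLength: 1024
2)  Name: HTML_lax
    ErrorURL: /
    StripComments: OFF
    StartURLAction: log stats
    StartURLClosure: OFF
    DenyURLAction: block log stats
    XSSAction: none
    SQLAction: block log stats
    FieldConsistencyAction: none
    CookieConsistencyAction: none
    BufferOverflowAction: block log stats
    DefaultFieldFormatMaxLength:
 Done
>
"""

# "3) Name: HTML1" opens a profile; every other "Key: value" line is a setting.
PROFILE_START = re.compile(r"^\s*\d+\)\s+Name:\s*(\S+)")
SETTING = re.compile(r"^\s*([A-Za-z0-9]+):\s*(.*)$")


def parse_show_appfw_profile(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the listing into {profile_name: {setting: value}}.

    Lines that are not "Key: value" (the echoed command, "Done", the
    prompt) are ignored. A setting with no value, as occurs in the guide's
    own listing, is kept with an empty string rather than dropped.
    """
    profiles: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        start = PROFILE_START.match(line)
        if start:
            current = start.group(1)
            profiles[current] = {}
            continue
        setting = SETTING.match(line)
        if setting and current is not None:
            profiles[current][setting.group(1)] = setting.group(2).strip()
    return profiles


def non_blocking_checks(settings: Dict[str, str]) -> List[str]:
    """Return the *Action settings whose value does not include "block".

    "none" means the check is switched off; "log stats" without "block"
    means the check reports the violation but lets the request through.
    Both are worth flagging for a profile meant to enforce, not observe.
    """
    findings = []
    for key, value in settings.items():
        if key.endswith("Action") and "block" not in value.split():
            findings.append(key)
    return sorted(findings)


def audit(text: str) -> Dict[str, List[str]]:
    """Map each profile in the listing to its list of non-blocking checks."""
    return {
        name: non_blocking_checks(settings)
        for name, settings in parse_show_appfw_profile(text).items()
    }


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_OUTPUT).items():
        status = "all checks block" if not gaps else "non-blocking: " + ", ".join(gaps)
        print(f"{name}: {status}")
```

Feed it the saved output of show appfw profile from your own appliance in place of the sample to get the same report for every profile you have configured.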
    > show config
    NetScaler IP: (mask: )
    Number of MappedIP(s): 1
    Node: Standalone
    Global configuration settings:
    HTTP port(s): (none)
    Max connections: 0
    Max requests per connection: 0
    Client IP insertion: DISABLED
    Cookie version: 0
    Min Path MTU: 576
    Path MTU entry timeout: 10
    FTP Port Range: 0
     Done
    >

You use the show config command to determine the appliance IP and global configuration settings. To determine the settings for any specific configuration area, you use the show action with the appropriate groupname and entity, as you did above to view the Application Firewall profile settings.

There are an enormous number of commands and variations available at the NetScaler command line. A small number of these commands that you can use to configure various parts of the Application Firewall are described in this manual. For a complete description of the commands available at the NetScaler command line, see the Citrix NetScaler Command Reference Guide.

The Citrix NetScaler Configuration Utility

The configuration utility is a web-based interface used to configure the Application Firewall. You can perform almost any configuration task using the configuration utility. Less experienced users usually find the configuration utility the easiest interface to use. The figure below shows the configuration utility's System Overview screen.
[Figure: The Citrix NetScaler Configuration Utility, System Overview]

Note: The items displayed in the navigation tree on the left of the configuration utility window differ depending on which features are licensed on your NetScaler appliance.

The configuration utility screen has three areas that organize the work of configuring all the features you licensed on your Citrix NetScaler Application Accelerator or NetScaler appliance.

Logo bar. The logo bar extends along the top of the configuration utility window. On the left the Citrix logo and Access Gateway Enterprise Edition title appear. On the right is a horizontal row of global hyperlinks that allow you to control the look and feel of the configuration utility screen, save your settings, do a complete refresh of the entire configuration utility display, log out, and access the online help.

Navigation tree. The navigation tree extends down the left side of the screen, and provides a collapsible menu that contains links to all screens in the configuration utility. To navigate to a screen within a category, you click the plus (+) sign to expand that category. When a submenu is open, the plus sign changes to a minus (-) sign and all screens and subcategories within that category are displayed.
- To display a category or subcategory, you click the plus sign beside the category or subcategory title.
- To collapse a category or subcategory that has been displayed, you click the minus sign beside the title of that category.

Page Title bar. The page title bar extends horizontally across the screen, directly beneath the logo bar and to the right of the navigation menu. It contains the title of the current page, and on the right a button that allows you to refresh just that page.

Page Data area. The page data area contains the information for the page you have displayed at the time. If the data area contains more information than can easily fit on one page, it may have multiple pages that you access by clicking tabs at the top of the data area. For example, the System Overview screen shown in the screen shot titled The Citrix NetScaler Configuration Utility, System Overview on page 13 has two tabs: the System Information and System Sessions tabs.

Note: The data area on most pages in the configuration utility is read-only. To add a configuration entry or modify an existing configuration entry, you normally click the appropriate button at the bottom of the data area and use the dialog box that appears to make your changes.

In addition to the main screens, the configuration utility makes considerable use of wizards and other types of dialog boxes. A dialog box is a standalone window that asks you a question or prompts you to fill in a form that asks for a set of related data points. You click a button at the bottom or the right of the dialog box to respond to the question (usually a Yes or No button) or to indicate that you've finished filling in the form (usually an OK or Cancel button).

Wizards organize a related set of tasks in a logical workflow, displaying each task on a separate page and prompting you to perform that task before you proceed to the next task. The pages within a wizard also contain short explanations of what each task is for and what it does. To use a wizard, you simply follow the instructions on each page, and when you have finished, click the Next > button to proceed to the next page and next task. If at any point you need to change a setting you made on a previous page, you can click the < Back button to return to that page and modify your work. Then, you click the Next > button to return to the task you were completing previously.

You are likely to encounter two wizards quickly: the Setup Wizard and the Upgrade Wizard. The figure below shows the first screen of the Setup Wizard.
[Figure: The Setup Wizard, First Screen]

The Setup Wizard takes you through the process of initial configuration of your NetScaler appliance, prompting you for the necessary information at each step. The Setup Wizard and other wizards in the configuration utility can make the sometimes-daunting job of configuring a new NetScaler appliance much easier. The figure below shows the first screen of the Upgrade Wizard.

[Figure: The Upgrade Wizard, First Screen]
The Upgrade Wizard, like the Setup Wizard, takes you through a set of screens. Instead of performing an initial configuration, however, it takes you through the process of upgrading your NetScaler appliance, prompting you for the necessary information at each step.

This concludes the current chapter. If you are installing a new Citrix NetScaler appliance, proceed to Chapter 2, Installation, on page 17. If you are upgrading the NetScaler operating system on a Citrix NetScaler appliance that you already own, and want to enable and configure the Citrix NetScaler Application Firewall feature, proceed directly to Chapter 3, Simple Configuration, on page 67.
CHAPTER 2
Installation

This chapter contains basic installation instructions for two types of system:
- The standalone Citrix Application Firewall, built on the Citrix NetScaler platform.
- Any appliance in the Citrix NetScaler Application Delivery product line that runs the Citrix NetScaler Application Firewall feature.

Note: If you already have a NetScaler appliance installed on your network, have just upgraded to the NetScaler 9.1 release, and have licensed the Citrix NetScaler Application Firewall feature, you do not need to read this chapter. Your appliance is already installed and has already had initial configuration performed on it. Skip to Chapter 3, Simple Configuration, on page 67.

The first section provides a detailed look at all of the hardware platforms (or appliances) on which the standalone or embedded Application Firewall runs, shows where ports and other important features are located on each unit, and explains what you must do to get the appliance properly installed on your network. The second section describes what you must do to perform initial configuration of the NetScaler operating system. When you have finished installing the appliance and performing initial configuration, your appliance will be ready for you to configure the Application Firewall itself.

Planning the Installation

The Citrix NetScaler Application Delivery product line supports a wide range of installation modes, depending on which NetScaler features you will use and how your network is set up. This section provides instructions for installing a standalone Citrix Application Firewall, or for performing a simple installation of a single Citrix NetScaler appliance. For more detailed information about a wider range of available configurations, including high availability (HA) pairs and SSL VPN, see the Installation and Configuration Guide, Volume 1, Chapter 2, Installing the Application Switch.
The NetScaler appliance can be installed with a single connection via one hub or switch to your network (called one-arm mode), or with two connections to different hubs or switches to two different subnets (called two-arm mode). The following figure provides a conceptual illustration of both modes.

[Figure: Citrix NetScaler appliance Installation Modes. Two panels, One-Arm Mode and Two-Arm Mode; labeled elements: Router, Layer 2 Switch, Application Firewall, Protected Web Servers.]

Each installation mode has its advantages. With a one-arm mode installation, you do not have to worry about complex webs of connections. You simply connect the appliance and the web servers it protects to a single layer 2 switch, and set up VLANs to handle routing. With a two-arm mode installation, however, the appliance is physically located between the web servers it protects and your users. Connections must pass through it, minimizing chances that a route can be found around it. This may enhance security.

You must also consider whether to install the appliance on the same subnet as the web servers it protects, or on a different subnet from some or all of them. In a single subnet networking environment, the appliance's IP address, mapped IP address (MIP) and the IP address of all servers the Application Firewall manages are on the same subnet. Installation on a single subnet is easier to configure, but may require more work overall if the web servers you want to protect are currently on different subnets or are installed on a subnet which cannot accommodate the appliance.
In a multiple subnet networking environment, the appliance's IP address, mapped IP address (MIP), and the IP addresses of the servers it connects to are on two or more subnets. Installation on multiple subnets may require that you add static routes and make other configuration adjustments to ensure that the appliance and the servers it manages are able to connect to each other correctly, and that incoming traffic to a managed server goes through the NetScaler appliance before being sent to the managed server.

There is no single right configuration for installations. You should review your network and decide where to install your appliance based on which features you will enable and which servers it will manage. Once you have decided where to install your appliance and how to connect it to your network, you can proceed with the installation.

Installing the Server

This section describes how to install your NetScaler appliance in your server room. It describes the hardware platforms on which these servers are built, and tells you how to operate each unit properly. As of the current release, the hardware platforms on which all models in the Citrix NetScaler Application Delivery product line are available are the Citrix NetScaler 7000, the Citrix NetScaler 9000, the Citrix NetScaler 9010, the Citrix NetScaler 10000, the Citrix NetScaler 10010, the Citrix NetScaler 12000, the Citrix NetScaler MPX 15000, and the Citrix NetScaler MPX. The Application Firewall can be licensed on any of these hardware platforms as part of any model of the NetScaler appliance. The standalone Citrix Application Firewall is available on the Citrix NetScaler 7000 and the Citrix NetScaler platforms. Before installing your appliance, you must first determine which hardware platform your Application Firewall uses.
- Citrix NetScaler. If you are installing a unit built on the 7000 platform, proceed to The Citrix NetScaler 7000 on page 20.
- Citrix NetScaler. If you are installing a unit built on the 9010 platform, proceed to The Citrix NetScaler 9010 on page 22.
- Citrix NetScaler. If you are installing a unit built on the platform, proceed to The Citrix NetScaler on page 26.
- Citrix NetScaler. If you are installing a unit built on the platform, proceed to The Citrix NetScaler on page 30.
- Citrix NetScaler MPX. If you are installing a unit built on the platform, proceed to The Citrix NetScaler MPX on page 33.
- Citrix NetScaler MPX. If you are installing a unit built on the platform, proceed to The Citrix NetScaler MPX on page 33.

The Citrix NetScaler 7000

The Citrix NetScaler 7000 model is a single processor, 1U unit that supports both Fast Ethernet and copper Gigabit Ethernet. The unit ships with 1 GB of memory by default. The 7000 handles up to 50,000 HTTP requests per second and up to 4,400 SSL transactions per second. It has a system throughput of 600 Mbps, and SSL and compression throughputs of 150 Mbps. The figure below contains a drawing of the 7000 as seen from the front, with ports and important features labeled.

[Figure: The Citrix NetScaler 7000, From the Front]

You use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws. The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

The Citrix NetScaler 7000 has the following ports on the front of the unit:
- Four 10/100Base-T network interfaces (labeled 1/1, 1/2, 1/3, and 1/4)
- Two 10/100/1000Base-T network interfaces (labeled 1/5 and 1/6)
- Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable, as described in Using the Configuration Utility, on page 40.
The figure below shows a drawing of the 7000 from the back, with important features labeled.

[Figure: The Citrix NetScaler 7000, From the Back. Labels: Second Power Switch, Fan, Power Supply, Hard Disk, Power Switch, Compact Flash Drive and Release Button]

To plug in the 7000, simply insert the supplied power cord into the power supply, and plug the other end into an appropriately grounded outlet. To power down the 7000, you should first execute a controlled shutdown via the CLI or GUI. Then, press the main power supply switch on the rear right-hand side of the unit to switch the unit off.

Before you install the 7000, ensure that you have the following items available:
- The power cord and serial cable, which are supplied with the unit.
- One to four ethernet cables, which are not supplied with the unit.
- Four rack screws and a screwdriver.

You are now ready to install the unit.

To install the Citrix NetScaler 7000 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration. If you are installing the appliance on your server room rack, you should install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance. Use four rack screws to secure the unit to the rack.
3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

4. Turn on the appliance by tapping the power switch quickly, and then letting up. The appliance will perform a series of power-on tests that take approximately a minute as it comes up.

You have now successfully installed your Citrix NetScaler appliance. Proceed to Performing Initial Configuration, on page 39 to configure it.

The Citrix NetScaler 9010

The Citrix NetScaler 9010 is a single processor, 2U unit that ships with 2 GB of memory. The user can specify either four fiber Gigabit 1000Base-X optical ethernet ports (fiber version) or four 10/100/1000Base-T copper ethernet ports (copper version) when ordering the unit. The 9010 can process up to 125,000 HTTP requests per second and 4,400 SSL requests per second. It has 2,000 Mbps system throughput, 500 Mbps SSL throughput, and 400 Mbps compression throughput. The figure below shows a drawing of the 9010 (fiber version) as seen from the front, with ports and important features labeled clearly.

[Figure: The Citrix NetScaler 9010 (fiber version), From the Front. Labels: Rack mounts, Handle to carry the unit, LCD Display, RS232 Serial Port, Four Optical 1000base-X Ethernet Ports]

The 9010 (fiber version) has the following ports on the front:
- Four fiber Gigabit 1000-Base-X optical network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.
- Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

When facing the bezel, the upper LEDs to the left of each port inset represent connectivity. They are lit and amber in color when active. The lower LEDs represent throughput. They are lit and green when active.

The figure below shows a drawing of the 9010 (copper version) as seen from the front, with ports and important features labeled clearly.

[Figure: The Citrix NetScaler 9010 (copper version), From the Front. Labels: Rack mounts, Handle to carry the unit, LCD Display, RS232 Serial Port, Four 10/100/1000base-T Copper Ethernet Ports]

The 9010 (copper version) has the following ports on the front:
- Four 10/100/1000-Base-T copper ethernet network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.
- Serial port (9600 baud, 8 bits, 1 stop bit, No parity)

For both 9010 versions, you use the handles to carry the unit. You mount the unit onto your server room rack and screw the rack mounts to the rack using standard rack-mount screws. The LCD display on both versions consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens with real-time statistics, diagnostic information and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable. The figure below shows the 9010 from the back, with ports and important features clearly labeled.
[Figure: The Citrix NetScaler 9010, From the Back. Labels: Power switch, Non-maskable interrupt (NMI) button, Disable alarm button, Two removable power supplies, 10/100Base-T copper Ethernet port, Hard disk, Compact flash drive and release button]

To power the unit off, you press the left side of the power switch until it clicks down. To power it on, you press the right side until it clicks down. You can use the 10/100/1000Base-T copper ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit. The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

The appliance has two power supplies. Normally you will want to plug two power cords, one into each power supply and then into separate wall sockets. The unit functions properly with only one working power supply, however; the extra power supply serves as a fail-safe precaution. In the event that one power supply fails, or if you choose to connect only one power cord to the unit, an alarm sounds. You push the Disable Alarm button to silence the alarm.

Caution: If you choose to continue operating the 9010 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

Before you install the 9010, ensure that you have the following items available:
- The power cord and serial cable, which are supplied with the unit.
- One to four ethernet cables, which are not supplied with the unit.
- If you are installing a 9010 (fiber version), four Finisar Active Copper SFP transceivers, which are also supplied with the appliance.
- Four rack screws and a screwdriver.

You are now ready to install the 9010.
To install the Citrix NetScaler 9010 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

   Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration. If you are installing the appliance in your server room rack, install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance. Use four rack screws to secure the unit to the rack.

3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

   Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

4. Turn on the appliance by tapping the power switch quickly and then letting up. The appliance performs a series of power-on tests that take approximately a minute as it comes up.

5. Take an Ethernet cable, connect one end to interface 1/4, and connect the other end to the switch or hub that leads to your WAN or the internet. You can use a different interface number if you prefer; the appliance automatically detects which interfaces are in use and which networks they are connected to.

6. If you are installing your appliance in two-arm mode, take another Ethernet cable, connect one end to interface 1/3, and connect the other end to the switch or hub that leads to your LAN. Again, you can use a different interface number if you prefer.

You have now installed your Citrix NetScaler 9010. Proceed to Performing Initial Configuration, on page 39, to configure it.
The Citrix NetScaler 10010

The Citrix NetScaler 10010 is a single-processor, 2U unit that ships by default with 2 GB of memory, four fiber Gigabit 1000Base-X optical Ethernet ports, and four 10/100/1000Base-T copper Ethernet ports. The unit can process up to 255,000 HTTP requests per second and 8,800 SSL requests per second. It has 4,800 Mbps system throughput, 760 Mbps SSL throughput, and 555 Mbps compression throughput.

The following figure shows a drawing of the 10010 as seen from the front, with ports and other important features labeled.

[Figure: The Citrix NetScaler 10010, from the front. Labeled: rack mounts, carry handles, LCD display, RS232 serial console port, four 10/100/1000Base-T copper Ethernet ports, four Gigabit SFP ports.]

The 10010 has the following ports on the front:

- Four fiber Gigabit 1000Base-X optical network interfaces, labeled 1/1, 1/2, 1/3, and 1/4.
- Four 10/100/1000Base-T copper Ethernet network interfaces, labeled 1/5, 1/6, 1/7, and 1/8.
- Serial port (9600 baud, 8 bits, 1 stop bit, no parity).

When facing the bezel, the upper LED to the left of each fiber port indicates connectivity; it is lit and amber when active. The lower LED indicates throughput; it is lit and green when active.

You use the handles to carry the unit. You mount the unit in your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens showing real-time statistics, diagnostic information, and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.
If you choose, you can convert the 1000Base-X ports on the unit to 10/100/1000Base-T ports using the Finisar Active Copper SFP transceiver. The following figure shows examples of the transceivers, and how they plug into the 1000Base-X ports to convert them to copper Ethernet ports.

[Figure: The Citrix NetScaler 10010, from the front, details. Panels: Finisar Active Copper SFP transceivers plugged in and locked in place; transceiver in the unlocked position, seen from the side; transceiver in the locked position, seen from the side.]

To insert a transceiver into a 1000Base-X port, first lower the transceiver lock bar into its unlocked position. Next, insert the transceiver into the port and press firmly until it clicks into place. Finally, raise the lock bar to its up (locked) position, and plug an Ethernet cable into the port.

Note: If you do not insert and lock the transceiver correctly, you will be unable to plug an Ethernet cable into the port.

You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable. For more information on how to do this, see To log on to the NetScaler command line via the serial port, on page 60.

The following figure shows the 10010 from the back, with ports and important features labeled.
[Figure: The Citrix NetScaler 10010, from the back. Labeled: power switch, non-maskable interrupt (NMI) button, disable alarm button, two removable power supplies, 10/100Base-T copper Ethernet port, hard disk, compact flash drive and release button.]

To power the unit off, press the left side of the power switch until it clicks down. To power it on, press the right side until it clicks down.

Use the 10/100/1000Base-T copper Ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit.

The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

The unit has two power supplies. Normally you plug in two power cords, one into each power supply, and then into separate wall sockets. The unit functions properly with only one working power supply; the second power supply serves as a fail-safe. If one power supply fails, or if you connect only one power cord to the unit, an alarm sounds. Push the Disable Alarm button to silence the alarm.

Caution: If you continue operating the 10010 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

Before you install the 10010, ensure that you have the following items available:

- The power cord and serial cable, which are supplied with the appliance.
- Four Finisar Active Copper SFP transceivers, which are also supplied with the appliance.
- One to four Ethernet cables, which are not supplied with the unit.
- Four rack screws and a screwdriver.

You are now ready to install the 10010.
To install the Citrix NetScaler 10010 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

   Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration. If you are installing the appliance in your server room rack, install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance. Use four rack screws to secure the unit to the rack.

3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

   Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

4. Turn on the appliance by tapping the power switch quickly and then letting up. The appliance performs a series of power-on tests that take approximately a minute as it comes up.

5. Take an Ethernet cable, connect one end to interface 1/8, and connect the other end to the switch or hub that leads to your WAN or the internet. You can use a different interface number if you prefer; the appliance automatically detects which interfaces are in use and which networks they are connected to.

6. If you are installing your appliance in two-arm mode, take another Ethernet cable, connect one end to interface 1/7, and connect the other end to the switch or hub that leads to your LAN. Again, you can use a different interface number if you prefer.

You have now installed your Citrix NetScaler 10010. Proceed to Performing Initial Configuration, on page 39, to configure it.
The Citrix NetScaler 12000

The Citrix NetScaler 12000 is a high-capacity, fault-tolerant hardware platform intended for heavy use in enterprise environments. The unit is a double form factor (2U) rack-mountable unit, 24 in/61 cm deep, that weighs 52 lb/24 kg. It is designed to be installed in a rack in an air-conditioned server room. The unit can process up to 275,000 HTTP requests per second and 28,000 SSL requests per second. It has 6,000 Mbps system throughput, 3,000 Mbps SSL throughput, and 1,300 Mbps compression throughput.

The following figure shows the unit from the front, with ports and other important features labeled.

[Figure: The Citrix NetScaler 12000, from the front. Labeled: rack mounts, carry handles, LCD display, RS232 serial console port, eight Gigabit SFP ports (1/1 through 1/8).]

You use the handles to carry the unit. You mount the unit in your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens showing real-time statistics, diagnostic information, and active alerts. For more information about the LCD and how to configure it, see the Installation and Configuration Guide, Volume 1, Chapter 3, Configuring the Application Switch, Understanding the LCD Monitor.

You can use the serial port to connect a notebook computer directly to the unit using the supplied serial cable, as described in To log on to the NetScaler command line via the serial port, on page 60.

The following figure shows examples of the Finisar Active Copper SFP transceivers, and how they plug into the 1000Base-X ports.
[Figure: The Citrix NetScaler 12000, from the front, details. Panels: Finisar Active Copper SFP transceivers plugged in and locked in place; transceiver in the unlocked position, seen from the side; transceiver in the locked position, seen from the side.]

To insert a transceiver into a 1000Base-X port, first lower the transceiver lock bar into its unlocked position. Next, insert the transceiver into the port and press firmly until it clicks into place. Finally, raise the lock bar to its up (locked) position, and plug an Ethernet cable into the port.

Note: If you do not insert and lock the transceiver correctly, you will be unable to plug an Ethernet cable into the port.

The following figure shows the back of the 12000, with ports and other important features labeled.

[Figure: The Citrix NetScaler 12000, from the back. Labeled: power switch, non-maskable interrupt (NMI) button, disable alarm button, two removable power supplies, 10/100Base-T copper Ethernet port, hard disk, compact flash drive and release button.]

To power the unit off, press the left side of the power switch until it clicks down. To power it on, press the right side until it clicks down.
Use the 10/100/1000Base-T copper Ethernet port to connect the unit to a secure control network that you then use to configure and manage the unit.

The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

The unit has two power supplies. Normally you plug in two power cords, one into each power supply, and then into separate wall sockets. The unit functions properly with only one working power supply; the second power supply serves as a fail-safe. If one power supply fails, or if you connect only one power cord to the unit, an alarm sounds. Push the Disable Alarm button to silence the alarm.

Caution: If you continue operating the 12000 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

Before you install the 12000, ensure that you have the following items available:

- The power cord and serial cable, which are supplied with the appliance.
- Eight Finisar Active Copper SFP transceivers, which are also supplied with the appliance.
- One to eight Ethernet cables, which are not supplied with the unit.
- Four rack screws and a screwdriver.

You are now ready to install the 12000.

To install the Citrix NetScaler 12000 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

   Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration. If you are installing the appliance in your server room rack, install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance. Use four rack screws to secure the unit to the rack.

3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

   Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

4. Turn on the appliance by tapping the power switch quickly and then letting up. The appliance performs a series of power-on tests that take approximately a minute as it comes up.

5. Take a Finisar transceiver and an Ethernet cable, insert the transceiver into interface 1/8, and connect the cable to that interface. You can use a different interface number if you prefer; the appliance automatically detects which interfaces are in use and which networks they are connected to.

6. Connect the other end of the cable to a hub or switch that connects to your network.

7. If you are installing your appliance in two-arm mode, repeat the previous two steps, connecting a cable from interface 1/7 to another hub or switch that connects to a different part of your network. Again, you can use a different interface number if you prefer.

You have now installed your Citrix NetScaler 12000. Proceed to Performing Initial Configuration, on page 39, to configure it.

The Citrix NetScaler MPX 15000

The Citrix NetScaler MPX 15000 is a high-capacity, fault-tolerant hardware platform intended for heavy use in enterprise environments. The unit is a double form factor (2U) rack-mountable unit, 18.5 in/47 cm deep, that weighs 52 lb/24 kg. It is designed to be installed in a rack in an air-conditioned server room.

The following figure shows the unit from the front, with ports and other important features labeled.
[Figure: The Citrix NetScaler MPX 15000, from the front. Labeled: rack mounts, carry handles, LCD display, RS232 serial console port, 1000Base-T MGMT port, eight 1000Base-X SFP ports, two 10G XFP ports.]

You use the handles to carry the unit. You mount the unit in your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens showing real-time statistics, diagnostic information, and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

You can use the RS232 serial console port to connect a notebook computer directly to the unit using the supplied serial cable, as described in To log on to the NetScaler command line via the serial port, on page 60.

You use the 10/100/1000Base-T copper Ethernet MGMT port to connect the unit to a secure control network that you then use to configure and manage the unit.

The 15000 has eight Gigabit SFP ports and two 10 Gigabit XFP ports. You convert the SFP ports to either 10/100/1000Base-T copper Ethernet ports or 1 Gbps fiber ports using the appropriate transceivers, which are included with the unit. You convert the XFP ports to 10 Gbps fiber ports using the XFP transceivers included with the unit.

The following figure shows the back of the 15000, with ports and other important features labeled.
[Figure: The Citrix NetScaler MPX 15000, from the back. Labeled: removable compact flash drive and release button, power supplies with fan.]

The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

The unit has two power supplies. Normally you plug in two power cords, one into each power supply, and then into separate wall sockets. The unit functions properly with only one working power supply; the second power supply serves as a fail-safe.

Caution: If you continue operating the 15000 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

Before you install the 15000, ensure that you have the following items available:

- The power cord and serial cable, which are supplied with the appliance.
- Eight Finisar Active Copper SFP transceivers or eight Finisar SFP fiber transceivers, which are supplied with the appliance.
- Two Finisar XFP fiber transceivers, which are supplied with the appliance.
- One to eight network cables of the appropriate type, which are not supplied with the unit.
- Four rack screws and a screwdriver.

You are now ready to install the 15000.

To install the Citrix NetScaler MPX 15000 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.

   Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.
2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration. If you are installing the appliance in your server room rack, install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance. Use four rack screws to secure the unit to the rack.

3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

   Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

   The appliance performs a series of power-on tests that take approximately a minute as it comes up.

4. Take a transceiver and a network cable, insert the transceiver into interface 1/8, and connect the cable to that interface. You can use a different interface number if you prefer; the appliance automatically detects which interfaces are in use and which networks they are connected to.

5. Connect the other end of the cable to a hub or switch that connects to your network.

6. If you are installing your appliance in two-arm mode, repeat the previous two steps, connecting a cable from interface 1/7 to another hub or switch that connects to a different part of your network. Again, you can use a different interface number if you prefer.

You have now installed your Citrix NetScaler MPX 15000. Proceed to Performing Initial Configuration, on page 39, to configure it.

The Citrix NetScaler MPX 17000

The Citrix NetScaler MPX 17000 is a high-capacity, fault-tolerant hardware platform intended for heavy use in enterprise environments. The unit is a double form factor (2U) rack-mountable unit, 18.5 in/47 cm deep, that weighs 52 lb/24 kg. It is designed to be installed in a rack in an air-conditioned server room.

The following figure shows the unit from the front, with ports and other important features labeled.
[Figure: The Citrix NetScaler MPX 17000, four port model, from the front. Labeled: rack mounts, carry handles, LCD display, RS232 serial console port, 1000Base-T MGMT port, four 10G XFP ports.]

You use the handles to carry the appliance. You mount the appliance in your server room rack and screw the rack mounts to the rack using standard rack-mount screws.

The LCD display consists of two lines of 16 characters each, a neon backlight, and a screen refresh rate of 3 seconds. It provides real-time information about the unit's state and activity in sequential screens showing real-time statistics, diagnostic information, and active alerts. For more information about the LCD and how to configure it, see the Hardware Installation and Setup Guide.

You can use the RS232 serial console port to connect a notebook computer directly to the unit using the supplied serial cable, as described in To log on to the NetScaler command line via the serial port, on page 60.

You use the 10/100/1000Base-T copper Ethernet MGMT port to connect the appliance to a secure control network that you then use to configure and manage the appliance.

Depending upon which model of the 17000 you have, the appliance has the following network ports:

- The 17000, four port model, has four 10 Gigabit XFP ports. You convert these XFP ports to 10 Gbps fiber ports using the XFP transceivers included with the unit.
- The 17000, ten port model, has two 10 Gigabit XFP ports and eight 1 Gigabit SFP ports. You convert the SFP ports to either 10/100/1000Base-T copper Ethernet ports or 1 Gbps fiber ports using the appropriate transceivers, which are included with the unit. You convert the XFP ports to 10 Gbps fiber ports using the XFP transceivers included with the unit.

The following figure shows the back of the 17000, with ports and other important features labeled.
[Figure: The Citrix NetScaler MPX 17000, from the back. Labeled: removable compact flash drive and release button, power supplies with fan.]

The compact flash drive contains the NetScaler operating system (OS) software. The hard disk can be used to store logs and backups.

The unit has two power supplies. Normally you plug in two power cords, one into each power supply, and then into separate wall sockets. The unit functions properly with only one working power supply; the second power supply serves as a fail-safe.

Caution: If you continue operating the 17000 with only one functioning or one connected power supply, you forfeit the built-in fail-safe protection.

Before you install the 17000, ensure that you have the following items available:

- The power cord and serial cable, which are supplied with the appliance.
- If you are installing the 17000, ten port model: eight Finisar Active Copper SFP transceivers or eight Finisar SFP fiber transceivers, and two Finisar XFP fiber transceivers, all of which are supplied with the appliance.
- If you are installing the 17000, four port model: four Finisar XFP fiber transceivers, which are supplied with the appliance.
- One to ten network cables of the appropriate type, which are not supplied with the unit.
- Four rack screws and a screwdriver.

You are now ready to install the 17000.

To install the Citrix NetScaler MPX 17000 in your server room

1. Open the packing box the appliance arrived in, and lift the appliance carefully out of the box.
   Caution: Handle the appliance with care. Like all servers, it is sensitive to sudden jolts and shaking. Do not stack appliances on top of one another.

2. Place the appliance on an open rack in your server room, or in a temporary location with easy access for initial configuration. If you are installing the appliance in your server room rack, install it in an open rack. If you must install the unit in an enclosed rack, ensure that the rack has adequate temperature control, and that nothing blocks the vents on the front or rear of the appliance. Use four rack screws to secure the unit to the rack.

3. Plug the power cord into the back of the appliance, and then plug the other end into a standard 110V/220V power outlet.

   Caution: The unit must be connected to a properly grounded and regulated power source. Like all servers, it is sensitive to power fluctuations.

   The appliance performs a series of power-on tests that take approximately a minute as it comes up.

4. Take a transceiver and a network cable, insert the transceiver into interface 1/8, and connect the cable to that interface. You can use a different interface number if you prefer; the appliance automatically detects which interfaces are in use and which networks they are connected to.

5. Connect the other end of the cable to a hub or switch that connects to your network.

6. If you are installing your appliance in two-arm mode, repeat the previous two steps, connecting a cable from interface 1/7 to another hub or switch that connects to a different part of your network. Again, you can use a different interface number if you prefer.

You have now installed your Citrix NetScaler MPX 17000. Proceed to Performing Initial Configuration, on page 39, to configure it.

Performing Initial Configuration

After you have installed your Citrix Application Firewall or Citrix NetScaler appliance in your server room, you must log on and perform initial configuration, so that the appliance can connect to other network devices and they can connect to the appliance.
If you want to configure your appliance using the Citrix NetScaler Configuration Utility, proceed to Using the Configuration Utility. If you want to configure your appliance using the NetScaler command line, proceed to Using the Citrix NetScaler Command Line Interface, on page 59.

Using the Configuration Utility

This section describes how to log on to the Citrix NetScaler Configuration Utility and use it to perform initial configuration of a new Citrix NetScaler appliance. Most system administrators prefer to configure the NetScaler appliance using the Citrix NetScaler Configuration Utility (configuration utility), a Java-based GUI client.

Logging On to the Configuration Utility

This section describes how to log on to the configuration utility for the first time. For those who prefer to install the configuration utility applet on their desktop, it also describes how to do so.

To log on to the configuration utility

1. Run the web browser of your choice, and open the following URL:

   Note: The NetScaler operating system is preconfigured with a default IP address and associated netmask so that you can reach it for initial configuration. The default IP is and the default netmask is . Because every new appliance ships with this same default address, connect to it from a directly attached notebook or an isolated network, not a shared LAN, until you have assigned the NSIP and changed the nsroot password.

   The Citrix NetScaler Web Logon screen is displayed, as shown below.
[Figure: The Citrix NetScaler Web Logon Screen]

2. In the User Name text box, type the initial user name assigned to your NetScaler appliance, and in the Password text box, type the initial password. You can obtain the initial user name and password from your sales representative or from Citrix Customer Support.

   Note: You do not need to change the setting in the System window.

3. Click the Login button to log on. The logon screen disappears, and the default Citrix NetScaler home page appears, as shown below.
[Figure: The Citrix NetScaler Home Page, Monitoring Screen]

4. In the menu bar on the upper right part of the home page, click the Configuration link to display the System Configuration page, shown below.

   [Figure: The Citrix NetScaler Configuration Page]

   The Configuration page provides links to the two different versions of the Citrix NetScaler Configuration Utility: the Applet Client, and the Web Start
   Client. Both utilities require that you have the Sun Microsystems Java Client, version 1.5 or above, installed on your workstation.

5. Install the Citrix NetScaler Configuration Utility on your workstation, using either the Applet client or the Web Start client.

   To install the Applet client:

   A. Click the Applet Client link to the right of the Configuration Utility label. The Sun Microsystems Java logo is displayed while the applet downloads from the NetScaler appliance and loads into memory. After it has loaded, the applet configuration utility opening screen appears, shown below.

   [Figure: The Applet Configuration Utility Opening Screen]

   To install the Web Start client:

   A. Click the Web Start Client link to the right of the Applet Client link. Windows prompts you to open the Web Start client script, as shown below.
   [Figure: The Windows Web Start Client Prompt]

   B. If the Open With radio button is not already selected, click it to tell Windows to open the Web Start client script using the Java engine.

   C. Click the OK button. Java starts up and displays a splash screen. The configuration utility logon screen is then opened in a separate window, as shown below.

   [Figure: The Citrix NetScaler Configuration Utility Logon Screen]

   D. Type the logon in the User Name text box, type the password in the Password text box, and click the OK button to log on.
   You are logged on, and the configuration utility Setup Wizard is displayed, shown below.

   [Figure: The Configuration Utility Setup Wizard]

   An icon for the configuration utility is also installed on your Windows desktop. In the future, click the icon to load the configuration utility and display the logon screen.

You have successfully logged on to the configuration utility. You must now perform initial configuration of your NetScaler appliance.

Initial Configuration Using the Configuration Utility

This section describes how to perform initial configuration of your NetScaler appliance using the configuration utility Setup Wizard. The underlying operating system of all the appliance models described above is the same, and the process of initial configuration is also the same.

Note: In all procedures that explain how to perform tasks using the configuration utility, the Web Start client is shown in the screenshots that illustrate the steps. It differs from the Applet client only in that the Applet client appears inside a web browser window. In all other respects, they are identical.
To configure the NetScaler operating system using the Setup Wizard

1. If you have not already done so, log on to the configuration utility. For instructions, see To log on to the configuration utility, on page 40. The opening screen of the Setup Wizard is displayed after you install the utility.

2. Click the Next > button to display the IP Addresses page, shown below, and begin configuration.

   [Figure: The Setup Wizard, IP Addresses Page]

3. Complete the IP Addresses page.

   A. In the NetScaler IP Address Configuration area, IP Address* field, enter the IP address you will use as the NSIP. The NSIP is the management IP address you will use to connect to and configure your appliance. It replaces the default IP address that you used to connect to the appliance and install the configuration utility. Choose an address on a private, non-routable management network for the NSIP, not one reachable from the internet or from the networks the appliance protects, so that an attacker who breaches your other defenses cannot send packets to the appliance's management interface.

   B. In the Netmask field, enter the netmask for the NSIP.

   C. In the Gateway field, enter the default gateway for the NSIP.
   D. Enter an appropriate hostname in the Hostname field. If a hostname is assigned to your Application Firewall in your company DNS, enter that hostname. If no hostname is assigned to your Application Firewall in DNS, enter an appropriate hostname that is not assigned to another host.

   E. In the Mapped IP Address Configuration area, IP Address field, enter an IP address to be used as an MIP. An MIP is the logical IP address the appliance uses as its own source address when it communicates with back-end services, such as your protected web servers; those servers see connections arriving from the MIP rather than from the client.

   F. In the Netmask field, enter the netmask for the MIP.

4. Click the Next > button to display the Time Zone page, shown below.

   [Figure: The Setup Wizard, Time Zone Page]

5. Click the down arrow to the right of the Time Zone list box, and choose the time zone you want to use on your NetScaler appliance from the drop-down list. Normally you would choose your local time zone. However, if your local network runs on a different time zone, such as GMT, choose that time zone so that the appliance's log timestamps line up with those of the other systems you will correlate them against.

6. Click the Next > button to display the Manage Licenses page, shown below, and complete that page.
The Setup Wizard, Manage Licenses Page

   A. Locate the license files you received from your reseller or Citrix Customer Support, and copy them to a directory to which you have access. If you have no additional license files to install, skip to step 7.
   B. Click the Add button to display the Select License Files dialog box, shown below.
The Select License Files Dialog Box

   C. Navigate to the local or network directory where you stored your license files.
   D. Click the first license file once, to highlight it, then click the Select button. The Uploading message box appears, shown below, and your license file is uploaded.

The Uploading Message Box

   After the upload is complete, the Uploading message box closes. You can also close it manually by clicking the Close button.
   E. Repeat step D for each license file you have, until they have all been uploaded.
7. Click the Next > button to display the Change Password page, shown below, and complete that page.
The Setup Wizard, Change Password Page

The default nsroot account is displayed at the top. This field is read-only; you cannot change it.
   A. In the Password* text box, type the new password. Choose a strong password: at least eight characters, with a mixture of upper- and lower-case letters, numbers, and symbols. It should not contain a word of more than two syllables that appears in a dictionary of any commonly spoken language, and should not be based on information an attacker could look up, such as a date significant to you or to the company. nsroot is the superuser account on the appliance, so this password protects the entire configuration; change it from the factory default before the appliance is reachable from any untrusted network.
   B. In the Confirm Password* text box, retype the same password.
8. Click the Next > button to display the Summary page, shown below.
The Setup Wizard, Summary Page

9. Review your configuration choices. If any choice is mistaken, use the < Back button to return to the appropriate page and make the necessary changes.
10. When you are satisfied with the configuration, click the Finish button to save your changes in the NetScaler configuration file. The Setup Wizard Summary page notifies you that your changes were successfully written to nonvolatile memory, as shown below.
The Setup Wizard, Summary Page Confirmation Message

11. Click the Exit button to close the Setup Wizard and return to the main configuration utility screen.

To complete initial configuration of your Citrix Application Firewall or Citrix NetScaler appliance, you may also need to enable the Application Firewall feature.

To enable the Application Firewall using the configuration utility

1. In the Menu tree, click the System entry to display the System Settings Overview page, as shown below.
The Configuration Utility, System Settings Overview Page

The page contains a series of sections with hyperlinks to various configuration details.
2. In the Modes & Features section, click the Basic Features hyperlink to display the Configure Basic Features dialog box, shown below.

The Configure Basic Features Dialog Box
3. If it is not already checked, check the Application Firewall check box at the bottom of the list.
4. Click the OK button in the lower left-hand corner of the data area. The screen refreshes, and the Application Firewall entry is now checked.
5. In the Menu tree, click the Load Balancing entry, then the Servers page, shown below, and create a server.

The Load Balancing Servers Page

   A. In the lower left-hand corner of the data area, click the Add button. The Create Server dialog box appears, shown below.
The Create Server Dialog Box

   B. Type a name for your server in the Server Name text box. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
   C. Type the IP address or FQDN of your first protected web server in the IP Address/Domain Name text box.
   D. Click the Create button to create the server. Your new server appears in the servers list.
   E. Repeat steps A through D to create a server configuration for each of your web servers.
   F. Click the Close button to close the Create Server dialog box and return to the Servers page.
6. Click the Services entry to display the Services page, shown below, and create a service.
The Load Balancing Services Page

   A. In the lower left-hand corner of the data area, click the Add button. The Create Service dialog box appears, shown below.

The Create Service Dialog Box
   B. Type a name for your service in the Service Name text box. The naming rule is the same as for servers: the name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
   C. If your service will receive HTTPS traffic, click the down arrow to the right of the Protocol list box and choose SSL. If your service will receive unencrypted HTTP traffic, leave the Protocol set to HTTP. The service protocol describes the connection from the appliance to the web server, so choose SSL here only if the web server itself listens for TLS.
   D. Click the down arrow to the right of the Server text box, and choose the appropriate server from the list of servers you created in step 5.
   E. Type the port number on which this service should listen in the Port text box. For web servers, this is usually port 80. For secure web servers, this is usually port 443. For now, you can ignore the other options. See the Installation and Configuration Guide for more information about them.
   F. Click the Create button to create the service. Your new service appears in the services list.
   G. Repeat steps A through F to create a service for each server you added in step 5.
   H. Click the Close button to close the Create Service dialog box and return to the Services page.
7. Click the Virtual Servers entry to display the Virtual Servers page, shown below, and create a virtual server (vserver).
The Configuration Utility Virtual Servers Page

   A. In the lower left-hand corner of the data area, click the Add button to display the Create Virtual Server dialog box, shown below.

The Create Virtual Server Dialog Box

   B. In the Name text box, type a name for the virtual server.
   The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
   C. If your virtual server will receive HTTPS traffic, click the down arrow to the right of the Protocol list box and choose SSL. If your virtual server will receive unencrypted HTTP traffic, leave the Protocol set to HTTP. An SSL virtual server terminates TLS on the appliance, which is what allows the Application Firewall to inspect the decrypted request; it also needs a certificate-key pair bound to it before it comes up, which this quick procedure does not cover.
   D. In the IP address text box, type an unused IP within the same subnet as the protected web server. For example, if your network is divided into /24 subnets, you can use any unused IP in the /24 that contains the protected web server.
   E. In the Port text box, type the same port number you entered in step 6(E).
   F. In the Services list beneath the text boxes, check the check box beside the service you want to associate with this virtual server. Note: Do not check more than one check box in this list. If you do, only one checked service, chosen at random, is associated with this virtual server.
   G. Click the Create button to create the vserver. Your new virtual server appears in the Virtual Servers list.
   H. Repeat steps A through G to create a vserver for each server/service pair you configured.
   I. Click the Close button to close the Create Virtual Server dialog box and return to the Virtual Servers page.

You have successfully completed initial configuration of your Citrix Application Firewall or Citrix NetScaler appliance. Proceed to Chapter 3, Simple Configuration, on page 67, to begin configuring the Application Firewall itself.

Using the Citrix NetScaler Command Line Interface

This section describes how to log on to the NetScaler command line and use it to perform initial configuration of a new Citrix Application Firewall or Citrix NetScaler appliance.
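The server, service and virtual server procedure above is easy to get subtly wrong by hand (a name that breaks the 31-character rule, a vserver IP outside the server's subnet, two services on one vserver). The following script is an added example, not code from the Citrix guide: it validates each entry against the rules the guide states and prints the equivalent NetScaler command-line batch so it can be reviewed before anything is applied. The command syntax assumed is the NetScaler 9.x syntax (add server, add service, add lb vserver, bind lb vserver, save ns config); the quoting of names that contain spaces, the /24 subnet size and all addresses in the sample are assumptions or constructed data.

```python
"""Generate and sanity-check NetScaler load-balancing commands for the
servers, services and virtual servers that front the Application Firewall.

Added example, not code from the Citrix guide.  Assumptions: the guide's
object-name rule; names with spaces are wrapped in double quotes; NetScaler
9.x command syntax.  All sample addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The guide's object-name rule: first character letter, digit or underscore,
# 1 to 31 characters from letters, digits and - . # space @ = : _
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9 .#@=:_-]{0,30}")

# Protocol -> port the guide says a web server of that kind usually uses.
DEFAULT_PORT = {"HTTP": 80, "SSL": 443}


def valid_name(name: str) -> bool:
    """True if name satisfies the guide's naming rule."""
    return NAME_RE.fullmatch(name) is not None


def quote(name: str) -> str:
    """Wrap a name in double quotes if it contains a space (assumption)."""
    return f'"{name}"' if " " in name else name


@dataclass
class Backend:
    """One protected web server, its service and the vserver that fronts it.

    The 1:1 mapping enforces the guide's warning that a vserver created this
    way must have exactly one service bound to it.
    """
    server_name: str
    server_addr: str            # IP address or FQDN of the protected server
    service_name: str
    vserver_name: str
    vserver_ip: str             # unused IP in the same subnet as the server
    protocol: str = "HTTP"      # HTTP or SSL, used for both service and vserver
    port: Optional[int] = None  # None -> 80 for HTTP, 443 for SSL


def check_backend(b: Backend, prefix_len: int = 24) -> List[str]:
    """Return the problems with one entry; an empty list means it is acceptable."""
    problems = []
    for n in (b.server_name, b.service_name, b.vserver_name):
        if not valid_name(n):
            problems.append(f"invalid object name: {n!r}")
    if b.protocol not in DEFAULT_PORT:
        problems.append(f"protocol must be HTTP or SSL, not {b.protocol!r}")
    try:
        vip = ipaddress.ip_address(b.vserver_ip)
    except ValueError:
        problems.append(f"vserver IP is not an IP address: {b.vserver_ip!r}")
        return problems
    # The guide wants the vserver IP in the protected server's subnet.  That
    # can only be checked when the server is given as an IP, not an FQDN;
    # prefix_len is your subnet size (the guide's example uses /24).
    try:
        sip = ipaddress.ip_address(b.server_addr)
    except ValueError:
        return problems
    net = ipaddress.ip_network(f"{sip}/{prefix_len}", strict=False)
    if vip not in net:
        problems.append(f"vserver IP {vip} is not in the server's subnet {net}")
    elif vip == sip:
        problems.append(f"vserver IP {vip} is the server's own address")
    return problems


def render_commands(backends: List[Backend]) -> List[str]:
    """Build the command batch; raise ValueError rather than emit a bad entry."""
    lines = []
    used = set()  # (vserver IP, port) pairs already handed out
    for b in backends:
        problems = check_backend(b)
        port = b.port if b.port is not None else DEFAULT_PORT.get(b.protocol, 0)
        if (b.vserver_ip, port) in used:
            problems.append(f"vserver IP {b.vserver_ip}:{port} used twice")
        if problems:
            raise ValueError("; ".join(problems))
        used.add((b.vserver_ip, port))
        srv, svc, vs = quote(b.server_name), quote(b.service_name), quote(b.vserver_name)
        lines.append(f"add server {srv} {b.server_addr}")
        lines.append(f"add service {svc} {srv} {b.protocol} {port}")
        lines.append(f"add lb vserver {vs} {b.protocol} {b.vserver_ip} {port}")
        lines.append(f"bind lb vserver {vs} {svc}")
    lines.append("save ns config")
    return lines


if __name__ == "__main__":
    # Constructed sample: two web servers on a 10.1.1.0/24 subnet.
    sample = [
        Backend("web1", "10.1.1.10", "svc_web1", "vs_web1", "10.1.1.20"),
        Backend("web2", "10.1.1.11", "svc_web2", "vs_web2", "10.1.1.21", "SSL"),
    ]
    print("\n".join(render_commands(sample)))
```

Run the script, read the printed batch, and only then type it at the NetScaler prompt; the ValueError on a bad entry is deliberate, so that a misnamed or mis-addressed object never reaches the appliance half-configured.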
Logging On to the NetScaler Command Line

Some system administrators prefer a Unix-style command line to a GUI. Those users can configure the Application Firewall from the NetScaler command line instead of the configuration utility. In addition, a few advanced tasks can only be performed at the NetScaler command line.

When logging on to the NetScaler command line on a new Citrix Application Firewall or Citrix NetScaler appliance, use the following procedure.

To log on to the NetScaler command line via the serial port

1. Plug the supplied serial cable into the serial port on your Citrix Application Firewall or Citrix NetScaler appliance. For a picture that shows the location of the serial port on your unit, see the appropriate section for your hardware platform under Installing the Server.
2. Plug the other end of the serial cable into your workstation or laptop serial port.
3. Run the VT100 terminal emulation program of your choice. For Microsoft Windows, you can use HyperTerminal, which is installed with all modern versions of Windows. For Apple Mac OS X, you can use the Terminal program with a command-line serial client such as screen. Note: OS X is based on the FreeBSD Unix platform, so most standard Unix shell programs are available from the OS X command line. For Unix-based workstations, you can use a shell-based serial client or any terminal emulation program that comes with your GUI.
4. Set the terminal parameters as shown below.

   Parameter          Setting
   Port               The port to which you connected the serial cable, usually COM1
   Bits Per Second    9600
   Data Bits          8
   Parity             N (none)
   Stop Bits          1
   Flow Control       None

5. Press the Enter key, or (if you are using a Macintosh) the Return key.
The terminal screen displays the Logon prompt. Note: You might have to press the Enter key two or three times, depending on which terminal program you are using.
6. Type the system account logon, nsroot, and press the Enter key. The terminal screen displays the Password prompt.
7. Type the default password, and press the Enter key again. You obtain the default password from your sales representative or from Citrix Customer Support. You are logged onto the NetScaler command line, and the initial prompt appears, as shown below (the date and source address differ on your appliance).

   Last login: Sun Nov 12 16:20 from
   Done
   >

After initial configuration, you can log onto the NetScaler command line via SSH to the NSIP, the IP assigned to the appliance during initial configuration. Most system administrators find this more convenient than connecting a computer directly to the appliance. The default nsroot password is a well-known factory value, not a secret unique to your appliance, so change it before the NSIP is reachable from any network you do not fully control.

To log onto the NetScaler command line via SSH

1. Run the SSH client of your choice. For Microsoft Windows, you can use a commercial SSH program, or install and use the open source PuTTY program. For Apple Mac OS X, you can use a commercial GUI-based SSH program, or the shell-based ssh client included with OS X. For Unix-based workstations, you can use the shell-based ssh client or any SSH client that operates with your GUI.
2. Connect to the NSIP of your Citrix Application Firewall or Citrix NetScaler appliance. If you are using a shell-based SSH client, it displays a username or login prompt. If you are using a GUI-based SSH client, it displays a dialog box that may prompt you for a username or for a login. These are the same thing; different SSH clients simply name them differently.
Note: If you have not yet assigned an NSIP to your appliance, your SSH client will not connect. You cannot log on via SSH until you have done the initial configuration on your appliance. Discontinue this procedure, and instead log on as described in To log on to the NetScaler command line via the serial port.
3. At the login prompt, type the logon for the default system account, which is nsroot. If the dialog box does not show a field for the password, or if you are using a shell-based SSH client, press the Enter key or click the OK button, as appropriate, to display the password prompt. If the dialog box shows a field for the password, skip to the next step.
4. At the password prompt, type the password, and press the Enter key or click the OK button, as appropriate. You are logged onto the NetScaler command line, and the initial prompt appears, as shown below.

   Last login: Sun Nov 12 16:20 from
   Done
   >

You have successfully logged onto the NetScaler command line. Proceed to Initial Configuration using the NetScaler command line to begin configuring the NetScaler operating system.

Initial Configuration using the NetScaler command line

This section describes how to perform initial configuration of your Citrix Application Firewall or Citrix NetScaler appliance manually, using the NetScaler command line.

To perform initial configuration using the NetScaler command line

1. Save your Citrix NetScaler licenses to an easily accessible location on your local hard disk. You obtain these licenses from your Citrix sales representative, Citrix reseller, or Citrix Customer Support. Each feature has a separate license file. License files are in a proprietary binary format.
2. Run the SFTP client of your choice. There are many different SFTP clients. Which you use depends on which type of computer and operating system you use and on personal preference. Any SFTP client capable of opening an SFTP level 2 connection should work correctly with an Application Firewall or NetScaler appliance.
3. Open a connection to the NSIP of your Application Firewall or NetScaler appliance. SFTP runs over SSH, so log on with the nsroot account and its password.
4. Navigate to the /nsconfig directory.
5. If the /nsconfig/license directory does not already exist, create it. If you are upgrading from a previous version of the Citrix NetScaler Application Delivery System to version 8.1, the directory may not exist.
6. Do a binary-mode transfer of your new licenses from your local hard drive to your Application Firewall or NetScaler appliance, and put them into the /nsconfig/license directory. Some SFTP clients automatically detect the file type and perform the correct type of transfer. Others prompt you to choose between a binary and an ASCII transfer. Yet others assume a binary transfer unless instructed otherwise. You must ensure that your SFTP client performs the correct type of transfer. Caution: Do not change the filenames of your license files, or your Application Firewall or NetScaler appliance will be unable to detect your licenses.
7. If you have not already done so, log onto the NetScaler command line on your appliance. For instructions, see To log on to the NetScaler command line via the serial port.
8. Enter the following command to change the nsroot password.

   > set system user nsroot <newpass>

   For <newpass>, substitute the new password you have chosen. Caution: Your new password is echoed on the command line as you type it, so change it only when no unauthorized person can see the screen. In addition, the NetScaler command line does not ask you to confirm the new password by retyping it before putting it into effect, so review what you typed before you press the Enter key. If you prefer a masked, confirmed entry, the Setup Wizard's Change Password page in the configuration utility provides one.
9. Enter the following command to add a mapped IP (MIP) to your configuration.

   > add ns ip <MIP> <netmask> -type mip

   For <MIP>, substitute the IP you will use as the MIP. For <netmask>, substitute the MIP netmask. The NetScaler operating system uses MIPs as its source addresses when it communicates with the servers it manages. You must create at least one MIP for your appliance to function, and may need to create several if your web sites are hosted on multiple web servers or if those servers answer requests on multiple IP/port combinations.
10. Enter the following command to add the default route.

   > add route 0.0.0.0 0.0.0.0 <gateway>

   For <gateway>, substitute the default gateway of the subnet on which the NSIP and MIP reside. The general form of the command is add route <network> <netmask> <gateway>; a network and netmask of 0.0.0.0 designate the default route, which the appliance uses to reach any destination, such as a client on the Internet, that is not on a directly connected subnet.
11. Enter the following command to configure the NetScaler IP (NSIP).

   > set ns config -ipaddress <NSIP> -netmask <netmask>

   For <NSIP>, substitute the IP you will use for the NSIP. For <netmask>, substitute the netmask for that IP. The NSIP is the management IP address for the appliance, and is used for all management-related access, so it belongs on a management network that untrusted hosts cannot reach.
12. Enter the following command to enable the Application Firewall.

   > enable ns feature appfw

13. Save your configuration, as shown below.

   > save ns config

14. Enter the following command to display your current configuration, with the changes you made.

   > show ns config

   If any of your changes are not as you want them to be, repeat the command that configures that item, then repeat the previous step to save your configuration again.
15. When every part of your configuration is exactly as you want it, enter the following command to reboot your appliance.

   > reboot

16. Log back on to the appliance as nsroot, using the new NSIP and the new administrative password you set.
17. Enter the following command to confirm connectivity to the appliance.

   > ping <NSIP>

   For <NSIP>, substitute the NSIP you assigned to the appliance.

You have successfully completed initial configuration of your Application Firewall or NetScaler appliance. Proceed to Chapter 3, Simple Configuration, on page 67, to begin configuring the Application Firewall itself.
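The nsroot password set at step 8 above (and on the Setup Wizard's Change Password page) is the only thing standing between an attacker who can reach the NSIP and the whole configuration, so it is worth checking candidates against the guide's rule before typing them into a command line that echoes them. The script below is an added example, not code from the Citrix guide: it applies the rule as the guide states it (at least eight characters; upper- and lower-case letters, digits and symbols all present; no dictionary word of more than two syllables; nothing based on commonly known information such as a significant date). The syllable estimate, the small word lists and the treatment of a 19xx or 20xx year as "commonly known information" are assumptions of this example; replace the constructed lists with a real dictionary and your organisation's own names.

```python
"""Check a candidate nsroot password against the rule stated in the guide.

Added example, not code from the Citrix guide.  Assumptions: syllables are
estimated from vowel groups; the word lists are small constructed samples;
a four-digit year (19xx/20xx) stands in for "commonly known information".
"""
import re
from typing import Iterable, List

# Constructed sample dictionary.  Under the guide's rule only words of more
# than two syllables count against a password.
SAMPLE_DICTIONARY = ["administrator", "application", "password",
                     "security", "welcome", "summer", "dragon"]

# Product and organisation names: commonly known, so always disallowed.
SAMPLE_ORG_WORDS = ["citrix", "netscaler", "nsroot"]

MIN_LENGTH = 8
YEAR_RE = re.compile(r"(19|20)\d{2}")


def syllables(word: str) -> int:
    """Estimate syllables as the number of vowel groups, ignoring a silent final e."""
    groups = re.findall(r"[aeiouy]+", word.lower())
    count = len(groups)
    if word.lower().endswith("e") and count > 1:
        count -= 1
    return max(count, 1)


def check_password(password: str,
                   dictionary: Iterable[str] = SAMPLE_DICTIONARY,
                   org_words: Iterable[str] = SAMPLE_ORG_WORDS) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    for name, present in classes.items():
        if not present:
            failures.append(f"no {name}")
    lowered = password.lower()
    for word in dictionary:
        if word in lowered and syllables(word) > 2:
            failures.append(f"contains dictionary word {word!r}")
    for word in org_words:
        if word in lowered:
            failures.append(f"contains well-known name {word!r}")
    if YEAR_RE.search(password):
        failures.append("contains what looks like a year")
    return failures


if __name__ == "__main__":
    # Constructed candidates: two that break the rule and one that passes.
    for candidate in ("Administrator#2024", "nsroot!Aa1", "Tr0ub4dor&3"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not result else ', '.join(result)}")
```

The check is deliberately a list of every violation rather than a single pass/fail, so an administrator sees all the reasons a candidate is weak at once; the dictionary match is a substring match, which is the conservative choice when the password is the only control on the superuser account.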
CHAPTER 3 Simple Configuration

The simplest Application Firewall configuration consists of one profile and one associated policy. Such a configuration, which requires little customization or detailed knowledge of the Application Firewall's operation, is sufficient for many users. Users with more complex web sites can perform a simple configuration to provide immediate protection, and then do additional configuration later. To perform a simple configuration, you enable the Application Firewall, create a profile, create a policy that selects that profile as its action, and bind the policy globally.

Enabling the Application Firewall

If you are upgrading an existing Citrix NetScaler appliance from a version of the NetScaler operating system prior to 8.0 to the current version, you must first update the licenses on your appliance and then enable the Application Firewall before you configure it. If you are installing a new Citrix Application Firewall or Citrix NetScaler appliance, you do not need to perform this procedure.

To enable the Application Firewall using the NetScaler command line

Type the following command at the prompt:

   > enable ns feature appfw

To enable the Application Firewall using the configuration utility

1. In the navigation pane, expand System and click Settings.
2. In the Settings pane, under Modes & Features, click Basic Features.
3. In the Configure Basic Features dialog box, select the Application Firewall check box.
4. Click OK.
Creating and Configuring a Profile

A profile is a collection of security settings that are used to protect specific types of web content or specific parts of your web site or web service. There are three types of Application Firewall profile:

HTML profile. Protects standard HTML-based web content, including web sites that contain web forms, JavaScript, and dynamic content.

XML profile. Protects XML-based web services, specifically web services based on the XML SOAP protocol.

Web 2.0 profile. Protects content containing both XML and HTML, such as Atom feeds, blogs, RSS feeds and other Web 2.0 content that mixes XML and HTML elements.

Note: Creating and configuring an Application Firewall profile is a complex task. Inexperienced users usually find it much simpler to perform in the Citrix NetScaler Configuration Utility (configuration utility) than at the NetScaler command line.

To create and configure a profile using the NetScaler command line

At the NetScaler command prompt, type the following commands:

   > add appfw profile <name> -defaults basic
   > set appfw profile <name> -type ( HTML | XML | HTML XML )
   > save ns config

Parameters for Creating and Configuring a New Profile

Name (<name>): A name for the profile. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what type of content this profile was created to protect.
Defaults (-defaults ( basic | advanced )): You can choose one of two default configurations when you create a profile: Basic or Advanced. A profile created with basic defaults should protect most web sites while requiring little additional configuration. A profile created with advanced defaults is intended to protect more complex web sites and requires additional configuration.

Type (-type ( HTML | XML | HTML XML )): You can create three types of profile: HTML, XML, or Web 2.0. To designate a Web 2.0 profile, type both words, HTML XML, after the -type parameter.

To create and configure a profile using the configuration utility

1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions, see To log on to the configuration utility.
2. In the Menu tree, expand the Application Firewall entry to display the choices in that category.
3. Click Profiles to display the Profiles page, shown below.

The Application Firewall Profiles Page
If you have not yet created your first profile, this page is blank. If you have created one or more profiles, they are listed in the data area of this page.
4. In the lower left-hand corner of the data area, click the Add button to display the Create Application Firewall Profile dialog box, shown below.

The Create Application Firewall Profile Dialog Box

5. In the Profile Name text box, type a name for your profile. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what type of content this profile was created to protect.
6. Choose the type of profile you want to create. If your profile will protect an XML SOAP-based web service, click the down arrow to the right of the Profile Type list box and choose XML. If your profile will protect Web 2.0 content consisting of mixed XML and HTML (such as an Atom feed, a blog, or an RSS feed),
click the down arrow to the right of the Profile Type list box and choose Web 2.0. If your profile will protect standard HTML-based web content, you can skip this step; the default setting, HTML, is correct. If you are unsure what types of content your profile will protect, choose Web 2.0 to make the full range of Application Firewall security checks available to protect your web site.
7. If you created an HTML profile in the previous step, and your profile will protect web sites containing complex JavaScript or web forms that access back-end SQL databases, click the Advanced radio button in the Defaults radio button array. If your web sites do not contain complex HTML content, you do not need to change the default settings for your new profile; the Basic radio button is already selected. If you created a Web 2.0 profile, the Advanced radio button is selected and the radio button array is disabled, because all Web 2.0 profiles are created with advanced defaults. For more information about the default settings and what they are for each Application Firewall check, see Chapter 4, Profiles.
8. Click the Create button to create your profile. Your new profile appears in the data area of the Application Firewall Profiles page.
9. Repeat steps 5 through 8 to create any additional profiles you need to protect other types of content.
10. Click the Close button to close the Create Application Firewall Profile dialog box, and return to the Application Firewall Profiles page.
11. In the Profiles page data area, click the entry for the first profile you created once, to highlight it.
12. Click the Open button to display the Configure Application Firewall Profile dialog box for that profile. This dialog box contains four tabs. When you are configuring your initial profiles, you can safely ignore all but the Checks tab, which the next step uses.
For detailed information about each of these tabs, see Chapter 4, Profiles.
13. Click the Checks tab to display the Checks screen, and configure the Deny URL check.
   A. Click the Deny URL entry once, to highlight it.
   B. Click the Modify button to display the Modify Deny URL Check dialog box.
   C. Click the Settings tab to display the default Deny URLs list.
All of the Deny URLs on this list are disabled by default. The first Deny URL is highlighted when you open the Settings tab.
   D. Click the scroll button to the right of the Deny URLs list and scroll down to the bottom of the list.
   E. Hold down the Shift key, and click the last entry in the Deny URLs list to select all Deny URLs on the list.
   F. Click the Enable button to enable all of the default Deny URLs.
   G. Click the OK button to save your changes. All of the default Deny URLs are now enabled, blocking requests for a number of URLs used by known attacks.
   H. Click the Close button to close the Modify Deny URL Check dialog box, and return to the Configure Application Firewall Profile dialog box.
   I. Click the Close button to close the Configure Application Firewall Profile dialog box and return to the Application Firewall Profiles screen.
14. Repeat steps 12 and 13 for each profile you created.

Creating and Configuring Policies

When configuring a new Application Firewall, after you create your profiles, you must create a policy for each profile. A policy determines whether a request or a response meets specific criteria. When a request or response meets a policy's criteria, or matches the policy, the Application Firewall filters it using the associated profile. A policy is therefore a set of parameters that defines a particular type of web content or a particular part of a web site, and the Application Firewall uses policies to decide which profile to apply to each request or response. During initial configuration, you create a policy that protects all vulnerable content on your web sites. Later, if necessary, you can create additional policies that better protect specific parts of your web site. If you create more than one policy, you must also set the order in which the Application Firewall tests requests and responses against each policy.
This lets you create specific policies for special content without changing the more general policy. Bind the specific policy with a lower priority number than the general one: the Application Firewall evaluates globally bound policies in ascending order of priority number, so the policy with the lower number is tested first.
The following procedures explain how to create a policy that filters on any of several simple criteria. You can create significantly more complex policies in the Application Firewall: policies that designate specific web pages, specific types of connections, or a combination of factors. For a more complete description of how to create Application Firewall policies, see Chapter 5, Policies, on page 137. You can create a policy either in the configuration utility or at the NetScaler command line.

To create a policy using the configuration utility

1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions, see To log on to the configuration utility.
2. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Policies to display the Policies page, shown below.

The Application Firewall Policies Page

If you have not yet created any policies, this page is blank. If you have created one or more policies, they are displayed on the page.
3. In the lower left-hand corner of the data area, click the Add button to display the Create Application Firewall Policy dialog box, shown below.
The Create Application Firewall Policy Dialog Box

4. In the Policy Name* text box, type a name for your new policy. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what type of content this policy was created to detect.
5. Click the down arrow to the right of the Action list box, and click the name of the profile you just created. The profile is the action the policy applies to the requests it matches.
6. Click the Add button to display the Add Expression dialog box, shown below, and construct an expression that describes the web connections you want this policy to match.

The Add Expression Dialog Box
Note: Leave the expression type set to General Expression for Application Firewall policies.

The Flow Type is set to REQ by default. This tells the Application Firewall to look at incoming connections, or requests, and the associated outgoing connection, or response. Because the Application Firewall treats a request and its associated response as a single entity, all Application Firewall policies begin with REQ.
   A. If the Protocol is not already set to HTTP, click the down arrow to the right of the Protocol list box and choose HTTP. This tells the Application Firewall to look at HTTP requests, that is, requests sent to a web server. Several other choices are available in this list box, but the majority of Application Firewall policies use the HTTP protocol. Note: In the NetScaler operating system expressions language, HTTP includes HTTPS requests as well.
   B. Click the down arrow to the right of the Qualifier list box, and choose a qualifier for your policy. The qualifier tells the Application Firewall which part of the protocol to examine. To filter HTTP requests to a particular host, choose HOST. To filter HTTP requests to a specific web page, choose URL. To filter HTTP requests that contain a particular query string, choose URLQUERY. For a description of all the available choices, see To create a policy using the configuration utility, step C on page 142. After you make this choice, the Add Expression dialog box refreshes, as shown below.
The Add Expression Dialog Box, URL Qualifier

   C. Click the down arrow to the right of the Operator list box and choose the operator for your expression. The operator tells the Application Firewall what type of comparison or criterion to use.
      To filter HTTP Requests to a particular host, choose == as your operator.
      To filter HTTP Requests to a specific web page, choose == as your operator.
      To filter HTTP Requests that contain a particular query string, choose CONTAINS as your operator.
      For a description of all the available choices, see To create a policy using the configuration utility, step D on page 143.
      After you make this choice, the dialog box display refreshes again, as shown below.

The Add Expression Dialog Box, URL == Operator
   D. If you see a text box labeled Value*, type the string or number you want the policy to check for.
      To filter HTTP Requests to a specific host, type that host name. For example, if the host of your company's web site is type that in the Value* text box.
      To filter HTTP Requests to a specific web page, type the complete URL of the web page. For example, if you want to filter all requests to login.php, type that in the Value* text box.
      To filter HTTP Requests that contain a particular query string, type that string. For example, if you want to search queries for strings that contain the string prod_lit, type that in the Value* text box.

   E. If you chose HEADER as your Qualifier, type the header name you want in the Header Name* text box. This tells the Application Firewall to check all requests to see if the URL header exists. Since all requests by definition have a URL header, this expression matches all requests. If you did not choose HEADER as your Qualifier, this text box will not appear.

   F. If you chose HEADER or URLQUERY as your Qualifier, type the appropriate values in the Len and Offset text boxes if you wish. This tells the Application Firewall to check a specific portion of the header or URL query. These fields are optional; you can leave them blank. If you did not choose HEADER or URLQUERY as your Qualifier, these text boxes will not appear.

   G. Click the OK button to add your expression to the list in the middle of the Create Application Firewall Policy dialog box.

   H. Click the Close button to close the Add Expression dialog box, and return to the Create Application Firewall Policy dialog box.

7. Click the Create button to create your policy.

8. Click the Close button to close the Create Application Firewall Policy dialog box and return to the Policies page. Your new policy appears in the data area of the Policies page list. The figure below shows the Policies page with three policies defined but not yet globally bound.
The Policies Page, with Three New Policies Defined but not yet Globally Bound

To create a policy using the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see To log onto the NetScaler command line via SSH on page 61.

2. Enter the following command to create the policy.

   > add appfw policy <name> <rule> <profile>

   Make the following substitutions:

   For <name>, substitute a name for the policy. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this policy was created to detect.

   For <rule>, substitute the following NetScaler expression:

   "REQ.HTTP.HEADER HOST CONTAINS ("

   For substitute the hostname of your company's web site.

   Note: All rules must be enclosed in double quotes.
   This expression tells the Application Firewall to check the Host header of all requests to see whether it contains your company's web site host. This will match all requests to that web site.

   For <profile>, substitute the name of the profile you just created.

   This policy tells the Application Firewall to apply the default profile you created to all requests that it matches. Since this policy matches all HTTP requests, it will match all connections to your protected web servers. You can later create profiles and policies to protect specific types of content that require additional protection, and set their priorities appropriately so that they are evaluated first. Then, you can use this policy and profile to protect any part of your web sites that is not covered by a more specific policy.

3. Enter the following command to save your configuration.

   > save ns config

4. Enter the following command to confirm that your policy was correctly created.

   > show appfw policy <name>

   For <name>, substitute the name of the policy you created.

   If your policy was correctly created, you do not need to do anything further. If you want to change your policy's name, expression, or profile, you must delete it as shown below, and then recreate it.

   > rm appfw policy <name>

You have successfully created your first policy. You must next globally bind that policy to put it and its associated profile into effect.

Globally Binding Policies

To put a policy and its associated profile into effect, you globally bind the policy and assign it a priority. The priority you assign determines the order in which your policies are evaluated, allowing you to evaluate the most specific policy first, and more general policies in descending order, finishing with your most general policy. You globally bind each policy to activate that policy, so that the NetScaler operating system knows to implement it.
When you are globally binding your first policy and profile, which are generic and should apply to all HTTP traffic that is not covered by a more specific policy, you assign that policy the lowest priority.
You can globally bind a policy either in the configuration utility or at the NetScaler command line.

To globally bind a policy using the configuration utility

1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions on doing this, see To log on to the configuration utility on page

2. In the Menu tree, expand the Application Firewall entry and click Policies to display the Policies page.

3. In the list of policies in the data area, click your new policy once to highlight it.

4. Click the Global Bindings button to display the Bind/Unbind Firewall Policy(s) to Global dialog box, shown below.

The Bind/Unbind Policy(s) to Global Dialog Box

5. Click the Insert Policy button to insert a row in the data area of this dialog box and display available policies, as shown below.
The Bind/Unbind Policy(s) to Global Dialog Box, after Insert Policy Button is Clicked

   In addition to listing any policies you have created that are not already in the Bind/Unbind Policy(s) to Global dialog box data area, the drop-down list includes the New Policy entry. If you choose this entry, the Create Application Firewall Policy dialog box is displayed, allowing you to create a new policy.

6. Click the policy you created to insert it in the list. The policy you chose is inserted, and the check box in the State column is selected, which indicates that it is bound and activated.

7. If you want to globally bind your policy, but temporarily keep it inactive, clear the check box in the State column. When you globally bind a policy, by default it is enabled and goes immediately into effect. In some cases, you might want to have a policy reviewed before you put it into effect, but want to be able to enable it quickly. You can do this by clearing the State check box or setting the policy to DISABLED.

8. In the Priority column, click the default integer and edit the number to assign the appropriate priority to this policy. You can set the priority to any positive integer. In the NetScaler operating system, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. Since the Application Firewall implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important to get the results you intended. If you give your first policy a low priority (such as 1000), you tell the Application Firewall to perform it only if other policies with a higher priority do not match a request. If you give your first policy a high priority (such as 1), you tell the Application Firewall to perform it first, and skip any other policies that might also match.

   You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 or 100 between each policy when you globally bind it. If you do this, you can add additional policies at any time without having to reassign the priority of an existing policy. You simply look at the priorities assigned to the preceding and following policies, and assign a new policy a priority between that of those two numbers.

9. Click the OK button to save your changes. The Bind/Unbind Firewall Policy(s) to Global dialog box closes, and you return to the Policies page. The figure below shows two globally-bound policies in the data area of the Policies page.

The Policies Page, with two Globally-Bound Policies

To globally bind a policy using the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line.
   For instructions on doing this, see To log onto the NetScaler command line via SSH on page 61.

2. Enter the following command to globally bind the policy.

   > bind appfw global <policy> <priority>

   For <policy>, substitute the name of the policy you just created.

   For <priority>, substitute a positive integer that represents the priority you want to assign to that policy. In the NetScaler operating system, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is performed first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. Since the Application Firewall implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important to get the results you intended. If you give your first policy a low priority (such as 1000), you tell the Application Firewall to perform it only if other policies with a higher priority do not match a request. If you give your first policy a high priority (such as 1), you tell the Application Firewall to perform it first, and skip any other policies that might also match.

   You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 (or, better, 100) between each policy when you globally bind it. If you do this, you can add additional policies at any time without having to reassign the priority of an existing policy. You simply look at the priorities assigned to the preceding and following policies, and assign a new policy a priority between that of those two numbers.

3. Enter the following command to save your configuration.

   > save ns config

You have successfully globally bound your policy and associated profile.
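As an added example that is not part of the Citrix guide, the following Python models the rules the two procedures above describe: the policy name rule, the HOST/URL/URLQUERY/HEADER expression subset with == and CONTAINS, first-match evaluation in ascending priority order with disabled bindings skipped, and the "pick a number between the preceding and following policy" step for inserting a new policy. Class and function names and the sample host www.example.com are assumptions of this example, not NetScaler APIs.

```python
"""Added example (not from the Citrix guide): a model of the policy and global
binding rules described above (lower priority number evaluated first, first
match wins, room left between priorities), plus the name rule and a subset of
the expression syntax. Names and the sample host are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Naming rule from the guide: first character is a letter, digit or underscore;
# 1 to 31 characters drawn from letters, digits and - . # space @ = : _
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9\-.# @=:_]{0,30}")

# Rule subset modelled here, matching the dialog-box choices in the text:
#   REQ.HTTP.<HOST|URL|URLQUERY> <==|CONTAINS> <value>
#   REQ.HTTP.HEADER <header-name> <==|CONTAINS> <value>
RULE_RE = re.compile(
    r"REQ\.HTTP\.(HOST|URL|URLQUERY|HEADER)(?:\s+(\S+))?\s+(==|CONTAINS)\s+(.+)")


def valid_name(name: str) -> bool:
    """True if `name` is acceptable as a profile or policy name."""
    return NAME_RE.fullmatch(name) is not None


@dataclass
class Request:                     # constructed stand-in for an HTTP request
    host: str
    url: str                       # the URL as sent, path plus any query
    headers: Dict[str, str] = field(default_factory=dict)


def rule_matches(rule: str, req: Request) -> bool:
    """Evaluate one policy rule (the subset above) against a request."""
    m = RULE_RE.fullmatch(rule.strip().strip('"'))
    if m is None:
        raise ValueError(f"unsupported rule: {rule!r}")
    qualifier, header, op, value = m.groups()
    if (header is not None) != (qualifier == "HEADER"):
        raise ValueError(f"header name is only valid with HEADER: {rule!r}")
    if qualifier == "HOST":        # host names compare case-insensitively
        subject, value = req.host.lower(), value.lower()
    elif qualifier == "URL":
        subject = req.url
    elif qualifier == "URLQUERY":  # only the part after '?'
        subject = urlsplit(req.url).query
    else:                          # HEADER <name>; header names are case-insensitive
        lookup = {k.lower(): v for k, v in req.headers.items()}
        subject = lookup.get(header.lower(), "")
    return subject == value if op == "==" else value in subject


@dataclass
class Policy:
    name: str
    rule: str
    profile: str

    def __post_init__(self) -> None:
        if not valid_name(self.name):
            raise ValueError(f"invalid policy name: {self.name!r}")


@dataclass
class Binding:
    policy: Policy
    priority: int
    enabled: bool = True           # the State check box / DISABLED setting


class GlobalBindings:
    """Model of `bind appfw global`: lowest number first, first enabled match wins."""

    def __init__(self) -> None:
        self.bindings: List[Binding] = []

    def bind(self, policy: Policy, priority: int, enabled: bool = True) -> None:
        if priority <= 0:
            raise ValueError("priority must be a positive integer")
        if any(b.priority == priority for b in self.bindings):
            raise ValueError(f"priority {priority} already in use")  # model assumption
        self.bindings.append(Binding(policy, priority, enabled))
        self.bindings.sort(key=lambda b: b.priority)

    def select(self, req: Request) -> Optional[Policy]:
        """The policy the Application Firewall would apply, or None."""
        for b in self.bindings:
            if b.enabled and rule_matches(b.policy.rule, req):
                return b.policy
        return None

    def priority_between(self, before: str, after: str) -> Optional[int]:
        """Midpoint between two bound policies' priorities, or None if no room."""
        prio = {b.policy.name: b.priority for b in self.bindings}
        lo, hi = prio[before], prio[after]
        return None if hi - lo < 2 else lo + (hi - lo) // 2


def demo() -> GlobalBindings:
    """Constructed sample: two specific policies ahead of a generic catch-all
    bound at the low priority 1000, spaced so later policies fit in between."""
    g = GlobalBindings()
    g.bind(Policy("login_pol", "REQ.HTTP.URL == /login.php", "adv_prof"), 100)
    g.bind(Policy("search_pol", "REQ.HTTP.URLQUERY CONTAINS prod_lit", "adv_prof"), 200)
    g.bind(Policy("catch_all", "REQ.HTTP.HEADER Host CONTAINS www.example.com",
                  "basic_prof"), 1000)
    return g
```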
The Application Firewall is now filtering HTTP traffic to your company web server using the basic profile you created. If your web server or web site does not support SQL or have access to sensitive private information, you can safely stop here. The default profile and default policy will protect it sufficiently. If your web server hosts web forms that connect to SQL databases, or uses active scripts that access other web sites, you should create additional profiles to protect that content, and additional policies to detect this special content. You can proceed to Chapter 14, Use Cases, on page 303 for examples that show how to best protect SQL databases and scripted content.
If you want to know more about the advanced features of the Application Firewall, proceed to Chapter 4, Profiles, on page 85 for a detailed description of how to create an advanced profile; Chapter 10, The Common Security Checks, on page 187 for detailed descriptions of each Application Firewall security check; or Chapter 5, Policies, on page 137 for a detailed description of how to create complex policies to detect certain types of content you might want to protect using an advanced profile.
CHAPTER 4

Profiles

This chapter describes in detail what Application Firewall profiles are and do, and explains how to configure each check available in a profile. The Application Firewall has a number of security checks, all of which can be enabled or disabled, and configured in a number of ways in each profile. You can also enable the learning feature and use it to customize the Application Firewall's settings for the web content it protects using that profile.

Note: You do not need to read this chapter if the default configuration you performed in Chapter 3, Simple Configuration, on page 67 meets your needs.

You can find the following types of information in the designated sections of this chapter:
   For an overview of Application Firewall profiles that describes what they are and do, see About Application Firewall Profiles.
   For procedures that describe how to add, configure, and delete profiles, using either the configuration utility or the NetScaler command line, see Creating, Configuring, and Deleting a Profile, on page 86.
   For specific information about profile settings, see Configuring the Profile Settings, on page 121.
   For specific information about learning and the configuration options for each type of security check that includes the learning feature, see Configuring the Learning Feature, on page 126.
   For specific information about the configuration options for each security check and how each option affects the functioning of that security check, see Chapter 10, The Common Security Checks, on page 187 and the following two chapters.
About Application Firewall Profiles

An Application Firewall profile is a collection of settings that tell the Application Firewall which security checks to use when filtering a particular request or response, and how to handle a request or response that fails a security check.

You created at least one profile when initially configuring the Application Firewall. Depending upon the type of content you wanted to protect using that profile, you might have created an HTML profile, an XML profile, or a Web 2.0 profile. If that profile was intended to protect HTML or XML content that does not contain legacy code or access back-end SQL databases, you probably created the profile with Basic defaults. That type of profile is configured to prevent forceful browsing, cookie tampering, tampering with web form structure and content, and buffer overflow attacks. This is sufficient protection for web pages that do not contain active scripts, do not access sensitive data, and do not access a back-end SQL database. That type of profile also requires little if any additional configuration.

If the profile was intended to protect a web site that contains legacy CGI scripts or complex JavaScript, or accesses back-end SQL servers, you probably created the profile with Advanced defaults. For example, a web site that contains embedded JavaScript should be checked for cross-site scripting. A shopping cart application that contains web forms that connect to a back-end SQL database and handles sensitive customer information should be checked for signs of tampering with the web form, inappropriate content in form fields, and SQL injection attacks. Responses from such a shopping cart application should be checked for attempts to obtain sensitive customer information, such as credit card numbers and the associated customer records.
These types of profiles require additional configuration, either to allow the learning feature to generate the necessary exceptions to various security rules or to tweak the settings manually. The rest of this chapter describes in detail how to create and configure Application Firewall profiles to provide exactly the type and level of protection you need.

Creating, Configuring, and Deleting a Profile

This section describes how to create, configure, and delete profiles, using either the configuration utility or the NetScaler command line. The instructions in this section are generic: they apply to any type of profile and, in the configuration instructions, to any type of security check within the profile.

You create a new profile either in the configuration utility Application Firewall Profiles screen, or at the NetScaler command line, as described below.
To create a profile using the configuration utility

1. Log on to the Citrix NetScaler Configuration Utility (configuration utility). For more information on logging on, see To log on to the configuration utility on page

2. In the Menu tree, click Application Firewall to display the Application Firewall overview page, shown below.

The Application Firewall Overview Page

   As with most overview pages in the configuration utility, this page contains a brief description of the NetScaler module that you configure using the pages in that category. To do actual configuration, you must access other pages in the category.

3. In the Menu tree, click the plus (+) sign to the left of Application Firewall to expand the Application Firewall category and display the next level of links.

4. In the Menu tree, click Profile to display the Profiles page, shown below.
The Application Firewall Profiles Page

   The Profiles page displays all profiles you have created to this point.

5. Click the Add button to display the Create Application Firewall Profile dialog box, shown below.
The Create Application Firewall Profile Dialog Box

6. In the Profile Name text box, type a name for your new profile. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this profile was created to protect.

7. If you are creating an XML or Web 2.0 profile, click the down arrow to the right of the Profile Type list box and choose the appropriate type. If you are creating an HTML profile, you can skip this step.

8. In the Defaults radio button array beneath the Profile Name text box, click the radio button beside Basic or Advanced to choose the default settings you want for your profile.
   Choose Basic to enable several of the most important Application Firewall checks and preconfigure them to require very little or no additional configuration and maintenance.
   Choose Advanced to enable additional features and turn on the Learning feature, so that the Application Firewall can observe traffic on your web sites and help generate the appropriate configuration.

   The defaults control which Application Firewall checks are enabled and how they are configured when the profile is created. They do not affect how the profile is configured after you create it, however; you can enable and modify the configuration of any Application Firewall checks at any time. For more information about the default settings for each Application Firewall check, see Chapter 10, The Common Security Checks, on page 187.

9. Click the Create button to create the profile. The new profile appears in the list on the Profiles page.

10. Repeat steps 6 through 8 as many times as you like to create multiple new profiles.

11. Click the Close button to close the Create Application Firewall Profile dialog box and return to the Profile page.

To create a profile using the NetScaler command line

1. Run the secure shell (SSH) client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see To log onto the NetScaler command line via SSH on page 61.

2. Enter the following command to create the profile.

   > add appfw profile <name> [-defaults ( basic | advanced )]

   For <name>, substitute a name for the profile. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this profile was created to protect.

   For [-defaults ( basic | advanced )], substitute the appropriate string to set the defaults for this profile. If you want to create your profile with basic defaults, type -defaults basic.
   If you want to create your profile with advanced defaults, type -defaults advanced.

3. Enter the following command to save your configuration.

   > save ns config

4. Enter the following command to confirm that your profile was correctly created.

   > show appfw profile <name>
   For <name>, substitute the name of the profile you just created. The NetScaler command line will display a detailed report on the profile, with all settings. The report is usually longer than the screen display can hold, so you may need to scroll back to read it all.

   If your profile was correctly created, you do not need to do anything further. If your profile was created with the wrong name, you must delete it as shown below, and then recreate it.

   > rm appfw profile <name>

   If your profile was created with the wrong defaults, you have two options. You can delete it and recreate it with the correct defaults, or you can configure it manually to set the security checks exactly as you want them.

You configure a profile either in the configuration utility Application Firewall Profiles screen, or at the NetScaler command line, as described below.

To configure a profile using the configuration utility

1. In the list on the Profiles page, click the entry for the profile you want to modify once, to highlight it.

2. Click the Open button to display the Configure Application Firewall Profile dialog box, shown below.
The Configure Application Firewall Profile Dialog Box, General Tab

   This dialog box contains four tabs. They are:
      General. Displays the profile's name and a general description. This tab is read-only; you cannot modify any of this information.
      Checks. Lists the Application Firewall security checks, and allows you to modify the settings for each.
      Settings. Allows you to configure certain aspects of the Application Firewall's behavior in this profile.
      Learning. Allows you to configure and manage the learning feature for this profile.

3. Click the Checks tab to display the Checks tab, shown below, and make any modifications you like to the settings for any security check on the list.
The Configure Application Firewall Profile Dialog Box, Checks Tab, for HTML Profiles

   A. In the security checks list, click the entry for the security check whose settings you want to modify once, to highlight it.

   B. Click the Modify button to display the Modify Check dialog box for that rule. The Modify Start URL Check dialog box General tab is shown below. The other Modify Check dialog boxes' General tabs are similar.
The Modify Start URL Check Dialog Box, General Tab

      The Modify Check dialog box has two tabs of its own, the General tab and the Settings tab. The General tab is displayed by default. It contains a description of the rule and the Check Actions area, which contains a list of actions that are performed when a request or response matches this particular security check.

   C. Enable or disable each action in the Check Actions area by checking or unchecking the check box to the left of it.
      Block. The Block action tells the Application Firewall to block requests or responses that match this check.
      Log. The Log action tells the Application Firewall to add a log entry for any request or response that matches this check.
      Learn. The Learn action enables learning for this check. When learning is not available for a check, this entry and check box are greyed out.
      Statistics. The Statistics action tells the Application Firewall to maintain statistics about the numbers and types of requests or responses that match this check, and what it did with those requests or responses.
      Other actions are available with certain security checks. See Chapter 10, The Common Security Checks, on page 187, and the two following chapters, for more information.

   D. Click the Settings tab to display it. The Modify Start URL Check dialog box Settings tab is shown below. The other Modify Check dialog box Settings tabs are similar.

The Modify Start URL Check Dialog Box, Settings Tab

      The Settings tab contains a list of exceptions (or relaxations) to this security check. For newly-created profiles that you are configuring for the first time, depending on which check you are configuring and whether you originally created the profile with basic or with advanced defaults, the list of relaxations may be empty, or may have default entries.
      Beneath the list of relaxations are buttons that allow you to add a new relaxation, modify an existing relaxation, and delete a relaxation. Clicking the Add button displays the Add Check Relaxation dialog box, shown below, where you can add a new relaxation.

The Add Start URL Check Relaxation Dialog Box

      Clicking an existing relaxation once to highlight it, then clicking the Modify button, displays the Modify Check Relaxation dialog box, shown below, where you can modify the relaxation you chose.
The Modify Start URL Check Relaxation Dialog Box

      Clicking an existing relaxation once to highlight it, then clicking the Remove button, removes the relaxation from the list. Clicking a disabled relaxation once to highlight it, then clicking the Enable button, enables that relaxation. Clicking an active relaxation once to highlight it, then clicking the Disable button, disables that relaxation.

      Note: For more information on how to enter a Start URL, see The Start URL Check on page 187. For more information about using the Regex Editor and Regex Tokens, see Configuring the Security Checks at the Configuration Utility on page 105 and following.

   E. Click the Close button to close the Modify Check dialog box and return to the Configure Application Firewall Profile dialog box.

4. Back in the Configure Application Firewall Profile dialog box, click the Settings tab to display it, as shown below.
The Configure Application Firewall Profile Dialog Box, Settings Tab

   The Settings tab contains the following configuration options:

   HTML Settings.
      HTML Error. When it blocks a user's request, the Application Firewall can either redirect the user's request to a designated Redirect URL, or it can display an HTML Error Object.
      Redirect URL. To redirect the user's request to a designated Redirect URL, you click the radio button beside Redirect URL, then type the URL you want in the text box to the right. The default setting is /, which redirects the user to the protected web site's home page.
      HTML Error Object. To display an HTML Error Object from the Application Firewall's cache, you click the radio button beside HTML Error Object, then click the down arrow to the right of the HTML Error Object list box and choose the HTML error object you want to display. If you have not already imported the HTML error object you want into the Application Firewall configuration, you click the Import button to do so.
      Note: If the error object you want to import is on a server that your NetScaler appliance can connect to only via the Internet, rather than the LAN, first verify that the appliance has Internet connectivity. Otherwise you will be unable to import the error object.
      Charset. The default charset (character set) used by the Citrix NetScaler Configuration Utility. By default, the Application Firewall charset is set to ISO , the western European encoding suitable for English and other western European languages. A list box containing valid ISO character encoding types supported by the Application Firewall appears to the right of the Charset label. You can change the charset for your Application Firewall to any other supported charset by clicking the down arrow to the right of the list box, and picking another encoding from the list.
      Strip HTML Comments. Tells the Application Firewall to remove any HTML comments from the web pages on your web site before sending them to users. This feature is disabled by default. You enable this feature by checking the Strip HTML Comments check box.
      Exclude Uploaded Files From Security Checks. Tells the Application Firewall not to scan uploaded files for violations of its security checks. This feature is disabled by default. You can enable it by checking the check box. If users will upload large files to your protected web sites, enabling this feature will improve performance without significantly degrading security.
      Enable Form Tagging. Tells the Application Firewall to tag the form fields in web forms in the HTML pages on your protected web sites. This feature is enabled by default. You can disable this feature by unchecking the check box.
      Canonicalize HTML Response. Tells the Application Firewall to modify responses sent by your protected web servers to ensure that they contain only valid HTML. This feature is enabled by default. You can disable this feature by unchecking the check box.

   XML Settings.
      XML Error Object. You choose the XML Error Object you want the Application Firewall to display when it blocks a user's request for XML content here, by clicking the down arrow to the right of the XML Error Object list box and choosing the XML error object you want to display. If you have not already imported the XML error object you want into the Application Firewall configuration, you click the Import button to do so.
      Note: If the error object you want to import is on a server that your NetScaler appliance can connect to only via the Internet, rather than the LAN, first verify that the appliance has Internet connectivity. Otherwise you will be unable to import the error object.

   Common Settings.
      Post Body Limit. You tell the Application Firewall the maximum size of POST body that it should allow here, by typing the maximum in the text box as an integer representing a number of bytes.

5. Click the Learning tab to display it, as shown below.

The Configure Application Firewall Profile Dialog Box, Learning Tab
   The Learning tab consists of the following sections:
      Security checks list. At the top of the dialog box is a window containing a list of security checks that use the learning feature. To choose a check so that you can configure its learning settings, you click that check once to highlight it.
      Manage Rules. You click the Manage Rules button to access the Manage Learned Rules dialog box.
      Learning Thresholds. You configure two settings for the selected check by typing a positive integer into the appropriate text box. The text box labeled Minimum # of sessions for learning tells the Application Firewall how many user sessions it must observe before it can start learning relaxations for this check. The text box labeled % of sessions seen tells the Application Firewall what percentage of total sessions it has observed must contain a violation of this check before it should learn a relaxation for this check. Both of these settings are set to ten (10) by default.
      Profile Learned Rules. In this section you click the Remove all Learned Data button to delete all learned information on the Application Firewall for the current profile. Clicking this button will not remove any rules that have been deployed, skipped or ignored. It merely removes learned data that you have not yet reviewed and acted on.
      Caution: Do not click this button unless you want to remove all learned data for this profile, not just the selected check, and start the learning process over again.

6. Click the OK button to permanently add your changes to the Application Firewall configuration.

7. Click the Close button to close the Configure Application Firewall Profile dialog box and return to the Profiles page.

8. To configure a different profile, click the entry for that profile once to highlight it, and repeat this procedure to configure that profile.

To configure a profile using the NetScaler command line

1. Run the secure shell (SSH) client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see To log onto the NetScaler command line via SSH on page 61.
116 102 Citrix Application Firewall Guide 2. Enter the following command to set the profile type. > set appfw profile <name> [-type ( HTML XML ) ] For [-type ( HTML XML ) ], substitute the appropriate string to create the type of profile you want. If your profile will protect standard HTML content, type -type HTML. If your profile will protect an XML SOAPbased web service, type -type XML. If your profile will protect a Web 2.0 application, type -type HTML XML. 3. Enter the following command to configure the security checks and settings for your profile. > set appfw profile <name> -<arg1> [-<arg2> ] For <arg1> and any subsequent arguments, substitute the appropriate parameter for the security check parameter you want to set. For a list of valid parameters and a description of each, see the table titled, Application Firewall Profile Security Check Parameters, on page 116 and following. For more information about the parameters of each Application Firewall security check and how they function, see the appropriate chapter: Common security checks. For security checks that apply to all kinds of profile, see Chapter 10, The Common Security Checks, on page 187. HTML security checks. For security checks that apply only to HTML and Web 2.0 profiles, see Chapter 11, The HTML Security Checks, on page 229. XML security checks. For security checks that apply only to XML and Web 2.0 profiles, see Chapter 12, The XML Security Checks, on page Enter the following command to save your configuration. > save ns config 5. Enter the following command to confirm that your profile was correctly created. > show appfw profile <name> To remove a profile using the configuration utility, in the Profile page list, you click it once to highlight it. Then, you click the Remove button. When the configuration utility asks you to confirm your choice, you click the Yes button. 
To remove a profile using the NetScaler command line, you log onto the NetScaler command line and enter the following command: > rm appfw profile <name> For <name>, you substitute the name of the profile you want to remove.
If the profile is not associated with an active policy, the profile is removed. If the profile is associated with an active policy, an error message is displayed notifying you that the profile is in use, and the profile is not removed. You must first remove the policy associated with the profile, and then you can remove the profile.

This concludes the generic procedures for configuring profiles. The remainder of this chapter contains specific information about configuring a profile's security checks and settings, and configuring and managing learning. This information is organized in the same order in which it appears in the Citrix NetScaler Configuration Utility, but all Application Firewall features and their associated options can be configured at the NetScaler command line as well.

Configuring the Security Checks

This section describes how to configure the Application Firewall security checks, and navigate the Configure Application Firewall Profile dialog box, Checks tab. The security checks supported by the Application Firewall are:

Start URL security check. Examines the URLs to which incoming requests are directed, and blocks connections to URLs that are not listed in the Start URLs list, or that a user has not reached by navigating to them from listed start URLs. This check applies to all profiles.

Cookie Consistency security check. Examines cookies returned with user requests to see that they match the cookies your web server set for that user. If a modified cookie is found, the cookie is stripped from the request before the request is forwarded to the web server. This check applies to all profiles.

Buffer Overflow security check. Examines requests to detect attempts to cause a buffer overflow on the web server. This check applies to all profiles.

Deny URL security check. Examines the URLs to which requests are directed, and blocks connections to all URLs specified in this list. This check applies to all profiles.

Credit Card security check. Examines web server responses, including headers, for credit card numbers. If it finds a credit card number in a response, it either removes the credit card number from the response before sending it, or blocks the response. This check applies to all profiles.

Safe Object security check. Allows you to create classes of protected content, such as social security numbers, and protects them in much the same manner as it does credit cards. This check applies to all profiles.

Form Field Consistency security check. Examines the structure of the web forms returned by users to your web server, and verifies that the structure of the web form and any default data are unchanged. This check applies to HTML profiles and to HTML content in Web 2.0 profiles.

Field Formats security check. Examines the data a user returns using a web form on your web site and verifies that the data being returned for each field is valid for that field. This check applies to HTML profiles and to HTML content in Web 2.0 profiles.

HTML Cross-Site Scripting security check. Examines requests and responses for scripts that attempt to access or modify content on a different web site than the web site where the script is located. When it finds such a script, it either renders the script harmless before forwarding the request or response to its destination, or blocks the connection. This check applies to HTML profiles and to HTML content in Web 2.0 profiles.

HTML SQL Injection security check. Examines requests that contain form field data for attempts to inject SQL commands into a back-end SQL database, and when it detects injected SQL code, either renders the injected SQL code harmless before forwarding the request to the web server, or blocks the request. This check applies to HTML profiles and to HTML content in Web 2.0 profiles.

Caution: If you enable the HTML Cross-Site Scripting check or the HTML SQL Injection check (or both), your NetScaler appliance is a single CPU unit, and your protected web sites accept file uploads or contain web forms that produce extremely large POST bodies when a user fills them out, you should ensure that your Application Firewall is configured appropriately. For detailed information, see Appendix C, Configuring for Large Files and Web Pages, on page 405.

XML Denial-of-Service (DoS) security check. Examines requests to determine if they are part of an XML denial-of-service attack, and when it detects a request that meets the XML DoS criteria, blocks that request. This check applies to XML profiles and to XML content in Web 2.0 profiles.

XML Format security check. Examines requests to determine if they meet the criteria set by the W3 consortium for well-formed XML, and when it detects a request that does not meet these criteria, blocks that request. This check applies to XML profiles and to XML content in Web 2.0 profiles.

XML Cross-Site Scripting security check. Examines requests and responses for scripts that attempt to access or modify content on a different server than the server that hosts the web service that hosts the script. When it finds such a script, it blocks the connection. This check applies to XML profiles and to XML content in Web 2.0 profiles.

XML SQL Injection security check. Examines requests for attempts to inject SQL commands into a back-end SQL database, and when it detects injected SQL code, blocks the request. This check applies to XML profiles and to XML content in Web 2.0 profiles.

XML Attachment security check. Examines XML requests for attachments that might constitute an attack, and when it detects such an attachment, blocks that request. This check applies to XML profiles and to XML content in Web 2.0 profiles.

XML Message Validation security check. This check applies to XML profiles and to XML content in Web 2.0 profiles.

WS-I security check. Examines requests to determine if they meet the Web Services Interoperability (WS-I) standard, and when it detects a request that does not meet this standard, blocks that request. This check applies to XML profiles and to XML content in Web 2.0 profiles.

For a detailed description of the security checks that apply to all profiles, see Chapter 10, The Common Security Checks, on page 187. For a list of the security checks that apply to HTML profiles and to HTML content in Web 2.0 profiles, see Chapter 11, The HTML Security Checks, on page 229. For a list of security checks that apply to XML profiles and to XML content in Web 2.0 profiles, see Chapter 12, The XML Security Checks, on page 271.

Configuring the Security Checks at the Configuration Utility

You configure the security checks for your profiles in the Configure Application Firewall Profile dialog box, Checks tab. This dialog box contains a list of all security checks and the tools you need to configure every option and feature associated with each check. The figure below shows the Checks tab for a Web 2.0 profile. HTML and XML profiles have shorter lists of security checks, but are otherwise the same.
The Configure Application Firewall Profile Dialog Box, Checks Tab, Web 2.0 Profile

The Security Checks list consists of six columns. The first contains the name of the Application Firewall security check. The second, third, fourth, and fifth show whether blocking, logging, statistics, and learning are enabled or disabled for that check. The sixth shows the type of check: common, HTML, or XML.

In the lower left-hand corner of the dialog box, beneath the Security Checks list, is the Modify button. To modify a particular security check, you first click its name in the Security Checks list. Next, you click the Modify button to display the Modify Check dialog box for that rule. The following figure shows the Modify Cookie Consistency Check dialog box with the General tab displayed.

The Modify Cookie Consistency Check Dialog Box, General Tab

For all checks except the Safe Object check, the General tab is displayed by default when you first open the check. The Safe Object check lacks the General tab, and the Settings tab is therefore displayed by default.

In the General tab you configure the Check Actions for each security check. The check actions are the actions that the Application Firewall performs when a request or response violates this particular check. The check actions are:

Block. Tells the Application Firewall to block connections that violate this check. You enable blocking for the rule by checking the Block check box, and disable blocking by clearing the Block check box. You might disable blocking for any of a number of reasons, depending on which check you are configuring, the type of profile you are configuring, and the web content that profile protects. If you are installing a new Application Firewall, you might need to disable blocking for some checks to prevent false positives while you allow the learning feature to generate an appropriate list of exceptions (or relaxations) to the security check, to allow it to protect your web sites without blocking legitimate content. If you are configuring a check that offers an alternative to blocking, such as rendering dangerous content harmless or removing protected information from a response, you might prefer to use the alternative means of protection. In some cases, you might want to disable the check entirely. You enable blocking to tell the Application Firewall to prevent a connection that violates a security check from being forwarded to your web server or the user.

Learn. Tells the Application Firewall to use its learning feature to observe traffic to and from your protected web sites, and generate a list of recommended relaxations to this particular security check. You enable learning by checking the Learn check box, and disable it by clearing the Learn check box.

Note: Not all security checks support learning. The Learn check box appears in this tab for all security checks, but is greyed out if it is not available for the security check you are configuring.

If you are configuring a security check that supports learning and created a profile with basic defaults, learning is disabled by default, and you probably will not want to enable it. The basic defaults are intended to provide good out-of-the-box protection for web sites and web content without requiring the system administrator to do much configuration or interact with the Application Firewall extensively on an ongoing basis. Using the learning feature requires both of these things.

If you are configuring a security check that supports learning and created a profile with advanced defaults, learning is enabled by default. Most users will prefer to leave learning enabled while they're configuring a new Application Firewall, or when they've made any significant changes to the content on a protected web site, unless they are entirely disabling the security check they are configuring. It is usually much easier to let learning do the work of determining the correct relaxations for your web site, rather than having to determine which rules are needed and create them manually.

If you are using learning, you normally turn off blocking until learning has seen enough traffic to generate the necessary list of relaxations. You then review the learned relaxations and accept those that you want to use. When learning has seen enough traffic to generate a good list, you re-enable blocking, turn off learning, and are done.

Log. Tells the Application Firewall to log any connections that violate the security check you are configuring. You enable logging by checking the Log check box, and disable it by clearing the Log check box. You normally will not want to disable logging for any security check unless you are completely disabling that security check. If anything unexpected happens, the logs are an important resource for troubleshooting.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the security check you are configuring. You enable statistics by checking the Statistics check box, and disable it by clearing the Statistics check box. You normally will not want to disable statistics for any security check unless you are completely disabling that security check. Statistics can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

There is an important additional check action available for the Start URL rule only.

URL closure. Tells the Application Firewall to allow users to access any web page on your web site by clicking a hyperlink on any other web page on your web site. This ensures that users who access your home page can easily navigate to any content that is reachable by clicking hyperlinks from that point. You enable URL closure by checking the Enforce URL Closure check box, and disable it by clearing the Enforce URL Closure check box. If you created a profile with basic defaults, you probably will not want to enable URL closure. By default, profiles created with basic defaults allow connections to HTML pages and any common types of web content. This should allow connections to any legitimate web page on your protected web sites. If you created a profile with advanced defaults, you normally should leave URL closure enabled to ensure that users can access any content on your web site that you have linked to your web site. See The Start URL Check, on page 187 for more on this subject.

There is an important additional check action available for the Cross-Site Scripting and SQL Injection checks only:

Transformation. Tells the Application Firewall to modify any cross-site scripts or SQL injection code it finds in a user's request to render them harmless and then pass the modified request on to the web server, rather than blocking the request outright. For the Cross-Site Scripting check, this check action is labeled Transform cross-site scripts. For the SQL Injection check, it is labeled Transform SQL special characters. You enable Transformation by checking the appropriate check box, and disable it by clearing that check box. You can use Transformation to allow legitimate user requests to be passed to your protected web servers safely when those requests might inadvertently contain injected SQL special characters or keywords, or cross-site scripting commands. You normally will enable either Transformation or Blocking, but not both. If you have blocking enabled, enabling transformation is redundant because the Application Firewall is already blocking access to those web pages that contain cross-site scripts or injected SQL code.

Caution: If you enable this feature, your NetScaler appliance is a single CPU unit, and your protected web sites accept file uploads or contain web forms that produce extremely large POST bodies when a user fills them out, you should ensure that your Application Firewall is configured appropriately. For detailed information, see Appendix C, Configuring for Large Files and Web Pages, on page 405.

To configure most options specific to a particular security check, and manually add or modify relaxations, you click the Settings tab. The figure below shows the Cookie Consistency Check dialog box with the Settings tab displayed.

The Modify Cookie Consistency Check Dialog Box, Settings Tab
This tab looks much the same for the majority of the security checks, although it is significantly different in the Modify Check dialog box for the Buffer Overflow, Credit Card, XML DoS, WS-I and Safe Object checks. In the other checks, this dialog box consists of a list of relaxations that covers about three-fourths of the tab, and a details area at the bottom that displays detailed information about the specific relaxation that is selected.

You can manually add a new relaxation to the relaxations list by clicking the Add button to display the Add Check Relaxation dialog box for the security check you are configuring. The Add Cookie Consistency Check Relaxation dialog box is shown below.

The Add Cookie Consistency Check Relaxation Dialog Box

In the Cookie Name section, you have several choices.

Literal. You can type a literal string representing the name of the cookie.

Regular Expression. You can enter a PCRE-compatible regular expression that represents a cookie name, or a pattern that will match many cookie names. If you choose to type a regular expression, you can enter it in one of three ways:

Directly. You can type the regular expression directly into the text field.

Using the Regex Tokens. If you prefer to type the regular expression manually into the text field, but would like assistance with certain regular expression elements, you can click the Regex Tokens button to display the Regex Tokens menu, shown below, and choose regular expression elements from the drop-down menu.

The Add Cookie Consistency Check Relaxation Dialog Box, with Regex Tokens Menu Displayed

When you choose an element from the Regex Tokens menu, it is placed at the cursor location in the Cookie Name text area. You can then copy and paste these symbols just as if you had typed them.

Using the Regex Editor. You can click the Regex Editor button to display the Regular Expressions Editor, shown below.

The Application Firewall Regular Expression Editor

You use the Regular Expression Editor by editing the default regular expression in the Regular Expression text area. You can modify or remove the default expression, type new text, and use the Regex Tokens menu just below and to the left of the text area to help you add new regular expression elements to your expression. If you want to clear the window and start over, you can click the Clear button just below and to the right of the text area. As you type, the Analyzer window updates its detailed description of your regular expression. To test your expression, you can type or paste a cookie name into the Test Regular Expression text area. If the cookie matches your regular expression, it appears in green. If it does not, it appears in red. When you have finished creating your regular expression and are satisfied that it will do what you want, you click the OK button to close the Regular Expression Editor and return to the Add Cookie Consistency Check Relaxation dialog box.

The other Add Check Relaxation dialog boxes differ from this one to a lesser or greater extent. Users who want to manually add a relaxation for a particular security check should see the section about that check beginning in Chapter 10, The Common Security Checks, on page 187, or beginning in Chapter 11, The HTML Security Checks, on page 229, or beginning in Chapter 12, The XML Security Checks, on page 271, and read the specific information about that security check.

You can manually edit an existing relaxation by clicking the entry for that relaxation once, to highlight it, then clicking the Modify button to display the Modify Check Relaxation dialog box for the security check you are configuring. The Modify Cookie Consistency Check Relaxation dialog box is shown below.

The Modify Cookie Consistency Check Relaxation Dialog Box

As you can see, except for the title and the presence in the dialog box of the relaxation data, this dialog box is identical to the corresponding Add Check Relaxation dialog box. Like the Add Check Relaxation dialog boxes, the other Modify Check Relaxation dialog boxes differ from this one to a lesser or greater extent. For specific information about a particular security check, you should see the section about that security check in Chapter 10, The Common Security Checks, on page 187, or one of the following two chapters.

You remove a relaxation by clicking the entry for that relaxation once, to highlight it, then clicking the Remove button. The dialog box tab refreshes, and the relaxation you chose is removed.

Configuring the Security Checks at the NetScaler Command Line

You configure the security checks at the NetScaler command line by typing the following command with the appropriate parameters:

set appfw profile <name> -<arg1> [-<arg2> ...]
For <name>, you substitute the name of the profile you are configuring. For <arg1>, you substitute the first parameter setting. For <arg2>, you substitute the second parameter setting, if any. You can add an unlimited number of additional parameter settings after these.

For example, to configure the Start URL actions for the profile named Example to block, log and generate statistics for requests that violate the Start URL security check, you would type the following command:

set appfw profile Example -starturlaction block log stats

This command tells the Application Firewall to block requests that violate the Start URL security check, log all such requests, and generate statistics for the Start URL security check. If you want to configure the XML DoS security check to act similarly, you would type the following:

set appfw profile Example -xmldosaction block log stats

You can configure the Application Firewall to perform this set of actions for any security check by substituting the appropriate parameter for that security check for -xmldosaction.

Caution: When you set a parameter at the NetScaler command line, all options for that parameter are overwritten by the settings you specify. You must therefore explicitly include all options you want when you configure a parameter at the NetScaler command line. If you do not, your command will reset any option you did not explicitly mention to the default setting, which can cause unexpected results.

A list of all parameters for the Application Firewall security checks is provided in the following table. To the right of each parameter the description tells you which security check that parameter applies to and which type of profile is affected by that security check.

Security checks that affect all profiles are labeled common.
Security checks that affect HTML profiles and HTML content in Web 2.0 profiles are labeled HTML.
Security checks that affect XML profiles and XML content in Web 2.0 profiles are labeled XML.

Beneath this information is a list of the options for that parameter, and a description of the effect of each option.
130 116 Citrix Application Firewall Guide Application Firewall Profile Security Check Parameters Parameter Description -starturlaction <arg> Applies to: Start URL security check. (common) -starturlclosure ( ON OFF ) -denyurlaction <arg> -cookieconsistencyaction <arg> -fieldconsistencyaction <arg> -starturlaction none: Disables the Start URL security check. -starturlaction block: Enables blocking for the Start URL check. -starturlaction learn: Enables learning for the Start URL check. -starturlaction log: Enables logging for the Start URL check. -starturlaction stats: Enables statistics for the Start URL check. Applies to: Start URL security check. (common) ON enables Start URL closure; OFF disables Start URL closure. Applies to: Deny URL security check. (common) -denyurlaction none: Disables the Deny URL security check. -denyurlaction block: Enables blocking for the Deny URL check. -denyurlaction log: Enables logging for the Deny URL check. -denyurlaction stats: Enables statistics for the Deny URL check. Applies to: Cookie Consistency security check. (common) -cookieconsistencyaction none: Disables the Cookie Consistency security check. -cookieconsistencyaction block: Enables blocking for the Cookie Consistency check. -cookieconsistencyaction learn: Enables learning for the Cookie Consistency check. -cookieconsistencyaction log: Enables logging for the Cookie Consistency check. -cookieconsistencyaction stats: Enables statistics for the Cookie Consistency check. Applies to: Form Field Consistency security check. (HTML) -fieldconsistencyaction none: Disables the Form Field Consistency security check. -fieldconsistencyaction block: Enables blocking for the Form Field Consistency check. -fieldconsistencyaction learn: Enables learning for the Form Field Consistency check. -fieldconsistencyaction log: Enables logging for the Form Field Consistency check. -fieldconsistencyaction stats: Enables statistics for the Form Field Consistency check.
131 Chapter 4 Profiles 117 Application Firewall Profile Security Check Parameters Description Applies to: HTML Cross Site Scripting security check. (HTML) Parameter -crosssitescriptingaction <arg> - crosssitescriptingtransform UnsafeHTML ( ON OFF ) - crosssitescriptingcheckcomp leteurls ( ON OFF ) -SQLInjectionAction <arg> - SQLInjectionTransformSpecia lchars ( ON OFF ) - SQLInjectionOnlyCheckFields WithSQLChars ( ON OFF ) -SQLInjectionParseComments <arg> -crosssitescriptingaction none: Disables the Cross-Site Scripting security check. -crosssitescriptingaction block: Enables blocking for the Cross-Site Scripting check. -crosssitescriptingaction learn: Enables learning for the Cross-Site Scripting check. -crosssitescriptingaction log: Enables logging for the Cross-Site Scripting check. -crosssitescriptingaction stats: Enables statistics for the Cross-Site Scripting check. Applies to: HTML Cross Site Scripting security check. (HTML) ON enables the Application Firewall to modify any HTML that violates the Cross-Site Scripting check so that it does not violate this check; OFF disables this feature. Applies to: HTML Cross Site Scripting security check. (HTML) ON tells the Application Firewall to check complete URLs for any HTML that violates the Cross-Site Scripting check; OFF tells the Application Firewall to check only the query portion of URLs. Applies to: HTML SQL Injection security check. (HTML) -SQLInjectionAction none: Disables the SQL Injection security check. -SQLInjectionAction block: Enables blocking for the SQL Injection check. -SQLInjectionAction learn: Enables learning for the SQL Injection check. -SQLInjectionAction log: Enables logging for the SQL Injection check. -SQLInjectionAction stats: Enables statistics for the SQL Injection check. Applies to: HTML SQL Injection security check. 
(HTML) ON enables the Application Firewall to modify any SQL special characters that violates the SQL Injection check so that they do not violate this check; OFF disables this feature. Applies to: HTML SQL Injection security check. (HTML) ON tells the Application Firewall to check only web form fields that contain SQL special characters for violations of the SQL Injection check; OFF tells the Application Firewall to check all web form fields. Applies to: HTML SQL Injection security check (HTML) -SQLInjectionParseComments checkall: Tells the Application Firewall to check all comments for SQL. -SQLInjectionParseComments ansi: Tells the Application Firewall to skip ANSI comments when checking for SQL. -SQLInjectionParseComments nested: Tells the Application Firewall to skip nested comments when checking for SQL. -SQLInjectionParseComments ansinested: Tells the Application Firewall to skip ANSI and nested comments when checking for SQL.
132 118 Citrix Application Firewall Guide Application Firewall Profile Security Check Parameters Parameter Description -fieldformataction <arg> Applies to: Field Format security check. (HTML) -defaultfieldformattype <string> - defaultfieldformatminlength <int> - defaultfieldformatmaxlength <int> -bufferoverflowaction <arg> -bufferoverflowmaxurllength <int> - bufferoverflowmaxheaderleng th <int> - bufferoverflowmaxcookieleng th <int> -fieldformataction none: Disables the Field Formats security check. -fieldformataction block: Enables blocking for the Field Formats check. -fieldformataction learn: Enables learning for the Field Formats check. -fieldformataction log: Enables logging for the Field Formats check. -fieldformataction stats: Enables statistics for the Field Formats check. Applies to: Field Format security check. (HTML) Sets the default Field Format for all form fields in all web forms protected by the current profile to <string>, where <string> equals either a default or user-defined field type. Applies to: Field Format security check. (HTML) Sets the default minimum length for all form fields in all web forms protected by the current profile to <int>, where <int> equals a positive integer. Applies to: Field Format security check. (HTML) Sets the default maximum length for all form fields in all web forms protected by the current profile to <int>, where <int> equals a positive integer. Applies to: Buffer Overflow security check. (common) -bufferoverflowaction none: Disables the Buffer Overflow security check. -bufferoverflowaction block: Enables blocking for the Buffer Overflow check. -bufferoverflowaction log: Enables logging for the Buffer Overflow check. -bufferoverflowaction stats: Enables statistics for the Buffer Overflow check. Applies to: Buffer Overflow security check. (common) Sets the default maximum length for URLs in requests directed to web sites protected by the current profile to <int>, where <int> equals a positive integer. 
Applies to: Buffer Overflow security check. (common) Sets the default maximum length for HTTP headers in requests directed to web sites protected by the current profile to <int>, where <int> equals a positive integer. Applies to: Buffer Overflow security check. (common) Sets the default maximum length for cookies in requests directed to web sites protected by the current profile to <int>, where <int> equals a positive integer.
Chapter 4 Profiles 119

-creditcardaction <arg>
    Applies to: Credit Card security check. (common)
    -creditcardaction none: Disables the Credit Card security check.
    -creditcardaction block: Enables blocking for the Credit Card check.
    -creditcardaction log: Enables logging for the Credit Card check.
    -creditcardaction stats: Enables statistics for the Credit Card check.

-creditcard ( visa | mastercard | discover | amex | jcb | dinersclub )
    Applies to: Credit Card security check. (common)
    Enables protection for the designated credit card.

-creditcardmaxallowed <int>
    Applies to: Credit Card security check. (common)
    Sets the maximum number of credit card numbers that the Application Firewall should allow before blocking a response to <int>, where <int> equals a positive integer.

-creditcardxout ( ON | OFF )
    Applies to: Credit Card security check. (common)
    ON tells the Application Firewall to mask any credit card numbers it detects in a response using the letter x; OFF disables this feature. For example, a credit card number of would be displayed as xxxx-xxxxxxxx.

-xmldosaction <arg>
    Applies to: XML Denial-of-Service security check. (XML)
    -xmldosaction none: Disables the XML Denial-of-Service security check.
    -xmldosaction block: Enables blocking for the XML Denial-of-Service check.
    -xmldosaction log: Enables logging for the XML Denial-of-Service check.
    -xmldosaction stats: Enables statistics for the XML Denial-of-Service check.

-xmlformataction <arg>
    Applies to: XML Format security check. (XML)
    -xmlformataction none: Disables the XML Format security check.
    -xmlformataction block: Enables blocking for the XML Format check.
    -xmlformataction log: Enables logging for the XML Format check.
    -xmlformataction stats: Enables statistics for the XML Format check.

-xmlsqlinjectionaction <arg>
    Applies to: XML SQL Injection security check. (XML)
    -xmlsqlinjectionaction none: Disables the XML SQL Injection security check.
    -xmlsqlinjectionaction block: Enables blocking for the XML SQL Injection check.
    -xmlsqlinjectionaction log: Enables logging for the XML SQL Injection check.
    -xmlsqlinjectionaction stats: Enables statistics for the XML SQL Injection check.
-xmlsqlinjectiononlycheckfieldswithsqlchars ( ON | OFF )
    Applies to: XML SQL Injection security check. (XML)
    ON tells the Application Firewall to check only XML elements that contain SQL special characters for violations of the SQL Injection check; OFF tells the Application Firewall to check all XML elements.

-xmlsqlinjectionparsecomments <arg>
    Applies to: XML SQL Injection security check. (XML)
    -xmlsqlinjectionparsecomments checkall: Tells the Application Firewall to check all comments for SQL.
    -xmlsqlinjectionparsecomments ansi: Tells the Application Firewall to skip ANSI comments when checking for SQL.
    -xmlsqlinjectionparsecomments nested: Tells the Application Firewall to skip nested comments when checking for SQL.
    -xmlsqlinjectionparsecomments ansinested: Tells the Application Firewall to skip ANSI and nested comments when checking for SQL.

-xmlxssaction <arg>
    Applies to: XML Cross-Site Scripting security check. (XML)
    -xmlxssaction none: Disables the XML Cross-Site Scripting security check.
    -xmlxssaction block: Enables blocking for the XML Cross-Site Scripting check.
    -xmlxssaction log: Enables logging for the XML Cross-Site Scripting check.
    -xmlxssaction stats: Enables statistics for the XML Cross-Site Scripting check.

-xmlwsiaction <arg>
    Applies to: WS-I security check. (XML)
    -xmlwsiaction none: Disables the XML WS-I security check.
    -xmlwsiaction block: Enables blocking for the XML WS-I check.
    -xmlwsiaction log: Enables logging for the XML WS-I check.
    -xmlwsiaction stats: Enables statistics for the XML WS-I check.
-xmlattachmentaction <arg>
    Applies to: XML Attachment security check. (XML)
    -xmlattachmentaction none: Disables the XML Attachment check.
    -xmlattachmentaction block: Enables blocking for the XML Attachment check.
    -xmlattachmentaction log: Enables logging for the XML Attachment check.
    -xmlattachmentaction stats: Enables statistics for the XML Attachment check.

-xmlvalidationaction <arg>
    Applies to: XML Validation security check. (XML)
    -xmlvalidationaction none: Disables the XML Validation check.
    -xmlvalidationaction block: Enables blocking for the XML Validation check.
    -xmlvalidationaction log: Enables logging for the XML Validation check.
    -xmlvalidationaction stats: Enables statistics for the XML Validation check.

Configuring the Profile Settings

This section describes how to configure the Application Firewall settings. The Application Firewall settings control which error URLs the Application Firewall redirects users to when a request or response is blocked, whether the Application Firewall strips comments from responses before forwarding them to users, and the default charset and default field type.

Configuring the Profile Settings at the Configuration Utility

This section describes how to configure the Application Firewall settings using the configuration utility. When using the configuration utility, you configure the Application Firewall settings in the Configure Application Firewall Profile dialog box, Settings tab, shown below.
The Configure Application Firewall Profile Dialog Box, Settings Tab

Depending upon the profile type, this tab may contain any of the following configuration options:

HTML Settings.

HTML Error. When it blocks a user's request, the Application Firewall can either redirect the user's request to a designated Redirect URL, or it can display an HTML Error Object.

Redirect URL. To redirect the user's request to a designated Redirect URL, you click the radio button beside Redirect URL, then type the URL you want in the text box to the right. The default setting is /, which redirects the user to the protected web site's home page.

HTML Error Object. To display an HTML Error Object from the Application Firewall's cache, you click the radio button beside HTML Error Object, then click the down arrow to the right of the HTML Error Object list box and choose the HTML error object you want to display. If you have not already imported the HTML error object you want into the Application Firewall configuration, you click the Import button to do so.
Note: If the error object you want to import is on a server that your NetScaler appliance can connect to only via the Internet, rather than the LAN, first verify that the appliance has Internet connectivity. Otherwise you will be unable to import the error object.

Charset. The default charset (character set) used by the Citrix NetScaler Configuration Utility. By default, the Application Firewall charset is set to ISO , the western European encoding suitable for English and other western European languages. A list box containing valid ISO character encoding types supported by the Application Firewall appears to the right of the Charset label. You can change the charset for your Application Firewall to any other supported charset by clicking the down arrow to the right of the list box, and picking another encoding from the list.

Strip HTML Comments. Tells the Application Firewall to remove any HTML comments from the web pages on your web site before sending them to users. This feature is disabled by default. You enable this feature by checking the Strip HTML Comments check box.

Exclude Uploaded Files From Security Checks. Tells the Application Firewall not to scan uploaded files for violations of its security checks. This feature is disabled by default. You can enable it by checking the check box. If users will upload large files to your protected web sites, enabling this feature will improve performance without significantly degrading security.

Enable Form Tagging. Tells the Application Firewall to tag the form fields in web forms in the HTML pages on your protected web sites. This feature is enabled by default. You can disable this feature by unchecking the check box.

Canonicalize HTML Response. Tells the Application Firewall to modify responses sent by your protected web servers to ensure that they contain only valid HTML. This feature is enabled by default. You can disable this feature by unchecking the check box.

XML Settings.

XML Error Object. You choose the XML Error Object you want the Application Firewall to display when it blocks a user's request for XML content here, by clicking the down arrow to the right of the XML Error Object list box and choosing the XML error object you want to display. If you have not already imported the XML error object you want into the Application Firewall configuration, you click the Import button to do so.
Note: If the error object you want to import is on a server that your NetScaler appliance can connect to only via the Internet, rather than the LAN, first verify that the appliance has Internet connectivity. Otherwise you will be unable to import the error object.

Common Settings.

Post Body Limit. You tell the Application Firewall the maximum size of POST body that it should allow here, by typing the maximum in the text box as an integer representing a number of bytes.

Configuring the Profile Settings at the NetScaler Command Line

You configure the settings at the NetScaler command line by typing the following command with the appropriate parameters:

set appfw profile <name> -<arg1> [-<arg2> ...]

For <name>, you substitute the name of the profile you are configuring. For <arg1>, you substitute the first setting. For <arg2>, you substitute the second setting, if any. You can add an unlimited number of additional settings after these.

For example, to configure the HTML Error URL for the profile named Example, you would type the following command:

set appfw profile Example -errorurl " 404.html"

This command tells the Application Firewall to redirect blocked requests and responses to that URL. If you want to enable stripping of HTML comments from responses, you would type the following:

set appfw profile Example -stripcomments ON

You can configure any of the Application Firewall settings similarly, by substituting the appropriate parameter and options.

Caution: When you set a parameter at the NetScaler command line, all options for that parameter are overwritten by the settings you specify. You must therefore explicitly include all options you want when you configure a parameter at the NetScaler command line. If you do not, your command will reset any option you did not explicitly mention to the default setting, which can cause unexpected results.
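The command-line procedure and the Caution above can be exercised offline with the following Python script, an added illustration that is not Citrix code and does not run on the appliance. It renders one complete set appfw profile command for a profile (listing every Buffer Overflow action explicitly, as the Caution requires) and applies the Post Body Limit and the Buffer Overflow URL, header and cookie limits to constructed HTTP requests. Assumed, and not taken from the guide: that several options of one parameter are written space-separated, how the three lengths are measured, and the limit values used in the sample.

```python
"""Emulation of selected NetScaler 9.1 Application Firewall profile settings
(added example, not Citrix code)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class ProfileSettings:
    """Subset of profile parameters used here. Limit values are constructed
    for the demonstration, not the appliance defaults."""
    name: str
    errorurl: str = "/"                     # HTML Redirect URL; "/" is the documented default
    stripcomments: bool = False             # Strip HTML Comments is disabled by default
    postbodylimit: Optional[int] = None     # unset means no POST body limit is enforced
    bufferoverflowaction: Tuple[str, ...] = ("block", "log", "stats")
    bufferoverflowmaxurllength: int = 1024
    bufferoverflowmaxheaderlength: int = 4096
    bufferoverflowmaxcookielength: int = 4096

    def set_command(self) -> str:
        """Render one complete `set appfw profile` command.

        The appliance replaces every option of a parameter with what the command
        names, so every wanted action is emitted each time (see the Caution).
        Joining several options with spaces is an assumption of this example."""
        parts = [
            f"set appfw profile {self.name}",
            f'-errorurl "{self.errorurl}"',
            f"-stripcomments {'ON' if self.stripcomments else 'OFF'}",
            "-bufferoverflowaction " + " ".join(self.bufferoverflowaction),
            f"-bufferoverflowmaxurllength {self.bufferoverflowmaxurllength}",
            f"-bufferoverflowmaxheaderlength {self.bufferoverflowmaxheaderlength}",
            f"-bufferoverflowmaxcookielength {self.bufferoverflowmaxcookielength}",
        ]
        if self.postbodylimit is not None:      # unset parameter: leave it out entirely
            parts.append(f"-postbodylimit {self.postbodylimit}")
        return " ".join(parts)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, URL, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, url, headers, body


def check_request(profile: ProfileSettings, raw: bytes) -> List[str]:
    """Return the limit violations this request triggers, as readable strings.

    Measurement is an assumption of this example: URL = request-target length,
    header = full "Name: value" line length, cookie = the Cookie header value."""
    method, url, headers, body = parse_request(raw)
    found = []
    if (profile.postbodylimit is not None and method == "POST"
            and len(body) > profile.postbodylimit):
        found.append(f"postbodylimit: {len(body)} > {profile.postbodylimit}")
    if "none" in profile.bufferoverflowaction:
        return found                            # Buffer Overflow check is disabled
    if len(url) > profile.bufferoverflowmaxurllength:
        found.append(f"bufferoverflow url: {len(url)} > {profile.bufferoverflowmaxurllength}")
    for name, value in headers:
        if name.lower() == "cookie":
            if len(value) > profile.bufferoverflowmaxcookielength:
                found.append(f"bufferoverflow cookie: {len(value)} > "
                             f"{profile.bufferoverflowmaxcookielength}")
        elif len(name) + 2 + len(value) > profile.bufferoverflowmaxheaderlength:
            found.append(f"bufferoverflow header {name}: line too long")
    return found


def decide(profile: ProfileSettings, raw: bytes) -> str:
    """Map violations to the action taken: "block", "log" or "allow".

    A POST body over the limit is always blocked; a Buffer Overflow violation is
    blocked only when "block" is among the configured actions, otherwise logged
    when "log" is, and merely counted (allowed through) when only "stats" is set."""
    found = check_request(profile, raw)
    if not found:
        return "allow"
    if any(v.startswith("postbodylimit") for v in found):
        return "block"
    if "block" in profile.bufferoverflowaction:
        return "block"
    if "log" in profile.bufferoverflowaction:
        return "log"
    return "allow"


# Constructed sample traffic for the demonstration.
SHORT_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Cookie: sid=abc123\r\n\r\n")
LONG_COOKIE_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Cookie: sid=" + b"a" * 40 + b"\r\n\r\n")
BIG_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Length: 100\r\n\r\n" + b"x" * 100)

EXAMPLE = ProfileSettings("Example", postbodylimit=64, bufferoverflowmaxurllength=64,
                          bufferoverflowmaxheaderlength=128, bufferoverflowmaxcookielength=32)

if __name__ == "__main__":
    print(EXAMPLE.set_command())
    for label, req in (("short GET", SHORT_GET), ("long cookie", LONG_COOKIE_GET),
                       ("big POST", BIG_POST)):
        print(f"{label}: {decide(EXAMPLE, req)} {check_request(EXAMPLE, req)}")
```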
A list of all parameters for the Application Firewall settings is provided in the following table. Beneath each parameter is its description, which tells you which setting the parameter controls. It then provides a list of the options for that parameter, and a description of the effect of each option.

Application Firewall Profile Settings Parameters

-htmlerrorobject <string>
    Applies to: HTML Error Object, which is sent to the user's browser when a request for an HTML web page is blocked.
    Sets the HTML Error Object to <string>, where <string> equals the name of an HTML error object uploaded to the Application Firewall in the Engine Settings Imports page.

-xmlerrorobject <string>
    Applies to: XML Error Object, which is sent to the user's browser whenever a request for an XML URL is blocked.
    Sets the XML Error Page to <string>, where <string> equals the name of an XML error object uploaded to the Application Firewall in the Engine Settings Imports page.

-errorurl <expression>
    Applies to: HTML Redirect URL setting.
    Sets the HTML Redirect URL to <expression>, where <expression> equals either a literal URL or a PCRE-compatible regular expression that evaluates to a URL.

-usehtmlerrorobject ( ON | OFF )
    Applies to: HTML Error Object.
    ON tells the Application Firewall to use the HTML error object when blocking a user request for HTML content; OFF tells the Application Firewall to use the redirect URL when blocking a user request for HTML content.

-stripcomments ( ON | OFF )
    Applies to: HTML Comment Stripping.
    ON tells the Application Firewall to strip HTML comments from responses before sending them to users; OFF tells the Application Firewall to send responses to users unmodified.

-defaultcharset <string>
    Applies to: Default Character Setting.
    Sets the default charset to <string>, where <string> equals one of the charsets supported by the Application Firewall. For a list of charsets and an explanation of each, see Appendix A, PCRE Character Encoding Format, on page 383.

-postbodylimit <integer>
    Applies to: Maximum size of HTML POST body.
    Sets the maximum size of any HTML POST body a user is allowed to send to your protected web servers to the number of bytes specified in <integer>. The Application Firewall blocks any user request that contains an HTML POST body larger than the maximum limit you set. By default, this parameter is unset, which means that the Application Firewall will not enforce a maximum limit on POST body size.

-canonicalizehtmlresponse ( ON | OFF )
    Applies to: HTML responses.
    ON tells the Application Firewall to modify (or canonicalize) HTML responses sent by your protected web servers to users to ensure that they meet the HTML 4.0 standard. OFF tells the Application Firewall to send HTML responses without modifying them.

-enableformtagging ( ON | OFF )
    Applies to: HTML web forms.
    ON tells the Application Firewall to tag the form fields in web forms sent by your protected web servers. This allows certain security checks to operate more smoothly. OFF tells the Application Firewall not to tag form fields in your web forms.

-excludefileuploadfromchecks ( ON | OFF )
    Applies to: All Requests (common)
    ON tells the Application Firewall to skip uploaded files when running security checks on web form requests containing data; OFF tells the Application Firewall to run its security checks on all parts of the request.

Configuring the Learning Feature

This section describes how to configure Application Firewall learning, and navigate the Configure Application Firewall Profile dialog box, Learning tab.

The default filtering rules used by the Application Firewall are restrictive. The Application Firewall recognizes only legitimate activity on protected web applications. If it spots a request or response that falls outside its security rules, the firewall blocks that request or response. This is called a positive security model. A positive security model allows the Application Firewall to protect web applications from unknown types of attacks as well as known or common attacks. It also means that an unconfigured Application Firewall may block legitimate web site traffic.

Configuring the Application Firewall (or any firewall that uses a positive security model) is complex because it must know a great deal about the web sites it protects and how users normally interact with those web sites.

Profiles created with basic defaults have a set of relaxations already in place that are appropriate for most web site content that does not contain complex scripts, access SQL databases in unorthodox ways, or handle sensitive private information. Learning is not enabled by default for these profiles.
Unless you need to modify part of this configuration, you probably do not need to enable and use learning.

Profiles created with advanced defaults are more restrictive, and require that you spend time configuring them appropriately. Learning makes this task considerably easier. You can manually perform some of this configuration, but for any but the simplest web site, the task can become daunting:

- You must add all URLs that users will access directly to begin a session on your protected web sites, such as the application home pages, to the list of Start URLs.
- You must add any cookies that are created or modified legitimately by the client browser to the list of cookies that are allowed to violate the Cookie Consistency check.
- You must add any web forms that contain form fields that the user's browser may add, delete, or whose types the browser may change to the list of web forms allowed to violate the Form Field Consistency check.
- You must add any web forms that violate the SQL Injection check or Cross-Site Scripting check to the relaxation lists for these checks.

In addition, to optimize security, you should consider the following.

- You should review and enable the default Deny URL expressions in the Deny URL check.
- You probably should manually create an appropriate Field Format assignment for each form field in each web form on your web site in the Field Format check.
- If any of your web sites handles customer credit card numbers, you should enable protection for the credit card types it accepts in the Credit Card check.
- If your company has its own credit cards or other sensitive customer information that can be used to place orders, you should create an appropriate rule to protect that information in the Safe Object check.

Web sites are complex, and a system administrator or a webmaster will rarely know enough about all of the web sites they manage to configure the Application Firewall correctly, avoiding mistakes and therefore avoiding blocking legitimate traffic. Fortunately, you don't have to know your web sites this well to configure the Application Firewall to protect them. You can simply enable learning, and let it observe traffic to and from your web sites.

The figure below shows the Configure Application Firewall Profile dialog box, Learning tab, where you configure a profile's learning settings for each security check that supports learning.
The Configure Application Firewall Profile Dialog Box, Learning Tab

The tab consists of two areas: the list of security checks above, and the Learning Details beneath. You click a security check in the list to show its configuration details, then modify its configuration.

When you first install your Application Firewall, or whenever you re-enable learning to observe traffic to a new or significantly modified web site or web page, you may need to configure the Application Firewall learning thresholds, or thresholds for learning, so that you base learned relaxations on an appropriate number of user sessions and observed violations of the security check you are configuring. There are two thresholds: the minimum number threshold and the percentage of times threshold.

Minimum number threshold. Depending on which security check's learning settings you are configuring, the minimum number threshold might refer to the minimum number of total user sessions that the Application Firewall must observe, or the minimum number of times it has seen a specific form field.

Percentage of times threshold. Depending on which security check's learning settings you are configuring, the percentage of times threshold might refer to the percentage of total observed user sessions that violated the security check, or the percentage of times a form field matched a particular field type.

When enabled, the learning feature analyzes all traffic to and from your web sites, and determines how your users normally access and interact with your web sites. It uses this information to create a set of specific recommendations, called learned relaxations, that allow users to continue accessing your web site as they normally do without providing an opening for an attacker.

After the Application Firewall generates a list of learned relaxations for a particular security check, you must review those learned relaxations and either accept (deploy) them or reject (skip) them. A learned relaxation is not used until you review and deploy it.

Note: If you want to clear all learned data from the Application Firewall configuration and start over, you click the Remove All Learned Data button in the Profile Learned Rules area.

To review the learned relaxations for a security check

1. In the Configure Application Firewall Profile dialog box, Learning tab, in the list at the top, click the entry for the security check you want to review learning for once, to highlight it. The figure below shows this dialog box tab, with the Cookies entry selected.
The Configure Application Firewall Profile Dialog Box, Learning Tab, with Cookies Selected

2. Click the Manage Rules button to display the Manage Learned Rules dialog box for that rule. The Manage Cookie Consistency Learned Rules dialog box is shown below.

The Manage Cookie Consistency Learned Rules Dialog Box, Simple Tab

The Name window shows a list of all patterns that the Learning engine has observed that violate this security check, but that appear to be normal behavior for your protected web site.

3. Review the learned patterns for your protected web site. You can do this in any of three ways:

Simple tab. You can review the actual learned patterns in the Simple tab.

   A. Click the first learned relaxation once, to highlight it, and choose how you want to handle it.
      - If you want to modify it and then accept it, click the Edit & Deploy button, edit the regular expression, and click the OK button to save your changes and deploy the learned relaxation.
      - If you want to accept it without modifications, click the Deploy button.
      - If you want to remove it from the list without deploying it, click the Skip button.
   B. Click each learned relaxation in turn, and repeat the previous step to review it.
   C. When you have finished reviewing learned relaxations, click the Close button to close the Manage Learned Rules dialog box, and return to the Configure Application Firewall Profile dialog box.

Learning Visualizer. You can review the learned data in the Learning Visualizer, a graphic window that displays the data hierarchically, allowing you to choose general patterns that match many learned patterns.

   A. Click the Visualizer button to display the Learning Visualizer dialog box, shown below.

      The Application Firewall Learning Visualizer, with Data

      The Learning Visualizer creates a branching tree that contains each learned pattern and proposed generalized expressions that match groups of learned patterns. You can move each leaf or branch on the tree by clicking it once to select it, then dragging it to a new location. Below is the Learning Visualizer after reorganization to make the display easier to view.

      The Application Firewall Learning Visualizer, Reorganized

   B. Click the node that contains the learned pattern or regular expression you want to review once, to highlight it. Beneath the main window is the Regex display. When you click any learned pattern or suggested generalization once, the regular expression that matches that pattern appears in the Regex display. The figure above shows the Learning Visualizer with a regular expression that matches that particular piece of learned data. If you click a node that has multiple branches, a regular expression that matches all of the learned patterns represented in those branches appears in the Regex display.
   C. Choose how you want to handle this regular expression.
      - If you want to modify it and then accept it, click the Edit & Deploy button, edit the regular expression, and click the OK button to save your changes and deploy the learned relaxation.
      - If you want to accept it without modifications, click the Deploy button.
      - If you want to remove it from the list without deploying it, click the Skip button.
      After you choose one of these options, that node and any branches and subnodes disappear from the Learning Visualizer display.
   D. Click each node you want to review in turn, and repeat the previous step to review and process it.
   E. When you have finished reviewing the learned patterns for this security check, click the Close button to close the Manage Learned Rules dialog box, and return to the Configure Application Firewall Profile dialog box.

Generalized tab. You can allow the Application Firewall to choose patterns for you in the Generalized tab. For some security checks, you can tell the Application Firewall to present its relaxations as regular expressions, or generalize them, to reduce the number of relaxations you need and cover more types of rules. The security checks that support generalized rules have two tabs in the Manage Learned Rules dialog box: the Simple tab and the Generalized tab. The figure below shows the Manage Cookie Consistency Learned Rules dialog box, Generalized tab.

The Manage Cookie Consistency Learned Rules Dialog Box, Generalized Tab

Other Generalized tabs are similar.

   A. Set the # Expressions parameter by typing a positive integer representing how many regular expressions the Application Firewall should create from its learned data. The # Expressions text box controls how many regular expressions the Application Firewall will create, and how specific those regular expressions are.
   B. Click the Generalize button to recalculate the list of generalized regular expressions.
   C. Click the first learned relaxation once, to highlight it, and choose how you want to handle it.
      - If you want to modify it and then accept it, click the Edit & Deploy button, edit the regular expression, and click the OK button to save your changes and deploy the learned relaxation.
      - If you want to accept it without modifications, click the Deploy button.
      - If you want to remove it from the list without deploying it, click the Skip button.
   D. Click each learned relaxation in turn, and repeat the previous step to review it.
   E. When you have finished reviewing learned relaxations, click the Close button to close the Manage Learned Rules dialog box, and return to the Configure Application Firewall Profile dialog box.

After you have manually configured your Application Firewall and reviewed the recommendations generated by learning over a period of time, the Application Firewall is properly configured to protect your web sites.
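As an added illustration of the two learning thresholds described above (not Citrix code; the appliance's actual counting logic is not described in this guide), the following Python keys Cookie Consistency observations on the cookie name, proposes a relaxation only when both the minimum number and the percentage of times thresholds are met, and keeps every proposal inactive until it is deployed or skipped. The session records are constructed for the example.

```python
"""Learning-threshold emulation (added example, not Citrix code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed observations: (session id, cookie name, client changed it?).
# Ten sessions; "theme" is rewritten by the browser in six of them, "tracker" in one.
OBSERVATIONS = [
    (1, "theme", True), (1, "tracker", False),
    (2, "theme", True), (2, "tracker", False),
    (3, "theme", False), (3, "tracker", True),
    (4, "theme", True), (5, "theme", True),
    (6, "theme", False), (7, "theme", True),
    (8, "theme", True), (9, "theme", False),
    (10, "theme", False),
]


def learned_relaxations(observations, min_sessions: int,
                        min_percent: float) -> List[Tuple[str, int, float]]:
    """Return (cookie, violating sessions, percentage) for every cookie whose
    violations cross both thresholds. Keying on the cookie name is this
    example's assumption about what a 'pattern' is for this check."""
    sessions: Set[int] = {sid for sid, _, _ in observations}
    if len(sessions) < min_sessions:
        return []                       # minimum number threshold not met yet
    violating: Dict[str, Set[int]] = defaultdict(set)
    for sid, cookie, violated in observations:
        if violated:
            violating[cookie].add(sid)
    proposals = []
    for cookie in sorted(violating):
        pct = 100.0 * len(violating[cookie]) / len(sessions)
        if pct >= min_percent:          # percentage of times threshold
            proposals.append((cookie, len(violating[cookie]), pct))
    return proposals


class LearnedRules:
    """Review queue: a proposal is not a relaxation until it is deployed."""

    def __init__(self, proposals: List[Tuple[str, int, float]]):
        self.pending: Set[str] = {cookie for cookie, _, _ in proposals}
        self.deployed: Set[str] = set()

    def deploy(self, cookie: str) -> None:
        self.pending.discard(cookie)
        self.deployed.add(cookie)

    def skip(self, cookie: str) -> None:
        self.pending.discard(cookie)

    def is_relaxed(self, cookie: str) -> bool:
        return cookie in self.deployed


if __name__ == "__main__":
    proposals = learned_relaxations(OBSERVATIONS, min_sessions=5, min_percent=50)
    print("proposed:", proposals)
    queue = LearnedRules(proposals)
    queue.deploy("theme")
    print("theme relaxed:", queue.is_relaxed("theme"))
```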
CHAPTER 5 Policies

This chapter describes in detail what Application Firewall policies are and do, and explains how to create policies for different types of web content. Policies in the Application Firewall resemble those in the rest of the NetScaler operating system, but they have some unusual features and require that you consider certain issues that other NetScaler policies do not.

Note: You do not need to read this chapter if the default configuration you performed in Chapter 3, Simple Configuration, on page 67, or any additional configuration you performed in Chapter 14, Use Cases, on page 303 meets your needs.

An Overview of Policies

This section describes what an Application Firewall policy consists of, and how the Application Firewall uses policies when it protects your web sites.

The Application Firewall relies on policies to tell it how to distinguish between different types of content, and how to filter each type. A policy consists of two main parts:

Expression. An expression that defines the types of requests and associated responses that the Application Firewall is to filter. The NetScaler operating system uses a proprietary expressions language based on PCRE-format regular expressions with special terms added to allow you to designate any attribute of any connection that it can process. The Application Firewall processes only HTTP connections, and therefore uses a subset of the overall NetScaler expressions language. For more information, see Installation and Configuration Guide, Volume 1, Chapter 15, Policy Expressions.

Action. For Application Firewall policies, the action is the profile that the Application Firewall is to use when filtering requests and responses.
Policies allow you to assign different filtering rules to different types of web content. Not all web content is alike. A simple web site that uses no complex scripting and accesses and handles no private data might require only the level of protection provided by a profile created with basic defaults. Web content that contains JavaScript-enhanced web forms or accesses a back-end SQL database will probably require more tailored protection. You can create a different profile to filter this content, and create a separate policy that can determine which requests are being sent to that content and filter them accordingly. You then associate the policy expression with a profile you created and globally bind the policy to put it into effect.

The remainder of this chapter describes how you create, configure, and manage Application Firewall policies.

Creating and Configuring Policies

You create and configure Application Firewall policies in the Application Firewall Policies page. Below are instructions for doing this using the configuration utility and at the NetScaler command line.

To create a policy using the configuration utility

1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions on doing this, see Chapter 2, Installation, "To log on to the configuration utility".
2. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Policies to display the Policies page, shown below.
The Application Firewall Policies Page

The page displays any policies that you have already created. If you are configuring a new Application Firewall, the list will be empty.

3. In the lower left-hand corner of the data area, click the Add button to display the Create Application Firewall Policy dialog box, shown below.

The Create Application Firewall Policy Dialog Box
4. In the Policy Name* text box, type a name for your new policy. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this policy was created to detect.

5. Click the down arrow to the right of the Profile list box, and click the name of the profile you want to associate with this policy. You can create a new profile to associate with your policy from this dialog by clicking the New button to the right of the Action* list box, and you can modify an existing profile by clicking the Modify button to the right of the New button.

Note: In some parts of the Policy page, a profile is referred to as an action. In the Application Firewall context, they are the same thing.

6. Click the down arrow to the right of the Match Any Expression list box, and choose how you want the Application Firewall to evaluate multiple expressions. If you plan to use only one expression, you can skip this step. Your choices are:

   Match Any Expression. If a request matches any expression in the Expressions list, the request matches this policy.

   Match All Expressions. If a request matches all expressions in the Expressions list, the request matches this policy. If it does not match them all, it does not.

   Tabular Expression. Switches the Expressions list to a tabular format with two columns. In the first column, you place an operator:

      The AND [&&] operator, which tells the Application Firewall to require that a request match both the current expression and the following expression to match the policy.

      The OR [||] operator, which tells the Application Firewall to require that a request match either the current expression or the following expression, or both, to match the policy. Only if the request does not match either expression does it not match the policy.

      The END [)] operator, which tells the Application Firewall that this is the last expression in this policy.
   In the second column, you place the regular expression. The Tabular format allows you to create a complex policy that contains both Match Any Expression and Match All Expressions on a per-expression basis. You are not limited to just one or the other.

   Advanced Free-Form. Switches off the Expressions Editor entirely and modifies the Expressions list into a text area. In the text area, you can type the PCRE-format regular expression of your choice to define this policy. This is both the most powerful and the most difficult method of creating a policy, and is recommended only for those thoroughly familiar with PCRE-format regular expressions and their Citrix NetScaler Application Accelerator or NetScaler appliance.

Caution: If you switch to Advanced Free Form expression editing mode, you cannot switch back to any of the other modes. Do not choose this expression editing mode unless you are sure that is what you want.

7. Choose an expression to define your policy. You can choose a predefined expression (or named expression) from the Named Expressions list:

   A. Click the down arrow to the right of the first Named Expressions list box (the Category list box), and choose the category of named expressions that contains the named expression you want to use.

   B. Click the down arrow to the right of the second Named Expressions list box, and choose the named expression you want. As you choose a named expression, the regular expression definition of that named expression appears in the Preview Expression pane beneath the Named Expression list boxes.

   C. Click the + Add Expression button to add the named expression to the Expression list.

   Alternatively, you can define a new expression using the Add Expression dialog box:

   A. Click the Add button to display the Add Expression dialog box, shown below.
[Figure: The Add Expression Dialog Box]

      You should leave the expression type set to General Expression for Application Firewall policies. The Flow Type is set to REQ by default. This tells the Application Firewall to look at incoming connections, or requests, and the associated outgoing connection, or response. Since the Application Firewall treats a request and its associated response as a single entity, all Application Firewall policies begin with REQ.

   B. If the Protocol is not already set to HTTP, click the down arrow to the right of the Protocol list box and choose HTTP. This tells the Application Firewall to look at HTTP requests, that is, requests sent to a web server.

   Note: In the NetScaler operating system expressions language, HTTP includes HTTPS requests as well.

   C. Click the down arrow to the right of the Qualifier list box, and choose a qualifier for your expression.
      Your choices are:

      METHOD. The HTTP method used in the request.
      URL. The contents of the URL header.
      URLTOKENS. The URL tokens in the HTTP header.
      VERSION. The HTTP version of the connection.
      HEADER. The header portion of the HTTP request.
      URLLEN. The length of the contents of the URL header.
      URLQUERY. The query portion of the contents of the URL header.
      URLQUERYLEN. The length of the query portion of the URL header.

      The contents of the remaining list boxes change to the choices appropriate to the Qualifier you pick. If you choose HEADER, a text field labeled Header Name* appears below the Flow Type list box, as shown below.

[Figure: The Add Expression Dialog Box, Partially Filled In]

   D. Click the down arrow to the right of the Operator list box, and choose an operator for your expression.
      Your choices will vary depending upon the Qualifier you chose in the previous step. The complete list of operators you might see is:

      ==. Matches the following text string exactly.
      !=. Does not match the following text string.
      >. Is greater than the following integer.
      CONTAINS. Contains the following text string.
      CONTENTS. The contents of the designated header, URL, or URL query.
      EXISTS. The specified header or query exists.
      NOTCONTAINS. Does not contain the following text string.
      NOTEXISTS. The specified header or query does not exist.

      If you want this policy to operate on requests sent to a specific Host, you can leave the default, the equals operator (==).

   E. If the Value text box is visible, type the appropriate string or number. If you are testing a string, type the string into the Value* text box. If you are testing an integer, type the integer into the Value* text box. For example, if you want this policy to operate on requests sent to the host shopping.example.com, you would type that string in the Value text box, as shown below.

[Figure: The Add Expression Dialog Box, Completely Filled In]
   F. If you chose HEADER as the Qualifier, type the header you want in the Header Name text box.

   G. Click the OK button to add your expression to the Expression list.

   H. Repeat steps B through G to create any additional expressions you want for your policy.

   I. Click the Close button to close the Expressions Editor and return to the Create Application Firewall Policy dialog box.

8. Repeat step 7 to add any additional expressions you want to the Expressions list. You can mix named expressions and ad-hoc expressions created in the Expressions Editor. To the Application Firewall, they are all the same.

9. Click the Create button to create your new policy.

10. Repeat step 3 through step 9 to create any additional policies you want.

11. Click the Close button to close the Create Application Firewall Policy dialog box and return to the Policies screen. Your new policies appear in the Policies page list, unbound. The figure below shows three unbound policies in the Policies list.

[Figure: The Application Firewall Policies Page, with Three Unbound Policies Displayed]
To create a policy at the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.

2. Enter the following command to create the policy.

> add appfw policy <name> <rule> <profile>

Make the following substitutions:

   For <name>, substitute a name for the policy. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this policy was created to detect.

   For <rule>, substitute a NetScaler expression that defines the web content you want to filter using this policy. This expression can take many forms, but all follow this syntax:

   "<flow type>.<protocol>.<qualifier>.<operator>[.<value>][.<header name>]"

   Note: All rules must be enclosed in double quotes.

   For each of the designated elements, substitute the appropriate value. The following list describes each element and provides the right values or explains how to determine what they are:

   Flow type. Whether the policy filters requests or responses. The flow type is always REQ for Application Firewall policies because the Application Firewall filters each request and its associated response as a unit.

   Protocol. The protocol of the connections that this policy will filter. For Application Firewall policies, this should be HTTP.

   Qualifier. The aspect of the protocol that the policy should consider. The following values are valid:

      METHOD. The HTTP method used in the request.
      URL. The contents of the URL header.
      URLTOKENS. The URL tokens in the HTTP header.
      VERSION. The HTTP version of the connection.
      HEADER. The header portion of the HTTP request.
      URLLEN. The length of the contents of the URL header.
      URLQUERY. The query portion of the contents of the URL header.
      URLQUERYLEN. The length of the query portion of the URL header.

   Operator. The symbol that describes the condition you want the Application Firewall to test. Depending on the qualifier you picked, two or more operators may be valid. The complete list of valid operators is:

      ==. Matches the following text string exactly.
      !=. Does not match the following text string.
      >. Is greater than the following integer.
      CONTAINS. Contains the following text string.
      CONTENTS. The contents of the designated header, URL, or URL query.
      EXISTS. The specified header or query exists.
      NOTCONTAINS. Does not contain the following text string.
      NOTEXISTS. The specified header or query does not exist.

   Value. If you chose the equals (==), does not equal (!=), is greater than (>), CONTAINS, or NOTCONTAINS operator, you must include the string or value that the Application Firewall should test the qualifier against. If you are testing a string, type the string. If you are testing an integer, type the integer. For example, if you are testing the URL header to see if it contains the subdomain shopping.example.com, you type the string shopping.example.com.

   Header Name. If you chose HEADER as your Qualifier, you must also include the name of the header that contains the attribute or string you want the Application Firewall to use for the test.

   For example, the following expression tells the Application Firewall to check all requests to see that the URL header exists.

   "REQ.HTTP.HEADER URL EXISTS"

   Since all requests by definition have a URL header, this expression matches all requests.

   For <profile>, substitute the name of the profile you want to associate with this policy.
3. Enter the following command to save your configuration.

> save ns config

4. Enter the following command to confirm that your policy was correctly created.

> show appfw policy <name>

For <name>, substitute the name of the policy you created. If your policy was correctly created, you do not need to do anything further. If your policy was created with the wrong name, a flawed expression, or associated with the wrong profile, you must delete it as shown below, and then recreate it.

> rm appfw policy <name>

You modify an existing policy in the configuration utility in the Policies page, by clicking it once to highlight it, then clicking the Open button to open the Modify Application Firewall Policy dialog box. Except for the title, this dialog box is identical to the Create Application Firewall Policy dialog box. You modify your policy following the process described in To create a policy using the configuration utility on page 138.

You modify an existing policy at the NetScaler command line by re-issuing the create policy command described in To create a policy at the NetScaler command line on page 146, but substituting the set appfw policy command for the add appfw policy command. When you issue the set appfw policy command, it overwrites the existing configuration for that policy.

You delete a policy in the configuration utility by clicking it once to highlight it, then clicking the Remove button. You delete a policy at the NetScaler command line by issuing the rm appfw policy command, as described in To create a policy at the NetScaler command line, step 4 on page 149.

Globally Binding a Policy

To put a policy and its associated profile into effect, you globally bind the policy and assign it a priority. The priority you assign determines the order in which your policies are evaluated, allowing you to evaluate the most specific policy first, and more general policies in descending order, finishing with your most general policy.
You can globally bind a policy either in the configuration utility or at the NetScaler command line.
To globally bind a policy using the configuration utility

1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions on doing this, see Chapter 2, Installation, To log on to the configuration utility.

2. In the Menu tree, expand the Application Firewall entry, and click Policies.

3. In the list of policies in the data area, click the entry for the policy you want to globally bind.

4. Click the Global Bindings button to display the Bind/Unbind Firewall Policy(s) to Global dialog box, shown below.

[Figure: The Bind/Unbind Policy(s) to Global Dialog Box]

5. Click the Insert Policy button to insert a row in the data area of this dialog box and display available policies, as shown below.
[Figure: The Bind/Unbind Policy(s) to Global Dialog Box, after the Insert Policy Button is Clicked]

In addition to listing any policies you have created that are not already in the Bind/Unbind Policy(s) to Global dialog box data area, the drop-down list includes the New Policy entry. If you choose this entry, the Create Application Firewall Policy dialog box is displayed, allowing you to create a new policy.

6. Click the policy you created to insert it in the list. The policy you chose is inserted, and the check box in the State column is checked, which indicates that it is bound and activated.

7. If you want to globally bind your policy, but temporarily keep it inactive, clear the check box in the State column. When you globally bind a policy, by default it is enabled and goes immediately into effect. In some cases, you might want to have a policy reviewed before you put it into effect, but want to be able to enable it quickly. You can do this by clearing the State check box or setting the policy to DISABLED.

8. In the Priority column, click the default integer and edit the number to assign the appropriate priority to this policy. In the NetScaler operating system, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is evaluated first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. Since the Application Firewall implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important to get the results you intended.

9. Click the OK button to save your changes. The Bind/Unbind Firewall Policy(s) to Global dialog box closes, and you return to the Policies page. The figure below shows the Application Firewall Policies page with three policies, two of them globally bound.

[Figure: The Application Firewall Policies Page, with Two Globally Bound Policies]

To globally bind a policy using the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.

2. Enter the following command to globally bind the policy.

> bind appfw global <policy> <priority>

For <policy>, substitute the name of the policy you want to globally bind. For <priority>, substitute a positive integer that represents the priority of this policy. In the NetScaler operating system, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is evaluated first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. Since the Application Firewall implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important to get the results you intended.

3. Enter the following command to save your configuration.

> save ns config

You have successfully globally bound your policy and its associated profile.
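How a set of globally bound rules is evaluated, as an added example that is not part of this guide or of NetScaler: a constructed Python model of the classic rule syntax documented above, which parses a rule, matches it against a request, and selects the profile by binding priority with the first match winning and DISABLED bindings skipped. SAMPLE_BINDINGS and SAMPLE_REQUEST are constructed; the CONTENTS operator and the real engine's exact case handling are not modelled.

```python
"""Constructed model (not NetScaler code) of the classic Application Firewall
policy rules documented above: parse a rule such as
'REQ.HTTP.HEADER Host CONTAINS shopping.example.com', evaluate it against a
request, and pick the profile the way a global binding does."""
from urllib.parse import urlsplit

QUALIFIERS = {"METHOD", "URL", "URLTOKENS", "VERSION", "HEADER",
              "URLLEN", "URLQUERY", "URLQUERYLEN"}
OPERATORS = {"==", "!=", ">", "CONTAINS", "NOTCONTAINS", "EXISTS", "NOTEXISTS"}
NEEDS_VALUE = {"==", "!=", ">", "CONTAINS", "NOTCONTAINS"}


def parse_rule(rule):
    """Parse 'REQ.HTTP.<qualifier> [<header name>] <operator> [<value>]'.
    The CLI's surrounding double quotes are tolerated. Anything outside the
    documented grammar raises ValueError, so a typo is caught before binding."""
    tokens = rule.strip().strip('"').split()
    if not tokens:
        raise ValueError("empty rule")
    parts = tokens[0].split(".")
    if len(parts) != 3 or parts[0] != "REQ" or parts[1] != "HTTP":
        raise ValueError("Application Firewall rules start with REQ.HTTP.<qualifier>")
    qualifier = parts[2]
    if qualifier not in QUALIFIERS:
        raise ValueError("unknown qualifier %r" % qualifier)
    rest = tokens[1:]
    header = None
    if qualifier == "HEADER":          # HEADER takes the header name first
        if not rest:
            raise ValueError("HEADER needs a header name")
        header, rest = rest[0], rest[1:]
    if not rest or rest[0] not in OPERATORS:
        raise ValueError("missing or unknown operator in %r" % rule)
    operator = rest[0]
    value = " ".join(rest[1:]) if len(rest) > 1 else None
    if (operator in NEEDS_VALUE) != (value is not None):
        raise ValueError("operator %s and value do not agree" % operator)
    return {"qualifier": qualifier, "header": header,
            "operator": operator, "value": value}


def _subject(parsed, request):
    """Return the request attribute the qualifier names, or None if absent.
    request is a constructed dict: method, version, url (request-line path
    plus query) and headers."""
    q, url = parsed["qualifier"], request["url"]
    query = urlsplit(url).query
    simple = {"METHOD": request["method"], "VERSION": request["version"],
              "URL": url, "URLTOKENS": url, "URLLEN": len(url),
              "URLQUERY": query or None, "URLQUERYLEN": len(query)}
    if q in simple:
        return simple[q]
    if parsed["header"].upper() == "URL":   # the guide: every request has a URL header
        return url
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(parsed["header"].lower())


def evaluate(rule, request):
    """True when the request matches the rule (string compares are case-sensitive here)."""
    parsed = parse_rule(rule)
    subject = _subject(parsed, request)
    op, value = parsed["operator"], parsed["value"]
    if op == "EXISTS":
        return subject is not None
    if op == "NOTEXISTS":
        return subject is None
    if subject is None:                 # nothing to compare against
        return False
    if op == ">":
        return int(subject) > int(value)
    text = str(subject)
    return {"==": text == value, "!=": text != value,
            "CONTAINS": value in text, "NOTCONTAINS": value not in text}[op]


def select_profile(bindings, request):
    """bindings: (priority, policy name, rule, profile, enabled) tuples as
    bound with 'bind appfw global'. Returns (policy, profile) of the first
    match in ascending priority order, or None when nothing matches."""
    for priority, name, rule, profile, enabled in sorted(bindings, key=lambda b: b[0]):
        if enabled and evaluate(rule, request):
            return name, profile
    return None


# Constructed bindings: the guide's catch-all rule gets the highest number
# (lowest priority) so the more specific shop policy is evaluated first.
SAMPLE_BINDINGS = [
    (1000, "pol_catchall", "REQ.HTTP.HEADER URL EXISTS", "prof_default", True),
    (10, "pol_shop", "REQ.HTTP.HEADER Host CONTAINS shopping.example.com", "prof_shop", True),
    (100, "pol_post", "REQ.HTTP.METHOD == POST", "prof_strict", False),
]
SAMPLE_REQUEST = {"method": "POST", "version": "HTTP/1.1",
                  "url": "/cart/checkout.pl?item=42",
                  "headers": {"Host": "shopping.example.com"}}
```

Swapping the priorities of pol_shop and pol_catchall makes every request land in prof_default, which is the ordering mistake the priority paragraph above warns about.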
CHAPTER 6 Confidential Fields

A confidential field is a web form field that accepts sensitive private information, such as passwords, credit card numbers and expiration dates, social security numbers, and other bits of information that could potentially be used in identity theft or other types of fraud if the wrong persons were able to obtain them. The Application Firewall Confidential Field feature allows you to designate web form fields as confidential to protect the information users type into them.

Normally, any information a user types into a web form on one of your protected web servers is logged in the NetScaler logs. The information typed into a web form field designated as confidential, however, is not logged. That information is saved only where the web site is configured to save this data, normally in a secure database.

Common types of information that you may want to protect with a confidential field designation include:

   Passwords
   Credit card numbers, validation codes, and expiration dates
   Social security numbers
   Private home addresses and telephone numbers

In addition to being good server security, proper use of confidential field designations may be necessary for PCI-DSS compliance on ecommerce servers, HIPAA compliance on servers that manage medical information in the United States, and compliance with other data protection standards.

Adding Confidential Field Designations

To tell your NetScaler appliance to treat a web form field on a protected web site as confidential, you add that field to the Confidential Fields list.

To add a new confidential field using the configuration utility

1. In the Application Firewall page, click the Confidential Fields link to display the Manage Confidential Fields page, shown below.
[Figure: The Confidential Fields Page]

2. In the Confidential Fields pane, click the Add button to display the Create Confidential Field dialog box, shown below.
[Figure: The Create Confidential Field Dialog Box]

If there are no existing confidential field designations, or if you have not selected a confidential field designation, the dialog box is displayed exactly as shown. If you selected a confidential field designation before clicking the Add button, the dialog box is displayed with the information from that confidential field. Changes to this data will not change the confidential field you selected, but will instead be saved as an additional user-created confidential field. You can use this to your advantage by clicking an existing confidential field that is similar to the one you want to create, and using the information from that confidential field as a basis from which to create the new confidential field.

3. If you want to create a new confidential field listing, but not enable it immediately, clear the Enabled check box. By default, the confidential field is enabled.

4. If you will use a regular expression as the field name, in the Field Name section select the Is Field Name Regular Expression check box.
5. Type the name of the form field or form fields that should be treated as confidential fields. You can do this in the following ways:

   You can type a literal string that represents a specific field name.

   You can type a PCRE-compatible regular expression that represents a specific field name, or matches multiple fields with names that follow a pattern. Below are some regular expressions that define field names that you might find useful:

   If you want to designate all field names that begin with the string passwd_ as confidential fields, you could use the following regular expression:

   ^passwd_

   If you want to designate all field names that begin with the string passwd_, or that contain the string -passwd_ after another string that might contain non-ASCII special characters, as confidential fields, you could use the following regular expression:

   ^(([0-9a-zA-Z._-]*|\\x[0-9a-fA-F][0-9a-fA-F])+-)?passwd_

6. In the Action URL section, in the text area type the action URL of the web form where the form field or form fields that should be treated as confidential fields appear. You can do this in the following ways:

   You can type a literal string that represents a specific URL.

   You can type a PCRE-compatible regular expression that represents a specific URL, or that matches multiple URLs with a common pattern. Below are some regular expressions that define specific URL types that you might find useful. You should substitute your own web host(s) and domain(s) for those in the examples.

   If the web form appears on multiple web pages on the web host but all of those web pages are named logon.pl?, you could use the following regular expression:

   https?://www[.]example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?

   If the web form appears on multiple web pages on the web host which contains the n-tilde (ñ) special character, you could use the following regular expression, which represents the n-tilde special character as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset:

   https?://www[.]example-espa\xc3\xb1ol[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl

   Note: When a regular expression appears on two or more lines, you should type it on a single line in the NetScaler command line, and press the Enter key only once at the end.

   If the web form on query.pl appears on multiple web pages on different hosts within the example.com domain, you could use the following regular expression:

   https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?

   If the web form on query.pl appears on multiple web pages on different hosts in different domains, you could use the following regular expression:

   https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*[0-9A-Za-z][0-9A-Za-z_.-]+[.][a-z]{2,6}/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?

7. In the Comments section, type an explanation of why you designated this form field or these form fields as confidential. This field is optional; you can leave it blank.

8. Click the Create button to save your changes. A message box appears notifying you that your new confidential field designation was successfully created. To close the message box, click the OK button.

9. Click the Close button to close the Add Confidential Field dialog box, and return to the Confidential Fields pane.
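What a designation does with a submitted form, as an added example that is not part of this guide or of NetScaler: the field name and action URL patterns from steps 5 and 6 are applied, with Python's re standing in for the appliance's PCRE engine, to decide which fields of a constructed POST body are confidential and therefore never reach the log. DESIGNATIONS, SAMPLE_URL and SAMPLE_BODY are constructed, and search semantics for the regular expressions is an assumption.

```python
"""Constructed model (not NetScaler code) of confidential field designations:
the guide's field-name and action-URL patterns decide which form values are
kept out of a log entry. Matching uses re.search, an assumption about the
appliance's PCRE matching semantics."""
import re
from urllib.parse import parse_qsl, urlencode

# Field-name pattern from the guide: passwd_ at the start, or -passwd_ after a
# prefix that may contain \xHH escapes (\\x in the pattern is a literal "\x").
FIELD_NAME_RE = r"^(([0-9a-zA-Z._-]*|\\x[0-9a-fA-F][0-9a-fA-F])+-)?passwd_"

# Action-URL pattern from the guide: logon.pl? on any host in any domain.
URL_ANY_DOMAIN_RE = (r"https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*"
                     r"[0-9A-Za-z][0-9A-Za-z_.-]+[.][a-z]{2,6}/"
                     r"([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?")

# Constructed designations, shaped like the add appfw confidfield arguments:
# (field name, field name is regex, url, url is regex (-isregex), state ENABLED)
DESIGNATIONS = [
    (FIELD_NAME_RE, True, URL_ANY_DOMAIN_RE, True, True),
    ("card_number", False, "https://www.example.com/logon.pl?", False, True),
    ("ssn", False, "https://www.example.com/logon.pl?", False, False),  # DISABLED
]


def _matches(pattern, is_regex, text):
    """Regex designations are searched for; literal ones must match exactly."""
    if is_regex:
        return re.search(pattern, text) is not None
    return pattern == text


def is_confidential(field, action_url, designations=DESIGNATIONS):
    """True if an ENABLED designation matches both the field name and the action URL."""
    return any(enabled and _matches(fp, f_re, field) and _matches(up, u_re, action_url)
               for fp, f_re, up, u_re, enabled in designations)


def redact_form_for_log(action_url, body, designations=DESIGNATIONS):
    """Return the URL-encoded form body as it should appear in a log entry:
    confidential values replaced by a marker, everything else untouched."""
    logged = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if is_confidential(name, action_url, designations):
            value = "REDACTED"
        logged.append((name, value))
    return urlencode(logged)


# Constructed sample submission: one plain password field and one that only
# the -passwd_ alternative of the pattern catches.
SAMPLE_URL = "https://shop.example.com/cgi-bin/logon.pl?lang=en"
SAMPLE_BODY = "user=bob&passwd_main=s3cret&user-passwd_old=hunter2&note=hi"
```

Running the same body against https://shop.example.com/login.php leaves both password values in the log output, which shows why the action URL pattern has to cover every page that hosts the form.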
To add a new confidential field using the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.

2. Enter the following command to add a new confidential field.

> add appfw confidfield <name> "<url>" [-isregex ( REGEX | NOTREGEX )] [-comment "<string>"] [-state ( ENABLED | DISABLED )]

Make the following substitutions:

   For <name>, substitute the name of the confidential field as either a literal string or as a PCRE-compatible regular expression. Below are some regular expressions that define field names that you might find useful.

   If you want to designate all field names that begin with the string passwd_ as confidential fields, you could use the following regular expression:

   ^passwd_

   If you want to designate all field names that begin with the string passwd_, or that contain the string -passwd_ after another string that might contain non-ASCII special characters, as confidential fields, you could use the following regular expression:

   ^(([0-9a-zA-Z._-]*|\\x[0-9a-fA-F][0-9a-fA-F])+-)?passwd_

   For <url>, substitute either a literal URL or a PCRE-compatible regular expression, enclosed in double straight quotation marks, that defines the URL or URLs that contain the web forms. Below are some regular expressions that define specific URL types you might find useful. You should substitute your own web host(s) and domain(s) for those in the examples.

   If the web form appears on multiple web pages on the web host but all of those web pages are named logon.pl?, you could use the following regular expression:

   "https?://www[.]example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?"

   If the web form appears on multiple web pages on the web host which contains the n-tilde (ñ) special character, you could use the following regular expression, which represents the n-tilde special character as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset:

   "https?://www[.]example-espa\xc3\xb1ol[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl"

   Note: When a regular expression appears on two or more lines, you should type it on a single line in the NetScaler command line, and press the Enter key only once at the end.

   If the web form on query.pl appears on multiple web pages on different hosts within the example.com domain, you could use the following regular expression:

   "https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?"

   If the web form on query.pl appears on multiple web pages on different hosts in different domains, you could use the following regular expression:

   "https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*[0-9A-Za-z][0-9A-Za-z_.-]+[.][a-z]{2,6}/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?"

   Set the -isregex argument to tell the Application Firewall whether the URL you set was a literal string or a regular expression. If you used a literal string for the URL, type -isregex NOTREGEX. If you used a regular expression for the URL, type -isregex REGEX.

   If you want to add a comment to your confidential field designation, for <comment>, substitute a string enclosed in double straight quotation marks.

   Set the -state argument to specify whether you want to enable or disable this confidential field designation.

3. Enter the following command to save your configuration.
> save ns config

4. Enter the following command to confirm that your confidential field designation was created as you wanted.

> show appfw confidfield <name>

For <name>, substitute the name of the confidential field. If your confidential field designation is correct, you do not need to do anything further. If your confidential field designation has the wrong name, a flawed regular expression, or the wrong priority, you fix it using the set appfw confidfield command:

> set appfw confidfield <name> "<url>" [-isregex ( REGEX | NOTREGEX )] [-comment "<string>"] [-state ( ENABLED | DISABLED )]

The set appfw confidfield command takes the same arguments as the add appfw confidfield command. See step 2 for instructions.

Managing Confidential Field Designations

You can modify an existing confidential field designation using the configuration utility or at the NetScaler command line.

To modify an existing confidential field designation using the configuration utility:

1. In the Application Firewall pane, select the Confidential Fields link to display the Manage Confidential Fields page.

2. In the Confidential Fields pane, click the entry for the confidential field you want to modify.

3. Click the Open button to display the Configure Confidential Form Field dialog box with the information for that confidential field designation in it, as shown below.
[Figure: Configure Confidential Form Field Dialog Box]

4. If you want to disable the confidential field designation temporarily, but not remove it from the configuration, clear the Enabled check box. By default, the confidential field is enabled.

5. If you want to use a regular expression as the field name, select the Is Field Name Regular Expression check box.

6. In the Field Name section, modify the name of the form field or form fields which should be treated as confidential fields. You can do this in the following ways:

   You can type a literal string that represents a specific field name.

   You can type a PCRE-compatible regular expression that represents a specific field name, or matches multiple fields with names that follow a pattern.

   For examples of PCRE-compatible regular expressions that might be useful, see step 5 of To add a new confidential field using the configuration utility, above.

7. In the Action URL section, in the text area modify the action URL of the web form that contains the confidential field.
   You can do this in the following ways:

   You can type a literal string that represents a specific URL.

   You can type a PCRE-compatible regular expression that represents a specific URL, or that matches multiple URLs with a common pattern.

   For examples of PCRE-compatible regular expressions that might be useful, see step 6 of To add a new confidential field using the configuration utility, above.

8. In the Comments section, type an explanation of why you designated this form field or these form fields as confidential. This field is optional; you can leave it blank.

9. Click the OK button to save your changes.

10. To remove a confidential field designation from the confidential fields list, click the confidential field listing you want to remove, then click the Remove button to remove it.

11. To enable a confidential field designation that is currently disabled, click the confidential field listing you want to enable once to highlight it, then click the Enable button.

12. To disable a confidential field designation that is currently enabled, click the confidential field listing you want to disable once to highlight it, then click the Disable button.

13. Click the OK button to close the message box and return to the Manage Confidential Fields dialog box.

To modify an existing confidential field designation using the NetScaler command line:

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.

2. Enter the following command to modify an existing confidential field.

> set appfw confidfield <name> "<url>" [-isregex ( REGEX | NOTREGEX )] [-comment "<string>"] [-state ( ENABLED | DISABLED )]

Make the following substitutions:

   For <name>, substitute the name of the confidential field you want to modify.

   For <url>, substitute either a literal URL or a PCRE-compatible regular expression, enclosed in double straight quotation marks, that defines the URL or URLs that contain the web forms.
   Below are some regular expressions that define specific URL types you might find useful. You should substitute your own web host(s) and domain(s) for those in the examples.

   If the web form appears on multiple web pages on the web host but all of those web pages are named logon.pl?, you could use the following regular expression:

   "https?://www[.]example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?"

   If the web form appears on multiple web pages on the web host which contains the n-tilde (ñ) special character, you could use the following regular expression, which represents the n-tilde special character as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset:

   "https?://www[.]example-espa\xc3\xb1ol[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl"

   Note: When a regular expression appears on two or more lines, you should type it on a single line in the NetScaler command line, and press the Enter key only once at the end.

   If the web form on query.pl appears on multiple web pages on different hosts within the example.com domain, you could use the following regular expression:

   "https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?"

   If the web form on query.pl appears on multiple web pages on different hosts in different domains, you could use the following regular expression:

   "https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*[0-9A-Za-z][0-9A-Za-z_.-]+[.][a-z]{2,6}/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?"
Set the -isregex argument to specify whether the URL you set was a literal string or a regular expression. If you used a literal string for the URL, type -isregex NOTREGEX. If you used a regular expression for the URL, type -isregex REGEX.
If you want to modify the comment, for <comment>, substitute a string enclosed in double straight quotation marks.
Set the -state argument to specify whether you want to enable or disable this confidential field designation.
3. Enter the following command to save your configuration.
> save ns config
4. Enter the following command to confirm that your confidential field designation is correct.
> show appfw confidfield <name>
For <name>, substitute the name of the confidential field. If your confidential field designation is correct, you do not need to do anything further. If your confidential field designation has the wrong name, a flawed regular expression, or the wrong priority, you fix it using the set appfw confidfield command described in step 2.
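The following is an added example, not code from the guide or from Citrix, showing how the URL patterns above select which form fields are treated as confidential, and how a request body can then be logged with those values masked. The designation list, the literal-URL matching rule (compare against the request URL without its query string), the sample request bodies and the mask string are assumptions made for the example; the two URL patterns are the guide's examples with the character class written as [0-9A-Za-z_.-] so that the hyphen is literal. It also shows why the n-tilde pattern is applied to the UTF-8 bytes of the URL rather than to a Unicode string.

```python
import re

# Constructed confidential-field designations for this example (not the guide's
# configuration). Each entry is (field name, URL or URL pattern, is_regex).
CONFIDENTIAL_FIELDS = [
    ("password",
     r"https?://www[.]example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?",
     True),
    ("ssn",
     r"https?://([0-9A-Za-z][0-9A-Za-z_.-]*[.])*example[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl\?",
     True),
    # A NOTREGEX designation: assumed here to match the request URL without its query string.
    ("pin", "http://www.example.com/account/pin.cgi", False),
]

# The guide's n-tilde example spells ñ as its UTF-8 bytes C3 B1, so the pattern is
# a bytes pattern and is applied to the UTF-8 encoded request URL.
NTILDE_URL_PATTERN = rb"https?://www[.]example-espa\xc3\xb1ol[.]com/([0-9A-Za-z][0-9A-Za-z_.-]*/)*logon[.]pl"


def url_matches(designation_url, is_regex, request_url):
    """Decide whether one designation applies to the requested URL."""
    if is_regex:
        return re.search(designation_url, request_url) is not None
    return request_url.split("?", 1)[0] == designation_url


def matches_ntilde_host(request_url):
    """Apply the byte-encoded pattern to a Unicode URL by encoding it as UTF-8 first."""
    return re.search(NTILDE_URL_PATTERN, request_url.encode("utf-8")) is not None


def mask_form_body(request_url, body, designations=CONFIDENTIAL_FIELDS, mask="********"):
    """Return an application/x-www-form-urlencoded body with the values of the
    confidential fields replaced, so the request can be logged without exposing them.

    Only designations whose URL matches this request are applied; the same field
    name submitted to another page is left as it is."""
    confidential = {name for name, url, is_regex in designations
                    if url_matches(url, is_regex, request_url)}
    masked = []
    for pair in body.split("&"):
        name, sep, value = pair.partition("=")  # keep the raw encoding of untouched values
        if sep and name in confidential:
            value = mask
        masked.append(name + sep + value)
    return "&".join(masked)
```

With the designations above, a password posted to any logon.pl? page under www.example.com is masked, while the same field name posted to a URL that matches none of the designations is logged in full, which is exactly the precision the URL part of a designation buys you.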
CHAPTER 7 Field Types
A field type is a regular expression that defines a particular data format and minimum/maximum data lengths for a form field in a web form. When you are configuring the Field Formats check and making field format assignments, you choose a format for each form field from the Field Types list. Each field type is defined using a PCRE-format regular expression that describes what data type and length a form field can contain when a user returns data in a web form on your web site.
The Application Firewall comes with several default field types. These are:
integer. A string of any length consisting of numbers only, without a decimal point, and with an optional preceding minus sign (-).
alpha. A string of any length consisting of letters only.
alphanum. A string of any length consisting of letters and/or numbers.
nohtml. A string of any length consisting of characters, including punctuation and spaces, that does not contain HTML symbols or queries.
any. Anything at all.
Caution: Assigning the any field type as the default field type, or to a field, allows active scripts, SQL commands, and other possibly dangerous content to be returned in that form field. You should use the any type sparingly, if you use it at all.
You can add your own field types to the Field Types list. For example, you might want to add a field type for a social security number, postal code, or phone number in your country. You might also want to add a field type for a customer identification number or store credit card number.
Configuring the Field Types Settings
You can add a new field type, modify an existing user-created field type, remove a field type, and enable or disable a field type using either the Citrix NetScaler Configuration Utility or the NetScaler command line.
To add a field type to the Field Types list using the configuration utility
1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions on doing this, see Chapter 2, Installation, To log on to the configuration utility.
2. In the Menu tree, expand the Application Firewall entry, then click Field Types to display the Field Types pane.
3. Click the Add button to display the Create Field Type dialog box, shown below.
Create Field Type Dialog Box
4. In the Field Name text box, type a name for the field type you want to add. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.
5. In the Regular Expression text area, type a PCRE-compatible regular expression that defines the field type you want. Below are two regular expressions that define specific field types you might find useful:
To define a field type for international phone numbers that begin with the country code and can contain up to 40 additional numerals, spaces, and the hyphen [-], open [(] parenthesis, and close [)] parenthesis characters, you can use the following regular expression:
^\+[0-9]{1,3} [0-9() -]{1,40}$
To define a field type for a company credit card with numbers formatted as ##-#####-######, that begins with the two-letter abbreviation for a U.S. state, followed by a five-digit integer, followed by a six-digit hexadecimal string, you can use the following regular expression:
^[A-Z][A-Z]-[0-9]{5,5}-[0-9A-F]{6,6}$
6. In the Priority text box, type a positive integer that sets the priority of this field type. Field types are evaluated in order of priority, with the lowest numbers having the highest priority. The Application Firewall accepts the first field type match, and does not continue evaluating field types after it has found a match. For that reason, you should assign the lowest number to the most specific field type. Then, assign the next lowest number to the next most specific field type, and so on until you have assigned the highest number to the least specific field type.
7. In the Comments text area, type a description of the field type and the purpose for which you created it. This field is optional; you can leave it blank.
8. Click the Create button to create the new field type.
9. Repeat steps 4-8 to create as many new field types as you want.
10. Click the Close button to close the Create Field Type dialog box and return to the Field Types pane. Your new field types are displayed in the list. The figure below shows two custom field types, one for U.S.-style social security numbers and the other for driver's license numbers from the U.S. state of California, beneath the default field types.
The Application Firewall Field Types Page, with Custom Field Types Displayed
To add a field type to the Field Types list using the NetScaler command line
1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.
2. Enter the following command to add a new field type.
> add appfw fieldtype <name> "<regex>" <priority> [-comment "<string>"]
Make the following substitutions:
For <name>, substitute a name for the field type. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this field type defines.
For <regex>, substitute a PCRE-compatible regular expression, enclosed in double straight quotation marks, that defines the field type.
Below are two regular expressions that define specific field types you might find useful:
To define a field type for international phone numbers that begin with the country code and can contain up to 40 additional numerals, spaces, and the hyphen [-], open [(] parenthesis, and close [)] parenthesis characters, you can use the following regular expression:
"^\+[0-9]{1,3} [0-9() -]{1,40}$"
To define a field type for a company credit card with numbers formatted as ##-#####-######, that begins with the two-letter abbreviation for a U.S. state, followed by a five-digit integer, followed by a six-digit hexadecimal string, you can use the following regular expression:
"^[A-Z][A-Z]-[0-9]{5,5}-[0-9A-F]{6,6}$"
For <priority>, substitute an integer that defines the priority of this field type. Field types are evaluated in order of priority, with the lowest numbers having the highest priority. The Application Firewall accepts the first field type match, and does not continue evaluating field types after it has found a match. For that reason, you should assign the lowest number to the most specific field type. Then, assign the next lowest number to the next most specific field type, and so on until you have assigned the highest number to the least specific field type.
If you want to add a comment to your field type, for <comment>, substitute a string enclosed in double straight quotation marks.
3. Enter the following command to save your configuration:
> save ns config
4. Enter the following command to confirm that your field type was created as you wanted:
> show appfw fieldtype <name>
For <name>, substitute the name of the field type. If your field type is correct, you do not need to do anything further. If your field type has the wrong name, a flawed regular expression, or the wrong priority, you fix it using the set appfw fieldtype command:
> set appfw fieldtype <name> "<regex>" <priority> [-comment "<string>"]
The set appfw fieldtype command takes the same arguments as the add appfw fieldtype command.
You can modify any field types you added using either the Citrix NetScaler Configuration Utility or the NetScaler command line.
To modify a field type using the configuration utility
1. Log on to the configuration utility, using either the Java client or the Web Start client. For instructions on doing this, see Chapter 2, Installation, To log on to the configuration utility.
2. In the Menu tree, expand the Application Firewall entry, then select Field Types to display the Field Types pane.
3. Select the entry for the field type you want to modify. The Open and Remove buttons are enabled, as shown below.
The Field Types Pane, with User-Created Field Type Selected
Note: You cannot modify or delete the default field types. If you highlight a default field type, the Remove button remains greyed out. The Open button opens the default field type in a read-only message box.
4. Click the Open button to display the Configure Field Type dialog box, shown below, with the settings for that field type displayed.
Configure Field Type Dialog Box
Note: When you click Open for a default field type, you can view the field type properties, but you cannot modify them. You cannot modify the name of an existing field, so the Field Name text box is greyed out.
5. In the Regular Expression text area, modify the PCRE-compatible regular expression that defines this field type. Below are two regular expressions that define specific field types you might find useful:
To define a field type for international phone numbers that begin with the country code and can contain up to 40 additional numerals, spaces, and the hyphen [-], open [(] parenthesis, and close [)] parenthesis characters, you can use the following regular expression:
^\+[0-9]{1,3} [0-9() -]{1,40}$
To define a field type for a company credit card with numbers formatted as ##-#####-######, that begins with the two-letter abbreviation for a U.S. state, followed by a five-digit integer, followed by a six-digit hexadecimal string, you can use the following regular expression:
^[A-Z][A-Z]-[0-9]{5,5}-[0-9A-F]{6,6}$
6. In the Priority window, change the priority to any positive integer you want. Field types are evaluated in order of priority, with the lowest numbers having the highest priority. The Application Firewall accepts the first field type match, and does not continue evaluating field types after it has found a match. For that reason, you should assign the lowest number to the most specific field type. Then, assign the next lowest number to the next most specific field type, and so on until you have assigned the highest number to the least specific field type.
7. In the Comments text area, modify the description of the field type.
8. Click the OK button to save your changes. The Configure Field Type dialog box closes, and you return to the Field Types pane.
To modify a field type using the NetScaler command line
1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.
2. Enter the following command to change the attributes of a field type.
> set appfw fieldtype <name> "<regex>" <priority> [-comment "<string>"]
Make the following substitutions:
For <name>, substitute the name of the field type you want to modify.
For <regex>, substitute a PCRE-compatible regular expression, enclosed in double straight quotation marks, that defines the field type.
Below are two regular expressions that define specific field types you might find useful:
To define a field type for international phone numbers that begin with the country code and can contain up to 40 additional numerals, spaces, and the hyphen [-], open [(] and close [)] parenthesis characters, you can use the following regular expression:
"^\+[0-9]{1,3} [0-9() -]{1,40}$"
To define a field type for a company credit card with numbers formatted as ##-#####-######, that begins with the two-letter abbreviation for a U.S. state, followed by a five-digit integer, followed by a six-digit hexadecimal string, you can use the following regular expression:
"^[A-Z][A-Z]-[0-9]{5,5}-[0-9A-F]{6,6}$"
For <priority>, substitute an integer that defines the priority of this field type. Field types are evaluated in order of priority, with the lowest numbers having the highest priority. The Application Firewall accepts the first field type match, and does not continue evaluating field types after it has found a match. For that reason, you should assign the lowest number to the most specific field type. Then, assign the next lowest number to the next most specific field type, and so on until you have assigned the highest number to the least specific field type.
If you want to add a comment to your field type, for <comment>, substitute a string enclosed in double straight quotation marks.
3. Enter the following command to save your configuration.
> save ns config
4. Enter the following command to confirm that your field type was created as you wanted.
> show appfw fieldtype <name>
For <name>, substitute the name of the field type. If your field type is correct, you do not need to do anything further. If your field type has the wrong name, a flawed regular expression, or the wrong priority, you fix it using the set appfw fieldtype command, as described in step 2.
You delete a field type using the configuration utility by selecting it, and then clicking the Remove button. You delete a field type using the NetScaler command line by typing the following.
> rm appfw fieldtype <name>
For <name>, you substitute the name of the field type you want to delete.
Note: You cannot delete a default field type.
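An added example, written for this chapter rather than taken from the guide or from Citrix, that models the two things the field-type procedures above keep stressing: first match wins in priority order, so the most specific type must carry the lowest number, and the any type accepts everything it is allowed to see. The table of types is an assumption: the two custom types are the guide's phone-number and card-number expressions (with the plus sign escaped as \+ so it is a literal), while the regular expressions given for the default types integer, alpha, alphanum, nohtml and any are approximations written for this example, not the appliance's own definitions.

```python
import re

# Constructed field-type table: (name, PCRE-style regex, priority).
# Lowest priority number is evaluated first; the first match is accepted.
FIELD_TYPES = [
    ("us_state_card", r"^[A-Z][A-Z]-[0-9]{5,5}-[0-9A-F]{6,6}$", 10),  # guide's example
    ("intl_phone",    r"^\+[0-9]{1,3} [0-9() -]{1,40}$",          20),  # guide's example
    ("integer",       r"^-?[0-9]+$",                               30),  # approximation
    ("alpha",         r"^[A-Za-z]+$",                              40),  # approximation
    ("alphanum",      r"^[A-Za-z0-9]+$",                           50),  # approximation
    ("nohtml",        r"^[^<>]*$",                                 60),  # approximation
    ("any",           r".*",                                      100),  # matches anything
]


def classify(value, field_types=FIELD_TYPES):
    """Return the name of the first field type, in priority order, whose regex
    matches the value, or None if nothing matches."""
    for name, regex, _priority in sorted(field_types, key=lambda t: t[2]):
        if re.search(regex, value):
            return name
    return None


def check_field(value, assigned_type, min_len=0, max_len=65535, field_types=FIELD_TYPES):
    """Emulate the Field Formats check for one form field that has been assigned a
    field type and length bounds. Returns None when the value is acceptable, or a
    short reason string describing the violation."""
    regexes = {name: regex for name, regex, _priority in field_types}
    if assigned_type not in regexes:
        raise ValueError(f"unknown field type {assigned_type!r}")
    if not (min_len <= len(value) <= max_len):
        return f"length {len(value)} outside {min_len}..{max_len}"
    if re.search(regexes[assigned_type], value) is None:
        return f"does not match field type {assigned_type}"
    return None


def misordered_table():
    """The mistake the chapter's Caution warns about: giving 'any' the best
    (lowest) priority, so that every value is accepted as 'any' and the more
    specific types are never consulted."""
    return [("any", r".*", 1)] + FIELD_TYPES
```

Running classify on a handful of values shows the ordering at work: a value such as CA-12345-0A1B2C is reported as us_state_card and 12345 as integer, but with the misordered table every value, including one containing HTML tags, is reported as any.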
CHAPTER 8 Imports
Several Application Firewall features make use of external files that you upload to the Application Firewall when configuring it. You manage those files in the Engine Settings page, in the Imports section of the data area. There are four types of files you can import:
HTML error pages. You can import an error page you want to return for blocked requests for HTML-based content protected by an HTML or Web 2.0 profile. This error page must be a standard HTML file.
XML error pages. You can import the error page you want to return for blocked requests for XML-based content protected by an XML or Web 2.0 profile. This error page must be an XML file.
XML schemas. You can import an XML schema you want to use in an XML or Web 2.0 profile for validating XML messages. This file must be a valid XML schema.
WSDLs. You can import a WSDL you want to use in an XML or Web 2.0 profile for validating XML messages. This file must be a valid XML SOAP WSDL.
The following procedures describe the files you can import to your Application Firewall and explain how to import and use those files in your configuration.
Importing Configuration Elements
You can import files to the Application Firewall using the configuration utility or using the NetScaler command line.
Note: If you are importing an XML schema or WSDL file, or if the HTML or XML error object you want to import is on a server that your NetScaler appliance can connect to only through the Internet rather than through the LAN, before you attempt to import the object you should first verify that the appliance has Internet connectivity. Otherwise, you will be unable to import the error object, XML schema, or WSDL.
To import a file onto your Application Firewall using the configuration utility:
1. Log on to the configuration utility. For instructions on doing this, see Chapter 2, Installation, To log on to the configuration utility.
2. In the menu tree, expand the Application Firewall entry, and then click Imports to display the Imports pane, shown below.
The Imports Pane
3. Click the tab for the type of file you want to import.
Note: The upload process on all four tabs is identical from the user point of view.
4. Click the Add button to display the Import New dialog box for the type of file you want to import. The Import New dialog box for HTML Error Pages is shown below.
The Import a New HTML Error Page Dialog Box
5. In the Name text box, type a name for the object you are importing.
6. In the URL text box for the resource you are uploading, type the URL to the resource. The URL should be in standard browser format, shown below:
<protocol>://<host>/[<path>/]<filename>
For <protocol>, substitute the appropriate protocol, which is normally http, but it could be https or ftp if the file is located on a secure web server or on an FTP server.
For <host>, substitute the hostname or IP of the server.
For <path>, substitute the path to the object. If the object is in the web root or FTP root directory, the path is zero-length and you do not need to type anything.
For <filename>, substitute the filename of the object.
7. Click the Create button to import the object and create the resource.
Note: If the NetScaler appliance is unable to locate the resource, and you have verified that the URL and file you requested exist, you should look at the ns.log file to verify that the URL you used is accessible from your NetScaler appliance. After correcting the problem, you repeat steps 6 through 8 to import the object.
8. Click the Close button to close the Import Console message box.
9. Repeat steps 6 through 9 to import any additional files.
10. To modify the URL of an existing object, you click the entry for that object once to highlight it, then click the Modify button to display that object in the Modify Import dialog box. You then modify the URL as you wish, and click the Save button when you are finished to save your changes.
11. To delete an object, you click the entry for that object once to highlight it, then click the Remove button to remove it. The Proceed dialog box appears, asking you to confirm your choice. You click the OK button to remove the object.
12. Click the Close button to close the Import New dialog box and return to the Imports dialog box.
13. If you want to import a different type of resource, click the tab for that resource, and repeat the import steps above.
14. Click the Close button to close the Imports dialog box and return to the Imports screen.
To import a file onto your Application Firewall using the NetScaler command line:
1. Run the secure shell (SSH) client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see Chapter 2, Installation, To log onto the NetScaler command line via SSH.
2. To upload an HTML error page, enter the following command.
> import appfw htmlerrorpage <src> <name>
For <src>, substitute the URL of the HTML error page file.
For <name>, substitute a name for the HTML error page in the Application Firewall configuration. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this profile was created to protect.
3. To upload an XML error page, enter the following command.
> import appfw xmlerrorpage <src> <name>
For <src>, substitute the URL of the XML error page file.
For <name>, substitute a name for the XML error page in the Application Firewall configuration. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this profile was created to protect.
4. To upload an XML schema, enter the following command.
> import appfw xmlschema <src> <name>
For <src>, substitute the URL of the XML schema file.
For <name>, substitute a name for the XML schema in the Application Firewall configuration. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this profile was created to protect.
5. To upload a WSDL, enter the following command.
> import appfw wsdl <src> <name>
For <src>, substitute the URL of the WSDL file.
For <name>, substitute a name for the WSDL in the Application Firewall configuration. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. You should choose a name that will make it easy for others to tell what type of content this profile was created to protect.
6. Enter the following command to save your configuration.
> save ns config
7. Confirm that your object was uploaded correctly by typing the appropriate command. If your object uploaded correctly, you do not need to do anything further.
If you assigned the wrong name to an imported object, or uploaded the wrong URL, to fix the problem you delete the object and reimport it.
If you uploaded an HTML error page, type this command to display the entries for all HTML error pages on the server:
> show appfw htmlerrorpage
To delete an HTML error page, type this command:
> rm appfw htmlerrorpage <name>
If you uploaded an XML error page, type this command to display the entries for all XML error pages on the server:
> show appfw xmlerrorpage
To delete an XML error page, type this command:
> rm appfw xmlerrorpage <name>
If you uploaded an XML schema, type this command to display the entries for all XML schemas on the server:
> show appfw xmlschema
To delete an XML schema, type this command:
> rm appfw xmlschema <name>
If you uploaded a WSDL, type this command to display the entries for all WSDLs on the server:
> show appfw wsdl
To delete a WSDL, type this command:
> rm appfw wsdl <name>
For <name>, substitute the name you gave the object when you imported it.
CHAPTER 9 The Engine Settings
The engine settings are global settings for the Application Firewall. These settings pertain to all connections that the Application Firewall processes, rather than to specific connections defined by a profile. If the default settings cause a conflict with other servers, however, or if the default time-out causes premature disconnection of your users, you may need to modify these settings.
You access the Engine Settings by clicking the Change Engine Settings hyperlink on the Application Firewall pane. The Engine Settings dialog box is shown below.
The Engine Settings Dialog Box
Session Cookie Name
The Application Firewall uses the session cookie name to track user sessions. You do not normally need to modify the cookie name, but if it conflicts in any way with a cookie set by your protected web servers, you can change the name.
To change the name of the session cookie using the configuration utility
1. In the navigation pane, click Application Firewall.
2. In the details pane, click Change Engine Settings.
3. In the Application Firewall Engine Settings dialog box, under Cookie Name, type a new cookie name.
4. Click the OK button to save your changes.
To change the name of the session cookie using the NetScaler command line
At the NetScaler command prompt, type:
set appfw settings -sessioncookiename <string>
For <string>, substitute your preferred session cookie name.
Session Timeout
The session timeout is the length of time, in seconds, that the Application Firewall waits before timing out user web site sessions. After the Application Firewall times out the session, the user must re-establish a session by visiting the home page or a designated start URL.
To modify the session timeout period using the configuration utility
1. In the navigation pane, click Application Firewall.
2. In the details pane, click Change Engine Settings.
3. In the Application Firewall Engine Settings dialog box, under Session Time-out (seconds), type the number of seconds the Application Firewall waits before timing out a user's session.
4. Click the OK button to save your changes.
To modify the session timeout period using the NetScaler command line
At the NetScaler command prompt, type:
set appfw settings -sessiontimeout <number>
For <number>, substitute the timeout value in seconds.
Client IP Header Name
The client IP header is the name of an HTTP header containing the IP that the client used to connect to your protected web server. By default, this setting is blank, which tells the Application Firewall not to add a client IP header.
To add a client IP header using the configuration utility
1. In the navigation pane, click Application Firewall.
2. In the details pane, click Change Engine Settings.
3. In the Application Firewall Engine Settings dialog box, under Header Name, type the name of the HTTP request header that will contain the client IP.
4. Click the OK button to save your changes.
To add a client IP header using the NetScaler command line
At the NetScaler command prompt, type:
set appfw settings -clientiploggingheader <string>
For <string>, substitute the name of the HTTP request header that will contain the client IP.
CHAPTER 10 The Common Security Checks
This chapter describes in detail the Application Firewall security checks relevant to all types of profiles. It explains how each security check operates, what types of attacks it helps prevent, and how the configuration details of each affect how that security check filters a request or response. This information is intended for system administrators who need to understand a particular security check to configure it properly for their web sites.
Note: You do not need to read this chapter unless you need to understand in detail how specific common security checks work, what all the options are for each, and how each option affects its operation.
The Start URL Check
The Start URL check examines the URLs to which incoming requests are directed, and blocks connections to URLs that are not listed in the Start URLs list. This check applies to requests only.
You can enable URL closure to change the behavior of this check. If URL closure is enabled, the Start URL check requires that a URL either be on the list of allowed URLs, or that the user navigate to it by clicking a link on a web page sent to the user during the current session. If the URL does not meet one of these conditions, the Application Firewall blocks the user's request.
The Start URL check exists primarily to prevent repeated attempts to access random URLs on a web site, or forceful browsing. Forceful browsing can be used to trigger a buffer overflow, find content that users were not intended to access directly, or find a back door into secure areas of your web server. In other words, forceful browsing can be used to obtain unauthorized information, gain unauthorized access to and control of your web site, or both.
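The decision the Start URL check makes, with and without URL closure, is easier to see in code. The following is an added example written for this guide, not Application Firewall code or a Citrix implementation: the Start URL entries, the session identifier, the served home page and its links, and the violation log format are all constructed for the example. It treats Start URL entries as regular expressions, records the links (href, src and action attributes) of each page served to a session, and allows a later request in that session only if its URL is a Start URL or was linked from a page the session has already received; the Block action decides whether a violation is blocked or only logged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

# Constructed Start URL entries for a site served at www.example.com. These are
# example values, not the defaults the Application Firewall places in a profile.
START_URLS = [
    r"^https://www\.example\.com/$",
    r"^https://www\.example\.com/index\.html$",
]

# Constructed home page whose links closure will learn for the session.
HOME_PAGE = ('<html><body><a href="/catalog/item?id=7">Item 7</a>'
             '<a href="about.html">About</a><img src="/img/logo.png"></body></html>')


class _LinkCollector(HTMLParser):
    """Collect the absolute URLs a served page links to (href, src, action)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr in ("href", "src", "action") and value:
                # Resolve relative links against the page URL and drop fragments.
                self.links.add(urldefrag(urljoin(self.base_url, value)).url)


class StartUrlCheck:
    """A minimal model of the check: a request passes if its URL matches a Start
    URL, or, when closure is enforced, if a page already served in this session
    linked to it. Anything else is a violation."""

    def __init__(self, start_urls=START_URLS, enforce_closure=True, block=True):
        self.start_urls = [re.compile(p) for p in start_urls]
        self.enforce_closure = enforce_closure
        self.block = block
        self.linked = {}   # session id -> set of URLs reachable by links served so far
        self.log = []      # violation log lines (the Log action)

    def request(self, session, url):
        """Return True if the request may proceed to the web server."""
        allowed = any(p.search(url) for p in self.start_urls)
        if not allowed and self.enforce_closure:
            allowed = url in self.linked.get(session, set())
        if allowed:
            return True
        action = "blocked" if self.block else "not blocked"
        self.log.append(f"APPFW STARTURL session={session} url={url} {action}")
        return not self.block   # with Block cleared, a violation is only logged

    def response(self, session, url, html):
        """Record the links on a page being served, so closure can allow them later."""
        if not self.enforce_closure:
            return
        collector = _LinkCollector(url)
        collector.feed(html)
        self.linked.setdefault(session, set()).update(collector.links)
```

A session that starts at the home page and follows its links is never blocked, a direct request for a URL that no served page linked to (a typical forceful-browsing probe) is blocked, and a second session cannot reuse the first session's closure state. Turning closure off leaves only the Start URL list, which is why the guide pairs closure with a short list of home pages; clearing Block turns the same violations into log entries only, the learning-phase configuration the chapter describes.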
You can configure the Start URL check in either of two dialog boxes. You can modify just the check actions in the Configure Web Application Profile dialog box, Security Checks tab. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. This dialog box is shown below.
The Configure Web Application Profile Dialog Box, Security Checks Tab, For HTML Profiles, with Start URL Selected.
You make more detailed changes in the Modify Start URL Check dialog box. You access this dialog box by clicking the Start URL entry, then clicking the Modify button to display the Modify Start URL Check dialog box.
The figure below shows the default Check Action settings for the Start URL check for profiles created with basic defaults. Basic defaults are appropriate settings for profiles that you do not plan to configure further, or plan to configure minimally, and for which you do not need to use the Application Firewall Learning feature. In profiles created with basic defaults, the Start URL feature has both the Learning and URL Closure options unchecked, indicating that these features are disabled.
Modify Start URL Check Dialog Box, General Tab, Basic Defaults
The figure below shows the default Check Action settings for the Start URL check for profiles created with advanced defaults. Advanced defaults are appropriate settings for profiles that you plan to configure further, whether manually, by using the Application Firewall Learning feature, or both. In profiles created with advanced defaults, the Start URL feature has both the Learning and URL Closure options checked, indicating that these features are enabled.
Modify Start URL Check Dialog Box, General Tab, Advanced Defaults
The General tab, displayed by default when you open the Modify Start URL Check dialog box, contains the Check Action settings, which control how the check functions. These settings are:
Block. Tells the Application Firewall to block connections that violate the Start URL check. Enabled by default in profiles created with both basic and advanced defaults. You disable blocking for the Start URL rule by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box.
If you created a profile with basic defaults, you probably will not want to disable blocking for the Start URL rule. By default, profiles created with basic defaults allow connections to HTML pages and any common types of web content. In the unlikely event that your web site hosts an unsupported content type, or content with an unsupported extension, you can simply add the appropriate extension to the list of Start URLs manually.
If you created a profile with advanced defaults, there are many reasons why you might want to disable blocking. The most common is to prevent false positives when you first install the Application Firewall. Profiles created with advanced defaults do not have any Start URLs listed. You must either
manually add your web site home pages to the Start URL list when you first configure the profile, or allow the Learning feature to generate a list for you. If you prefer to let learning do the work, you turn off blocking until learning has seen enough traffic to generate the necessary list of start URLs.
Learn. Tells the Application Firewall to use its learning feature to observe traffic to and from your protected web sites, and generate a list of recommended URLs to add to the Start URL list. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable learning by checking the Learn check box, and disable it by unchecking the Learn check box.
If you created a profile with basic defaults, you probably will not want to enable learning for the Start URL rule. By default, profiles created with basic defaults allow connections to HTML pages and any common types of web content. This will probably allow connections to any legitimate web page on your protected web sites. Since using learning requires you to spend additional time configuring the Start URL check, you probably do not want to use it when you do not need it.
If you created a profile with advanced defaults, you have a choice. You can leave learning enabled, or disable it. If you prefer to let learning do the work, you turn off blocking until learning has seen enough traffic to generate the necessary list of start URLs. You then review the learned recommendations for start URLs and accept those that you want to allow. When learning has seen enough traffic to generate a good list, you re-enable blocking, and are done. To disable learning and still avoid false positives, you must manually add your web site home pages to the Start URL list when you first configure the profile, and leave URL closure checked.
An Application Firewall configured in this manner will allow users to access your home page, and from there to access any URL on your web site by clicking a link on another web page on your web site. The Application Firewall is therefore unlikely to block any legitimate queries except where a user has bookmarked a web page other than your home page.

Caution: If you choose to disable learning and rely on a list of your web site home pages and URL closure to allow access to your web sites, you must add any URLs your users are likely to bookmark to the Start URL list manually. Otherwise, the Application Firewall will require users to visit a designated home page before accessing any other content on your web site.

Log. Tells the Application Firewall to log any connections that violate the Start URL check. Enabled by default in profiles created with both basic and advanced defaults. You disable logging for the Start URL rule by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource for troubleshooting.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the Start URL check. Enabled by default in profiles created with both basic and advanced defaults. You disable statistics for the Start URL rule by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally do not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

Enforce URL closure. Tells the Application Firewall to allow users to access any web page on your web site by clicking a hyperlink on any other web page on your web site. This ensures that users who access your home page can easily navigate to any content that is reachable by clicking hyperlinks from that point. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable URL closure by checking the Enforce URL Closure check box, and disable it by unchecking the Enforce URL Closure check box.

If you created a profile with basic defaults, you probably will not want to enable URL closure. By default, profiles created with basic defaults allow connections to HTML pages and other common types of web content. This should allow connections to any legitimate web page on your protected web sites. URL closure requires extra processing from the Application Firewall, and with basic defaults is unlikely to offer any advantage.

If you created a profile with advanced defaults, you have a choice.
You can leave URL closure enabled, or disable it. See the discussion under Block, above, for more information on this subject.

You add, modify, delete, enable and disable Start URLs in the Modify Start URL Check dialog box, Settings tab. The Start URL list for profiles created with basic defaults is shown below.
[Figure: Modify Start URL Check Dialog Box, Settings Tab, Basic Defaults]

The Start URL list for profiles created with advanced defaults is the same, but contains no default entries. For profiles created with advanced defaults, you must choose one of these options to allow access to your protected web site:

Disable Blocking. In the General tab, disable Blocking, and allow the Learning feature to generate an appropriate set of Start URLs for your protected web sites by observing traffic to that web site. If you choose this option, you must plan to review the list of URLs that Learning generates. See Configuring the Learning Feature on page 126 for information about the Learning feature and instructions on reviewing learned URLs.

Manually Add Home Page(s). Add appropriate Start URLs manually in this dialog box. See the information below for detailed instructions on how to add Start URLs to the list manually.

Disable the Start URL Check. In the General tab, uncheck all of the Check Actions.

You remove a Start URL by clicking it once to highlight it, then clicking the Remove button. You enable a disabled Start URL by clicking the Enable button. You disable an active Start URL by clicking the Disable button.
You add a new Start URL to the Start URL check by clicking the Add button to display the Add Start URL Check Relaxation dialog box, shown below.

[Figure: Add Start URL Check Relaxation Dialog Box]

As with many dialog boxes on the NetScaler appliance, if you already have a Start URL selected, the information from that URL appears in the Add dialog box, where you can edit it as the basis for your new Start URL. If you do not have a Start URL selected, the dialog box is displayed empty. The Add Start URL Check Relaxation dialog box above is shown with no information included because no existing relaxation was selected. This dialog box contains the following sections:

Enabled check box. A relaxation can be in active use (enabled) or can be inactive (disabled). When you create a relaxation, it is enabled by default. You disable it by clearing the Enabled check box.

Start URL. In the text area in the Start URL section, you enter a PCRE-format regular expression that defines the URL that you are adding to the relaxations list. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Regular Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.
Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a URL that contains any characters outside of the basic ASCII character set. If you want to include a URL that contains non-ASCII characters, you must enter those characters manually using the PCRE hexadecimal character encoding format. Some of the examples below show regular expressions for Start URLs that contain non-ASCII characters. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several examples of Start URL relaxations.

- Allow users to access the home page at ^

- Allow users to access all static HTML (.htm and .html), server-parsed HTML (.htp and .shtml), PHP (.php), and Microsoft ASP (.asp) format web pages at
  ^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](asp|htp|php|s?html?)$

- Allow users to access the same files at the host which contains the n-tilde (ñ) special character. This special character must be represented as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset:
  ^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](asp|htp|php|s?html?)$

- Allow users to access web pages with pathnames or filenames that contain non-ASCII characters:
  ^ (([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*/)*([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*[.](asp|htp|php|s?html?)$

  In the expression above, each character class has been grouped with the string \\x[0-9A-Fa-f][0-9A-Fa-f], which will match all properly-constructed character encoding strings, but not allow stray backslash characters that are not associated with a UTF-8 character encoding string. The double backslash (\\) is an escaped backslash, which tells the Application Firewall to interpret it as a literal backslash. If you included only one backslash, the Application Firewall would instead interpret the following left square bracket ([) as a literal character rather than the opening of a character class, which would break the expression.

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported characters and how to encode them properly when configuring the Application Firewall.

- Allow users to access all GIF (.gif), JPEG (.jpg and .jpeg), and PNG (.png) format graphics at
  ^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](gif|jpe?g|png)$

- Allow users to access CGI (.cgi) and PERL (.pl) scripts in the CGI-BIN directory only at
  ^ pl)$

- Allow users to access downloadable Microsoft Office and other document files in the docsarchive directory only at
  ^ Za-z_-.]*[.](doc|xls|pdf|ppt)$

Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they define exactly the URL you want to add as a relaxation, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect, such as allowing access to web content that you did not intend for users to access.

Comments. In the text area in the Comments section, you type a comment that explains what this Start URL relaxation does, and why you added it. This section is optional; you can leave it blank if you wish.

When you have finished filling out the Add Start URL Check Relaxation dialog box, you click the Create button, and when prompted confirm your choice by clicking the Yes button, to add your new relaxation to the list. You can then repeat the process as many times as you want to add additional relaxations.

You modify an existing Start URL relaxation by clicking it once to highlight it, then clicking the Modify button to display the Modify Start URL Check Relaxation dialog box, shown below.
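The relaxations above are entries typed into a dialog box. To see how patterns of this shape, the hexadecimal encoding of non-ASCII characters, and Enforce URL closure behave against real request URLs, here is an added Python example; it is not code from the guide or from the NetScaler product. Python's re module stands in for PCRE (the constructs used here, anchors, character classes, alternation and hex escapes, behave the same in both). The host www.example.com, the Spanish host name with the n-tilde, the link-extraction logic and the per-user session record are all constructed for the demonstration; the Application Firewall's own closure implementation is not reproduced.

```python
import re
from urllib.parse import unquote_to_bytes, urljoin

# Constructed Start URL relaxations modelled on the guide's examples.
# The host www.example.com is an assumed placeholder. Patterns are bytes so
# that non-ASCII characters are written as hex escapes (C3 B1 for the
# n-tilde), which is how the guide requires them to be entered.
START_URL_RELAXATIONS = [
    rb"^http://www[.]example[.]com/$",
    rb"^http://www[.]example[.]com/[0-9A-Za-z][0-9A-Za-z_.-]*[.](asp|htp|php|s?html?)$",
    rb"^http://www[.]example[.]com/images/[0-9A-Za-z][0-9A-Za-z_.-]*[.](gif|jpe?g|png)$",
    rb"^http://www[.]espa\xc3\xb1a-example[.]com/[0-9A-Za-z][0-9A-Za-z_.-]*[.](asp|htp|php|s?html?)$",
]
_RELAXATIONS = [re.compile(p) for p in START_URL_RELAXATIONS]

# The kind of relaxation the Caution warns about: the trailing .* admits
# every path on the host, including ones never meant to be reachable.
_CARELESS = re.compile(rb"^http://www[.]example[.]com/.*")


def canonical_url(url: str) -> bytes:
    """Percent-decode the request URL into raw UTF-8 bytes."""
    # "%C3%B1" and a literal n-tilde both become the bytes C3 B1, which is
    # what the hex escape in the relaxation matches.
    return unquote_to_bytes(url)


def start_url_allowed(url: str) -> bool:
    """True if any Start URL relaxation matches the request URL."""
    target = canonical_url(url)
    return any(r.search(target) for r in _RELAXATIONS)


def careless_pattern_allows(url: str) -> bool:
    """What the over-broad .* relaxation would let through."""
    return _CARELESS.search(canonical_url(url)) is not None


class UrlClosure:
    """Per-user record of links seen in pages already served.

    Models Enforce URL closure: a URL is acceptable if it appeared as a
    hyperlink on a page this user has already received. Link extraction is
    a deliberately simple href scan over constructed HTML (an assumption).
    """
    _HREF = re.compile(r'href="([^"]*)"', re.IGNORECASE)

    def __init__(self):
        self._linked = set()

    def observe_response(self, page_url: str, html: str) -> None:
        for href in self._HREF.findall(html):
            self._linked.add(canonical_url(urljoin(page_url, href)))

    def contains(self, url: str) -> bool:
        return canonical_url(url) in self._linked


def check_request(url: str, closure=None, block: bool = True) -> str:
    """Apply the Start URL check to one request.

    Returns "allow", "block", or "log" (a violation was seen but Block is
    cleared, as when learning is being given time to build the list).
    """
    if start_url_allowed(url):
        return "allow"
    if closure is not None and closure.contains(url):
        return "allow"
    return "block" if block else "log"


if __name__ == "__main__":
    session = UrlClosure()
    session.observe_response(
        "http://www.example.com/index.html",
        '<html><body><a href="/reports/q1-summary.pdf">Q1 report</a></body></html>',
    )
    for u in ("http://www.example.com/index.html",
              "http://www.example.com/reports/q1-summary.pdf",
              "http://www.example.com/cgi-bin/admin.cgi",
              "http://www.espa%C3%B1a-example.com/inicio.html"):
        print(u, "no closure:", check_request(u), "with closure:", check_request(u, session))
```

The PDF link is reachable only through closure (the user has been served a page linking to it), which is exactly the case the Caution describes: a bookmark to that PDF would be blocked until a relaxation for it is added.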
[Figure: The Modify Start URL Check Relaxation Dialog Box]

As you can see, this dialog box looks identical to the Add Start URL Check Relaxation dialog box, except for the title and that, instead of being blank, it contains the information for the Start URL relaxation you chose. See the description above for more information about the different parts of this dialog box and how to configure each.

When you have finished configuring the Start URL check, you click the Close button to close the Modify Start URL Check dialog box and return to the Configure Application Firewall Profile dialog box.

The Deny URL Check

The Deny URL check examines the URLs to which incoming requests are directed, and blocks connections to URLs that are commonly accessed by hackers and malicious code, or any other URLs you specify. The Deny URL check prevents attacks against various known security weaknesses that exist in different web server software or on many web sites. The Deny URL check takes priority over the Start URL check, and thus denies malicious connection attempts even when a Start URL relaxation would normally allow a request to proceed. The check contains a list of URLs that are common targets of hackers or malicious code, and that rarely if ever appear in legitimate requests. You can also add URLs or URL patterns to the list.
You configure the Deny URL check in the Modify Deny URL Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you click the Deny URL entry, then click the Modify button. The figure below shows the Modify Deny URL Check dialog box for all profiles, regardless of whether they were created with basic or advanced defaults.

[Figure: Modify Deny URL Check Dialog Box, General Tab]

The General tab, displayed by default when you open the Modify Deny URL Check dialog box, contains the Check Action settings, which control how the check functions. These settings are:

Block. Tells the Application Firewall to block connections that violate the Deny URL check. Enabled by default in profiles created with both basic and advanced defaults. You disable blocking for the Deny URL rule by clearing the Block check box, and re-enable blocking after disabling it by checking the Block check box.
Note: Enabling blocking will not in itself enable the Deny URL check. You must also enable, in the Settings tab of this dialog box, each specific Deny URL rule you want the Application Firewall to enforce.

Learn. The learning feature is not available with the Deny URL check, so the Learn check box is greyed out.

Log. Tells the Application Firewall to log any connections that violate the Deny URL check. Enabled by default in profiles created with both basic and advanced defaults. You disable logging for the Deny URL rule by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource for troubleshooting.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the Deny URL check. Enabled by default in profiles created with both basic and advanced defaults. You disable statistics for the Deny URL rule by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

You enable the default Deny URLs, and add additional Deny URLs, in the Deny URL list in the Modify Deny URL Check dialog box, Settings tab. You also delete, enable, and disable Deny URLs in this dialog box. The default Deny URL list is the same for all profiles, regardless of whether they were created with basic or advanced defaults. This list is shown in the figure below.
[Figure: Modify Deny URL Check Dialog Box, Settings Tab]

You remove a Deny URL by clicking it once to highlight it, then clicking the Remove button. You enable a disabled Deny URL by clicking the Enable button. You disable an active Deny URL by clicking the Disable button. You can hold down your Shift or Control key while choosing URLs, and then enable or disable several URLs at once by clicking the Enable or Disable button while multiple URLs are selected.

By default, all of the Deny URLs included in the default installation are disabled until you enable them. You must explicitly enable one or more Deny URLs, or add one or more Deny URLs of your own, or the Deny URL check will have no effect.

You may want to enable all of the default Deny URLs on the list. Doing so provides considerable protection for a web server and has a low risk of false positives. To do this quickly, you click the first URL in the list of default Deny URLs, hold down the Shift key, use the scroll bar to scroll to the bottom of the Deny URLs list, and click the last Deny URL. All Deny URLs in the list are highlighted. Then, you simply click the Enable button to enable them all, as shown below.
[Figure: Modify Deny URL Check Dialog Box, Settings Tab, with all Default Deny URLs Enabled]

You add a new deny URL to the Deny URL list by clicking the Add button to display the Add Deny URL Check Relaxation dialog box, shown below.

[Figure: Add Deny URL Check Relaxation Dialog Box]
As with other Add dialog boxes in the configuration utility, the Add Deny URL dialog box is displayed with the information from the deny URL that is currently selected. You can use this information as the basis of your new deny URL, or you can delete it and create an entirely new deny URL. When you save your new deny URL, the configuration utility does not overwrite the selected deny URL. Instead, it creates a new deny URL entry. This dialog box contains the following sections:

Enabled check box. A relaxation can be in active use (enabled) or can be inactive (disabled). When you create a relaxation, it is enabled by default. You disable it by clearing the Enabled check box.

URL. In the text area in the URL section, you type a PCRE-format regular expression that defines the URL that you are adding to the Deny URL list. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Regular Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a deny URL that contains any characters outside of the basic ASCII character set. If you want to include a deny URL that contains non-ASCII characters, you must enter those characters manually using the PCRE hexadecimal character encoding format. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several example Deny URL relaxations.

- Do not allow users to access the image server at images.example.com directly: ^

- Do not allow users to access CGI (.cgi) or PERL (.pl) scripts directly:
  ^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](cgi|pl)$
Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they define exactly the URL you want to add as a relaxation, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect, such as blocking access to web content that you did not intend to block.

- Deny users direct access to CGI (.cgi) or PERL (.pl) scripts at the host which contains the n-tilde (ñ) non-ASCII special character. This special character must be represented as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset:
  ^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](cgi|pl)$

- Deny users direct access to scripts at the host when the server contains pathnames or filenames that contain non-ASCII characters:
  ^ (([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*/)*([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*[.](cgi|pl)$

  In the expression above, each character class has been grouped with the string \\x[0-9A-Fa-f][0-9A-Fa-f], which will match all properly-constructed character encoding strings, but not allow stray backslash characters that are not associated with a UTF-8 character encoding string. The double backslash (\\) is an escaped backslash, which tells the Application Firewall to interpret it as a literal backslash. If you included only one backslash, the Application Firewall would instead interpret the following left square bracket ([) as a literal character rather than the opening of a character class, which would break the expression.

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported characters and how to encode them properly when configuring the Application Firewall.
Comments. In the text area in the Comments section, you type a comment that explains why you added this Deny URL to the configuration. This section is optional; you can leave it blank if you wish.
When you have finished filling out the Add Deny URL dialog box, you click the Create button. A message box appears notifying you that the resource was successfully created. You click the Yes button to close the message box and return to the Add Deny URL Check Relaxation dialog box. Your new deny URL is then added to the Deny URL list. You can then repeat the process as many times as you want to add additional deny URLs.

You modify an existing Deny URL relaxation by clicking it once to highlight it, then clicking the Modify button to display the Modify Deny URL Check Relaxation dialog box, shown below.

[Figure: Modify Deny URL Check Relaxation Dialog Box]

As you can see, this dialog box looks identical to the Add Deny URL dialog box, except that the leftmost button at the bottom is labeled Save instead of Create. Unlike with the previous dialog box, the configuration utility will overwrite the selected deny URL with any changes you make in this dialog box after you click the Save button. See the description above for more information about the different parts of this dialog box and how to configure each.

When you have finished configuring the Deny URL check, you click the Close button to close the Modify Deny URL dialog box and return to the Configure Application Firewall Profile dialog box.
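The ordering rules stated in this section (the Deny URL check is consulted before the Start URL check and wins even where a Start URL relaxation matches; a default Deny URL does nothing until it is enabled; Block, Log and Statistics act independently) as an added Python model. This is example code, not the guide's or NetScaler's, and the real appliance's default Deny URL list is not reproduced: the host, the rules, the log line format and the counter names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes


@dataclass
class UrlRule:
    """One Start URL or Deny URL entry: a PCRE-style pattern plus its Enabled flag."""
    pattern: bytes
    enabled: bool = True
    comment: str = ""

    def matches(self, raw_url: bytes) -> bool:
        # A disabled rule never matches, which is why the default Deny URLs
        # have no effect until they are explicitly enabled.
        return self.enabled and re.search(self.pattern, raw_url) is not None


@dataclass
class CheckActions:
    """The General tab of a check: Block, Log and Statistics are independent."""
    block: bool = True
    log: bool = True
    stats: bool = True


@dataclass
class Profile:
    start_urls: list
    deny_urls: list
    start_actions: CheckActions = field(default_factory=CheckActions)
    deny_actions: CheckActions = field(default_factory=CheckActions)
    counters: dict = field(default_factory=lambda: {"deny_url": 0, "start_url": 0})
    log_lines: list = field(default_factory=list)


def _violation(profile: Profile, check: str, url: str, actions: CheckActions) -> str:
    if actions.stats:
        profile.counters[check] += 1
    if actions.log:
        # Constructed log format; NetScaler's real log messages differ.
        profile.log_lines.append(f"APPFW {check} violation: {url}")
    return "block" if actions.block else "allow"


def evaluate(profile: Profile, url: str) -> str:
    """Return "allow" or "block" for one request URL.

    The Deny URL check runs first and wins even when a Start URL relaxation
    would otherwise let the request through.
    """
    raw = unquote_to_bytes(url)
    if any(rule.matches(raw) for rule in profile.deny_urls):
        return _violation(profile, "deny_url", url, profile.deny_actions)
    if not any(rule.matches(raw) for rule in profile.start_urls):
        return _violation(profile, "start_url", url, profile.start_actions)
    return "allow"


def demo_profile() -> Profile:
    """Constructed profile: cgi-bin scripts are relaxed by the Start URL check,
    and a Deny URL covering the same directory ships disabled, as the
    default Deny URLs do."""
    return Profile(
        start_urls=[
            UrlRule(rb"^http://www[.]example[.]com/$", comment="home page"),
            UrlRule(rb"^http://www[.]example[.]com/cgi-bin/[0-9A-Za-z][0-9A-Za-z_.-]*[.](cgi|pl)$",
                    comment="scripts in cgi-bin"),
        ],
        deny_urls=[
            UrlRule(rb"^http://www[.]example[.]com/cgi-bin/", enabled=False,
                    comment="constructed deny entry, disabled by default"),
        ],
    )


if __name__ == "__main__":
    p = demo_profile()
    url = "http://www.example.com/cgi-bin/search.cgi"
    print("deny rule disabled:", evaluate(p, url))   # allowed by the Start URL relaxation
    p.deny_urls[0].enabled = True
    print("deny rule enabled: ", evaluate(p, url))   # Deny URL wins
    p.deny_actions.block = False
    print("deny block cleared:", evaluate(p, url), p.log_lines, p.counters)
```

Clearing Block on the Deny URL check still produces the log line and the statistics increment, which is the state you would use to observe a new Deny URL entry against live traffic before enforcing it.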
The Cookie Consistency Check

The Cookie Consistency check examines cookies returned by users to see that they match cookies your web site set for that user. If a modified cookie is found, the cookie is stripped from the request before the request is forwarded to the web server. This check applies to requests only.

The Cookie Consistency check prevents attackers from modifying cookies set by a protected web site and returning those modified cookies to the web site. An attacker would normally modify a cookie to log on to the web site under another user's credentials, and thereby gain access to sensitive private information, or to cause a buffer overflow. The Buffer Overflow check, discussed on page 214, protects against attempts to cause a buffer overflow by using a ridiculously overlong cookie. The Cookie Consistency check focuses on the first scenario.

You configure the Cookie Consistency check in the Modify Cookie Consistency Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you can click the Cookie Consistency entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule.

The figure below shows the Modify Cookie Consistency Check dialog box, General tab, as it appears in profiles created with basic defaults. The Cookie Consistency Check is not used in basic profiles, so all of the Check Actions are unchecked. As with any profile created with any set of defaults, however, you can enable this security check by checking the appropriate Check Action check boxes.
[Figure: Modify Cookie Consistency Check Dialog Box, General Tab, Basic Defaults]

The figure below shows the Modify Cookie Consistency Check dialog box, General tab, as it appears in profiles created with advanced defaults. In profiles created with advanced defaults, the Cookie Consistency check is used and all of the Check Actions are enabled.
[Figure: Modify Cookie Consistency Check Dialog Box, General Tab, Advanced Defaults]

The General tab contains the Check Action settings, which control how the check functions. These settings are:

Block. Tells the Application Firewall to block connections that violate the Cookie Consistency check. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable blocking for the Cookie Consistency check by checking the Block check box, and disable blocking by clearing the Block check box.

If you created a profile with basic defaults, you probably will not want to enable the Cookie Consistency rule. In profiles created with basic defaults, the Cookie Consistency rule is turned off and all of its Check Action settings are disabled. Unless your protected web sites require users to log on and set cookies to maintain logon information, you probably do not need the protection that this rule provides. The Buffer Overflow check provides sufficient protection against the only other meaningful attack an attacker can launch by tampering with a cookie.

If you created a profile with advanced defaults, there are many reasons why you might want to disable blocking for the Cookie Consistency check. The most common is to prevent problems when you first install the Application Firewall. No profile has any default cookie relaxations defined. If your web server sets user-modifiable cookies (such as those created by client-side JavaScript in web forms), unless you disable blocking the Application Firewall will strip those cookies from requests sent to your web server. You must either manually add these cookies to the Cookie Consistency list when you first configure the profile, or allow the learning feature to generate a list of learned cookie relaxations for you. If you prefer to let learning do the work, you turn off blocking until learning has seen enough traffic to generate the necessary list of exceptions, or relaxations, to the Cookie Consistency Check rules.

Learn. Tells the Application Firewall to use its learning feature to observe traffic to and from your protected web sites, and generate a list of recommended cookie relaxations to add to the Cookie Consistency relaxations list. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable learning by checking the Learn check box, and disable it by unchecking the Learn check box.

If you created a profile with basic defaults, you should not enable learning for the Cookie Consistency rule unless you plan to enable and use this check. If you want to use the Cookie Consistency check in this profile, you should enable learning, logging, and statistics, and then follow the Cookie Consistency check instructions for profiles created with Advanced Defaults.

If you created a profile with advanced defaults, you have a choice. You can leave learning enabled, or disable it. If you prefer to let learning do the work, you turn off blocking until learning has seen enough traffic to generate the necessary list of cookie relaxations.
You then review the learned relaxations and accept those that you want to allow. When learning has seen enough traffic to generate a good list, you re-enable blocking, and are done. To disable learning and still avoid false positives, you must manually add any user-modifiable cookies to the Cookie Consistency check relaxations list when you first configure the profile. Unless you are very familiar with your web sites, you will probably find it easier to let learning generate the list for you.

Log. Tells the Application Firewall to log any connections that violate the Cookie Consistency check. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable logging for the Cookie Consistency rule by checking the Log check box, and disable logging by clearing the Log check box.
If you created a profile with basic defaults, you should not enable logging for the Cookie Consistency rule unless you plan to enable and use this check. If you want to use the Cookie Consistency check in this profile, you should enable learning, logging, and statistics, and then follow the Cookie Consistency check instructions for profiles created with Advanced Defaults.

If you created a profile with advanced defaults, you normally will not want to disable logging for this or any check you are using to filter traffic. If anything unexpected happens, the logs are an important resource for troubleshooting.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the Cookie Consistency check. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable statistics for the Cookie Consistency rule by checking the Statistics check box, and disable statistics by clearing the Statistics check box.

If you created a profile with basic defaults, you should not enable statistics for the Cookie Consistency rule unless you plan to enable and use this check. If you want to use the Cookie Consistency check in this profile, you should enable learning, logging, and statistics, and then follow the Cookie Consistency check instructions for profiles created with Advanced Defaults.

If you created a profile with advanced defaults, you normally will not want to disable statistics for this or any check you are using to filter traffic. Statistics provide a useful means of measuring how often a particular security check is used when protecting your web sites, and how effective it is.

You add, modify, remove, enable and disable Cookie Consistency Check relaxations in the Modify Cookie Consistency Check dialog box, Settings tab.
The figure below shows this dialog box as it appears for all profiles, regardless of whether they were created with basic or advanced defaults.
[Figure: Modify Cookie Consistency Check Dialog Box, Settings Tab]

You remove a Cookie Consistency Check relaxation by clicking it once to highlight it, then clicking the Remove button. You enable a disabled Cookie Consistency Check relaxation by clicking the Enable button. You disable an active Cookie Consistency Check relaxation by clicking the Disable button.

You add a relaxation to the Cookie Consistency check by clicking the Add button to display the Add Cookie Consistency Check Relaxation dialog box, shown below.
[Figure: Add Cookie Consistency Check Relaxation Dialog Box]

This dialog box contains the following sections:

Enabled check box. A relaxation can be in active use (enabled) or can be inactive (disabled). When you create a relaxation, it is enabled by default. You disable it by clearing the Enabled check box.

Cookie Name. In the text area in the Cookie Name section, you enter either a literal string or a PCRE-format regular expression that defines the name of the cookie that you are adding to the relaxations list. If you use a regular expression, you also check the check box labeled Is Field Name Regular Expression. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Regular Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a cookie that contains any characters outside of the basic ASCII character set. If you want to include a cookie that contains non-ASCII characters, you must enter those characters manually using the PCRE hexadecimal character encoding format. For examples of cookie regular expressions that allow non-ASCII characters, see below.
For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several example cookie relaxations.

- Allow cookies that begin with the string logon_ and are followed by the user's logon name to be user-modifiable:
  ^logon_[0-9A-Za-z]+$

  If your web site preserves user logon information using a cookie similar to this, you can modify this regular expression to match the cookies your web site uses. For example, if your web site has a special logon for Turkish-speaking customers, you might have a cookie that begins with the string türkçe-logon_. The special characters in that string must be represented as encoded UTF-8 strings:
  ^t\xc3\xbcrk\xc3\xa7e-logon_[0-9A-Za-z]+$

  If you want to allow encoded characters in the remainder of the logon name as well as in the first portion, you must group the character class at the end with the string \\x[0-9A-Fa-f][0-9A-Fa-f], as shown below:
  ^t\xc3\xbcrk\xc3\xa7e-logon_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])+$

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported special characters and how to encode them properly when configuring the Application Firewall.

- Allow cookies that contain the string sc-item_, followed by the ID of an item that the user has added to his shopping cart ([0-9A-Za-z]+), a second underscore (_), and finally the number of these items he wants ([1-9][0-9]?), to be user-modifiable:
  ^sc-item_[0-9A-Za-z]+_[1-9][0-9]?$

  The preceding regular expression does not restrict the length of the item ID, but carefully restricts the number of each item a user is allowed to order to ninety-nine or fewer.
Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they match exactly what you want them to match, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect.

- Comments. In the text area in the Comments section, you type a comment that explains what this cookie relaxation does, and why you added it. This section is optional; you can leave it blank if you wish.

When you have finished filling out the Add Cookie Consistency Check Relaxation dialog box, you click the Create button, and when prompted confirm your choice by clicking the Yes button, to add your new relaxation to the list. You can then repeat the process as many times as you want to add additional relaxations.

You modify an existing Cookie Consistency relaxation by clicking it once to highlight it, then clicking the Modify button to display the Modify Cookie Consistency Check Relaxation dialog box, shown below.

The Modify Cookie Consistency Check Relaxation Dialog Box
As you can see, this dialog box looks identical to the Add Cookie Consistency Check Relaxation dialog box, except for the title and that, instead of being blank, it contains the information for the cookie relaxation you chose. See the description above for more information about the different parts of this dialog box and how to configure each.

When you have finished configuring the Cookie Consistency check, you click the Close button to close the Modify Cookie Consistency Check dialog box and return to the Configure Application Firewall Profile dialog box.

The Buffer Overflow Check

The Buffer Overflow check detects attempts to cause a buffer overflow on the web server. If the Application Firewall detects a URL, cookie or header longer than the specified maximum length in a request, it blocks that request because it might be an attempt to cause a buffer overflow.

The Buffer Overflow check prevents attacks against insecure operating system or web server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle. Proper programming techniques prevent buffer overflows by checking incoming data and either rejecting or truncating overlong strings. Many programs, however, do not check all incoming data, and are therefore vulnerable to buffer overflows. This issue especially affects older versions of web server software and operating systems, many of which are still in use.

You configure the Buffer Overflow check in the Modify Buffer Overflow Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you can click the Buffer Overflow entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that check.
The figure below shows the Modify Buffer Overflow Check dialog box. The default settings for the Buffer Overflow check are the same regardless of whether the profile was created with basic or advanced defaults.
Modify Buffer Overflow Check Dialog Box, General Tab

The General tab contains the Check Action settings, which control how the check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the Buffer Overflow check. Enabled by default in all profiles. You disable blocking for the Buffer Overflow check by clearing the Block check box, and re-enable blocking by checking the Block check box.

  You should not disable blocking for the Buffer Overflow check except when testing the Application Firewall in a new setting or for troubleshooting. This check almost never causes false positives, and requires little or no time to configure and manage.

- Learn. The learning feature is not available with the Buffer Overflow check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the Buffer Overflow check. Enabled by default in all profiles. You disable logging for the Buffer Overflow rule by clearing the Log check box, and re-enable logging by checking the Log check box.

  You normally will not want to disable logging for this or any check you are using to filter traffic. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the Buffer Overflow check. Enabled by default in all profiles. You disable statistics for the Buffer Overflow rule by clearing the Statistics check box, and re-enable statistics by checking the Statistics check box.

  You normally will not want to disable statistics for this or any check you are using to filter traffic. Statistics provide a useful means of measuring how often a particular security check is used when protecting your web sites, and how effective it is.
You configure the Buffer Overflow check in the Modify Buffer Overflow Check dialog box, Settings tab, shown below.

Modify Buffer Overflow Check Dialog Box, Settings Tab

Unlike the previous checks, there are no relaxations for the Buffer Overflow check. Instead, there are three parameters you can configure. They are:

- Maximum URL Length. The maximum length the Application Firewall will allow for a requested URL. If a user tries to send a longer URL, the Application Firewall blocks the request. Set to 1024 by default. You can set this to any positive integer between one (1) and

- Maximum Cookie Length. The maximum length the Application Firewall will allow for a cookie in a request. If a user tries to return a longer cookie, the Application Firewall blocks the request. Set to 4096 by default. You can set this to any positive integer between one (1) and

- Maximum Header Length. The maximum length the Application Firewall will allow for HTTP headers. If a user request contains HTTP headers longer than this value, the Application Firewall blocks the request. Set to 4096 by default. You can set this to any positive integer between one (1) and

When you have finished configuring the Buffer Overflow check, you click the OK button to save your changes, close the Modify Buffer Overflow Check dialog box, and return to the Configure Application Firewall Profile dialog box.
The Credit Card Check

The Credit Card check provides special handling for credit card numbers. A web application does not usually send a credit card number in a response to a user request, even when the user supplies a credit card number in the request. The Application Firewall examines web server responses, including headers, for credit card numbers. If it finds a credit card number in the response, and the administrator has not configured it to allow credit card numbers to be sent, it responds in one of two ways:

- It blocks the response.

- It replaces all but the final group of digits in the credit card with x's. For example, a credit card number of would be rendered xxxx-xxxx-xxxx

The Credit Card check prevents attackers from exploiting a security flaw in your web server software or on your web site to obtain credit card numbers of your customers. If your web sites do not have access to credit card information, you do not need to configure this check. If your web sites do have access to credit card information, such as via a shopping cart application, or your web sites have access to back-end database servers that contain customer credit card numbers, you should configure protection for each type of credit card that you accept.

Note: A web site that does not access a back-end SQL database usually does not have access to sensitive private information, such as credit card numbers.

You configure the Credit Card check in the Modify Credit Card Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you can click the Credit Card entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule.
The figure below shows the Modify Credit Card Check dialog box as it appears for all profiles, regardless of whether they were created with basic or advanced defaults.
Modify Credit Card Check Dialog Box, General Tab

The General tab contains the Action settings, which control how the check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the Credit Card check. Disabled by default. You enable blocking for the Credit Card rule by checking the Block check box, and disable blocking after enabling it by unchecking the Block check box.

  Note: Enabling blocking will not in itself enable the Credit Card check. You must also enable protection in the Settings tab of this dialog box for each specific type of credit card you want the Application Firewall to protect.

- Learn. Learning is disabled for the Credit Card check, and the box is greyed out. You cannot enable it.

- Log. Tells the Application Firewall to log any connections that violate the Credit Card check. Enabled by default in profiles created with both basic and advanced defaults. You disable logging for the Credit Card check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box.

  You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the Credit Card check. Enabled by default in profiles created with both basic and advanced defaults. You disable statistics for the Credit Card check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box.

  You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

- X-Out. Tells the Application Firewall to mask any credit card numbers it detects in a response with the letter X, as described earlier in this section. The X-out action is disabled by default in all types of profiles. You enable masking of credit card numbers by checking the X-out check box, and disable masking by clearing the X-out check box.

Beneath the Check Actions section of the General tab is the Parameters section. It contains only one entry.

- Maximum credit cards allowed per page. Tells the Credit Card check to allow up to a certain number of credit card numbers per page in responses without masking the credit card numbers or blocking the response. The Maximum is set to zero (0) by default. Usually no web pages will contain unmasked credit card numbers, but occasionally a web page might legitimately contain a credit card number or even a list of credit card numbers. You configure the maximum number of credit card numbers allowed in a text box labeled Maximum credit cards allowed per page. You can modify this to any value you want.

You enable protection for specific credit cards in the Modify Credit Card Check dialog box, Settings tab, shown below.

Modify Credit Card Check Dialog Box, Settings Tab
There are six types of credit cards that can be protected using the Application Firewall Credit Card Check: Diner's Club, MasterCard, Discover, American Express, Visa, and JCB. You enable protection for a specific type of credit card by clicking the entry for that credit card once, to highlight it, then clicking the Protect button. The Modify Credit Card Check dialog box refreshes, and the Status column next to that credit card type in the dialog box now reads Protected. You disable protection for a credit card type in the same manner, but click the Unprotect button instead of the Protect button.

Note: You can hold down your Shift or Ctrl key while choosing credit card types, and then enable or disable several credit card types at once by clicking the Protect or Unprotect button while multiple credit card types are selected.

The figure below shows the Modify Credit Card Check dialog box with protection enabled for four of the six credit card types.

Modify Credit Card Check Dialog Box, Settings Tab with Protection Enabled for Three Credit Cards

When you have finished configuring the Credit Card check, you click the Close button to close the Modify Credit Card dialog box and return to the Configure Application Firewall Profile dialog box.
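As an added illustration, not code from the guide or the product, the following Python models the Credit Card check's behaviour on a constructed response body: recognition of numbers of the card types marked Protected, the Maximum credit cards allowed per page threshold, and the Block and X-Out actions. The issuer prefix and length rules, and the treatment of the last four digits of an unseparated number as its final group, are simplifying assumptions of this example; the industry-standard test card numbers in the sample are constructed input.

```python
import re
from dataclasses import dataclass, field

# Issuer rules keyed by the six card types the check can protect. The prefix
# and length patterns are a simplified assumption for this example; the
# firewall's own recognition tables are not described on the page.
CARD_TYPES = {
    "Visa": re.compile(r"4\d{12}(?:\d{3})?"),
    "MasterCard": re.compile(r"5[1-5]\d{14}"),
    "American Express": re.compile(r"3[47]\d{13}"),
    "Discover": re.compile(r"6(?:011|5\d{2})\d{12}"),
    "Diners Club": re.compile(r"3(?:0[0-5]|[68]\d)\d{11}"),
    "JCB": re.compile(r"35\d{14}"),
}
# A candidate is 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def xout_number(number: str) -> str:
    """Mask every digit except the final group, keeping separators, so that
    4111-1111-1111-1111 becomes xxxx-xxxx-xxxx-1111. For an unseparated
    number the last four digits are treated as the final group (assumption)."""
    groups = re.split(r"[ -]", number)
    keep = len(groups[-1]) if len(groups) > 1 else 4
    total = sum(c.isdigit() for c in number)
    seen, out = 0, []
    for c in number:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "x")
        else:
            out.append(c)
    return "".join(out)


@dataclass
class CreditCardCheck:
    protected: set = field(default_factory=set)  # card types whose Status is Protected
    block: bool = False
    xout: bool = False
    max_per_page: int = 0  # "Maximum credit cards allowed per page"

    def find(self, body: str) -> list:
        """Return (start, end, card type) for each protected card number in body."""
        hits = []
        for m in CANDIDATE.finditer(body):
            digits = re.sub(r"[ -]", "", m.group())
            for name, rule in CARD_TYPES.items():
                if name in self.protected and rule.fullmatch(digits):
                    hits.append((m.start(), m.end(), name))
                    break
        return hits

    def apply(self, body: str):
        """Return (action, body) for a response body: allow, block, xout or log-only."""
        hits = self.find(body)
        if len(hits) <= self.max_per_page:
            return "allow", body
        if self.block:
            return "block", None
        if self.xout:
            out = list(body)
            for start, end, _ in hits:
                out[start:end] = list(xout_number(body[start:end]))  # same length
            return "xout", "".join(out)
        return "log-only", body  # neither action enabled: only logging and statistics apply


# Constructed response body using well-known test card numbers.
SAMPLE_RESPONSE = (
    "<p>Order 1042 paid with card 4111-1111-1111-1111 (Visa)</p>\n"
    "<p>Backup card 5500 0000 0000 0004 (MasterCard)</p>\n"
    "<p>Corporate card 3782 822463 10005 (American Express)</p>\n"
)

if __name__ == "__main__":
    check = CreditCardCheck(protected={"Visa", "MasterCard"}, xout=True)
    action, body = check.apply(SAMPLE_RESPONSE)
    print(action)
    print(body)
```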
The Safe Object Check

The Safe Object check provides user-configurable protection for sensitive business information, such as customer numbers, order numbers, and country- or region-specific telephone numbers or postal codes. A user-defined regular expression or custom plug-in tells the Application Firewall the format of this information, and defines the rules to be used to protect it. If the Application Firewall detects a string in a user request that matches a safe object definition, depending on how you configured that particular Safe Object rule, it:

- Blocks the request.

- X's out the protected information.

- Removes the protected information.

You configure the Safe Object check in the Modify Safe Object Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you click the Safe Object entry, then click the Modify button to display the Modify Safe Object Check dialog box. The figure below shows the Modify Safe Object Check dialog box as it appears for all profiles, regardless of whether they were created with basic or advanced defaults.

Note: Unlike all other checks, the Modify Safe Object Check dialog box does not have separate General and Settings tabs.
Modify Safe Object Check Dialog Box

You add, modify, delete, enable and disable Safe Object definitions in this dialog box. You add a new Safe Object definition to the Safe Object check by clicking the Add button to display the Add Safe Object dialog box, shown below.
Add Safe Object Dialog Box

As with other Add dialog boxes in the configuration utility, if you selected an existing safe object before clicking the Add button, the Add Safe Object dialog box is displayed with the information from the Safe Object definition that is currently selected. You can use this information as the basis of your new definition, or you can delete it and create an entirely new definition. When you save your new definition, the configuration utility does not overwrite the selected definition. Instead, it creates a new Safe Object definition. If no existing safe object was selected, the dialog box is displayed empty, as shown above.

This dialog box contains the following sections:

- Enabled check box. A Safe Object definition can be in active use (enabled) or can be inactive (disabled). When you create a definition, it is disabled by default. You enable it by selecting the Enabled check box.

- Name. In the text area in the Field Name section, you type a name for your Safe Object definition. The name should start with a letter or number and can consist of from one to thirty-one letters, numbers, or the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols.

- Actions. You check or uncheck the check boxes in this section to enable or disable that action.

  Note: The Actions section in the Safe Object Settings tab contains the same Check Actions that appear in the General tabs of other Application Firewall checks. They appear in the Add and Modify dialog boxes for this rule so that you can configure these checks separately for each Safe Object you define.

  - Block. Tells the Application Firewall to block responses that contain a string that matches a Safe Object definition. Disabled by default in all profiles. You enable blocking for the Safe Object check by selecting the Block check box, and disable blocking by clearing the Block check box.

  - X-Out. Tells the Application Firewall to mask any strings it detects in a response that match a Safe Object definition with the letter X. Disabled by default in all profiles. You enable the X-Out option for the Safe Object check by selecting the X-Out check box, and disable it by clearing the X-Out check box.

  - Log. Tells the Application Firewall to log any connections that contain a string that matches a Safe Object definition. Disabled by default in all profiles. You enable logging for the Safe Object rule by selecting the Log check box, and disable logging by clearing the Log check box. You normally will not want to disable logging for this or any check you are using to filter traffic. If anything unexpected happens, the logs are an important resource to troubleshoot.

  - Statistics. Tells the Application Firewall to generate statistics for responses that contain a string that matches a Safe Object definition. Disabled by default in all profiles. You enable statistics for the Safe Object rule by selecting the Statistics check box, and disable statistics by clearing the Statistics check box. You normally will not want to disable statistics for this or any check you are using to filter traffic. Statistics provide a useful means of measuring how often a particular security check is used when protecting your web sites, and how effective it is.
  - Remove. Tells the Application Firewall to remove from a response any strings it detects that match a safe object definition. Disabled by default in all profiles. You enable the remove action for the Safe Object rule by selecting the Remove check box, and disable it by clearing the Remove check box.

- Regular Expression. You enter a PCRE-format regular expression that defines the type of string you want to protect using this Safe Object definition. This is the heart of the Safe Object check; in this field, you tell the Application Firewall exactly how to find the information that you want it to protect. You can type the regular expression directly into the text area, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

  Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a text string that contains any characters outside of the basic ASCII character set. If you want to include non-ASCII characters in your Safe Object expression, you must enter those characters manually using the PCRE hexadecimal character encoding format. See below for examples of expressions that contain non-ASCII characters. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

  Below are several example Safe Object definitions for types of information that you might want to prevent your web site(s) from displaying to users.

  - Look for strings that appear to be U.S. social security numbers, which consist of three numerals (the first of which must not be a zero), followed by a hyphen, followed by two more numerals, followed by a second hyphen, and ending with a string of four more numerals:

    [1-9][0-9]{2,2}-[0-9]{2,2}-[0-9]{4,4}

    Note: Do not use start anchors (^) at the beginning of Safe Object expressions, or end anchors ($) at the end of Safe Object expressions. These PCRE entities are not supported in Safe Object expressions, and if used, will cause your expression not to match what it was intended to match.
  - Look for strings that appear to be California driver's license IDs, which start with a letter, and are followed by a string of exactly seven numerals:

    [A-Za-z][0-9]{7,7}

  - Look for strings that appear to be Example Manufacturing customer IDs, which consist of a string of five hexadecimal characters (all the numerals and the letters A through F), followed by a hyphen, followed by a three-letter code, followed by a second hyphen, and ending with a string of ten numerals:

    [0-9A-Fa-f]{5,5}-[A-Za-z]{3,3}-[0-9]{10,10}

  Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they define exactly the type of string you want to add as a Safe Object definition, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect, such as blocking access to web content that you did not intend to block.

- Maximum Match Length. Enter a positive integer that represents the maximum length of the string you want to match. For example, if you want to match U.S. social security numbers, you should enter eleven (11) in this field. That allows your regular expression to match a string with nine numerals and two hyphens. If you want to match California driver's license numbers, you should enter eight (8). If you want to match an Example Manufacturing, Inc. customer ID such as that shown above, you should enter twenty (20).

  Caution: If you do not enter a maximum match length in this field, the Application Firewall will use a default value of one (1) when filtering for strings using your Safe Object expressions. This will cause most Safe Object expressions to fail to match their target strings.

- Comments. In the text area in the Comments section, you type a comment that explains why you added this Safe Object definition to the configuration. This section is optional; you can leave it blank if you wish.
When you have finished filling out the Add Safe Object dialog box, you click the Create button. A message box appears notifying you that the resource was successfully created. You click the Yes button to close the message box and return to the Add Safe Object Check Relaxation dialog box. Your new definition appears in the list. You can then repeat the process as many times as you want to add additional Safe Object definitions.

You modify an existing Safe Object definition by clicking it once to highlight it, then clicking the Modify button to display the Modify Safe Object dialog box, shown below.

Modify Safe Object Dialog Box

As you can see, this dialog box looks identical to the Add Safe Object dialog box, except that the leftmost button at the bottom is labeled Save instead of Create. Unlike with the previous dialog box, the configuration utility will overwrite the selected relaxation with any changes you make in this dialog box after you click the Save button. See the description above for more information about the different parts of this dialog box and how to configure each.
You remove a Safe Object relaxation by clicking it once to highlight it, then clicking the Remove button. The configuration utility asks you to confirm that you want to remove the selected relaxation. You click the Yes button to close the dialog box and remove the relaxation.

You can enable or disable Safe Object definitions in the main Modify Safe Object Check dialog box, in addition to the Add Safe Object and Modify Safe Object dialog boxes. You enable a Safe Object definition in this dialog box by clicking the entry for that definition, then clicking the Enable button. The Modify Safe Object Check dialog box refreshes, and the definition you chose is now enabled. You disable a Safe Object definition in the same manner, but click the Disable button instead of the Enable button.

Note: You can hold down your Shift or Ctrl key while choosing Safe Object definitions, and then enable or disable several definitions at once by clicking the Enable or Disable button while multiple definitions are selected.

When you have finished configuring the Safe Object check, you click the Close button to close the Modify Safe Object Check dialog box and return to the Configure Application Firewall Profile dialog box.
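The following added example (not code from the guide or the product) runs the three Safe Object definitions given above, with the Maximum Match Length values the guide recommends, over a constructed response fragment, and shows what happens when the length is left at its default of one or when an unsupported anchor is used. Its assumptions are its own: a match longer than the maximum length is not recognised, Block takes precedence over Remove, which takes precedence over X-Out, and an anchored expression is modelled as never matching.

```python
import re
from dataclasses import dataclass


@dataclass
class SafeObject:
    """One Safe Object definition as entered in the Add Safe Object dialog box."""
    name: str
    regex: str                 # PCRE-style expression without ^ or $ anchors
    max_match_length: int = 1  # the default the guide warns about when the field is left blank
    block: bool = False
    xout: bool = False
    remove: bool = False
    enabled: bool = True


def apply_safe_objects(body: str, definitions: list):
    """Filter a response body with a list of Safe Object definitions.

    Returns (action, body). Assumptions of this example: a match longer than
    max_match_length is not recognised (so the default of 1 misses almost
    everything); Block wins over Remove, which wins over X-Out; an expression
    with a ^ or $ anchor is unsupported and never matches.
    """
    hits = []
    for d in definitions:
        if not d.enabled or d.regex.startswith("^") or d.regex.endswith("$"):
            continue
        for m in re.finditer(d.regex, body):
            if len(m.group()) <= d.max_match_length:
                hits.append((m.start(), m.end(), d))
    if any(d.block for _, _, d in hits):
        return "block", None
    out = body
    # Edit from the end of the body so that earlier offsets stay valid.
    for start, end, d in sorted(hits, key=lambda h: h[0], reverse=True):
        if d.remove:
            out = out[:start] + out[end:]
        elif d.xout:
            out = out[:start] + "X" * (end - start) + out[end:]
    return ("filtered" if hits else "allow"), out


# The three definitions from the text, with the recommended match lengths.
SSN = SafeObject("us-ssn", r"[1-9][0-9]{2,2}-[0-9]{2,2}-[0-9]{4,4}",
                 max_match_length=11, xout=True)
CA_LICENSE = SafeObject("ca-driver-license", r"[A-Za-z][0-9]{7,7}",
                        max_match_length=8, xout=True)
CUSTOMER_ID = SafeObject("example-mfg-customer",
                         r"[0-9A-Fa-f]{5,5}-[A-Za-z]{3,3}-[0-9]{10,10}",
                         max_match_length=20, remove=True)

# Constructed response fragment containing one instance of each format.
SAMPLE_BODY = ("Customer 1A2B3-XYZ-0123456789 (SSN 123-45-6789, "
               "licence D1234567), phone 555-0100.")

if __name__ == "__main__":
    print(apply_safe_objects(SAMPLE_BODY, [SSN, CA_LICENSE, CUSTOMER_ID]))
    # Same licence definition with Maximum Match Length left at the default of 1.
    print(apply_safe_objects(SAMPLE_BODY, [SafeObject("weak", CA_LICENSE.regex, xout=True)]))
```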
CHAPTER 11 The HTML Security Checks

This chapter describes in detail the Application Firewall security checks that apply specifically to HTML profiles. It explains how each security check operates, what types of attacks it helps prevent, and how the configuration details affect how that security check filters a request or response. This information is intended for system administrators who need to understand a particular HTML security check in detail to configure it properly for their web sites.

Note: You do not need to read this chapter unless you need to understand in detail how specific HTML security checks work, what all the options are for each, and how each option affects its operation.

The Form Field Consistency Check

The Form Field Consistency check examines the web forms returned by users of your web site, and verifies that the web form was not modified inappropriately by the client. This check applies only to HTML requests that contain a web form, with or without data. It does not apply to XML requests.

The Form Field Consistency check prevents clients from making unauthorized changes to the structure of the web forms on your web site when they are filling out a web form and submitting data using that form. It also ensures that the data a user submits meets the HTML restrictions for length and type, and that data in hidden fields is not modified. This prevents an attacker from tampering with a web form and using the modified form to gain unauthorized access to your web site, redirect the output of a contact form that uses an insecure script and thereby send unsolicited bulk e-mail, or exploit a vulnerability in your web server software to gain control of the web server or the underlying operating system. Web forms are a weak link on many web sites and attract a wide range of attacks.

The Form Field Consistency check verifies all of the following:

- If a field is sent to the user, the check ensures that it is returned by the user.

- The check enforces HTML field lengths and types.

- If your web server does not send a field to the user, the check does not allow the user to add that field and return data in it.

- If a field is a read-only or hidden field, the check verifies that the data has not changed.

- If a field is a list box or radio button field, the check verifies that the data in the response corresponds to one or more of the values in that field.

If a web form returned by a user violates one or more of the form field consistency checks, and you have not configured the Application Firewall to allow that web form to violate the Form Field Consistency checks in that manner, the request is blocked.

Note: The Form Field Consistency check enforces HTML restrictions on data type and length, but does not otherwise validate the data in web forms. You can use the Field Formats check to set up rules that validate data returned in specific form fields on your web forms.

You configure the Form Field Consistency check in the Modify Form Field Consistency Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you can click the Form Field Consistency entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule.

The figure below shows this dialog box as it appears for profiles created with basic defaults. The Form Field Consistency Check is not used in basic profiles, so all of the Check Actions are unchecked. As with any profile created with any set of defaults, however, you can enable this security check by checking the appropriate Check Action check boxes.
Modify Form Field Consistency Check Dialog Box, General Tab, Basic Defaults

The figure below shows this dialog box as it appears for profiles created with advanced defaults. In profiles created with advanced defaults, the Form Field Consistency check is used and all of the Check Actions are enabled.
Modify Form Field Consistency Check Dialog Box, General Tab, Advanced Defaults

The General tab, displayed by default when you open the Modify Form Field Consistency Check dialog box, contains the Check Action settings, which control how the check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the Form Field Consistency check. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable blocking for the Form Field Consistency check by checking the Block check box, and disable blocking by clearing the Block check box.

  If you created a profile with basic defaults, you probably will not want to enable the Form Field Consistency rule. In profiles created with basic defaults, the Form Field Consistency rule is turned off and all of its Check Action settings are disabled. Configuring the Form Field Consistency check correctly requires that you use learning mode to generate the relaxations list for this check. If you want to use this check on your web site, you should enable learning, logging, and statistics, but leave blocking disabled. Then, follow the recommendations for profiles created with advanced defaults.
247 Chapter 11 The HTML Security Checks 233 If you created a profile with advanced defaults, there are many reasons why you might want to disable blocking for the Form Field Consistency check. The most common is to prevent false positives when you first install the Application Firewall. No profile has any default Form Field Consistency relaxations defined. If your web server uses web forms that are modified by the user s browser, unless you disable blocking the Application Firewall will block the user from using those web forms to send data to your web server. You must either manually add those web forms to the Form Field Consistency relaxations list when you first configure the profile, or allow the learning feature to generate a list of learned Form Field Consistency relaxations for you. If you prefer to let learning do the work, you turn off blocking until learning has seen enough traffic to generate the necessary list of relaxations. Learn. Tells the Application Firewall to use its learning feature to observe traffic to and from your protected web sites, and generate a list of recommended form field relaxations to add to the Form Field Consistency relaxations list. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable learning by checking the Learn check box, and disable it by unchecking the Learn check box. If you created a profile with basic defaults, you should not enable learning for the Form Field Consistency rule unless you plan to enable and use this check. If you want to use the Form Field Consistency check in this profile, you should enable learning, logging, and statistics, and then follow the Form Field Consistency check instructions for profiles created with advanced defaults. If you created a profile with advanced defaults, you have a choice. You can leave learning enabled, or disable it. 
If you prefer to let learning do the work, you turn off blocking until learning has seen enough traffic to generate the necessary list of Form Field Consistency relaxations. You then review the learned relaxations and accept those that you want to allow. When learning has seen enough traffic to generate a good list, you re-enable blocking, and are done. To disable learning and still avoid false positives, you must manually add any web forms modified on the user's browser to the Form Field Consistency check relaxations list when you first configure the profile. Unless you are very familiar with your web sites, you will probably find it easier to let learning generate the list for you.

Log. Tells the Application Firewall to log any connections that violate the Form Field Consistency check. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced
defaults. You enable logging for the Form Field Consistency rule by checking the Log check box, and disable logging by clearing the Log check box. If you created a profile with basic defaults, you should not enable logging for the Form Field Consistency rule unless you plan to enable and use this check. If you want to use the Form Field Consistency check in this profile, you should enable learning, logging, and statistics, and then follow the Form Field Consistency check instructions for profiles created with advanced defaults. If you created a profile with advanced defaults, you normally will not want to disable logging for this or any check you are using to filter traffic. If anything unexpected happens, the logs are an important resource to troubleshoot.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the Form Field Consistency check. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable statistics for the Form Field Consistency rule by checking the Statistics check box, and disable statistics by clearing the Statistics check box. If you created a profile with basic defaults, you should not enable statistics for the Form Field Consistency rule unless you plan to enable and use this check. If you want to use the Form Field Consistency check in this profile, you should enable learning, logging, and statistics, and then follow the Form Field Consistency check instructions for profiles created with advanced defaults. If you created a profile with advanced defaults, you normally will not want to disable statistics for this or any check you are using to filter traffic. Statistics provide a useful means of measuring how often a particular security check is used when protecting your web sites, and how effective it is.
You add, modify, remove, enable and disable relaxations in the Modify Form Field Consistency Check dialog box, Settings tab. The figure below shows this dialog box as it appears for all profiles, regardless of whether they were created with basic or advanced defaults.
Modify Form Field Consistency Check Dialog Box, Settings Tab

You remove a Form Field Consistency Check relaxation by clicking it once to highlight it, then clicking the Remove button. You enable a disabled Form Field Consistency Check relaxation by clicking the Enable button. You disable an active Form Field Consistency Check relaxation by clicking the Disable button. You add a relaxation to the Form Field Consistency check by clicking the Add button to display the Add Form Field Consistency Check Relaxation dialog box, shown below.
Add Form Field Consistency Check Relaxation Dialog Box

This dialog box contains the following sections:

Enabled check box. A relaxation can be in active use (enabled) or can be inactive (disabled). When you create a relaxation, it is enabled by default. You disable it by clearing the Enabled check box.

Field Name. In the text area in the Field Name section, you enter either a literal string or a PCRE-format regular expression that defines the name of the form field that you are adding to the relaxations list. If you use a regular expression, you also check the check box labeled, Is Field Name Regular Expression. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following. The regular expression you type must consist of ASCII characters only. Do not cut and paste a form field name that contains any characters outside of
the basic ASCII character set. If you want to include a field name that contains non-ASCII characters, you must enter those characters manually using the PCRE UTF-8 hexadecimal character encoding format. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Caution: If any web form on your protected web sites has a field named as_fid, you must disable form tagging. If you do not, the Application Firewall will generate a field consistency check error and block the web page that contains this web form. See Enable Form Tagging on page 123 for instructions.

Below are several example Form Field name relaxations.

- Choose form fields with the name UserType: ^UserType$
- Choose form fields with names beginning with UserType_ and followed by a string beginning with a letter or number and consisting of from one to twenty-one letters, numbers, or the apostrophe or hyphen symbol: ^UserType_[0-9A-Za-z][0-9A-Za-z'-]{0,20}$

You can modify this regular expression to match the form fields your web site uses. For example, if your web site has Turkish-speaking customers whose first names may contain special characters, you might have a form field that begins with the string Türkçe-UserType_ on their logon page. The special characters in that string must be represented as encoded UTF-8 strings: ^T\xC3\xBCrk\xC3\xA7e-UserType_[0-9A-Za-z]++$

If you want to allow encoded characters in the remainder of the field name as well as the first portion, you must group the character class at the end with the string \\x[0-9A-Fa-f][0-9A-Fa-f], as shown below: ^T\xC3\xBCrk\xC3\xA7e-UserType_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])+$

Note: See Appendix A, PCRE Character Encoding Format, on page 383, for a complete description of supported special characters and how to encode them properly when configuring the Application Firewall.
- Choose form field names that begin with a letter or number, consist of a combination of letters and/or numbers only, and that contain the string Num anywhere in the string: ^[0-9A-Za-z]*Num[0-9A-Za-z]*$

Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they match exactly what you want them to match, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect.

Action URL. In the text area in the Action URL section, you enter a PCRE-format regular expression that defines the URL of the web forms you want to exempt from this rule. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste an action URL that contains any characters outside of the basic ASCII character set. If you want to include an action URL that contains non-ASCII characters, you must enter those characters manually using the PCRE hexadecimal character encoding format. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several example Form Field Action URL expressions.

- Choose URLs beginning with search.pl?, and containing any string after the query except for a new query: ^
- Choose URLs beginning with which contains the n-tilde (ñ) non-ASCII special character.
This special character must be represented as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset:
^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](asp|htp|php|s?html?)$

- Allow users to access web pages beginning with when the server contains pathnames or filenames that contain non-ASCII characters: ^ (([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*/)*([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*[.](asp|htp|php|s?html?)$

In the expression above, each character class has been grouped with the string \\x[0-9A-Fa-f][0-9A-Fa-f], which will match all properly-constructed character encoding strings, but not allow stray backslash characters that are not associated with a UTF-8 character encoding string. The double backslash (\\) is an escaped backslash, which tells the Application Firewall to interpret it as a literal backslash. If you included only one backslash, the Application Firewall would instead interpret the following left square bracket ([) as a literal character rather than the opening of a character class, which would break the expression.

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported characters and how to encode them properly when configuring the Application Firewall.

- Choose all URLs that contain the string /search.cgi?: ^[^?<>]*/search[.]cgi\?[^?<>]*$

Comments. In the text area in the Comments section, you type a comment that explains what this relaxation does, and why you added it. This section is optional; you can leave it blank if you wish.

When you have finished filling out the Add Form Field Consistency Check Relaxation dialog box, you click the Create button, and when prompted confirm your choice by clicking the Yes button, to add your new relaxation to the list. You can then repeat the process as many times as you want to add additional relaxations.
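To see what these relaxation expressions actually admit, here is an added Python example (not code from the guide or from the NetScaler product). It renders a non-ASCII field name in the \xHH form the guide requires, compiles each expression above against UTF-8 field names, and contrasts the double-backslash form, which matches a literal backslash-x sequence, with the careless UserType.* pattern the caution warns about. The sample field names, the UserType_ prefix used with the encoded tail and the .* pattern are constructed for this example; the same expressions reappear in the Field Formats field-name examples later in this chapter.

```python
import re

# Constructed sample field names (not taken from the guide) used to exercise
# the relaxation expressions. Non-ASCII names are compared as UTF-8 bytes,
# because the guide requires non-ASCII characters in an expression to be
# written as \xHH byte escapes.
SAMPLE_FIELDS = [
    "UserType",
    "UserType_admin",
    "UserType_a'b-c",
    "UserType_" + "x" * 22,    # 22 characters after the prefix: one too many
    "UserTypeX",
    "Türkçe-UserType_abc",
    "OrderNum7",
    "Num",
]

# Regex metacharacters that must be escaped when an ASCII field name is
# turned into a literal pattern.
_META = set(".^$*+?()[]{}|\\")


def to_pcre_utf8(text: str) -> str:
    """Render a field name as the ASCII-only PCRE literal the guide asks for.

    ASCII characters are kept (escaped if they are regex metacharacters);
    every other character becomes the \\xHH escapes of its UTF-8 bytes,
    so 'ü' -> '\\xC3\\xBC' and 'ç' -> '\\xC3\\xA7'.
    """
    out = []
    for ch in text:
        if ch.isascii():
            out.append("\\" + ch if ch in _META else ch)
        else:
            out.append("".join(f"\\x{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def compile_relaxation(pattern: str) -> re.Pattern:
    """Compile a relaxation expression against UTF-8 byte strings.

    The guide insists the expression itself be plain ASCII. Compiling it as a
    bytes pattern makes '\\xC3' match the single byte 0xC3, which is how the
    encoded form lines up with the UTF-8 field name on the wire.
    """
    if not pattern.isascii():
        raise ValueError("relaxation expressions must contain ASCII only")
    return re.compile(pattern.encode("ascii"))


def matching_fields(pattern: str, names=SAMPLE_FIELDS) -> list:
    """Return the field names that the relaxation expression would cover."""
    rx = compile_relaxation(pattern)
    return [n for n in names if rx.search(n.encode("utf-8"))]


# The expressions from the guide, plus the .* form its caution warns about.
EXACT = "^UserType$"
PREFIXED = "^UserType_[0-9A-Za-z][0-9A-Za-z'-]{0,20}$"
TURKISH = "^" + to_pcre_utf8("Türkçe-UserType_") + "[0-9A-Za-z]+$"
CONTAINS_NUM = "^[0-9A-Za-z]*Num[0-9A-Za-z]*$"
CARELESS = "^UserType.*"

# The guide's double-backslash form: in the dialog, '\\x' is an escaped
# backslash followed by 'x', so the group matches the four-character text
# '\xC3' rather than the byte 0xC3. A raw string keeps both backslashes.
ENCODED_TAIL = r"^UserType_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])+$"
ENCODED_NAMES = [r"UserType_a\xC3\xBC", r"UserType_a\b", "UserType_ab"]


if __name__ == "__main__":
    for label, pat in [("exact", EXACT), ("prefixed", PREFIXED),
                       ("turkish", TURKISH), ("contains Num", CONTAINS_NUM),
                       ("careless .*", CARELESS)]:
        print(f"{label:13} {pat}\n{'':13} -> {matching_fields(pat)}")
    print("encoded tail  ->", matching_fields(ENCODED_TAIL, ENCODED_NAMES))
```

Running it shows the anchored expressions matching exactly one name each, the prefixed expression rejecting the 22-character suffix and UserTypeX, and the .* form sweeping up five of the eight names, including ones the administrator almost certainly did not intend to relax. The encoded-tail expression accepts the literal \xC3\xBC text but rejects the stray backslash in UserType_a\b, which is the property the guide describes for the double-backslash grouping.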
You modify an existing Form Field Consistency relaxation by clicking it once to highlight it, then clicking the Modify button to display the Modify Form Field Consistency Check Relaxation dialog box, shown below.
Modify Form Field Consistency Check Relaxation Dialog Box

As you can see, this dialog box looks identical to the Add Form Field Consistency Check Relaxation dialog box, except for the title and that, instead of being blank, it contains the information for the form field relaxation you chose. See the description above for more information about the different parts of this dialog box and how to configure each. When you have finished configuring the Form Field Consistency check, you click the Close button to close the Modify Form Field Consistency Check dialog box and return to the Configure Application Firewall Profile dialog box.

The Field Formats Check

The Field Formats check requires that you tell the Application Firewall about the type and length of data expected in each form field on each web form you want to protect. It then examines the data users return using web forms on your web site and verifies that the data meets the formatting restrictions you set for that form field. If any web form data does not meet your formatting restrictions, the Application Firewall blocks the user's request. This check applies to HTML requests only; it does not apply to XML requests.
The Field Formats check prevents an attacker from returning inappropriate web form data to your web site, which in turn prevents certain types of attacks on your web site and back-end database servers. For example, if a particular field expects the user to enter a phone number, the Field Formats check examines the user's response to ensure that the data matches the format for a phone number. If a particular field expects a first name, the Field Formats check ensures that the data in that field is of a type and length appropriate for a first name. It does the same thing for each form field you configure it to protect. You can configure the Field Formats check manually, or by enabling learning and then approving the configuration rules that learning generates.

Note: The Field Formats check provides a different type of protection than the Form Field Consistency check. The Form Field Consistency check verifies that the structure of the web forms returned by users is intact, that data format restrictions configured in the HTML are respected, and that data in hidden fields has not been modified. It can do this without any specific knowledge about your web forms other than what it derives from the web form itself. The Field Formats check verifies that the data in each form field matches the specific formatting restrictions you configured manually, or generated using the learning feature and approved. In other words, the Form Field Consistency check enforces general web form security, while the Field Formats check enforces the specific rules you set for your web forms.

You configure the Field Formats check in the Modify Field Formats Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks.
In that tab, you can click the Field Formats entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows this dialog box as it appears for profiles created with advanced defaults. In profiles created with basic defaults, the Learn check box is not checked.
Modify Field Formats Check Dialog Box, General Tab

The General tab, displayed by default when you open the Modify Field Formats Check dialog box, contains the Check Action settings, which control how the check functions. These settings are:

Block. Tells the Application Firewall to block connections that violate the Field Formats check. Enabled by default in all profiles. You disable blocking for the Field Formats check by clearing the Block check box, and re-enable blocking by checking the Block check box.

If you created a profile with basic defaults, you probably will not want to configure the Field Formats rule. It requires significant effort to configure, and is useful primarily for web forms that do not already enforce the correct types and lengths of data in each field. If you want to use the Field Formats check, you should enable learning, and then follow the Field Formats check instructions for profiles created with advanced defaults.

If you created a profile with advanced defaults, there are many reasons why you might want to disable blocking for the Field Formats check. The most common is to prevent false positives when you first configure this check, or when you manually assign field formats to the fields in new web forms on your web site.
If you prefer to let learning generate a list of recommended field formats, you should also turn off blocking until learning has seen enough traffic to generate a list of recommended field formats and you have approved some or all of those field formats. You should then leave blocking turned off for a few days and observe the logs to ensure that the recommended field formats are working correctly with your forms before you re-enable blocking.

Learn. Tells the Application Firewall to use its learning feature to observe traffic to and from your protected web sites, and generate a list of recommended field formats for your web forms. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable learning by checking the Learn check box, and disable it by unchecking the Learn check box.

If you created a profile with basic defaults, you should not enable learning for the Field Formats check unless you plan to use this check. If you want to use the Field Formats check in this profile, you should enable learning, logging, and statistics, and then follow the Field Formats check instructions for profiles created with advanced defaults. If you created a profile with advanced defaults, you have a choice. If you want to configure and use the Field Formats check in this profile, you should leave learning enabled. If you do not want to use this check, you should disable learning.

If you want to use the Field Formats check, you should let learning generate a list of recommended field formats. To do this, you turn off blocking until learning has seen enough traffic to generate a list of field formats. You then review the learned field formats and accept those that you want to use. You then observe the logs for a few days to ensure that your configurations do not cause legitimate form field data to be blocked.
When you are certain that your configuration is working correctly, you re-enable blocking, and are done.

Log. Tells the Application Firewall to log any connections that violate the Field Formats check. Enabled by default in all profiles. You disable logging for the Field Formats rule by clearing the Log check box, and enable logging by checking the Log check box. If you do not plan to use the Field Formats check, you need not change this setting. If you are using the check, you normally will not want to disable logging for it or for any other check you are using to filter traffic. If anything unexpected happens, the logs are an important resource to troubleshoot.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the Field Formats check. Enabled by default in all profiles. You enable statistics for the Field Formats rule by checking the Statistics check box, and disable statistics by clearing the Statistics check box.
If you do not plan to use the Field Formats check, you need not change this setting. If you are using the check, you normally will not want to disable statistics for it or for any other check you are using to filter traffic. Statistics provide a useful means of measuring how often a particular security check is used when protecting your web sites, and how effective it is.

You assign field formats to form fields in the Field Formats check list, in the Modify Field Formats dialog box, Settings tab, shown below.

Modify Field Formats Check Dialog Box, Settings Tab

You remove a Field Format assignment by clicking it once to highlight it, then clicking the Remove button. You enable a disabled Field Format assignment by clicking the Enable button. You disable an active Field Format assignment by clicking the Disable button. You add a Field Format assignment to the Field Formats check by clicking the Add button to display the Add Field Format Check Relaxation dialog box, shown below.
Add Field Format Dialog Box

This dialog box contains the following sections:

Enabled check box. A field format assignment can be in active use (enabled) or can be inactive (disabled). When you create a field format assignment, it is enabled by default. You disable it by unchecking the Enabled check box.

Field Name. In the text area in the Field Name section, you enter either a literal string or a PCRE-format regular expression that defines the name of the form field to which you are assigning this field format. If you use a regular expression, you also check the check box labeled, Is Field Name Regular Expression. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions
Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a field name that contains any characters outside of the basic ASCII character set. If you want to include a field name that contains non-ASCII characters, you must enter those characters manually using the PCRE UTF-8 hexadecimal character encoding format. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several examples of Field Name relaxations.

- Choose form fields with the name FirstName: ^FirstName$
- Choose form fields with names beginning with Name_ and followed by a string beginning with a letter or number and consisting of from one to twenty-one letters, numbers, or the apostrophe or hyphen symbol: ^Name_[0-9A-Za-z][0-9A-Za-z'-]{0,20}$

You can modify this regular expression to match the form fields your web site uses. For example, if your web site has Turkish-speaking customers whose first names may contain special characters, you might have a form field that begins with the string Türkçe-FirstName_ on their logon page. The special characters in that string must be represented as encoded UTF-8 strings: ^T\xC3\xBCrk\xC3\xA7e-FirstName_[0-9A-Za-z]++$

If you want to allow encoded characters in the remainder of the field name as well as the first portion, you must group the character class at the end with the string \\x[0-9A-Fa-f][0-9A-Fa-f], as shown below: ^T\xC3\xBCrk\xC3\xA7e-FirstName_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])+$

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported special characters and how to encode them properly when configuring the Application Firewall.
- Choose form field names that begin with a letter or number, consist of a combination of letters and/or numbers only, and that contain the string Num anywhere in the string:
^[0-9A-Za-z]*Num[0-9A-Za-z]*$

Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they match exactly what you want them to match, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect.

Action URL. In the text area in the Action URL section, you enter a PCRE-format regular expression that defines the URL of the web forms that contain the form field to which you want to assign a particular field format. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Below are several example Field Format Action URL expressions.

- Choose URLs beginning with search.pl?, and containing any string after the query except for a new query: ^
- Choose URLs beginning with which contains the n-tilde (ñ) non-ASCII special character.
This special character must be represented as an encoded UTF-8 string containing C3 B1, the hexadecimal code assigned to that character in the UTF-8 charset: ^ [0-9A-Za-z][0-9A-Za-z_.-]*[.](asp|htp|php|s?html?)$

- Allow users to access web pages beginning with when the server contains pathnames or filenames that contain non-ASCII characters: ^ (([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*/)*([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])*[.](asp|htp|php|s?html?)$

In the expression above, each character class has been grouped with the string \\x[0-9A-Fa-f][0-9A-Fa-f], which will match all properly-constructed character encoding strings, but not allow stray
backslash characters that are not associated with a UTF-8 character encoding string. The double backslash (\\) is an escaped backslash, which tells the Application Firewall to interpret it as a literal backslash. If you included only one backslash, the Application Firewall would instead interpret the following left square bracket ([) as a literal character rather than the opening of a character class, which would break the expression.

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported characters and how to encode them properly when configuring the Application Firewall.

- Choose URLs that contain the string /search.cgi?: ^[^?<>]*/search[.]cgi\?[^?<>]*$

Format. In the Format section, you fill in the list box and two text boxes.

- Type. Click the down arrow to the right of the Type list box, and choose a field type from the field types list. If you want to add a new field type definition to the list, click the Manage button to open the Manage Field Types dialog box. For more information on adding field types, see Chapter 7, Field Types.
- Minimum Length. If you want to require users to fill in this particular form field, type a positive integer that represents the minimum length in characters of data in this particular form field. The default value is zero (0), meaning that the field can be left blank.
- Maximum Length. If you want to limit the length of data returned in this field, type a positive integer that represents the maximum length in characters of data in this particular form field. The default value is

Comments. In the text area in the Comments section, you type a comment that explains what this field format does, and why you added it. This section is optional; you can leave it blank if you wish.
When you have finished filling out the Add Field Format Check Relaxation dialog box, you click the Create button, and when prompted confirm your choice by clicking the Yes button, to add your new field format assignment to the list. You can then repeat the process as many times as you want to add additional assignments. You modify an existing Field Format assignment by clicking it once to highlight it, then clicking the Modify button to display the Modify Field Format dialog box, shown below.
Modify Field Format Dialog Box

As you can see, this dialog box looks identical to the Add Field Format dialog box, except for the title and that, instead of being blank, it contains the information for the field format assignment you chose. See the description above for more information about the different parts of this dialog box and how to configure each. When you have finished configuring the Field Formats check, you click the Close button to close the Modify Field Formats dialog box and return to the Configure Application Firewall Profile dialog box.
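The contrast the Note above draws between the two checks, together with the Type, Minimum Length and Maximum Length settings just described, as an added Python example rather than anything from the guide or the appliance: a small model of both checks side by side, where the Form Field Consistency rules come only from the served HTML (hidden values, maxlength limits, select options) and the Field Formats rules come from administrator-entered assignments (field type, minimum and maximum length, action URL). The sample form, the POST bodies, the alpha and phone field types and the /order.asp action URL are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample form (not from the guide), standing in for a page the
# protected web server sends to the browser.
SERVED_FORM = """
<form action="/order.asp" method="post">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="FirstName" maxlength="30">
  <input type="text" name="Phone" maxlength="15">
  <select name="UserType"><option>guest</option><option>member</option></select>
</form>
"""


class FormSpec(HTMLParser):
    """Collects what the Form Field Consistency check can take from the form
    itself: field names, hidden values, maxlength limits and select options."""

    def __init__(self):
        super().__init__()
        self.fields, self._select, self._in_option = {}, None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.fields[a["name"]] = {
                "hidden": a.get("value") if a.get("type") == "hidden" else None,
                "maxlength": int(a["maxlength"]) if "maxlength" in a else None,
                "options": None}
        elif tag == "select":
            self._select = a["name"]
            self.fields[a["name"]] = {"hidden": None, "maxlength": None, "options": []}
        elif tag == "option" and self._select is not None:
            self._in_option = True

    def handle_data(self, data):
        if self._in_option:
            self.fields[self._select]["options"].append(data.strip())

    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False
        elif tag == "select":
            self._select = None


def parse_form(html: str) -> dict:
    p = FormSpec()
    p.feed(html)
    p.close()
    return p.fields


def consistency_violations(spec: dict, submitted: dict) -> list:
    """Form Field Consistency: rules derived only from the served form."""
    problems = [f"unexpected field {n!r}" for n in submitted if n not in spec]
    for name, f in spec.items():
        if name not in submitted:
            problems.append(f"missing field {name!r}")
            continue
        v = submitted[name]
        if f["hidden"] is not None and v != f["hidden"]:
            problems.append(f"hidden field {name!r} modified")
        if f["maxlength"] is not None and len(v) > f["maxlength"]:
            problems.append(f"{name!r} exceeds maxlength {f['maxlength']}")
        if f["options"] is not None and v not in f["options"]:
            problems.append(f"{name!r} is not one of the offered options")
    return problems


# Constructed field types (the guide's own list is managed under Chapter 7,
# Field Types) and the assignments an administrator would type into the
# Add Field Format dialog: field name, action URL, type, min and max length.
FIELD_TYPES = {"alpha": re.compile(r"^[A-Za-z]*$"),
               "phone": re.compile(r"^\+?[0-9][0-9 ()-]*$")}
FIELD_FORMATS = [("FirstName", r"^/order[.]asp$", "alpha", 1, 30),
                 ("Phone", r"^/order[.]asp$", "phone", 7, 15)]


def field_format_violations(action_url: str, submitted: dict) -> list:
    """Field Formats: rules supplied by the administrator, not by the HTML."""
    problems = []
    for name, url_rx, ftype, lo, hi in FIELD_FORMATS:
        if not re.search(url_rx, action_url) or name not in submitted:
            continue
        v = submitted[name]
        if not lo <= len(v) <= hi:
            problems.append(f"{name!r} length {len(v)} outside {lo}..{hi}")
        if not FIELD_TYPES[ftype].match(v):
            problems.append(f"{name!r} is not a valid {ftype}")
    return problems


def check_submission(action_url: str, body: str) -> tuple:
    """Run both checks on a POST body; returns the two violation lists."""
    submitted = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return (consistency_violations(parse_form(SERVED_FORM), submitted),
            field_format_violations(action_url, submitted))
```

Feeding check_submission("/order.asp", ...) a body with price=0.01 and UserType=admin produces two Form Field Consistency violations and no Field Formats violation, because the tampering is visible from the served form alone; a body with FirstName=Al1ce and Phone=12 passes the consistency check (the form imposed no such rules) and fails only the administrator-configured Field Formats, which is the division of labour the Note describes. A minimum length of 0 would let Phone be left blank, as the guide says for the default.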
The HTML Cross-Site Scripting Check

The HTML Cross-Site Scripting check provides special defenses against cross-site scripting attacks. The Application Firewall examines user requests for possible cross-site scripting attacks. If it finds a possible cross-site scripting attack, it either transforms the request to render the attack harmless, or blocks the request.

The purpose of the HTML Cross-Site Scripting check is to prevent misuse of the scripts on your protected web sites to breach security on your web sites. It does this by blocking scripts that violate the same origin rule, which states that scripts should not access or modify content on any server but the server where they are located. Any script that violates the same origin rule is called a cross-site script, and the practice of using scripts to access or modify content on another server is called cross-site scripting. The reason cross-site scripting is a security issue is that a web server that allows cross-site scripting can be attacked using a script that is not on that web server, but on a different web server, such as one owned and controlled by the attacker. In practice, the check looks for HTML tags and script content in the data a user submits (the query portion of the URL and the data in web forms, and optionally the complete URL), because that is how an attacker gets a foreign script into a page your server returns to other users.

Unfortunately many companies have a large installed base of JavaScript-enhanced web content that violates the same origin rule. To enable the HTML Cross-Site Scripting check on these web sites, the system administrators will have to generate the appropriate relaxations so that this check does not block legitimate activity on the web site.

Caution: If you enable this feature on a NetScaler appliance that is a single CPU unit, and your protected web sites accept file uploads or contain web forms that produce extremely large POST bodies when a user fills them out, you should ensure that your Application Firewall is configured appropriately. For detailed information, see Appendix C, Configuring for Large Files and Web Pages, on page 405.
You configure the HTML Cross-Site Scripting check in the Modify HTML Cross-Site Scripting Check dialog box. You access this dialog box by choosing a profile in the Profiles page, clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you can click the HTML Cross-Site Scripting entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows the Modify HTML Cross-Site Scripting Check dialog box, General tab, as it appears for profiles created with advanced defaults. In profiles created with basic defaults, the Learn check box is not checked.
Modify HTML Cross-Site Scripting Check Dialog Box, General Tab

The General tab, displayed by default when you open the Modify HTML Cross-Site Scripting Check dialog box, contains the Check Action settings, which control how the check functions. These settings are:

Block. Tells the Application Firewall to block connections that violate the HTML Cross-Site Scripting check. Enabled by default in profiles created with both basic and advanced defaults. You disable blocking for the HTML Cross-Site Scripting check by clearing the Block check box, and re-enable blocking after disabling it by checking the Block check box.

Learn. Tells the Application Firewall to use its learning feature to observe traffic to and from your protected web sites, and generate a list of recommended cross-site scripting relaxations for your web forms. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable learning by checking the Learn check box, and disable it by unchecking the Learn check box.

If you created a profile with basic defaults, you should not enable learning for the HTML Cross-Site Scripting check unless legitimate scripts on your protected web sites are blocked by this check. If that is the case, you should
disable blocking, enable learning, and then follow the HTML Cross-Site Scripting check instructions for profiles created with advanced defaults.

If you created a profile with advanced defaults, you have a choice. If your protected web sites do not use scripts, or if you are certain that none of your scripts violates the cross-site scripting rules, you can disable learning. The HTML Cross-Site Scripting check will block no legitimate traffic on web sites that do not use scripts, or that use scripts that do not violate cross-site scripting rules. If your protected web sites use active scripts and you are not certain that these scripts adhere to the cross-site scripting rules, you should leave learning enabled and let it generate a list of recommended cross-site scripting relaxations. To do this, you turn off blocking until learning has seen enough traffic to generate a list of relaxations. You then review the learned cross-site scripting relaxations, and accept those that you want to use. You then observe the logs for a few days to ensure that your configuration does not cause legitimate cross-site scripts to be blocked. When you are certain that your configuration is working correctly, you re-enable blocking, and are done.

Log. Tells the Application Firewall to log any connections that violate the HTML Cross-Site Scripting check. Enabled by default in profiles created with both basic and advanced defaults. You disable logging for the HTML Cross-Site Scripting rule by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

Statistics. Tells the Application Firewall to generate statistics for violations of the HTML Cross-Site Scripting check. Enabled by default in profiles created with both basic and advanced defaults.
You disable statistics for the HTML Cross-Site Scripting check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites. Transform cross-site scripts. Tells the Application Firewall to modify any cross-site scripts it detects to render them harmless. Disabled by default in profiles created with both basic and advanced defaults. You enable this feature by checking the Transform check box, and disable it after enabling it by unchecking the Transform check box.
267 Chapter 11 The HTML Security Checks 253 If you enable this feature, the Application Firewall performs the following transformations: - Left angle bracket (<) to HTML character entity equivalent (<) - Right angle bracket (>) to HTML character entity equivalent (>). This ensures that browsers do not interpret unsafe html tags, such as <script>, and thereby execute malicious code. When scripts on your protected web site contain cross-site scripting features, but the web site does not rely upon those scripts to operate correctly, you can disable blocking and enable this feature to prevent blocking of legitimate web pages without reducing the protection that the Application Firewall provides to your protected web sites. Note: You normally enable either Transform Cross-Site Scripts or blocking, but not both. If you have blocking enabled, enabling transformation is redundant because the Application Firewall is already blocking access to those web pages that contain cross-site scripts. Check complete URLs for cross-site scripting. Tells the Application Firewall to check the entire URL, instead of just the query portion of the URL, for violations of the HTML Cross-Site Scripting check. Disabled by default in profiles created with both basic and advanced defaults. You enable this feature by checking the Check Complete URLs check box, and disable it after enabling it by unchecking the Check Complete URLs check box. You add, modify, delete, enable and disable relaxations to the HTML Cross-Site Scripting check in the Modify HTML Cross-Site Scripting Check dialog box, Settings tab, shown below.
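The Block, Transform and Log actions described above, as an added example that is not code from this guide or from the NetScaler appliance: a small Python model of how the three actions combine for one form-field value. The tag-shaped pattern used to decide that a value violates the check is an assumption standing in for the appliance's own detection logic; the two-character transformation is exactly the one the guide lists.

```python
import re

# Simplified stand-in for the appliance's cross-site scripting detector (an
# assumption for this example): a field value violates the check when it
# contains something shaped like an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def transform_cross_site_scripts(value: str) -> str:
    """The Transform action as the guide describes it: only the two angle
    brackets are rewritten to their HTML character entity equivalents, so a
    browser renders them as text instead of parsing a tag."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def apply_xss_check(value: str, *, block: bool = True, transform: bool = False,
                    log: bool = True) -> dict:
    """Apply the Block / Transform / Log actions to one form-field value.

    Returns the action taken, the value that would be forwarded to the web
    server (None when blocked) and the log lines the actions produced.
    """
    events = []
    if not TAG_RE.search(value):
        return {"action": "allow", "value": value, "log": events}

    if log:
        events.append("HTML Cross-Site Scripting check violated in field value %r" % value)

    # Blocking takes precedence: once a request is blocked there is nothing
    # left to transform, which is why the guide calls enabling both redundant.
    if block:
        return {"action": "block", "value": None, "log": events}
    if transform:
        return {"action": "transform",
                "value": transform_cross_site_scripts(value), "log": events}
    # Neither action enabled: the violation is only logged (learning mode).
    return {"action": "allow", "value": value, "log": events}


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"   # constructed test input
    print(apply_xss_check(sample))
    print(apply_xss_check(sample, block=False, transform=True))
    print(apply_xss_check("price < 100 and > 50"))
```

Running the module prints the three outcomes: a blocked request, the transformed value `&lt;script&gt;alert(1)&lt;/script&gt;`, and a benign comparison that contains angle brackets but no tag and so passes untouched. The block-before-transform ordering is what makes enabling both actions redundant, as the note above says.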
Modify HTML Cross-Site Scripting Check Dialog Box, Settings Tab

You remove an HTML cross-site scripting relaxation by clicking it once to highlight it, then clicking the Remove button. You enable a disabled HTML cross-site scripting relaxation by clicking the Enable button. You disable an active HTML cross-site scripting relaxation by clicking the Disable button.

You add a new cross-site scripting relaxation to the HTML Cross-Site Scripting check by clicking the Add button to display the Add HTML Cross-Site Scripting Check Relaxation dialog box, shown below.

Add HTML Cross-Site Scripting Check Relaxation Dialog Box

As with other Add dialog boxes in the configuration utility, if you selected an existing HTML Cross-Site Scripting check relaxation before clicking the Add button, the Add HTML Cross-Site Scripting dialog box is displayed with the information from that HTML cross-site scripting relaxation. You can use this information as the basis of your new relaxation, or you can delete it and create an entirely new relaxation. When you save your new relaxation, the configuration utility does not overwrite the selected relaxation. Instead, it creates a new cross-site scripting relaxation. If you did not first select an existing relaxation, the dialog box is displayed empty, as shown above.

This dialog box contains the following sections:

Enabled check box. A relaxation can be in active use (enabled) or can be inactive (disabled). When you create a relaxation, it is enabled by default. You disable it by clearing the Enabled check box.

Field Name. In the text area in the Field Name section, you enter either a literal field name or a PCRE-format regular expression that defines the field names to which your relaxation applies. If you type a PCRE-format regular expression, you must also check the check box labeled Is Field Name Regular Expression. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Below are several example field name expressions.

- Check all fields beginning with the string logon_ and followed by a string of upper- and lower-case letters or numbers that is at least two characters long and no more than fifteen characters long:

  ^logon_[0-9A-Za-z]{2,15}$

- Choose form fields with names beginning with Name_ and followed by a string beginning with a letter or number and consisting of from one to twenty letters, numbers, or the apostrophe or hyphen symbol:

  ^Name_[0-9A-Za-z][0-9A-Za-z'-]{0,20}$

  You can modify this regular expression to match the form fields your web site uses. For example, if your web site has Turkish-speaking customers whose first names may contain special characters, you might have a form field that begins with the string Türkçe-Name_ on their logon page. The special characters in that string must be represented as encoded UTF-8 strings.

  ^T\xC3\xBCrk\xC3\xA7e-Name_[0-9A-Za-z]+$

  If you want to allow encoded characters in the remainder of the field name as well as the first portion, you must group the character class at the end with the string \\x[0-9A-Fa-f][0-9A-Fa-f], as shown below:

  ^T\xC3\xBCrk\xC3\xA7e-Name_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])+$

  Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported special characters and how to encode them properly when configuring the Application Firewall.

- Check all fields beginning with the string sessionid- and followed by a ten-digit number:

  ^sessionid-[0-9]{10,10}$

Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they define exactly the URL you want to add as a relaxation, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect, such as blocking access to web content that you did not intend to block.

URL. In the text area in the URL section, you enter either a literal URL or a PCRE-format regular expression that defines the URLs to which your relaxation applies. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a URL that contains any characters outside of the basic ASCII character set. If you want to include a URL that contains non-ASCII characters, you must enter those characters manually using the PCRE hexadecimal character encoding format. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several example URL expressions.

- Check all URLs beginning with the string query_ and followed by a string of upper- and lower-case letters or numbers that is at least two characters long and no more than forty characters long, and ending with the string .js:

  ^query_[0-9A-Za-z]{2,40}[.]js$

- Check all URLs containing the string prodinfo in the path:

  ^https?://[0-9A-Za-z._-]*/[^<>?]*\?prodinfo[^<>?]*$

- Check all URLs containing the string prodinfo in the path, on servers with hostnames, pathnames or filenames that contain non-ASCII characters:

  ^https?://(([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])([0-9A-Za-z_-]|\\x[0-9A-Fa-f][0-9A-Fa-f])+[.])+[a-z]{2,6}/[^<>?]*\?prodinfo[^<>?]*$

In the expression above, each character class has been grouped with the string \\x[0-9A-Fa-f][0-9A-Fa-f], which will match all properly-constructed character encoding strings, but not allow stray backslash characters that are not associated with a UTF-8 character encoding string. The double backslash (\\) is an escaped backslash, which tells the Application Firewall to interpret it as a literal backslash. If you included only one backslash, the Application Firewall would instead interpret the following left square bracket ([) as a literal character rather than the opening of a character class, which would break the expression.

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported characters and how to encode them properly when configuring the Application Firewall.

Comments. In the text area in the Comments section, you type a comment that explains why you added this relaxation to the configuration. This section is optional; you can leave it blank if you wish.

When you have finished filling out the Add HTML Cross-Site Scripting Check Relaxation dialog box, you click the Create button. A message box appears notifying you that the resource was successfully created. You click the Yes button to close the message box and return to the Add HTML Cross-Site Scripting Check Relaxation dialog box. Your new relaxation appears in the list. You can then repeat the process as many times as you want to add additional relaxations.

You modify an existing cross-site scripting relaxation by clicking it once to highlight it, then clicking the Modify button to display the Modify HTML Cross-Site Scripting Check Relaxation dialog box, shown below.
Modify HTML Cross-Site Scripting Check Relaxation Dialog Box

As you can see, this dialog box looks identical to the Add HTML Cross-Site Scripting Check Relaxation dialog box, except that the leftmost button at the bottom is labeled Save instead of Create. Unlike with the previous dialog box, the configuration utility will overwrite the selected relaxation with any changes you make in this dialog box after you click the Save button. See the description above for more information about the different parts of this dialog box and how to configure each.

When you have finished configuring the cross-site scripting check, you click the Close button to close the Modify HTML Cross-Site Scripting Check dialog box and return to the Configure Application Firewall Profile dialog box.

The HTML SQL Injection Check

The HTML SQL Injection check provides special defenses against injection of unauthorized SQL code that might break security. This check applies to HTML profiles only; it is not used with XML profiles.

Many web applications have web forms that communicate with relational database servers using SQL. Often the scripts that pass web form information to the database do not validate the information provided by the user before passing it on to the database, allowing malicious code or a hacker to send SQL commands to the web server via the insecure web form. If the Application Firewall detects unauthorized SQL code in a user request, it either transforms the request to render the SQL code inactive, or blocks the request.

Caution: If you enable this feature, your NetScaler appliance is a single-CPU unit, and your protected web sites accept file uploads or contain web forms that produce extremely large POST bodies when a user fills them out, you should ensure that your Application Firewall is configured appropriately. For detailed information, see Appendix C, Configuring for Large Files and Web Pages, on page 405.

You configure the SQL Injection check in the Modify SQL Injection Check dialog box. You access this dialog box by choosing a profile in the Profiles page and clicking the Open button to display the Configure Application Firewall Profile dialog box. You then click the Checks tab to see a list of all the Application Firewall security checks. In that tab, you can click the SQL Injection entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule.

The following figure shows the Modify HTML SQL Injection Check dialog box as it appears for profiles created with advanced defaults. In profiles created with basic defaults, the Learn check box is not checked.
Modify HTML SQL Injection Check Dialog Box, General Tab

The General tab, displayed by default when you open the Modify SQL Injection Check dialog box, contains the Actions settings, which control how the check functions. These settings are:

Block. Tells the Application Firewall to block connections that contain injected SQL code. Enabled by default in profiles created with both basic and advanced defaults. You disable blocking for the HTML SQL Injection check by clearing the Block check box, and re-enable blocking after disabling it by checking the Block check box.

Learn. Tells the Application Firewall to use its learning engine to observe traffic to and from your protected web sites, and generate a list of recommended SQL injection relaxations. Disabled by default in profiles created with basic defaults, and enabled by default in profiles created with advanced defaults. You enable learning by checking the Learn check box, and disable it by unchecking the Learn check box.

If you created a profile with basic defaults, you should not enable learning for the HTML SQL Injection check unless legitimate web form traffic on your protected web sites is blocked by this check. If that is the case, you should disable blocking, enable learning, and then follow the HTML SQL Injection check instructions for profiles created with advanced defaults.

If you created a profile with advanced defaults, you have three choices. If your protected web sites do not contain web forms, or if you are certain that none of your web forms violates the HTML SQL Injection check rules, you can disable learning. The SQL Injection check will block no legitimate traffic on web sites that do not use web forms, or that use web forms that do not violate the HTML SQL Injection check rules.

If your protected web sites use web forms and you are not certain that these web forms do not violate the HTML SQL Injection rules, you should leave learning enabled and let it generate a list of recommended SQL injection relaxations. To do this, you turn off blocking until learning has seen enough traffic to generate a list of relaxations. You then review the learned SQL injection relaxations, and accept those that you want to use. You then observe the logs for a few days to ensure that your configuration does not cause legitimate web form traffic to be blocked. When you are certain that your configuration is working correctly, you re-enable blocking, and are done.

Log. Tells the Application Firewall to log any connections that violate the HTML SQL Injection check. Enabled by default in profiles created with both basic and advanced defaults. You disable logging for the HTML SQL Injection check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource for troubleshooting.

Statistics. Tells the Application Firewall to generate statistics for violations of the HTML SQL Injection check. Enabled by default in profiles created with both basic and advanced defaults. You disable statistics for the HTML SQL Injection check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

Transform SQL special characters. Tells the Application Firewall to change any SQL special characters it detects into harmless equivalents. SQL special characters tell an SQL server that the following text is an SQL command or SQL keyword. Normally, unless the appropriate SQL special characters are present, an SQL database ignores any SQL keywords. Disabled by default in profiles created with both basic and advanced defaults. You enable this feature by checking the Transform check box, and disable it after enabling it by unchecking the Transform check box.

If you enable the Transform feature, the Application Firewall performs the following transformations:

- Single straight quote (') to double straight quote (")
- Backslash (\) to double backslash (\\)
- Semicolon (;) is dropped completely

When web forms on your protected web site may legitimately contain SQL special characters or SQL keywords, but the web form does not rely upon them to operate correctly, you can disable blocking and enable this feature to prevent blocking of legitimate web form data without reducing the protection that the Application Firewall provides to your protected web sites.

Note: You normally enable either this feature or blocking, but not both. If you have blocking enabled, enabling transformation is redundant because the Application Firewall is already blocking access to those web pages that contain injected SQL code.

Beneath the Actions area is the Parameters area, which contains additional configuration items.

Restrict checks to fields containing SQL special characters. Tells the Application Firewall to check only form data that contains SQL special characters for violations of the HTML SQL Injection check rules. Since most SQL databases ignore any SQL commands that are not accompanied by the appropriate SQL special characters, this usually reduces server load without compromising security. Disabled by default in profiles created with basic defaults, and enabled in profiles created with advanced defaults. You enable this feature by checking its check box, and disable it after enabling it by unchecking the check box.

SQL Comments Handling. Tells the Application Firewall how to handle SQL comments in the web pages it checks. By default, the Application Firewall treats all SQL comments as it does any other content, and checks the entire request for SQL special characters and keywords. Since SQL servers ignore any text they recognize as part of a comment, you can help prevent false positives by configuring the Application Firewall to recognize SQL comments and skip them when checking a request for violations of the SQL injection check. You can also thwart attackers who may send requests containing comments and observe your web server's response to profile your SQL server's behavior and identify which SQL software it uses.

Unlike the other options on the General tab, the SQL Comments Handling option consists not of a check box but of an array of radio buttons. To modify the SQL Comments Handling settings, you click the radio button beside the option you want.

- ANSI. Tells the Application Firewall to recognize SQL ANSI comments, which are normally used by Unix-based SQL databases, and skip those comments when filtering requests for violations of the SQL injection check.

- Nested. Tells the Application Firewall to recognize nested SQL comments, which are normally used by Microsoft SQL Server, and skip those comments when filtering requests for violations of the SQL injection check.

- ANSI/Nested. Tells the Application Firewall to recognize comments that adhere to both the ANSI and nested SQL comment standards, and skip those comments when filtering requests for violations of the SQL injection check. Comments that match only the ANSI standard, or only the nested standard, will not be skipped.

  Note: You should normally choose either the Nested or the ANSI/Nested option only if your back-end database runs on Microsoft SQL Server. Most other types of SQL server software do not recognize nested comments. For that reason, no requests containing nested comments should be directed at other types of SQL servers. If nested comments do appear in a request directed at another type of SQL server, they may indicate an attempt to breach security on that server.

- Check all Comments. Tells the Application Firewall to check the entire request for violations of the SQL injection check, without skipping anything.

You add, modify, remove, enable and disable relaxations to the HTML SQL Injection check in the Modify HTML SQL Injection Check dialog box, Settings tab, shown below.
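The Transform action, the Restrict checks to fields containing SQL special characters parameter and the SQL Comments Handling option described above, as an added Python example that is not code from this guide or from the appliance. The special-character set (the three characters the Transform action rewrites), the keyword list and the `ansi`/`nested`/`check_all` mode names are assumptions of this example, and the combined ANSI/Nested option is not modelled; what the example shows is how comment skipping removes a false positive and how the restrict parameter decides which fields are inspected at all.

```python
import re

# SQL special characters and keywords as this example models them (an
# assumption, not the appliance's own signature set): the three characters
# the Transform action rewrites, plus a few common statement keywords.
SQL_SPECIAL_CHARS = frozenset("'\\;")
SQL_KEYWORD_RE = re.compile(
    r"\b(select|union|insert|update|delete|drop|alter|exec)\b", re.IGNORECASE)
ANSI_COMMENT_RE = re.compile(r"--[^\n]*")


def transform_sql_special_characters(value: str) -> str:
    """The Transform action as the guide lists it: ' becomes ", \\ becomes \\\\
    and ; is dropped. Backslashes are doubled first so the doubled result is
    not rewritten a second time."""
    return value.replace("\\", "\\\\").replace("'", '"').replace(";", "")


def strip_nested_comments(text: str) -> str:
    """Remove /* ... */ comments, honouring nesting as Microsoft SQL Server
    does. An unterminated comment swallows the rest of the text, which is
    also how the server would treat it."""
    out, depth, i = [], 0, 0
    while i < len(text):
        pair = text[i:i + 2]
        if pair == "/*":
            depth += 1
            i += 2
        elif pair == "*/" and depth > 0:
            depth -= 1
            i += 2
        else:
            if depth == 0:
                out.append(text[i])
            i += 1
    return "".join(out)


def strip_sql_comments(text: str, mode: str) -> str:
    """SQL Comments Handling: 'ansi' skips -- comments, 'nested' skips nested
    block comments, 'check_all' skips nothing (the default behaviour)."""
    if mode == "ansi":
        return ANSI_COMMENT_RE.sub("", text)
    if mode == "nested":
        return strip_nested_comments(text)
    if mode == "check_all":
        return text
    raise ValueError("unknown comment handling mode: %s" % mode)


def sql_injection_check(value: str, *, block: bool = True, transform: bool = False,
                        restrict_to_special_chars: bool = True,
                        comments: str = "check_all") -> dict:
    """Apply the Actions and Parameters of the HTML SQL Injection check to one
    form-field value and report the action taken."""
    # Parameter: only fields carrying SQL special characters are inspected.
    if restrict_to_special_chars and not (SQL_SPECIAL_CHARS & set(value)):
        return {"action": "allow", "value": value}
    # Parameter: text the SQL server would ignore as a comment is skipped.
    inspected = strip_sql_comments(value, comments)
    if not SQL_KEYWORD_RE.search(inspected):
        return {"action": "allow", "value": value}
    # A violation: Block wins over Transform, as the note above explains.
    if block:
        return {"action": "block", "value": None}
    if transform:
        return {"action": "transform", "value": transform_sql_special_characters(value)}
    return {"action": "allow", "value": value}


if __name__ == "__main__":
    # Constructed field values: a harmless name with an apostrophe and an
    # ANSI comment, and a value carrying an injected statement.
    print(sql_injection_check("O'Brien -- select", comments="ansi"))
    print(sql_injection_check("O'Brien -- select"))
    print(sql_injection_check("abc'; DROP TABLE accounts"))
    print(sql_injection_check("abc'; DROP TABLE accounts", block=False, transform=True))
```

The first two calls show the false-positive case the guide describes: with ANSI comment handling the keyword after `--` is skipped and the field passes, with the default Check all Comments setting the same field is blocked. The last call shows the transformed value, in which the quote has become a double quote and the semicolon is gone, so the database no longer sees the injected text as a separate statement.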
Modify HTML SQL Injection Check Dialog Box, Settings Tab

You add a new SQL injection relaxation to the HTML SQL Injection check by clicking the Add button to display the Add SQL Injection Check Relaxation dialog box, shown below.

Add HTML SQL Injection Check Relaxation Dialog Box

As with other Add dialog boxes in the configuration utility, if you first select an existing HTML SQL Injection check relaxation, the Add HTML SQL Injection Relaxation dialog box is displayed with the information from that HTML SQL injection relaxation. You can use this information as the basis of your new relaxation, or you can delete it and create an entirely new relaxation. When you save your new relaxation, the configuration utility does not overwrite the selected relaxation. Instead, it creates a new SQL injection relaxation. If you do not select an existing relaxation, the dialog box is displayed empty, as shown above.

This dialog box contains the following sections:

Enabled check box. A relaxation can be in active use (enabled) or can be inactive (disabled). When you create a relaxation, it is enabled by default. You disable it by clearing the Enabled check box.

Field Name. In the text area in the Field Name section, you enter either a literal field name or a PCRE-format regular expression that defines the field names to which your relaxation applies. If you type a PCRE-format regular expression, you must also check the check box labeled Is Field Name Regular Expression. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Below are several example field name expressions.

- Check all fields beginning with the string logon_ and followed by a string of upper- and lower-case letters or numbers that is at least two characters long and no more than fifteen characters long:

  ^logon_[0-9A-Za-z]{2,15}$

- Choose form fields with names beginning with logon_ and followed by a string beginning with a letter or number and consisting of from one to twenty letters, numbers, or the apostrophe or hyphen symbol:

  ^logon_[0-9A-Za-z][0-9A-Za-z'-]{0,20}$

  You can modify this regular expression to match the form fields your web site uses. For example, if your web site has Turkish-speaking customers whose first names may contain special characters, you might have a form field that begins with the string türkçe-logon_ on their logon page. The special characters in that string must be represented as encoded UTF-8 strings.

  ^t\xc3\xbcrk\xc3\xa7e-logon_[0-9A-Za-z]+$

  If you want to allow encoded characters in the remainder of the field name as well as the first portion, you must group the character class at the end with the string \\x[0-9A-Fa-f][0-9A-Fa-f], as shown below:

  ^t\xc3\xbcrk\xc3\xa7e-logon_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f])+$

  Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported special characters and how to encode them properly when configuring the Application Firewall.

- Check all fields beginning with the string sessionid- and followed by a ten-digit number:

  ^sessionid-[0-9]{10,10}$

Caution: Regular expressions are powerful. Especially if you are not thoroughly familiar with PCRE-format regular expressions, double-check any regular expressions you write to ensure that they define exactly the URL you want to add as a relaxation, and nothing else. Careless use of wildcards, and especially of the dot-asterisk (.*) metacharacter/wildcard combination, can have results you did not want or expect, such as blocking access to web content that you did not intend to block.

URL. In the text area in the URL section, you type either a literal URL or a PCRE-format regular expression that defines the URLs to which your relaxation applies. You can type the regular expression, use the Regex Tokens menu to enter regular expression elements and symbols directly into the text box, or use the Expressions Editor to construct the expression. For information and instructions on using the Regex Tokens menu and the Regular Expressions Editor, see Configuring the Profile Settings at the Configuration Utility on page 121 and following.

Note: The regular expression you type must consist of ASCII characters only. Do not cut and paste a URL that contains any characters outside of the basic ASCII character set. If you want to include a URL that contains non-ASCII characters, you must enter those characters manually using the PCRE hexadecimal character encoding format. For more information, see Appendix A, PCRE Character Encoding Format, on page 383.

Below are several example URL expressions.

- Check all URLs beginning with the string query_ and followed by a string of upper- and lower-case letters or numbers that is at least two characters long and no more than forty characters long, and ending with the string .js:

  ^query_[0-9A-Za-z]{2,40}[.]js$

- Check all URLs beginning with the same string as above, on servers with hostnames, pathnames or filenames that contain non-ASCII characters:

  ^query_([0-9A-Za-z]|\\x[0-9A-Fa-f][0-9A-Fa-f]){2,40}[.]js$

In the expression above, each character class has been grouped with the string \\x[0-9A-Fa-f][0-9A-Fa-f], which will match all properly-constructed character encoding strings, but not allow stray backslash characters that are not associated with a UTF-8 character encoding string. The double backslash (\\) is an escaped backslash, which tells the Application Firewall to interpret it as a literal backslash. If you included only one backslash, the Application Firewall would instead interpret the following left square bracket ([) as a literal character rather than the opening of a character class, which would break the expression.

Note: See Appendix A, PCRE Character Encoding Format, on page 383 for a complete description of supported characters and how to encode them properly when configuring the Application Firewall.

Comments. In the text area in the Comments section, you type a comment that explains why you added this relaxation to the configuration. This section is optional; you can leave it blank if you wish.

When you have finished filling out the Add HTML SQL Injection Check Relaxation dialog box, you click the Create button. A message box appears notifying you that the resource was successfully created. You click the Yes button to close the message box and return to the Add HTML SQL Injection Check Relaxation dialog box. Your new relaxation appears in the list. You can then repeat the process as many times as you want to add additional relaxations.

You modify an existing SQL injection relaxation by clicking it once to highlight it, then clicking the Modify button to display the Modify HTML SQL Injection Check Relaxation dialog box, shown below.

Modify HTML SQL Injection Check Relaxation Dialog Box

As you can see, this dialog box looks identical to the Add HTML SQL Injection Check Relaxation dialog box, except that the leftmost button at the bottom is labeled Save instead of Create. Unlike with the previous dialog box, the configuration utility will overwrite the selected relaxation with any changes you make in this dialog box after you click the Save button. See the description above for more information about the different parts of this dialog box and how to configure each.

When you have finished configuring the SQL injection check, you click the Close button to close the Modify HTML SQL Injection Check dialog box and return to the Configure Application Firewall Profile dialog box.
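The field-name and URL relaxation expressions from the HTML Cross-Site Scripting and HTML SQL Injection check examples above, tried against constructed field names and URLs in an added Python example that is not code from this guide or from the appliance. Python's `re` module on byte strings stands in for the appliance's PCRE engine, so the `\xC3\xBC` style encoding matches the UTF-8 bytes of a field name as the guide describes; the example assumes a relaxation applies only when both its field-name and its URL expression match, and the `\\x[0-9A-Fa-f][0-9A-Fa-f]` alternatives, whose interpretation is specific to the appliance, are left out. It also demonstrates the caution about careless `.*` wildcards.

```python
import re

# Relaxation table constructed for this example, using the field-name and URL
# expressions from the guide's examples. Patterns are bytes so that the
# \xC3\xBC style UTF-8 hex encoding matches the UTF-8 bytes of a field name.
RELAXATIONS = [
    {"name": "logon fields on js helpers", "enabled": True,
     "field": rb"^logon_[0-9A-Za-z]{2,15}$",
     "url": rb"^query_[0-9A-Za-z]{2,40}[.]js$"},
    {"name": "turkish names on prodinfo pages", "enabled": True,
     "field": rb"^T\xC3\xBCrk\xC3\xA7e-Name_[0-9A-Za-z]+$",
     "url": rb"^https?://[0-9A-Za-z._-]*/[^<>?]*\?prodinfo[^<>?]*$"},
    {"name": "session id, disabled", "enabled": False,
     "field": rb"^sessionid-[0-9]{10,10}$",
     "url": rb"^query_[0-9A-Za-z]{2,40}[.]js$"},
]


def find_relaxation(field_name: str, url: str, relaxations=RELAXATIONS):
    """Return the name of the first enabled relaxation whose field-name and URL
    expressions both match (an assumption of this example), or None when the
    field stays under the security check."""
    f, u = field_name.encode("utf-8"), url.encode("utf-8")
    for r in relaxations:
        if r["enabled"] and re.search(r["field"], f) and re.search(r["url"], u):
            return r["name"]
    return None


def relaxed_by_wildcard(field_name: str, url: str):
    """The guide's caution in code: a relaxation written as .* for both the
    field name and the URL exempts every field on every URL from the check."""
    careless = [{"name": "careless", "enabled": True, "field": rb".*", "url": rb".*"}]
    return find_relaxation(field_name, url, careless)


if __name__ == "__main__":
    # Constructed field names and URLs.
    print(find_relaxation("logon_user1", "query_results.js"))
    print(find_relaxation("logon_a", "query_results.js"))           # too short
    print(find_relaxation("Türkçe-Name_Ali",
                          "http://www.example.com/catalog/view?prodinfo=12"))
    print(find_relaxation("sessionid-0123456789", "query_results.js"))  # disabled
    print(relaxed_by_wildcard("anything", "http://www.example.com/"))
```

Field names are encoded to UTF-8 before matching, which is why a field named Türkçe-Name_Ali is matched by the hex-encoded expression even though the expression itself is pure ASCII. The disabled entry never matches regardless of its expressions, and the last call shows that a `.*`/`.*` relaxation applies to a field and URL it was never meant for.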
CHAPTER 12 The XML Security Checks

This chapter describes in detail the Application Firewall security checks specific to XML profiles. It explains how each security check operates, what types of attacks it helps prevent, and how the configuration details affect how that security check filters a request or response. This information is intended for system administrators who need to understand a particular security check in detail to configure it properly for their web sites.

Note: You do not need to read this chapter unless you need to understand in detail how specific XML security checks work, what all the options are for each, and how each option affects its operation.

The XML Format Check

The XML Format check examines the XML format of incoming requests, and blocks those requests that are not well formed. The purpose of the XML Format check is to prevent a malicious user from using a poorly-formed XML request to breach security on your server.

You configure the XML Format check in the Modify XML Format Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure XML Application Firewall Profile dialog box for that profile. Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. On that tab, you can click the XML Format entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule.

The figure below shows the default Check Action settings for the XML Format check.

Modify XML Format Check Dialog Box, General Tab

The General tab contains the Check Action settings, which control how the XML Format check functions. These settings are:

Block. Tells the Application Firewall to block connections that violate the XML Format check. Enabled by default. You disable blocking for the XML Format check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box.

You should not disable blocking for the XML Format check except when troubleshooting this specific check. Unlike every other security check in the Application Firewall, this security check has dependencies: if the XML Format check fails, then no other XML security checks are performed. Legitimate user requests are unlikely to be blocked by this check, and it is likely to catch and block attacks before the more intensive checks must be run. If you want to be absolutely certain that you are not blocking any legitimate user requests whatsoever, you can disable this check at first, and then review the logs for this profile closely for a short period of time. The logs will indicate when the Application Firewall would have blocked a request for violating the XML Format check. You can then verify whether the request was valid or appears not to have been valid.

Learn. The learning feature is not available with the XML Format check, so the Learn check box is greyed out.

Log. Tells the Application Firewall to log any connections that violate the XML Format check. Enabled by default. You disable logging for the XML Format check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource for troubleshooting.

Statistics. Tells the Application Firewall to generate statistics for connections that violate the XML Format check. Enabled by default. You disable statistics for the XML Format check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

The XML Format check has no Settings tab. The Check Actions are the only options you can configure for this check.

The XML Denial of Service Check

The XML Denial of Service (XML DoS) check examines incoming XML requests to determine whether they match the characteristics of a denial-of-service (DoS) attack, and blocks those requests that do. The purpose of the XML DoS check is to prevent an attacker from using XML requests to launch a denial-of-service attack on your server or web service.

You configure the XML DoS check in the Modify XML DoS Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure Application Firewall Profile dialog box for that profile. Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. In that tab, you can click the XML DoS entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule.

The figure below shows the default Check Action settings for the XML DoS check.
[Figure: Modify XML DoS Check Dialog Box, General Tab]

The General tab contains the Check Action settings, which control how the XML DoS check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the XML DoS check. Enabled by default. You disable blocking for the XML DoS check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box. You probably will not want to disable blocking for the XML DoS check. At the default settings, which enable only a few of the XML DoS rules, it is unlikely to block any legitimate requests. If a particular rule causes blocking of legitimate requests, you should disable that rule instead. See the remainder of this section for more information on enabling and disabling specific XML DoS check rules.

- Learn. The learning feature is not available with the XML DoS check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the XML DoS check. Enabled by default. You disable logging for the XML DoS check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the XML DoS check. Enabled by default. You disable statistics for the XML DoS check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

You enable and disable XML DoS rules in the Modify XML DoS Check dialog box, Settings tab. The figure below shows this dialog box as it appears in a new XML or Web 2.0 profile, before you have modified any default settings.

[Figure: Modify XML DoS Check Dialog Box, Settings Tab]

You enable a disabled rule by clicking it once to highlight it, then clicking the Enable button. You disable an enabled rule by clicking it once to highlight it, then clicking the Disable button. You modify the value of a rule by clicking it once to highlight it, then clicking the Modify button to display the Modify XDoS Check dialog box for that XML DoS check. The figure below shows this dialog box for the Maximum Element Depth check.
[Figure: Modify XDoS Check Dialog Box: Maximum Element Depth]

The Modify XDoS Check dialog box contains an Enabled check box, which you check to enable that rule and uncheck to disable it. If that rule has a value that the user can modify, the dialog also contains a Value* text box. To modify the rule value, simply enter a new value in the Value* text box. You then click the Save button to save your changes, or the Close button to close the dialog box without making modifications.

The following table provides a list of the XML DoS rules and a description of each.

The XML DoS Rules

Rule: Maximum Element Depth
Description: Restricts the maximum number of nested levels in each individual element to 256. If this rule is enabled, and the Application Firewall detects an XML request with an element that has more than the maximum number of allowed levels, it blocks the request. The user can modify the maximum number of levels to any value between one (1) and 65,535.

Rule: Maximum Element Name Length
Description: Restricts the maximum length of each element name to 128 characters. This includes the name within the expanded namespace, which includes the XML path and element name in the following format: {
The user can modify the maximum name length to any value between one (1) character and 65,535.

Rule: Maximum # Elements
Description: Restricts the maximum number of any one type of element per XML document to 65,535. The user can modify the maximum number of elements to any value between one (1) and 65,535.

Rule: Maximum # Element Children
Description: Restricts the maximum number of children (including other elements, character information, and comments) each individual element is allowed to have to 65,535. The user can modify the maximum number of element children to any value between one (1) and 65,535.

Rule: Maximum # Attributes
Description: Restricts the maximum number of attributes each individual element is allowed to have to 256. The user can modify the maximum number of attributes to any value between one (1) and 256.

Rule: Maximum Attribute Name Length
Description: Restricts the maximum length of each attribute name to 128 characters. The user can modify the maximum attribute name length to any value between one (1) and 2,048.

Rule: Maximum CDATA Section Length
Description: Restricts the length of the CDATA section for each element to 65,535. The user can modify the maximum CDATA section length to any value between one (1) and 65,535.

Rule: Maximum File Size
Description: Restricts the size of each file to 20 MB. The user can modify the maximum file size to any value.

Rule: Minimum File Size
Description: Requires that each file be at least 9 bytes in length. The user can modify the minimum file size to any positive integer representing a number of bytes.

Rule: Block Processing Instructions
Description: Blocks any special processing instructions included in the request. This rule has no user-modifiable values.

Rule: Block DTD
Description: Blocks any DTD included with the request. This rule has no user-modifiable values.

Rule: Block External Entities
Description: Blocks all external entity references by the request. This rule has no user-modifiable values.

This completes the section on the XML DoS check.

The XML Cross-Site Scripting Check

The XML Cross-Site Scripting check examines incoming requests for possible cross-site scripting errors, and blocks those requests that contain such errors. The purpose of the XML Cross-Site Scripting check is to prevent misuse of the scripts in your protected XML web services to breach security. It does this by blocking scripts that violate the same origin rule, which states that scripts should not access or modify content on any server but the server where they are located. Any script that violates the same origin rule is called a cross-site script, and the practice of using scripts to access or modify content on another server is called cross-site scripting.
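The XML DoS rules listed in the table above can be enforced while the document is being parsed, one rule per parser callback, so an oversized or DTD-carrying request is rejected before it is fully read. The following is an added example written for this guide, not Citrix code: `XmlDosLimits` and `check_xml_dos` are this example's own names, its default values are the defaults stated in the table, and malformed XML is reported as an "XML Format" violation because the XML Format check runs first and, when it fails, no other XML check is performed.

```python
from dataclasses import dataclass
from typing import Optional
import xml.parsers.expat as expat


@dataclass
class XmlDosLimits:
    """One field per XML DoS rule; defaults are the guide's stated defaults."""
    max_element_depth: int = 256
    max_element_name_length: int = 128
    max_elements: int = 65535             # per element type, per document
    max_element_children: int = 65535
    max_attributes: int = 256
    max_attribute_name_length: int = 128
    max_cdata_length: int = 65535
    max_file_size: int = 20 * 1024 * 1024
    min_file_size: int = 9
    block_processing_instructions: bool = True
    block_dtd: bool = True
    block_external_entities: bool = True


class _Violation(Exception):
    """Raised inside an expat handler to stop parsing at the first violation."""


def check_xml_dos(data: bytes, limits: Optional[XmlDosLimits] = None) -> Optional[str]:
    """Return the first violated XML DoS rule name, or None if the document passes.

    Malformed XML is reported as "XML Format": as the guide says, when that
    check fails no other XML check runs.  Child counting covers elements only;
    expat may split character data into chunks, so text children are skipped.
    """
    lim = limits or XmlDosLimits()
    if len(data) > lim.max_file_size:
        return "Maximum File Size"
    if len(data) < lim.min_file_size:
        return "Minimum File Size"

    st = {"depth": 0, "children": [], "per_type": {}, "cdata": None}

    def fail(rule):
        raise _Violation(rule)

    def start_element(name, attrs):
        st["depth"] += 1
        if st["depth"] > lim.max_element_depth:
            fail("Maximum Element Depth")
        if len(name) > lim.max_element_name_length:
            fail("Maximum Element Name Length")
        st["per_type"][name] = st["per_type"].get(name, 0) + 1
        if st["per_type"][name] > lim.max_elements:
            fail("Maximum # Elements")
        if len(attrs) > lim.max_attributes:
            fail("Maximum # Attributes")
        if any(len(a) > lim.max_attribute_name_length for a in attrs):
            fail("Maximum Attribute Name Length")
        if st["children"]:                  # count this element as its parent's child
            st["children"][-1] += 1
            if st["children"][-1] > lim.max_element_children:
                fail("Maximum # Element Children")
        st["children"].append(0)

    def end_element(name):
        st["depth"] -= 1
        st["children"].pop()

    def char_data(text):
        if st["cdata"] is not None:          # inside <![CDATA[ ... ]]>
            st["cdata"] += len(text)
            if st["cdata"] > lim.max_cdata_length:
                fail("Maximum CDATA Section Length")

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if lim.block_dtd:
            fail("Block DTD")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None and lim.block_external_entities:  # SYSTEM/PUBLIC entity
            fail("Block External Entities")

    p = expat.ParserCreate()
    p.StartElementHandler = start_element
    p.EndElementHandler = end_element
    p.CharacterDataHandler = char_data
    p.StartCdataSectionHandler = lambda: st.update(cdata=0)
    p.EndCdataSectionHandler = lambda: st.update(cdata=None)
    p.ProcessingInstructionHandler = lambda target, text: (
        fail("Block Processing Instructions") if lim.block_processing_instructions else None)
    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    try:
        p.Parse(data, True)
    except _Violation as v:
        return str(v)
    except expat.ExpatError:
        return "XML Format"
    return None
```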
The reason cross-site scripting is a security issue is that a web service that allows cross-site scripting can be attacked using a script that is not on the same server as that web service, but on a different server, such as one owned and controlled by the attacker.

You configure the XML Cross-Site Scripting check in the Modify XML Cross-Site Scripting Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure Application Firewall Profile dialog box for that profile. Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. In that tab, you can click the XML Cross-Site Scripting entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows the default Check Action settings for the XML Cross-Site Scripting check.

[Figure: Modify XML Cross-Site Scripting Check Dialog Box, General Tab]

The General tab contains the Check Action settings, which control how the XML Cross-Site Scripting check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the XML Cross-Site Scripting check. Enabled by default. You disable blocking for the XML Cross-Site Scripting check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box. You will not want to disable blocking for the XML Cross-Site Scripting check on your production servers. Cross-site scripts are risky within an XML context. While you are testing a new Application Firewall configuration, however, you can disable this check and then monitor your logs to determine whether any XML requests containing cross-site scripts are legitimately sent to your protected web service. If you do spot any such requests, you may want to consider modifying the web service to remove this vulnerability rather than disabling this important security check for your web service.

- Learn. The learning feature is not available with the XML Cross-Site Scripting check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the XML Cross-Site Scripting check. Enabled by default. You disable logging for the XML Cross-Site Scripting check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the XML Cross-Site Scripting check. Enabled by default. You disable statistics for the XML Cross-Site Scripting check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

The XML Cross-Site Scripting check has no Settings tab. The Check Actions are the only options you can configure for this check.

The XML SQL Injection Check

The XML SQL Injection check examines incoming requests for inappropriate SQL special characters and keywords that might indicate an attempt to inject SQL code, and blocks those requests. The purpose of the XML SQL Injection check is to prevent an attacker from using your XML web service to send SQL commands to your back-end SQL-based database servers and either obtaining information that they were not entitled to obtain, or gaining control of the server.

Many web services communicate with relational database servers using SQL. Often the scripts that pass web form information to the database do not validate the information provided by users before passing it on to the database, allowing malicious code or a hacker to send SQL commands to the database server. If the Application Firewall detects unauthorized SQL code in a user request, it blocks the request.

You configure the XML SQL Injection check in the Modify XML SQL Injection Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure Application Firewall Profile dialog box for that profile.
Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. In that tab, you can click the XML SQL Injection entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows the default Check Action settings for the XML SQL Injection check.

[Figure: Modify XML SQL Injection Check Dialog Box, General Tab]

The General tab contains the Check Action settings, which control how the XML SQL Injection check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the XML SQL Injection check. Enabled by default. You disable blocking for the XML SQL Injection check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box. You will not want to disable blocking for the XML SQL Injection check in your production environment unless your web service has no access to any back-end SQL-based database server. While you are testing a new Application Firewall configuration, however, you can disable this check and then monitor your logs to determine whether any XML requests containing SQL special characters or keywords are legitimately sent to your protected web service. If you do spot any such requests, and your protected web service can access a back-end SQL-based database server, you may want to consider either removing access to the database server or modifying the web service to remove this vulnerability.

- Learn. The learning feature is not available with the XML SQL Injection check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the XML SQL Injection check. Enabled by default. You disable logging for the XML SQL Injection check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box.
You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the XML SQL Injection check. Enabled by default. You disable statistics for the XML SQL Injection check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

Beneath the Actions area is the Parameters area, which contains additional configuration items.

- Restrict checks to fields containing SQL special characters. Tells the Application Firewall to check only XML that contains SQL special characters for violations of the XML SQL Injection check rules. Since most SQL databases ignore any SQL commands that are not accompanied by the appropriate SQL special characters, this usually reduces server load without compromising security. You enable this feature by checking this check box, and disable it after enabling it by unchecking this check box.

- SQL Comments Handling. Tells the Application Firewall how to handle SQL comments in the web pages it checks. By default, the Application Firewall treats all SQL comments as it does any other content, and checks the entire request for SQL special characters and keywords. Since SQL servers ignore any text they recognize as part of a comment, you can help prevent false positives by configuring the Application Firewall to recognize SQL comments and skip them when checking a request for violations of the XML SQL Injection check. You can also thwart attackers who may send requests containing comments and observe your web server's response to profile your SQL server's behavior and identify which SQL software it uses. Unlike the other options on the General tab, the SQL Comments Handling option consists, not of a check box, but of a radio button array. To modify the SQL Comments Handling settings, you click the radio button beside the option you want.

  - ANSI. Tells the Application Firewall to recognize SQL ANSI comments, which are normally used by Unix-based SQL databases, and skip those comments when filtering requests for violations of the XML SQL Injection check.

  - Nested. Tells the Application Firewall to recognize nested SQL comments, which are normally used by Microsoft SQL Server, and skip those comments when filtering requests for violations of the XML SQL Injection check.

  - ANSI/Nested. Tells the Application Firewall to recognize comments that adhere to both the ANSI and nested SQL comment standards, and skip those comments when filtering requests for violations of the XML SQL Injection check. Comments that match only the ANSI standard, or only the nested standard, will not be skipped.

  Note: You should normally choose either the Nested or the ANSI/Nested option only if your back-end database runs on Microsoft SQL Server. Most other types of SQL server software do not recognize nested comments. For that reason, no requests containing nested comments should be directed at other types of SQL servers. If nested comments do appear in a request directed at another type of SQL server, they may indicate an attempt to breach security on that server.

  - Check all Comments. Tells the Application Firewall to check the entire request for violations of the XML SQL Injection check, without skipping anything.

The XML SQL Injection check has no Settings tab. The Check Actions and Parameters are the only options you can configure for this check.

The XML Attachment Check

The XML Attachment check examines incoming requests for malicious attachments, and blocks those requests that contain attachments that might breach web services security. The purpose of the XML Attachment check is to prevent an attacker from using an XML attachment to breach security on your server.

You configure the XML Attachment check in the Modify XML Attachment Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure Application Firewall Profile dialog box for that profile.
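The two XML SQL Injection parameters described above, the SQL special-character restriction and the SQL Comments Handling modes, are easier to reason about when you can see what each mode leaves in the text that is actually inspected. The following is an added example written for this guide, not Citrix code: the comment grammar (`--` to end of line, `/* */` nesting only in the nested mode), the keyword list and the special-character sequences are this example's own assumptions, and ANSI/Nested is modelled as skipping only the comment spans that both the ANSI and the nested scanner agree on, so an ANSI-only or nested-only comment stays in the checked text.

```python
import re

# Constructed subsets for this example; the appliance's own lists are not on the page.
SQL_SPECIAL_SEQUENCES = ("'", '"', ";", "--", "/*", "*/")
SQL_KEYWORDS = {"select", "insert", "update", "delete", "drop", "union", "exec"}


def comment_spans(text: str, nesting: bool) -> list:
    """Locate SQL comments in `text` as (start, end) index pairs.

    `--` comments run to the end of the line.  `/* ... */` comments nest only
    when `nesting` is True (the Microsoft SQL Server behaviour); otherwise the
    first `*/` closes the comment (the ANSI behaviour assumed here).  An
    unterminated block comment extends to the end of the text.
    """
    spans, i, n = [], 0, len(text)
    while i < n:
        if text.startswith("--", i):
            j = text.find("\n", i)
            j = n if j == -1 else j
            spans.append((i, j))
            i = j
        elif text.startswith("/*", i):
            depth, j = 1, i + 2
            while j < n and depth:
                if nesting and text.startswith("/*", j):
                    depth, j = depth + 1, j + 2
                elif text.startswith("*/", j):
                    depth, j = depth - 1, j + 2
                else:
                    j += 1
            spans.append((i, j))
            i = j
        else:
            i += 1
    return spans


def strip_sql_comments(text: str, mode: str) -> str:
    """Blank out the comments the chosen SQL Comments Handling mode skips.

    ansi: ANSI-style comments; nested: SQL Server nested comments;
    ansi_nested: only comments both styles agree on (an ANSI-only or
    nested-only comment is left in place and therefore still checked);
    check_all: nothing is skipped.
    """
    if mode == "check_all":
        return text
    if mode == "ansi":
        spans = comment_spans(text, nesting=False)
    elif mode == "nested":
        spans = comment_spans(text, nesting=True)
    elif mode == "ansi_nested":
        spans = sorted(set(comment_spans(text, False)) & set(comment_spans(text, True)))
    else:
        raise ValueError(f"unknown SQL comment mode: {mode}")
    out, pos = [], 0
    for start, end in spans:
        out.append(text[pos:start] + " ")      # one space keeps neighbouring tokens apart
        pos = end
    out.append(text[pos:])
    return "".join(out)


def violates_sql_injection(value: str, mode: str = "check_all",
                           restrict_to_special_chars: bool = False) -> bool:
    """Model of the XML SQL Injection check for one field value.

    With restrict_to_special_chars set, a field that contains no SQL special
    character sequence is not inspected at all (the "Restrict checks to
    fields containing SQL special characters" option).  Otherwise the field
    is checked for SQL keywords after the selected comment handling.
    """
    if restrict_to_special_chars and not any(s in value for s in SQL_SPECIAL_SEQUENCES):
        return False
    checked = strip_sql_comments(value, mode)
    words = set(re.findall(r"[A-Za-z_]+", checked.lower()))
    return bool(words & SQL_KEYWORDS)
```

With the same field value, check_all reports a keyword that sits inside a comment (a false positive for a database that ignores comments), ansi skips it, and a nested comment sent to a server configured for ANSI handling stays in the inspected text, which is the behaviour the Note above relies on.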
Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. In that tab, you can click the XML Attachment entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows the default Check Action settings for the XML Attachment check.

[Figure: Modify XML Attachment Check Dialog Box, General Tab]

The General tab contains the Check Action settings, which control how the XML Attachment check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the XML Attachment check. Enabled by default. You disable blocking for the XML Attachment check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box. You probably will not want to disable blocking for the XML Attachment check in your production environment. An attack can be launched on your protected web service using an XML attachment. To determine whether attachments that violate this check are legitimately sent to your protected web service, you can disable this check in a test environment and direct characteristic requests to the web service. You then observe the logs to determine whether the Application Firewall would have blocked any requests because of this rule.

- Learn. The learning feature is not available with the XML Attachment check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the XML Attachment check. Enabled by default. You disable logging for the XML Attachment check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the XML Attachment check. Enabled by default. You disable statistics for the XML Attachment check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

The XML Attachment check has no Settings tab. The Check Actions are the only options you can configure for this check.

The Web Services Interoperability Check

The Web Services Interoperability (WS-I) check examines both requests and responses for adherence to the WS-I standard, and blocks those requests and responses that do not adhere to this standard. The purpose of the WS-I check is to block requests that might not interact with other XML appropriately. An attacker can use inconsistencies in interoperability to launch an attack on your web service.

You configure the WS-I check in the Modify WS-I Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure Application Firewall Profile dialog box for that profile. Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. In that tab, you can click the WS-I entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows the default Check Action settings for the WS-I check.
[Figure: Modify WS-I Check Dialog Box, General Tab]

The General tab contains the Check Action settings, which control how the WS-I check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the WS-I check. Enabled by default. You disable blocking for the WS-I check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box. You probably will not want to disable blocking for the WS-I check.

- Learn. The learning feature is not available with the WS-I check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the WS-I check. Enabled by default. You disable logging for the WS-I check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the WS-I check. Enabled by default. You disable statistics for the WS-I check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

You configure the WS-I Check rules in the Modify WS-I Check dialog box, Settings tab. The figure below shows this dialog box as it appears in a new XML or Web 2.0 profile.

[Figure: Modify WS-I Check Dialog Box, Settings Tab]

You enable a disabled rule by clicking it once to highlight it, then clicking the Enable button. You disable an enabled rule by clicking it once to highlight it, then clicking the Disable button. You can view detailed information about the purpose and function of a specific rule by clicking it once to highlight it, then clicking the Details button to display that information. The figure below shows the information box for the first WS-I check.
[Figure: WS-I Details Message Box for BP1201 Check]

This completes the section on the WS-I check.

The XML Message Validation Check

The XML Message Validation check examines requests that contain XML messages to ensure that they are valid. If a request contains an invalid XML message, the Application Firewall blocks the request. The purpose of the XML Validation check is to prevent an attacker from using specially constructed invalid XML messages to breach security on your web service.

You configure the XML Validation check in the Modify XML Validation Check dialog box. You access this dialog box by choosing an XML profile or a Web 2.0 profile in the Profiles page, then clicking the Open button to display the Configure Application Firewall Profile dialog box for that profile. Next, you click the Checks tab to see a list of all the Application Firewall security checks that apply to the profile you chose. In that tab, you can click the XML Validation Check entry, or any other entry, then click the Modify button to display the Modify Check dialog box for that rule. The figure below shows the default Check Action settings for the XML Validation check.

[Figure: Modify XML Message Validation Check Dialog Box, General Tab]

The General tab contains the Check Action settings, which control how the XML Validation check functions. These settings are:

- Block. Tells the Application Firewall to block connections that violate the XML Validation check. Enabled by default. You disable blocking for the XML Validation check by clearing the Block check box, and re-enable blocking after disabling it by selecting the Block check box. You probably will not want to disable blocking for the XML Validation check.

- Learn. The learning feature is not available with the XML Validation check, so the Learn check box is greyed out.

- Log. Tells the Application Firewall to log any connections that violate the XML Validation check. Enabled by default. You disable logging for the XML Validation check by clearing the Log check box, and re-enable logging after disabling it by checking the Log check box. You normally will not want to disable logging for this or any check. If anything unexpected happens, the logs are an important resource to troubleshoot.

- Statistics. Tells the Application Firewall to generate statistics for connections that violate the XML Validation check. Enabled by default. You disable statistics for the XML Validation check by clearing the Statistics check box, and re-enable statistics after disabling it by checking the Statistics check box. You normally will not want to disable statistics. They can help you monitor the types of attacks that a particular check is seeing, and determine how effective that check is on your protected web sites.

You configure the XML Message Validation Check rules in the Modify XML Message Validation Check dialog box, Settings tab. The options in the Settings tab change depending on which of the three validation types you choose. To choose a particular validation method, click the radio button beside that choice. The XML Message Validation types are:

- SOAP Envelope. Tells the Application Firewall to validate only the SOAP envelope of XML messages. This is the default setting. The figure below shows this dialog box as it appears in a new XML or Web 2.0 profile, with the default selection of Validate SOAP Envelope Only.

[Figure: Modify XML Message Validation Check Dialog Box, Settings Tab, Validate SOAP Envelope Only]

If you choose SOAP Envelope validation, you do not need to do any further configuration to implement Request validation. By default, the Application Firewall does not attempt to validate responses. If you want to validate responses from your protected web service or Web 2.0 site, you check the Validate Response check box.
- WSDL. Tells the Application Firewall to validate XML messages using an XML SOAP WSDL. If you choose this type of validation, you must upload the WSDL you will use for validation. See Chapter 8, Imports, on page 177 for information on uploading WSDL files. The figure below shows this dialog box as it appears when you choose Validate With a WSDL.

[Figure: Modify XML Message Validation Check Dialog Box, Settings Tab, Validate With a WSDL]

If you choose WSDL validation, in the WSDL Object drop-down list you must choose a WSDL. If you want to validate against a WSDL that has not already been imported to the Application Firewall, you can click the Import button to open the Manage WSDL Imports dialog box and import your WSDL. See Importing Configuration Elements on page 177 for more information on this dialog box and importing.

If you want the Application Firewall to enforce the WSDL strictly, and not allow any additional XML headers not defined in the WSDL, you must uncheck the check box labeled, Allow additional headers not defined in the WSDL.

Caution: If you uncheck the Allow Additional Headers check box, and your WSDL does not define all XML headers that your protected XML web service or Web 2.0 application expects or that a client sends, you may block legitimate access to your protected service.

By default, the Application Firewall does not attempt to validate responses. If you want to validate responses from your protected web service or Web 2.0 site, you check the Validate Response check box.

- XML Schema. Tells the Application Firewall to validate XML messages using an XML schema. If you choose this type of validation, you must upload the XML schema you will use for validation. See Chapter 8, Imports, on page 177 for information on uploading XML schema files. The figure below shows this dialog box as it appears when you choose Validate With an XML Schema.

[Figure: Modify XML Message Validation Check Dialog Box, Settings Tab, Validate With an XML Schema]

If you choose XML Schema validation, in the XML Schema Object drop-down list you must choose an XML schema. If you want to validate against an XML schema that has not already been imported to the Application Firewall, you can click the Import button to open the Manage XML Schema Imports dialog box and import your XML schema. See Importing Configuration Elements on page 177 for more information on this dialog box and importing.

By default, the Application Firewall does not attempt to validate responses. If you want to validate responses from your protected web service or Web 2.0 site, you must check the Validate Response check box. When you do, the check box below it labeled, Reuse the XML Schema specified in request validation, and the XML Schema Object drop-down list beneath that, are activated.

  - You can check the Reuse XML Schema check box to use the schema you specified for request validation to do response validation as well. If you check this check box, the XML Schema Object drop-down list is greyed out.

  - You can use the XML Schema Object drop-down list to upload a different XML schema for response validation.

You then click the OK button to save your changes, or the Close button to close the dialog box without saving changes.

This completes the section on the XML Message Validation check.
CHAPTER 13 The PCI DSS Report

About PCI DSS 1.2

This chapter describes the PCI DSS report, tells you where to display and print the report, and explains how to use the information it provides to secure your NetScaler appliance.

The Payment Card Industry (PCI) Data Security Standard (DSS), version 1.2, consists of twelve security criteria that most credit card companies require businesses that accept online payments by credit and debit card to meet. These criteria are designed to prevent identity theft, hacking, and other types of fraud. If an internet service provider or online merchant does not meet the PCI DSS criteria, that ISP or merchant risks losing authorization to accept credit card payments through its web site. ISPs and online merchants prove that they are in compliance with PCI DSS through an audit conducted by a PCI DSS Qualified Security Assessor (QSA) company. The PCI DSS report is designed to assist them both before and during the audit. Before the audit, it shows which Application Firewall settings are relevant to PCI DSS, how they should be configured, and (most important) whether your current Application Firewall configuration meets the standard. During the audit, the report can be used to demonstrate compliance with the relevant PCI DSS criteria.

An Overview of the PCI DSS Report

The PCI DSS report consists of a list of those PCI DSS criteria that are relevant to your Application Firewall configuration. Under each criterion, it lists your current configuration options, indicates whether your current configuration complies with the criterion, and explains how to configure the Application Firewall so that your protected web site(s) will be in compliance with that criterion. The PCI DSS report is located under the System Reports menu tree. If you click the PCI DSS Report menu item, the opening screen of the PCI DSS report is displayed, as shown below.
The PCI DSS Report: Opening Screen

If you scroll down a page, the Executive Summary section of the report appears, as shown below.

The PCI DSS Report: Executive Summary
The report is generated automatically when you open it. Only the top portion of the report is displayed at first. To see the rest of the page, use the scroll bar on the right to scroll up and down, and use the Application Firewall Profiles hyperlink at the top of the page to view the information for each profile. You can also download the report as a PDF file by clicking the Download Entire Report hyperlink. The main report consists of the following sections:
- Description. Provides a description of the PCI DSS Compliance Summary report.
- Firewall License and Feature Status. Tells you whether the Application Firewall is licensed and enabled on your NetScaler appliance.
- Executive Summary. A table that lists the PCI DSS criteria and tells you which of those criteria are relevant to the Application Firewall.
- Detailed PCI DSS Criteria Information. For each PCI DSS criterion that is relevant to your Application Firewall configuration, the PCI DSS report provides a section that states whether your configuration is currently in compliance and, if it is not, how to bring it into compliance.
Data for individual profiles is included in the profile reports, which you access through the Application Firewall Profiles summary screen. To access that screen, click the Application Firewall Profiles hyperlink at the top of the main report. The figure below shows this screen for a simple configuration with only six profiles, three of which are inactive and three of which are globally bound and active.

The PCI DSS Report: Application Firewall Profiles Summary

The Profiles Summary page consists of the following:
- Application Firewall Policies. A table that lists your current Application Firewall policies, showing the policy name, the content of the policy, the action (or profile) it is associated with, and global binding information.
- Application Firewall Profiles. A table that lists your current Application Firewall profiles and indicates which policy each profile is associated with. If a profile is not associated with a policy, the table displays INACTIVE in that location.
You download the report pages for all profiles by clicking the Download All Profiles hyperlink at the top of the Profiles Summary page. You display the report page for an individual profile by clicking the hyperlink for that profile in the Application Firewall Profiles table at the bottom of the screen. The Profile page for an individual profile consists of the following:
- Credit Card Protection Status. Shows each type of credit card the Application Firewall can protect, and explains whether protection is enabled and how credit card protection is configured. For more information about the different Credit Card check settings and what the effect of each is, see The Cookie Consistency Check, on page 205.
- Start URL Check Actions. Shows each action enabled for the Start URL check. Start URL actions include Block, Learn, Log, Statistics, and URL Closure, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The Start URL Check, on page 187.
- Start URL Check. Shows information about each Start URL you have configured.
- Cookie Consistency Check Actions. Shows each action enabled for the Cookie Consistency check. Cookie Consistency actions include Block, Learn, Log, and Statistics, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The Cookie Consistency Check, on page 205.
- Cookie Consistency Check. Shows information about each Cookie Consistency check relaxation you have configured.
- Field Consistency Check Actions. Shows each action enabled for the Form Field Consistency check. Form Field Consistency check actions include Block, Learn, Log, and Statistics, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The Form Field Consistency Check, on page 229.
- Field Consistency Check. Shows information about each Form Field Consistency check relaxation you have configured.
- Buffer Overflow Check Actions. Shows each action enabled for the Buffer Overflow check. Buffer Overflow check actions include Block, Log, and Statistics, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The Buffer Overflow Check, on page 214.
- Buffer Overflow Check. Shows the current settings for Maximum Cookie Length, Maximum URL Length, and Maximum Header Length.
- Field Formats Check Actions. Shows each action enabled for the Field Formats check. Field Formats check actions include Block, Learn, Log, and Statistics, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The Field Formats Check, on page 240.
- Field Formats Check. Shows information about each Field Formats check relaxation you have configured.
- HTML Cross-Site Scripting Check Actions. Shows each action enabled for the HTML Cross-Site Scripting check. HTML Cross-Site Scripting check actions include Block, Learn, Log, Statistics, and Transform Cross-Site Scripts, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The HTML Cross-Site Scripting Check, on page 250.
- HTML Cross-Site Scripting Check. Shows information about each HTML Cross-Site Scripting check relaxation you have configured.
- HTML SQL Injection Check Actions. Shows each action enabled for the HTML SQL Injection check. HTML SQL Injection check actions include Block, Learn, Log, Statistics, and Transform SQL Special Characters, any of which can be enabled independently of the others. In addition, this section contains information about your settings for the HTML SQL Injection check parameters, Restrict Checks to Fields Containing SQL Special Characters and SQL Comments Handling. For more information about these actions and what the effect of each is, see The HTML SQL Injection Check, on page 259.
- HTML SQL Injection Check. Shows information about each HTML SQL Injection check relaxation you have configured.
- Safe Objects Check. Shows each Safe Object expression you have defined on your Application Firewall. For more information on the Safe Object check, see The Safe Object Check, on page 221.
- Deny URL Check Actions. Shows each action enabled for the Deny URL check. Deny URL check actions include Block, Log, and Statistics, any of which can be enabled independently of the others. For more information about these actions and what the effect of each is, see The Deny URL Check, on page 197.
- Deny URL Check. Lists each default Deny URL you have enabled on your Application Firewall, and each user Deny URL you have configured.
You can download a PDF file containing the PCI DSS report page for the current profile by clicking the Download Current Profile hyperlink at the top of the page. You can return to the Profiles Summary page by clicking the Application Firewall Profiles hyperlink. Finally, you can go directly to the main page by clicking the Home hyperlink. You can refresh the PCI DSS report at any time by clicking the Refresh button in the upper right-hand corner of the browser. You should refresh it if you make changes to your NetScaler appliance configuration, and in particular changes to the Application Firewall settings.
An Overview of the PCI DSS Standard

The twelve PCI DSS criteria are listed below, along with the information that the PCI DSS report provides for each.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data. This requirement is not applicable to web sites protected by the Citrix Application Firewall. Since the NetScaler appliance contains an Application Firewall, you do not need to install a separate firewall configuration to protect your cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. This requirement affects two configuration items on the Application Firewall: whether you have changed the default password for the nsroot account, and whether you use encryption to protect all administrative access to the NetScaler appliance. If you have not changed the nsroot password, you must do so to meet this requirement. If you require users to access the configuration utility over HTTPS rather than HTTP, and to access the NetScaler command line via SSH, you do not need to do anything further to meet that part of the requirement. Normally the Application Firewall is configured to require this type of access.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data. The following configuration items are relevant to this requirement: To ensure that the NetScaler appliance does not store magnetic stripe data, credit card validation codes, or PINs after a credit card is authorized, you must configure the Confidential Fields Logging feature for each form field in each web form that accepts this data. You will need to do this in each profile that protects a web site with a web form that accepts magnetic stripe data, credit card validation codes, or PINs. For more information on configuring this feature, see Chapter 6, Confidential Fields, on page 155.
If any credit card you accept for payment is not protected, you must enable protection for it. The Application Firewall masks the display of any credit card numbers you protect using the Credit Card check. The PCI DSS report contains a Credit Card status table that lists each profile you have created, and tells you which credit card types are protected on which profile.
Note: PCI DSS allows you to display only the first six and final four digits of a PAN on screen.

For information about the Credit Card check and instructions on configuring it, see The Cookie Consistency Check, on page 205 and following.

Are Primary Account Numbers (PANs) stored in unreadable format? To ensure that the NetScaler appliance does not store unencrypted Primary Account Numbers (PANs) in its logs, you must configure the Confidential Fields Logging feature for each form field in each web form that accepts this data. You will need to do this in each profile that protects a web site with a web form that accepts PANs. For more information on configuring this feature, see Chapter 6, Confidential Fields, on page 155.

Requirement 4: Encrypt transmission of cardholder data across open, public networks. This requirement is not applicable to the Citrix Application Firewall, but to the web servers that handle this data. You must ensure that any web server that transmits cardholder data across an open network uses an appropriate type of encryption to protect that data.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software. This requirement is not applicable to the Citrix Application Firewall, which uses a proprietary operating system and is not susceptible to infection by any known type of virus. You must ensure that any other server on your network that accepts, transmits, or stores cardholder data and is susceptible to virus infection uses appropriate anti-virus software and updates it frequently.

Requirement 6: Develop and maintain secure systems and applications. The Application Firewall blocks both known and unknown attacks against the web applications it protects. The PCI DSS report contains a list of each policy and each profile you have configured, with relevant information about each one.
For each profile, it explains which security checks are enabled and how they are configured. You must review this configuration and determine whether it appropriately protects all servers on your network that accept, transmit, and store customer data.
Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know. This requirement is not applicable to the Citrix Application Firewall, but to the web servers and back-end database servers that handle this data. You must ensure that any database server that stores cardholder data has appropriate access control restrictions and measures in place, and that you enforce compliance with those measures.

Requirement 8: Assign a unique ID to each person with computer access. To ensure compliance with this requirement, you must create a separate user name and password for each individual who accesses the NetScaler appliance. The NetScaler appliance cannot determine whether you have done this, because it cannot tell whether more than one person is using the same user name and password to log on.

Requirement 9: Restrict physical access to cardholder data. This requirement is not applicable to the Citrix Application Firewall, but to the access controls on your server room and to any non-electronic copies of this data. The department responsible for maintaining your offices and physical plant must ensure that only authorized people can enter the server room or gain access to files that contain non-electronic copies of this information.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data. The NetScaler appliance takes care of most of this automatically. It logs all activity by root or administrative accounts, maintains audit trails for all sensitive types of activity, logs all logon attempts (valid and invalid) and all activity by any user identification or authentication mechanism, and logs all creation or deletion of system-level objects.
To ensure that all system clocks and times are synchronized properly, you must configure an NTP server and then configure the NetScaler appliance to set the time on its system clock from this NTP server. This guarantees that the logs generated by the NetScaler appliance have proper timestamps. Requirement 11: Regularly test security systems and processes. This requirement is not applicable to the Citrix Application Firewall, but to your network. Your IT department must regularly run security audits on your network and servers to ensure that they are working correctly, and fix any security vulnerabilities as they are found.
Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security. This requirement is not applicable to the Citrix Application Firewall, but to your company. The appropriate office must write and maintain a policy that describes how your company ensures that sensitive customer information, including cardholder data, will be protected. For more information on the PCI DSS standard, see Appendix B, PCI DSS Standard, on page 387.
CHAPTER 14 Use Cases

This chapter contains two use cases that explain how to configure your Citrix Application Firewall to protect specific types of web servers and specific kinds of web content.
- Shopping Cart application. If part of your web site communicates with a back-end SQL-based database, as a shopping cart application usually does, see Protecting a Shopping Cart Application on page 304 for information on how to configure the Application Firewall to protect the application and the SQL database.
- Product Information query. If your web sites contain JavaScript or other scripts that obtain information from or save information to any web server other than their own, such as a product information library accessed through a JavaScript-enhanced web form, see Protecting a Product Information Query Page on page 325 for information on how to configure the Application Firewall to protect your web sites while allowing your scripts to continue functioning as they were designed to function.

Note: You do not need to read this chapter if the default configuration you performed in Chapter 3, Simple Configuration, on page 67 meets your needs.

This chapter introduces Example Manufacturing, Inc., a company with a number of web sites that it uses to provide information about the company, sell its many products, manage customer support for its products, and provide internal services to its employees. It has web sites with all sorts of content, some of them with access to sensitive private information. It uses the Citrix NetScaler appliance to protect its web sites.
Protecting a Shopping Cart Application

Example Manufacturing hosts a shopping cart application at shopping.example.com. This application has web forms that collect orders and customer information and store that information in an SQL database. The shopping cart application is old code and has security issues. Rather than transition to a new system, Example has installed a Citrix NetScaler Application Switch, Enterprise Edition with the Citrix NetScaler Application Firewall feature to protect its web site. The system administrator at Example has already performed the installation and initial configuration of the NetScaler appliance. He has also enabled the Application Firewall, created the first profile and first policy, and globally bound the policy. He now wants to create a more specific profile to protect the shopping cart application, with appropriate relaxations and settings for the SQL Injection check, and an associated policy that can detect connections to the shopping cart and apply the correct security checks when filtering those connections. The subsections below describe how he can do this using either the configuration utility or the NetScaler command line.

Creating and Configuring the Shopping Cart Profile

To protect the shopping cart application, the system administrator must first create a profile that tells the Application Firewall how to protect it. The shopping cart application has been in use for many years. It was built using web forms and Perl CGI scripts, and uses cookies to maintain user state. It does not use any JavaScript in its web forms. The system administrator wants to protect the shopping cart against two types of attacks to which it is particularly vulnerable:

Cookie tampering. The system administrator knows that the shopping cart application performs no checks on the cookies that users return to the application. An attacker could modify a cookie and gain access to the shopping cart application under another user's credentials. Once logged on as that user, the attacker could obtain sensitive private information about the legitimate user or place orders using the legitimate user's account.

SQL injection. The system administrator knows that the shopping cart application performs no checks on the data returned in the form fields of its web forms, but passes that information on directly to the SQL database. This leaves the SQL database vulnerable to injected SQL code: an attacker can place SQL commands in the form fields of the shopping cart form and send them directly to the database. The attacker could use this type of attack
to obtain sensitive private information from the database or modify information in the database.

The system administrator will create the new profile using Advanced defaults instead of Basic defaults. He will therefore need to configure a number of other checks to prevent the Application Firewall from blocking legitimate traffic (false positives). This section contains two procedures to protect this shopping cart application: one to create this profile using the configuration utility, and one to create it using the NetScaler command line.

To create a profile to protect the shopping cart using the configuration utility

1. Log on to the configuration utility using either the Java client or the Web Start client. For instructions on doing this, see To log on to the configuration utility.

2. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Profiles to display the Profiles page, shown below.

The Application Firewall Profiles Page

3. Add a profile as described in Chapter 3, Simple Configuration, To create and configure a profile using the configuration utility on page 69, but this time click the Advanced radio button to choose Advanced defaults.
The system administrator names the new profile Shopping Cart so that he and others will know which type of web content it is intended to protect, as shown below.

The Create Application Firewall Profile Dialog Box with Advanced Defaults

After he adds the profile, the profile's name appears in the profiles list in the data area of the Profiles page.

4. In the profiles list, click the name of the new profile once, to highlight it. The figure below shows the Shopping Cart profile selected. After you select a profile, the Open and Remove buttons at the bottom of the data area are activated.
The Application Firewall Profiles Page, with Profile Selected

5. Click the Open button to display the Configure Application Firewall Profile dialog box for that profile, shown below.

The Configure Application Firewall Profile Dialog Box, General Tab
6. Click the Checks tab to display it, as shown below.

The Configure Application Firewall Profile Dialog Box, Checks Tab

In the Checks tab you configure the checks that the Application Firewall uses to protect your web sites. In this case, the system administrator wants to configure the Start URL check; the SQL Injection check, which protects back-end SQL-based databases; and the Cookie Consistency check, which prevents cookie tampering. He will also configure the Credit Card check, to prevent the shopping cart from sending credit card numbers to users, and several other checks to prevent false positives.

7. Configure the Start URL check. A. In the Security Checks list, if it is not already highlighted, click Start URL once to highlight it. B. Click the Modify button to display the Modify Start URL Check dialog box, shown below.
The Modify Start URL Check Dialog Box, General Tab

C. In the Check Actions area, clear the Block check box, as shown below.
The Modify Start URL Check Dialog Box, General Tab, with Blocking Disabled

Since the Learning check box is selected, learning mode is enabled for this rule. The system administrator does not want to risk blocking legitimate requests sent to the shopping cart application until learning has generated an appropriate list of Start URLs for the Start URL rule. After the learning feature has generated a list of Start URLs and he has reviewed and applied them, he can re-enable blocking for this check. D. Click the OK button to save your changes. The Start URL Check dialog box closes, and a message box appears, notifying you that your changes have been successfully saved. E. Click the OK button to close the message box and return to the Configure Application Firewall Profile dialog box. As shown below, the Block column for the Start URL entry now reads No, showing that blocking is disabled for the Start URL rule.
The Configure Application Firewall Profile Dialog Box, Checks Tab, with Start URL Blocking Disabled

8. Configure the Cookie Consistency check by following the same procedure described in step 7. The figure below shows the Modify Cookie Consistency Check dialog box, which is nearly identical to the Modify Start URL Check dialog box, except that there is no Enforce URL closure check box.
The Modify Cookie Consistency Check Dialog Box, General Tab, with Blocking Disabled

With the Cookie Consistency rule, the system administrator wants to disable blocking at first, to prevent legitimate cookies from being blocked. After the learning feature has generated a list of cookie relaxations and he has reviewed and applied them, he can re-enable blocking for this check.

9. Configure the Form Field Consistency check by following the same procedure described in step 8. The Modify Form Field Consistency Check dialog box is identical to the Modify Start URL Check dialog box except for the title and description text. With the Form Field Consistency rule, the system administrator wants to disable blocking at first to prevent legitimate form field data from being blocked. After the learning feature has generated a list of form field relaxations and he has reviewed and applied them, he can re-enable blocking for this check.

10. Configure the HTML SQL Injection check. A. In the Security Checks list, click HTML SQL Injection once to highlight it.
B. Click the Modify button to display the Modify HTML SQL Injection Check dialog box, shown below.

The Modify HTML SQL Injection Check Dialog Box, General Tab

C. In the Check Actions area, clear the Block check box. Since the Learning check box is checked, learning mode is enabled for this rule. The system administrator does not want to risk blocking legitimate requests to the shopping cart application until learning has generated an appropriate list of relaxations to the HTML SQL Injection check. D. Check the check box labeled Transform SQL special characters. This tells the Application Firewall to modify any SQL special characters it detects into harmless character strings that will have no effect on the SQL database. Because the system administrator just disabled blocking for the HTML SQL Injection check, he wants to be sure that any attempts to inject SQL code into the shopping cart application are rendered harmless.
Note: You should ignore the choices in the Parameters area for now.

E. Click the OK button to save your changes, and when prompted, click the OK button to confirm your choices. The HTML SQL Injection Check dialog box closes, and you return to the Configure Application Firewall Profile dialog box.

11. Configure the Credit Card check. A. In the Security Checks list, click Credit Card once to highlight it. B. Click the Modify button to display the Modify Credit Card Check dialog box, shown below.

The Modify Credit Card Check Dialog Box, General Tab

C. In the Check Actions area, check the Log, Statistics, and X-Out check boxes, as shown below.
The Modify Credit Card Check Dialog Box, General Tab With Logging, Statistics, and X-Out Enabled

By checking the X-Out check box, the system administrator ensures that any credit card numbers that the shopping cart application displays on any of its pages are masked out and cannot be read by the user. This recreates the standard behavior of modern secure ordering web pages.

Note: You should ignore the choices in the Parameters area for now.

D. Click the Settings tab to display it, as shown below.
The Modify Credit Card Check Dialog Box, Settings Tab

This tab lists six types of credit cards whose numbers the Application Firewall can detect and either mask or block. E. Hold down the Ctrl key, and click the name of each credit card you want to protect once, to highlight it. Since Example, Inc. accepts only Visa, MasterCard, American Express, and Discover, and therefore stores only those card numbers in its database, the system administrator highlights just those credit cards. F. Click the Protect button to enable protection for the selected types of credit card numbers. The display refreshes, and the Status column to the right of each credit card you chose changes from Unprotected to Protected, as shown below.
Modify Credit Card Check Dialog Box, Settings Tab, with Protected Credit Cards

G. Click the OK button to save your changes, and when prompted, click the OK button to confirm your choices. The Credit Card Check dialog box closes, and you return to the Configure Application Firewall Profile dialog box.

12. Click the OK button to close the Configure Application Firewall Profile dialog box and return to the Profiles page.

To create a profile to protect the shopping cart using the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see To log onto the NetScaler command line via SSH.

2. Enter the following command to create the profile.

> add appfw profile "Shopping Cart" -defaults advanced

The system administrator creates a profile named Shopping Cart, to make clear to himself and anyone else who might configure the Application Firewall what type of web content this profile is designed to protect. He uses the -defaults advanced parameter to tell the Application Firewall to create this profile with advanced defaults. Advanced defaults provide protection that is more closely tailored to the web site or web content that they protect, but they also require more input from the system administrator responsible for the appliance. For more information about defaults, see Chapter 4, Profiles, on page 85.
3. Enter the following command to configure the Start URL check properly for the Shopping Cart profile.

> set appfw profile "Shopping Cart" -starturlaction LEARN LOG STATS -starturlclosure ON

Note: For readability, this command and others may be shown with each parameter on a separate line, aligned under one another. When you enter the command at the NetScaler command line, type it all on a single line, with parameters separated by a single space.

The system administrator wants to disable blocking for the Start URL check. That allows the learning feature to generate a list of start URLs while not blocking legitimate connections to the shopping cart application that might violate this check. The -starturlaction LEARN LOG STATS parameter turns off blocking while leaving learning, logging, and statistics enabled. By enabling URL closure, the system administrator tells the Application Firewall that users should be allowed to access any web content on the shopping cart application by clicking a hyperlink on a web page within that application. This prevents blocking of legitimate requests, and significantly reduces the number of Start URLs that learning must generate for the shopping cart application. The -starturlclosure ON parameter enables URL closure.

4. Enter the following command to configure the Cookie Consistency and Form Field Consistency checks properly for the Shopping Cart profile.

> set appfw profile "Shopping Cart" -cookieconsistencyaction LEARN LOG STATS -fieldconsistencyaction LEARN LOG STATS

The system administrator wants to disable blocking for the Cookie Consistency and Form Field Consistency checks. That allows the learning feature to generate a list of exceptions to these checks while not blocking legitimate connections to the shopping cart application that might violate the checks.
The -cookieconsistencyaction LEARN LOG STATS parameter turns off blocking for the Cookie Consistency check, and the -fieldconsistencyaction LEARN LOG STATS parameter turns off blocking for the Form Field Consistency check, while leaving learning, logging, and statistics enabled.

5. Enter the following command to configure the SQL Injection check properly for the Shopping Cart profile.

> set appfw profile "Shopping Cart"
      -SQLInjectionAction LEARN LOG STATS
      -SQLInjectionTransformSpecialChars ON
The system administrator wants to disable blocking for the SQL Injection check. That allows the learning feature to generate a list of exceptions to this check while not blocking legitimate connections to the shopping cart application that might violate the check. The -SQLInjectionAction LEARN LOG STATS parameter turns off blocking for the SQL Injection check, but leaves learning, logging, and statistics enabled.

To protect the SQL database while learning is working, he also wants the Application Firewall to transform any SQL special characters it detects into a string that will have no effect on the SQL database. The -SQLInjectionTransformSpecialChars ON parameter enables transformation of SQL special characters.

6. Enter the following command to configure the Credit Card check properly for the Shopping Cart profile.

> set appfw profile "Shopping Cart"
      -creditcardaction LOG STATS
      -creditcardxout ON
      -creditcard VISA MasterCard Amex

The system administrator wants to disable blocking for the Credit Card check because order confirmation pages from the shopping cart application show the user's credit card number. He wants to prevent that from happening without blocking the order confirmation pages. The -creditcardaction LOG STATS parameter turns off blocking for the Credit Card check, but leaves logging and statistics enabled.

The system administrator prevents the credit card numbers from appearing on the order confirmation pages by enabling the X-Out feature instead of blocking. When X-Out is enabled, the Application Firewall masks the digits of any credit card numbers it detects with the letter x. The -creditcardxout ON parameter turns on the X-Out feature.

Finally, the system administrator adds protection for the specific types of credit card that the shopping cart application handles. The -creditcard VISA MasterCard Amex parameter enables protection for those credit cards.

7. Enter the following command to save your configuration.
> save ns config

8. Enter the following command to confirm that your profile was correctly created.

> show appfw profile "Shopping Cart"

Before he continues, the system administrator views and checks the profile settings to ensure that they are correct. If the name is not correct, he removes the profile, as shown below, and recreates it.
> rm appfw profile "Shopping Cart"

If any of the settings is not correct, he repeats the set appfw profile command with the appropriate settings to fix the problem.

The system administrator has successfully created a profile to protect the shopping cart application and its SQL database. He must now create a policy to determine when to apply that profile.

Creating and Configuring a Shopping Cart Policy

To protect the shopping cart application, the system administrator must now create a policy that tells the Application Firewall how to determine which requests are sent to, and which responses come from, the shopping cart application. Fortunately, the shopping cart application is hosted at a subdomain, shopping.example.com, so creating the policy will be easy.

This section contains two procedures: one to create the Shopping Cart policy using the configuration utility, and one to create it using the NetScaler command line.

To create a policy to protect the shopping cart using the configuration utility

1. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Policies to display the Policies page.
2. In the lower left-hand corner of the data area, click the Add button to display the Create Application Firewall Policy dialog box, shown below.

[Figure: The Create Application Firewall Policy Dialog Box]
If you have not yet created a policy, or if you did not first select a policy in the data area of the Policies page, the Create Application Firewall Policy dialog box is blank. If you selected an existing policy, the Create Application Firewall Policy dialog box displays the information from that policy, including all expressions, so that you can modify it to create a new policy. You can use this to your advantage to minimize typing when you are creating a series of similar policies.

3. In the Policy Name* text box, type a name for your new policy. Since the system administrator is creating a policy to protect a shopping cart, he names it Shopping Cart.
4. Click the down arrow to the right of the Action list box, and click the name of the profile you want to associate with this policy. The system administrator picks the Shopping Cart profile.
5. Click the Add button to display the Add Expression dialog box, shown below, and construct an expression that describes the type of web connections you want this policy to match.

[Figure: The Add Expression Dialog Box]

The system administrator wants to create an expression that detects all requests to the shopping cart application. Fortunately, that application is hosted at its own subdomain, so he only needs to create an expression that detects requests sent to that subdomain.

Note: Like the Create Application Firewall Policy dialog box, the Expression Editor displays the information from the last expression you created, so that you can modify it to create a new expression.

A. If the Flow Type is not already set to REQ, click the down arrow beside the list box and set it to REQ.
B. If the Protocol is not already set to HTTP, click the down arrow beside the list box and set it to HTTP.
C. If the Qualifier is not already set to Header, click the down arrow beside the list box and set it to Header.
D. Click the down arrow beside the list box and set the Operator to CONTAINS, as shown below.

[Figure: The Add Expression Dialog Box, HEADER CONTAINS Operator]

E. In the Value* text box, type the hostname of the host where this application is located. The system administrator types shopping.example.com.
F. Type Host in the Header* text box, as shown below.

[Figure: The Add Expression Dialog Box, HEADER CONTAINS Operator with Text and Header Name]

G. Click the OK button to add the expression to the Expression list.
H. Click the Close button to close the Expression Editor and return to the Create Application Firewall Policy dialog box.

6. Click the Create button to create the policy. The system administrator creates the Shopping Cart policy, and it appears in the Profiles page list in the data area.
7. Click the Close button to close the Create Application Firewall Policy dialog box and return to the Profiles page.
The system administrator's new policy, Shopping Cart, now appears in the Profiles page, as shown below.

[Figure: The Application Firewall Policies Page, with Policies Defined]

8. Globally bind the Shopping Cart policy following the procedure in Chapter 3, Simple Configuration, To globally bind a policy using the configuration utility on page 80.

The system administrator globally binds the Shopping Cart policy, assigning it a priority of 1 to ensure that any connections to the shopping cart application are processed using the Shopping Cart policy and profile. When he is finished, the Policies page column labeled Globally bound? shows a check mark and yes, indicating that the Shopping Cart policy is globally bound, as shown below.
[Figure: The Application Firewall Policies Page, with Policies Globally Bound]

To create a policy to protect the shopping cart using the NetScaler command line

1. At the NetScaler command line, enter the following command to create the new policy.

> add appfw policy <name> <rule> <profile>

The system administrator makes the following substitutions:

For <name>, the system administrator substitutes Shopping Cart, to indicate that this policy detects SQL content.

Note: Names that contain embedded spaces must be enclosed in double quotes.

For <rule>, the system administrator substitutes the following PCRE-compatible regular expression:

"REQ.HTTP.HEADER URL CONTAINS shopping.example.com"

Note: All rules must be enclosed in double quotes.

This regular expression tells the Application Firewall to check all HTTP requests to see whether they include the host shopping.example.com.
These requests, and only these requests, are sent to the shopping cart and should be checked using the SQL profile.

For <profile>, the system administrator substitutes Shopping Cart, to indicate that this policy is associated with the Shopping Cart profile.

The actual command that the system administrator types is as follows:

> add appfw policy "Shopping Cart" "REQ.HTTP.HEADER URL CONTAINS shopping.example.com" "Shopping Cart"

Note: Although the preceding rule wraps onto two lines, you should type it on a single line in the NetScaler command line.

2. Enter the following command to save your configuration.

> save ns config

3. Enter the following command to confirm that your policy was correctly created.

> show appfw policy <name>

For <name>, the system administrator substitutes Shopping Cart. The policy is correct, so the system administrator proceeds to bind it globally.

4. Follow the procedure in Chapter 3, Simple Configuration, in the procedure To globally bind a policy using the NetScaler command line on page 82 to globally bind the new policy.

The system administrator globally binds the new policy, assigning it a priority of 1 to ensure that any connections to the shopping cart application are processed using the Shopping Cart policy and profile rather than another, less specific policy.

The system administrator has successfully created a policy to protect the shopping cart application's SQL database, and globally bound that policy with the appropriate priority. The Application Firewall is now filtering connections to the shopping cart application using the new policy and profile.

Protecting a Product Information Query Page

Example Manufacturing hosts a large amount of information about its products and solutions on its corporate web site. The web site uses JavaScript in web forms that allow users to access brochures, technical specifications, and white papers about a variety of products and on a variety of subjects.
These white papers are provided only to customers or prospective customers who request them and provide their names and addresses.
The web forms do not have access to the main customer database, but write the names and addresses of customers that request white papers to an auxiliary file on the shopping.example.com server for later processing. The JavaScripts on these web forms violate the same origin rule, which normally does not allow scripts to access or modify content on any server but their own. (This security vulnerability is called cross-site scripting.) An attacker could therefore potentially use a JavaScript on the Example Manufacturing web site to obtain a copy of the white paper requests file or other content on the web server that should not be available to users.

Example Manufacturing wants to protect its web site without rewriting all of its web forms and scripts. The system administrator therefore needs to create a more specific profile to protect these JavaScript-enhanced forms, with appropriate relaxations and settings for the Cross-Site Scripting check, and an associated policy that can detect connections to the web forms and apply the correct profile when filtering those connections.

Creating and Configuring a Product Query Profile

To protect the JavaScript-enhanced forms on the example.com web site, the system administrator must first create a profile that tells the Application Firewall how to protect this type of content. He specifically wants to protect these web forms from cross-site scripting attacks while allowing them to function as they were designed to function.

The system administrator will create this profile using Advanced defaults instead of Basic defaults. He will therefore need to perform configuration on a number of other checks to prevent the Application Firewall from blocking legitimate traffic. The procedures below describe how he can do this using either the configuration utility or the NetScaler command line.

To create a profile to protect product query pages using the configuration utility

1. Log on to the configuration utility using either the Java client or the Web Start client. For instructions on doing this, see To log on to the configuration utility on page
2. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Profiles to display the Profiles page.
3. Add a profile as described in Chapter 3, Simple Configuration, To create and configure a profile using the configuration utility on page 69, but click the Advanced radio button to choose Advanced defaults.
The system administrator names the new profile Product Query so that he and others will know which type of web content it is intended to protect, as shown below.

[Figure: The Create Application Firewall Profile Dialog Box]

After he adds the profile, the profile's name appears in the profiles list in the data area of the Profiles page.

4. In the profiles list, click the name of your new profile once, to highlight it.
5. Click the Open button to display the Configure Application Firewall Profile dialog box.
6. Click the Checks tab to display it. In the Checks tab you configure the checks that the Application Firewall uses to protect your web sites. The system administrator needs to configure several checks for this profile.
7. Configure the Start URL check.
A. In the Security Checks list, click Start URL once to highlight it.
B. Click the Modify button to display the Modify Start URL Check dialog box.
C. Uncheck the Block, Learn, Log, Statistics and Enforce URL Closure check boxes, as shown below.

[Figure: Modify Start URL Dialog Box, General Tab, Disabled]

The system administrator wants to disable the Start URL check entirely because this profile will be applied only to specific, known URLs that the system administrator will list explicitly in the Scripts policy. Requests to any other URLs will be processed using another profile.

D. Click the OK button to save your changes. The Modify Start URL Check dialog box closes, and a message box appears, notifying you that your changes have been successfully saved.
E. Click the OK button to close the message box and return to the Configure Application Firewall Profile dialog box.

8. Configure the Cookie Consistency check.
A. In the Security Checks list, click Cookie Consistency once to highlight it.
B. Click the Modify button to display the Modify Cookie Consistency Check dialog box.
C. Uncheck the Block check box, as shown below.

[Figure: Modify Cookie Consistency Check Dialog Box, with Blocking Disabled]

With the Cookie Consistency rule, the system administrator wants to disable blocking at first, to prevent legitimate cookies from being blocked. After the learning feature has generated a list of cookie relaxations and he has reviewed and applied them, he can re-enable blocking for this check.

D. Click the OK button to save your changes. The Cookie Consistency Check dialog box closes, and a message box appears, notifying you that your changes have been successfully saved.
E. Click the OK button to close the message box and return to the Configure Application Firewall Profile dialog box.

9. Configure the Form Field Consistency check by following the same procedure described in step 8.
With the Form Field Consistency rule, the system administrator wants to disable blocking at first to prevent legitimate form field data from being blocked. After the learning feature has generated a list of form field relaxations and he has reviewed and applied them, he can re-enable blocking for this check.

10. Configure the Cross-Site Scripting check.
A. In the Security Checks list, click Cross-Site Scripting once to highlight it.
B. Click the Modify button to display the Modify Cross-Site Scripting Check dialog box, shown below.

[Figure: The Modify Cross-Site Scripting Check Dialog Box, General Tab]

C. In the Check Actions area, uncheck the Block check box. Since the Learning check box is checked, learning mode is enabled for this rule. The system administrator does not want to risk blocking legitimate requests until learning has generated an appropriate list of relaxations to the Cross-Site Scripting rule.
Since no URLs except those explicitly listed in the JavaScript profile will be checked using this profile, no JavaScripts except those that the system administrator has checked and approved will be checked using this profile.

Note: The Cross-Site Scripting check has an additional setting that can be used to protect against cross-site scripting errors. If the system administrator had checked the check box labeled Transform cross-site scripts, that would have told the Application Firewall to render any unsafe scripts harmless, and then allow the connection to proceed. This would break the specific URLs that the system administrator wants to protect, however, because it would modify the JavaScripts that the web pages at these URLs contain, rendering them non-functional.

D. Click the OK button to save your changes, and when prompted, click the OK button to confirm your choices. The Cross-Site Scripting Check dialog box closes, and you return to the Configure Application Firewall Profile dialog box.

11. Click the Settings tab to display it, as shown below.

[Figure: The Configure Application Firewall Profile Dialog Box, Settings Tab]
12. In the text box, modify the Error Page to the appropriate URL.

The default value of forward slash (/) tells the Application Firewall to redirect blocked requests to the web site home page. For other pages on the example.com web site, this is the correct behavior, but the web site uses a special error page for blocked requests to this particular URL. After ensuring that the special error page exists and is displayed in the web browser when opened directly, the system administrator modifies the Error Page as follows to redirect these requests to the appropriate URL:

/requesterror.html

This setting will redirect all blocked requests to the web pages in question to that error page.

13. Click the OK button to save your changes. The Configure Application Firewall Profile dialog box closes, and you return to the Profiles page.

To create a profile to protect product query pages using the NetScaler command line

1. Run the SSH client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions on doing this, see To log onto the NetScaler command line via SSH on page
2. Enter the following command to create the profile.

> add appfw profile "Product Query" -defaults advanced

The system administrator creates a profile named Product Query, to make clear to himself and anyone else who might configure the Application Firewall what type of web content this profile is designed to protect. He uses the -defaults advanced parameter to tell the Application Firewall to create this profile with advanced defaults. Advanced defaults provide protection that is more closely tailored to the web site or web content that they protect, but they also require more input from the system administrator responsible for the appliance. For more information about defaults, see Chapter 4, Profiles, on page

3. Enter the following command to configure the Start URL check properly for the Scripts profile.
> set appfw profile "Product Query"
      -starturlaction NONE
      -starturlclosure OFF
Note: For readability, this command and others are formatted with each parameter on a separate line, and aligned under one another. When you enter the command at the NetScaler command line, you should type it all on a single line, with parameters separated by a single space.

The system administrator wants to disable the Start URL check because the Scripts profile will be applied only to specific, known URLs. Requests to any other URLs will be processed using a different profile. It is therefore easiest not to use the Start URL rule in this profile. The -starturlaction NONE parameter disables the Start URL rule. The -starturlclosure OFF parameter turns off URL closure.

4. Enter the following command to configure the Cookie Consistency and Form Field Consistency checks properly for the Scripts profile.

> set appfw profile "Product Query"
      -cookieconsistencyaction LEARN LOG STATS
      -fieldconsistencyaction LEARN LOG STATS

The system administrator wants to disable blocking for the Cookie Consistency and Form Field Consistency checks. That allows the learning feature to generate a list of exceptions to these checks while not blocking legitimate connections that might violate the checks. The -cookieconsistencyaction LEARN LOG STATS parameter turns off blocking for the Cookie Consistency check, and the -fieldconsistencyaction LEARN LOG STATS parameter turns off blocking for the Form Field Consistency check, without disabling learning, logging, or statistics.

5. Enter the following command to configure the Cross-Site Scripting check properly for the Scripts profile.

> set appfw profile "Product Query"
      -crosssitescriptingaction LEARN LOG STATS

The system administrator wants to disable blocking for the Cross-Site Scripting check. That allows the learning feature to generate a list of exceptions to this check while not blocking legitimate connections that might violate the check.
The -crosssitescriptingaction LEARN LOG STATS parameter turns off blocking for the Cross-Site Scripting check without disabling learning, logging, or statistics.

Only specific and explicitly listed URLs will be checked using this profile. Since blocking is on for the Start URL check in the generic profile that is used to filter any other URLs containing JavaScript, no scripted web form content except for the URLs that the system administrator specifically includes in the Scripts policy will be exempted from the Cross-Site Scripting check. This allows the system administrator to check and approve any JavaScripts that violate the same origin rule before users can access the web pages on which those scripts appear.

Note: The Cross-Site Scripting check has an additional parameter that can be used to protect against cross-site scripting errors: the -crosssitescriptingtransformunsafehtml ON parameter. This parameter tells the Application Firewall to render any unsafe scripts harmless, and then allow the connection to proceed. This parameter, however, would break the specific URLs that the system administrator wants to protect because it would modify the scripts that the URLs contain, rendering them non-functional.

6. Enter the following command to set the Error Page.

> set appfw profile "Product Query" -errorurl "/requesterror\.html"

The default Error Page value of forward slash (/) tells the Application Firewall to redirect blocked requests to the web site home page. For other pages on the example.com web site, this is the correct behavior, but the web site uses a special error page for blocked requests to this particular URL, so the system administrator sets it explicitly here.

7. Enter the following command to save your configuration.

> save ns config

8. Enter the following command to confirm that your profile was correctly created.

> show appfw profile "Product Query"

Before he continues, the system administrator views and checks the profile settings to ensure that they are correct. If the name is not correct, he removes the profile, as shown below, and recreates it.

> rm appfw profile "Product Query"

If any of the settings is not correct, he repeats the set appfw profile command with the appropriate settings to fix the problem.

The system administrator has successfully created a profile to protect the JavaScript-enhanced forms on the Example web site. He must now create a policy to determine when to apply that profile.
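The transform options just described (SQL special-character transformation and the cross-site scripting transform) share one idea with the Credit Card check's X-Out feature configured for the Shopping Cart profile earlier in this chapter: neutralize the sensitive or unsafe content and let the connection through rather than block it. The Python script below is an added illustration of what X-Out does to a response body; it is not the Application Firewall's own implementation. It assumes the public card-numbering conventions for the three brands the Shopping Cart profile protects (Visa: leading 4, 13 or 16 digits; MasterCard: leading 51 to 55, 16 digits; American Express: leading 34 or 37, 15 digits), validates each candidate with the Luhn checksum so that other long numbers on an order confirmation page are left untouched, and runs on a constructed HTML response that uses well-known test card numbers.

```python
import re
from typing import Iterable, List, Tuple

# Brand rules assumed for this example (public card-numbering conventions):
# a leading-digit pattern and the set of valid lengths.
CARD_RULES = {
    "Visa": (re.compile(r"4"), {13, 16}),
    "MasterCard": (re.compile(r"5[1-5]"), {16}),
    "Amex": (re.compile(r"3[47]"), {15}),
}

# A run of 13 to 16 digits, optionally separated by single spaces or hyphens,
# that is not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Return the brand of a digit string, or None if it is not a card number."""
    for brand, (prefix, lengths) in CARD_RULES.items():
        if prefix.match(digits) and len(digits) in lengths and luhn_ok(digits):
            return brand
    return None


def xout_cards(body: str,
               protected: Iterable[str] = ("Visa", "MasterCard", "Amex")) -> Tuple[str, List[str]]:
    """Mask every protected-brand card number in `body` by replacing its digits
    with 'x'. Separators and all other text are kept, so the page layout does
    not change. Returns the masked body and the brands found, in order."""
    protected = set(protected)
    found: List[str] = []

    def mask(match: "re.Match") -> str:
        raw = match.group(0)
        brand = card_brand(re.sub(r"[ -]", "", raw))
        if brand is None or brand not in protected:
            return raw                      # not a card, or brand not protected
        found.append(brand)
        return re.sub(r"\d", "x", raw)

    return CANDIDATE.sub(mask, body), found


# Constructed order-confirmation page using well-known test card numbers.
SAMPLE_RESPONSE = """<html><body>
<h1>Thank you for your order #20391</h1>
<p>Visa 4111 1111 1111 1111 charged 59.00</p>
<p>Backup card 5555555555554444 on file</p>
<p>Corporate Amex 3782-822463-10005</p>
<p>Customer reference 9999 9999 9999 9999 (not a card number)</p>
<p>Tracking 123456789012</p>
</body></html>"""

if __name__ == "__main__":
    masked, brands = xout_cards(SAMPLE_RESPONSE)
    print(masked)
    print("masked brands:", brands)
```

Running the script prints the confirmation page with the three card numbers replaced by runs of x while the customer reference and tracking number survive; passing protected=("Visa",) shows the effect of the -creditcard parameter, since the MasterCard and Amex numbers are then left visible.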
Creating and Configuring a Product Query Policy

To protect the product query web forms on the example.com web site, the system administrator must now create a policy that tells the Application Firewall how to determine which requests are sent to these web forms. Unlike the shopping cart application, these web forms are not all located in a specific subdomain or named using a specific naming convention, so the system administrator decides to list the relevant URLs explicitly in the policy to guarantee that this policy and profile will be applied only to those URLs.

This section contains two procedures: one to create the JavaScript policy using the configuration utility, and one to create it using the NetScaler command line.

To create a policy to protect product query pages using the configuration utility

1. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Policies to display the Policies page.
2. In the lower left-hand corner of the data area, click the Add button to display the Create Application Firewall Policy dialog box. If you have not yet created a policy, or if you did not first select a policy in the data area of the Policies page, the Create Application Firewall Policy dialog box is blank. If you selected an existing policy, the Create Application Firewall Policy dialog box displays the information from that policy, including all expressions, so that you can modify it to create a new policy. You can use this to your advantage to minimize typing when you are creating a series of similar policies.
3. In the Policy Name text box, type a name for your new policy. Since the system administrator is creating a policy to protect product query search URLs, he names it Product Query.
4. Click the down arrow to the right of the Action list box, and click the name of the profile you want to associate with this policy. The system administrator picks the Product Query profile.
5. Click the Add button to display the Add Expression dialog box, and construct an expression that describes the type of web connections you want this policy to match.

The system administrator wants to create an expression that detects requests to the product query web pages. Unfortunately, those web pages are not hosted on a separate subdomain, nor do they follow a predictable naming convention. The system administrator wants to be sure that any cross-site scripts except those on the specified, approved web pages are blocked. So he decides to list each URL containing a product query web form separately in the policy.
This means that the Product Query policy will detect only the approved URLs, and will therefore apply the Product Query profile with its associated relaxations only to approved URLs.

Note: Like the Create Application Firewall Policy dialog box, the Add Expression dialog box displays the information from the last expression you created, so that you can modify it to create a new expression.

A. If the Flow Type is not already set to REQ, click the down arrow beside the list box and set it to REQ.
B. If the Protocol is not already set to HTTP, click the down arrow beside the list box and set it to HTTP.
C. If the Qualifier is not already set to Header, click the down arrow beside the list box and set it to Header.
D. Click the down arrow beside the list box and set the Operator to ==. The == symbol requires an exact bitwise match.
E. Type URL in the Header* text box.
F. In the Value* text box, type the URL you want to protect. The system administrator types the following URL.
G. Repeat step F to add additional URLs to the list. The system administrator adds the following URLs, one after the other:

All of these URLs write user information to a file on the shopping.example.com server, although all are hosted on the server. All therefore violate the Cross-Site Scripting check, and need an explicit relaxation of that check to prevent their being blocked.

H. Click the OK button to add the expression to the Expression list.
I. Click the Close button to close the Add Expression dialog box and return to the Create Application Firewall Policy dialog box. The Create Application Firewall dialog box now contains four expressions.

6. Click the Create button to create the policy.
The system administrator creates the Product Query policy.

7. Click the Close button to close the Create Application Firewall Policy dialog box and return to the Policies page.
8. Globally bind the Product Query policy following the procedure in Chapter 3, Simple Configuration, To globally bind a policy using the configuration utility on page 80.

The system administrator globally binds the Product Query policy, assigning it a priority of 2 to ensure that any connections to the specified URLs are processed using the Product Query policy and profile.

To create a policy to protect product query pages using the NetScaler command line

1. At the NetScaler command line, enter the following command to create the new policy.

> add appfw policy <name> <rule> <profile>

The system administrator makes the following substitutions:

For <name>, the system administrator substitutes "Product Query", to show which URLs this policy should be applied to.

For <rule>, the system administrator substitutes the following four PCRE-compatible regular expressions, separated by the OR (||) operator:

"^ "^ "^ "^

Note: All rules must be enclosed in double quotes.

These regular expressions tell the Application Firewall to check all HTTP requests to see whether the URL contents are exactly the same as any of the strings in the regular expression.

For <profile>, the system administrator substitutes Product Query, to indicate that this policy is associated with the Product Query profile.

The system administrator wants to create an expression that detects requests to the product query web pages. Unfortunately, those web pages are not hosted on a separate subdomain, nor do they follow a predictable naming convention. The system administrator wants to be sure that any cross-site scripts except those on the specified, approved web pages are blocked. So he decides to list each URL containing an approved product query web form separately in the policy. This means that the Scripts policy will detect only the approved URLs, and will therefore apply the Scripts profile with its associated relaxations only to the approved URLs.

The actual command that the system administrator types is as follows:

> add appfw policy "Product Query" "REQ.HTTP.HEADER URL == ^ REQ.HTTP.HEADER URL == ^ quoterequest\.jhtml$ REQ.HTTP.HEADER URL == ^ www\.example\.com/solutions/whitepaper\.jhtml$ REQ.HTTP.HEADER URL == ^ docreq\.jhtml" "Product Query"

Note: Although the preceding command wraps onto multiple lines, you should type it on a single line in the NetScaler command line.

2. Enter the following command to save your configuration.

> save ns config

3. Enter the following command to confirm that your policy was correctly created.

> show appfw policy "Product Query"

The policy is correct, so the system administrator proceeds to bind it globally.

4. Follow the procedure in Chapter 3, Simple Configuration, in the procedure To globally bind a policy using the NetScaler command line on page 82 to globally bind the new policy.

The system administrator globally binds the new policy, assigning it a priority of 2 to ensure that any connections to web pages containing the specified product query web forms are processed using the Product Query policy and profile.

The system administrator has successfully created a policy to protect the product query web forms on the company web site, and globally bound that policy with the appropriate priority. The Application Firewall is now filtering connections to these URLs using the new policy and profile.
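Both policies created in this chapter are globally bound, Shopping Cart at priority 1 and Product Query at priority 2, and the text notes that the lower priority number takes precedence over a less specific policy. The Python script below is an added simulation of that evaluation order for the two policies; it is not the appliance's policy engine. It parses the subset of classic expression syntax this chapter uses (REQ.HTTP.HEADER <name> CONTAINS <text>, REQ.HTTP.HEADER <name> == <anchored regex>, terms joined by ||) and returns the profile of the first matching policy in priority order, falling back to a default profile. Its assumptions: the URL pseudo-header holds the absolute request URL, which is what the chapter's anchored ^...$ patterns containing the host name imply; == with an anchored value is treated as a regular-expression match; the Shopping Cart rule is the Host header form from the configuration-utility procedure; and the Product Query URL patterns and the default profile name are constructed placeholders rather than values from the guide.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request is modelled as its headers plus a pseudo-header "URL" that carries
# the absolute request URL (an assumption of this simulation).
Request = Dict[str, str]
Matcher = Callable[[Request], bool]

# One classic-expression term: REQ.HTTP.HEADER <name> <CONTAINS|==> <value>
TERM = re.compile(r"REQ\.HTTP\.HEADER\s+(\S+)\s+(CONTAINS|==)\s+(.+)")


def compile_term(term: str) -> Matcher:
    """Compile a single term into a predicate over a request."""
    m = TERM.fullmatch(term.strip())
    if not m:
        raise ValueError(f"unsupported rule term: {term!r}")
    name, op, value = m.groups()
    if op == "CONTAINS":
        return lambda req: value in req.get(name, "")
    pattern = re.compile(value)   # "==" with ^...$ anchors: the whole field must match
    return lambda req: pattern.search(req.get(name, "")) is not None


def compile_rule(rule: str) -> Matcher:
    """A rule is one or more terms joined by the OR (||) operator."""
    matchers = [compile_term(t) for t in rule.split("||")]
    return lambda req: any(match(req) for match in matchers)


@dataclass(order=True)
class BoundPolicy:
    priority: int      # lower number is evaluated first
    name: str
    rule: str
    profile: str


def select_profile(policies: List[BoundPolicy], req: Request, default_profile: str) -> str:
    """Evaluate globally bound policies in priority order; the first match wins.
    If no policy matches, the default profile applies."""
    for policy in sorted(policies):
        if compile_rule(policy.rule)(req):
            return policy.profile
    return default_profile


# The chapter's two policies. The Product Query URL patterns are constructed
# placeholders for this example, not the URLs listed in the guide.
POLICIES = [
    BoundPolicy(2, "Product Query",
                r"REQ.HTTP.HEADER URL == ^http://www\.example\.com/solutions/whitepaper\.jhtml$ || "
                r"REQ.HTTP.HEADER URL == ^http://www\.example\.com/EXAMPLE-PATH/quoterequest\.jhtml$",
                "Product Query"),
    BoundPolicy(1, "Shopping Cart",
                "REQ.HTTP.HEADER Host CONTAINS shopping.example.com",
                "Shopping Cart"),
]

DEFAULT_PROFILE = "EXAMPLE_DEFAULT_PROFILE"   # constructed name for the catch-all profile


def classify(host: str, path: str) -> str:
    """Build a request for host and path and return the profile that would filter it."""
    req = {"Host": host, "URL": f"http://{host}{path}"}
    return select_profile(POLICIES, req, DEFAULT_PROFILE)


if __name__ == "__main__":
    for host, path in [("shopping.example.com", "/cart/checkout"),
                       ("www.example.com", "/solutions/whitepaper.jhtml"),
                       ("www.example.com", "/solutions/whitepaper.jhtml.bak"),
                       ("www.example.com", "/index.html")]:
        print(f"{host}{path:36} -> {classify(host, path)}")
```

The exact-match rules only fire for the listed URLs, so a request for a similarly named file falls through to the default profile, which is the behaviour the system administrator relies on to keep the Product Query relaxations from applying anywhere else.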
Managing Learning

The example.com system administrator responsible for managing the company's Citrix NetScaler appliance has just created two specific Application Firewall profiles with advanced defaults to protect special content on the Example web sites. Unlike profiles created with basic defaults, profiles created with advanced defaults use the learning feature. This feature generates an appropriate set of security check relaxations for protected web sites (learned relaxations), but someone must review those relaxations and approve them before the Application Firewall can use them. This subsection describes how the system administrator can review and implement learned relaxations.

To review learned relaxations using the configuration utility

1. Log on to the configuration utility using either the Applet client or the Web Start client. For instructions on doing this, see To log on to the configuration utility.

2. In the Menu tree, expand the Application Firewall entry to display the choices in that category, and click Profiles to display the Profiles page.

3. In the profiles list, click the name of the profile you want to review for new learned rules once, to highlight it.

The system administrator clicks the SQL profile.

4. Click the Open button to display the Configure Application Firewall Profile dialog box.

5. Click the Learning tab to display it, as shown below.
Figure: The Configure Application Firewall Profile Dialog Box, Learning Tab

In the Security Checks list at the top of the tab, the Start URL check is highlighted by default.

6. Click the Manage Rules button to open the Manage Start URL Learned Rules dialog box, shown below.
Figure: The Manage Start URL Learned Rules Dialog Box, Simple Tab

The Simple tab is displayed by default. It shows a list of literal URLs that the learning feature has observed users accessing directly.

7. Click the Generalized tab to display it, as shown below.
Figure: The Manage Start URL Learned Rules Dialog Box, Generalized Tab

The Generalized tab shows a list of PCRE-format regular expressions covering the same URLs. Normally you need fewer regular expressions than literal URLs to provide an appropriate list of relaxations for the Start URL check. Because a generalized expression necessarily matches more URLs than the literal list it replaces, review each one to confirm that it does not also match content that users should not be able to reach directly.

The system administrator wants to create as non-restrictive a set of Start URL relaxations as is consistent with proper web site security, and prefers a few regular expressions to many literal start URLs, so he uses the Generalized tab to review Start URL learned rules. He is happy with the default setting for the # expressions (number of regular expressions) field, and leaves it unchanged. If he were to modify it, he would click the Generalize button afterward to regenerate the list of Start URL relaxations.

8. Click the first regular expression on the list once, to highlight it.

9. Review the regular expression, and choose how to dispose of it.

You can accept it with edits by clicking the Edit & Deploy button. If you do, the Edit Regular Expression dialog box appears with that regular expression loaded in it. You edit the regular expression, then click the OK button to save your changes and deploy the modified learned rule.
You should choose this option when a rule is almost correct, but you want to modify it to allow for a few additional URLs or to cover a slightly smaller number of URLs.

You can accept it as is by clicking the Deploy button. If you do, the learned rule is deployed exactly as it was created by the learning feature. You should choose this option when a rule is exactly as you want it.

The system administrator approves of the regular expression as it was generated by learning, so he clicks the Deploy button.

10. Repeat step 9 for each learned rule on the list.

11. Click the Close button to close the Manage Start URL Learned Rules dialog box, and return to the Configure Application Firewall Profile dialog box.

12. Click the entry for each remaining security check that you are using in this profile, and repeat step 6 through step 11 to review learned relaxations for that check.

The system administrator reviews learned relaxations for the Cookie, Form Field, and SQL Injection checks.

13. Click the Close button to close the Configure Application Firewall Profile dialog box and return to the Profiles page.

14. Click the entry for each remaining profile that has learning enabled, and repeat step 4 through step 13 to review the learned relaxations for that profile.

The system administrator clicks the Javascript profile, and reviews recommendations for the Start URL, Cookie, Form Field, and Cross-Site Scripting checks.

The system administrator reviews learned relaxations once a day for the next two weeks. At the end of that period, or at whatever point he is confident that the Application Firewall is properly configured not to block legitimate activity for a particular security check, he re-enables blocking for that security check. After he has re-enabled blocking for all security checks, the example.com system administrator has successfully configured the Application Firewall to protect the example.com web sites.
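The Simple and Generalized tabs described in the procedure above present the same observed traffic in two forms: one literal rule per URL, or a smaller set of regular expressions that cover them. The Python below is an added example, not the appliance's learning code or the guide's own material, that models that step: it takes a constructed sample of observed Start URLs, produces both rule lists, generalizes by collapsing all-digit path segments into [0-9]+ (a deliberately simple heuristic, assumed here), and checks the property a reviewer wants before clicking Deploy, namely that every observed URL is still accepted while unrelated paths are not.

```python
import re

# Constructed sample of Start URLs a learning run might observe users
# requesting directly (not data from the guide).
OBSERVED_URLS = [
    "http://www.example.com/",
    "http://www.example.com/products/index.html",
    "http://www.example.com/products/1001/detail.html",
    "http://www.example.com/products/1002/detail.html",
    "http://www.example.com/products/1003/detail.html",
    "http://www.example.com/news/2009/03/release.html",
    "http://www.example.com/news/2009/04/release.html",
]


def simple_rules(urls):
    """The Simple tab: one literal, fully anchored rule per distinct URL."""
    return sorted("^" + re.escape(u) + "$" for u in set(urls))


def generalize_url(url):
    """Collapse each all-digit path segment into [0-9]+ and escape the
    rest. Simple heuristic for illustration, not the appliance's algorithm."""
    segments = url.split("/")
    out = ["[0-9]+" if seg.isdigit() else re.escape(seg) for seg in segments]
    return "^" + "/".join(out) + "$"


def generalized_rules(urls):
    """The Generalized tab: fewer expressions covering the same URLs."""
    return sorted(set(generalize_url(u) for u in urls))


def matches_any(rules, url):
    return any(re.search(r, url) for r in rules)


def covers(rules, urls):
    """True when every observed URL is still accepted by the rule set."""
    return all(matches_any(rules, u) for u in urls)


def review(rules, decide):
    """Model the reviewer's choice per rule: `decide` returns None to skip
    a rule, the rule itself to Deploy it, or an edited rule (Edit & Deploy)."""
    deployed = []
    for r in rules:
        decision = decide(r)
        if decision is not None:
            deployed.append(decision)
    return deployed


if __name__ == "__main__":
    lit, gen = simple_rules(OBSERVED_URLS), generalized_rules(OBSERVED_URLS)
    print(len(lit), "literal rules;", len(gen), "generalized rules")
    for r in gen:
        print(" ", r)
    print("covers observed:", covers(gen, OBSERVED_URLS))
    print("admin reachable:", matches_any(gen, "http://www.example.com/admin/index.html"))
```

The seven literal URLs reduce to four expressions; the reviewer's job in step 9 is exactly the last two checks in main: the generalized set must still cover what was observed, and must not have grown to admit paths that were never seen.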
Glossary

This chapter contains a glossary of terms used in the Citrix Application Firewall documentation. These terms apply to the Application Firewall itself, to the Citrix NetScaler Application Delivery product line, and to other related subjects.

A

Access Gateway. An appliance built on the Citrix NetScaler Application Accelerator platform that provides secure access to private networks, such as company LANs, using SSL VPN and IPSEC.

Alarm. An SNMP notification sent to a designated person or server in response to certain system and firewall events. Note: In previous versions of the Application Firewall, the term alert notification was used for an alarm. The two terms mean almost the same thing.

Alert. A system or firewall event that the Application Firewall or underlying NetScaler OS is configured to take notice of and log. You can configure the Application Firewall to generate an alert when a request or response violates a security check.

Application Accelerator. An appliance that provides secure remote access and application protection for a small to medium-sized business. The entry-level appliance in the Citrix NetScaler Application Delivery product line.

NetScaler appliance. An appliance that provides secure remote access and application protection for larger businesses. The mid-level and enterprise-level appliances in the Citrix NetScaler Application Delivery product line.

B

Binding. An assigned relationship between a policy and a profile. A policy must be bound to a profile to put that policy into effect. A profile must be bound to at least one policy to put that profile into effect.
Bot. A program installed illicitly on a server after security on the server is breached by a hacker or malware. Most bots grant an outside user substantial or complete control over the server. Servers that are running a bot are usually used by spammers to provide support for direct sending of spam e-mail, hosting of spammed web site content, proxy support to mask the actual origin of spam or the actual location of a spammed web site, and DNS support for other compromised servers. Frequently the only way to secure a server after bot infestation is to reformat its hard disk and reinstall the operating system from original media. Even then, if the hacker or malware that installed the bot gained access through a security vulnerability in the operating system or web server software, the server is vulnerable to reinfection unless the security problem is fixed.

Botmaster. The individual who controls a server that has had its security breached and is running a bot. This individual may or may not be the hacker or malware author responsible for breaching the server's security and installing the bot in the first place.

Breach. An event that occurs when the Application Firewall detects a Stop Word, fails to find a Go Word, or detects a violation of the SAFE Access, SAFE Commerce, SAFE Content, SAFE Identity, or SAFE Object rules.

Breach attempt. An event that occurs when the Application Firewall detects and stops a Start URL violation, Cookie Consistency check violation, Form Field violation, Operation Access violation, violation of the Buffer Overflow Detection rules, Input Validation violation, or violation of the SAFE SQL or SAFE XSS rules.

Buffer overflow. A software security vulnerability in which more data is written to a fixed-size memory buffer than it can hold, so that the excess overwrites adjacent memory. Depending on what is overwritten, the web server may crash, behave unpredictably, or execute attacker-supplied code. Buffer overflows are behind a number of known security issues with web server software.

Buffer Overflow check. A filter that checks for requests containing inappropriately long URLs, cookies, or other data that might be an attempt to cause a buffer overflow, and blocks those requests.

C

CGI. Common Gateway Interface. A protocol for interfacing scripts and programs with a web server. CGI scripts are a common source of security problems with web sites.

Check. A filter that examines web server requests or responses for particular types of behavior that might signal an attack on web site security, and takes appropriate action.

Child pornography. Pornography that uses or depicts children in unambiguous sexual situations. Local laws define exactly what constitutes child pornography in a particular jurisdiction. It is illegal in all jurisdictions. Because child pornographers are aggressively pursued by international law enforcement agencies, web sites and other Internet-based distribution of child pornography make heavy use of compromised web servers.

CLI. Command line interface. The character-based interface to the Application Accelerator or NetScaler appliance. The NetScaler operating system is built on the FreeBSD platform, and the CLI is built upon the FreeBSD Unix bash shell.

Compromised web server. A web server whose security has been breached, usually by a hacker or malware. Most compromised web servers run a bot and are controlled by a botmaster. Compromised web servers may leak confidential private data to unauthorized persons, contain unauthorized content, provide unauthorized Internet services, or any combination of these things.

Configuration utility. The web-based graphical user interface (GUI) used to configure the Application Accelerator and NetScaler appliance.

Control interface. The ethernet port used to access the configuration utility and configure the Application Firewall.

Control IP. The IP address of the Application Firewall control interface, used by system administrators to access the Application Firewall via SSH to perform configuration or management tasks.
Cookie. A piece of data a web server sends to a web browser, to be stored in memory or on the local computer's hard disk, and sent back to the web server with every request to that web application. Web servers use cookies to track user sessions, identify users who have previously visited the site, store user information for registered users, and for many other purposes. Because the cookie is held by the client, a hacker can modify it before it is sent back, and a web server that trusts cookie contents without verifying them can be breached this way.

Cookie Consistency check. The Application Firewall filter that checks incoming cookies to ensure that users have not modified them.

CP web site. A web site that hosts child pornography. Most CP web sites are hosted on compromised web servers.

Credit Card check. A filter that checks web server responses to ensure that credit card numbers are not sent to users unless they should be. You define which types of credit card information the Application Firewall should check for, and tell the Application Firewall whether to x-out any credit card numbers it finds, delete them from the response, or block the response outright.

Cross-site scripting. An attack in which a script supplied by an attacker is injected into a page served by your web site, so that a user's browser runs it with the privileges of your site. This bypasses the same origin policy, the browser security measure that prohibits a script from one web site from obtaining properties from or setting properties for any content on a different web site. Since the scripts on your web site can access data and modify content on your web site, it is unsafe to allow a non-local script to receive information from or modify the content on your web site.

Cross-Site Scripting check. A filter that checks requests for injected scripts that could be reflected into a response, and either renders them harmless or blocks the request.

D

DDOS. Distributed Denial of Service. Using many different computers, usually compromised servers, to send a coordinated flood of connection requests to a server in order to overwhelm its capacity and deny other users access to it. One type of DOS attack.

Deep linking. Accessing a web site by going directly to a URL that is normally reachable only through a few layers of navigation. By default, the Application Firewall prevents users from deep linking, requiring that user connections be to designated start URLs or via normal navigation of the web site.

Deny URL. A URL on your web site that no user should ever access directly. For example, most CGI scripts should never be accessed directly, but only by a web page on your web site. Attempts to access CGI scripts and certain other content directly may represent an attempt to breach security on your web site.

Deny URL check. A filter that checks whether a URL is on the list of URLs that users should never access directly. You list these URLs when configuring your Application Firewall. The Application Firewall then checks incoming requests, and blocks any request that attempts to access a resource on its list of deny URLs.

Dialog box. A small, standalone window in the configuration utility that asks the user a question or prompts the user to fill in certain information. Most configuration tasks in the configuration utility are performed via dialog boxes of various types.

DOS. Denial of Service. Opening a large number of connections to a server on a network to try to overwhelm the server's capacity, causing it to stop accepting connections and denying other users access to it.

E

Error page. The web page to which the Application Firewall redirects a user when the Application Firewall blocks illegal or suspicious activity. By default, this is the domain home page.
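The Credit Card check entry above names three actions (x-out, remove, block) but not how candidate numbers are told apart from other digit runs in a response. The Python below is an added example, not the appliance's implementation or text from the guide, of a response-side scan that does this: it finds 13 to 19 digit runs with optional spaces or hyphens, keeps only those that pass the Luhn checksum and belong to a selected issuer (prefix table assumed here for Visa, MasterCard and American Express), and then applies the chosen action. The sample response body is constructed; the card numbers in it are the standard published test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed issuer prefix table for the example.
ISSUER_PREFIXES = {
    "Visa": re.compile(r"^4"),
    "MasterCard": re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"),
    "American Express": re.compile(r"^3[47]"),
}


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits):
    for name, rx in ISSUER_PREFIXES.items():
        if rx.match(digits):
            return name
    return None


def find_cards(body, issuers):
    """Return [(matched_text, issuer)] for Luhn-valid numbers of the
    selected issuers; everything else is left alone."""
    found = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            name = issuer(digits)
            if name in issuers:
                found.append((m.group(0), name))
    return found


def xout(text):
    """Replace all but the last four digits with X, keeping separators."""
    total = sum(ch.isdigit() for ch in text)
    seen, out = 0, []
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def apply_check(body, issuers, action="xout"):
    """Return (new_body, hits). action is 'xout', 'remove' or 'block';
    'block' returns None as the body so the response is not sent."""
    hits = find_cards(body, issuers)
    if not hits:
        return body, hits
    if action == "block":
        return None, hits
    new_body = body
    for text, _ in hits:
        new_body = new_body.replace(text, "" if action == "remove" else xout(text))
    return new_body, hits


if __name__ == "__main__":
    # Constructed response body using published test card numbers.
    body = ("Order 42 for card 4111 1111 1111 1111 shipped; "
            "ref 1234567812345678; amex 378282246310005.")
    print(apply_check(body, {"Visa", "American Express"}, "xout"))
```

The 16-digit order reference fails Luhn and is left intact, which is the point of validating before masking: a scan that x-outs every long digit run will also corrupt invoice numbers and tracking codes in legitimate responses.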
F

False positive. Blocking of a legitimate request or response. False positives are rare with profiles created with Basic defaults. If you create more specialized profiles using Advanced defaults, you must configure those profiles carefully. It is highly advisable to disable blocking for those profiles until you have configured them manually and allowed learning mode to generate an appropriate set of relaxations for the profile.

Field Formats check. A filter that allows you to assign a data type and minimum and maximum lengths to the fields in the web forms on your web site. The Application Firewall then ensures that all data returned in any of these web forms matches the data type and length you assigned to that field in that web form.

Field types. A list of descriptions of the types of data permitted in a field in a web form, used by the Field Formats check. The Application Firewall ships with a standard list of field types that is sufficient for most Application Firewall configurations. You can also add other data types to the list, and you can set a default data type.

Filter. A set of rules that the Application Firewall uses to check user requests and web server responses to ensure that everything is as it should be.

FIPS. Federal Information Processing Standards. A United States federal standard (FIPS 140) for hardware protection of SSL certificates and keys. The Citrix Access Gateway, Citrix NetScaler Application Accelerator, and Citrix NetScaler appliance all support FIPS management of SSL certificates and keys.

Flow type. The direction of a connection. Incoming connections, or requests, have a REQ flow type; outgoing connections, or responses, have a RES flow type. Note: All regular expressions used in Application Firewall policies must have a REQ flow type. Regular expressions used in other NetScaler operating system policies can have either flow type.

Forceful browsing. Attempting to access URLs directly, without first accessing a normal start URL on the web site and navigating to web pages by clicking a hyperlink on another page on the web site. Forceful browsing can be innocent; some users prefer to bookmark and access favorite web pages directly. Repeated attempts to access nonexistent content or content that should not be accessed directly, however, are usually a sign of an attack on a web site's security. The Application Firewall blocks forceful browsing attempts using its Start URL and Deny URL checks.

Form Field Consistency check. A filter that checks to ensure that the data a user returns when completing a web form in an HTML-based web site is valid for each field of that web form. A hacker or malicious program can sometimes breach web server security by submitting inappropriate data in a web form, for example by altering a hidden field, adding a field the form did not contain, or changing a value that the form presented as fixed. The Application Firewall checks for such attempts, and when it detects a request containing a web form that has inappropriate data, it blocks the request.

H

HA. High availability. Two Citrix NetScaler Application Accelerators or NetScaler appliances configured to operate as a unit, with one appliance actively accepting and processing traffic while the other monitors it. If the first appliance quits accepting and processing traffic, the second appliance takes over for it and begins accepting and processing traffic, preventing an outage. The NetScaler HA feature uses VRRP to provide high availability and fault tolerance.
Hacker. In the Citrix NetScaler documentation, an individual who makes direct, personal attempts to gain access to a server or network resource illicitly, without the permission of the owner of that server or network resource. This is as opposed to the author of a virus or trojan program (a malware author), who does not normally target a specific server or resource. In the past, a hacker often attempted to break into a server or resource for the sheer joy of meeting the challenge and succeeding. Today's hackers are more often motivated by a desire to take control of the resource and use it to make money for themselves.

Hidden field. A field in an HTML form that is hidden from the user. Normally hidden fields are used to retain data across multiple requests on a web site, and thus emulate state when using HTTP, a stateless protocol. Because the browser sends a hidden field back exactly as any other field, a hacker or malicious program can modify its value before submitting the form, and a web server that trusts that value can be breached. The Form Field Consistency check detects such modifications.

HTML profile. An Application Firewall profile that applies to HTML-based web content. The majority of web content is HTML-based, and is protected by this type of profile.

HTTP. HyperText Transfer Protocol. The protocol used to send requests and responses between a user's browser and a web server.

HTTP data. The part of an HTTP request that contains the information that the user typed into a web form, or the part of an HTTP response that contains the web content the user requested.

HTTP headers. The part of an HTTP message that contains information about the web server or user's browser that is intended to assist the web server or browser in handling the connection. In other words, the HTTP headers are the metadata portion of the HTTP request or response. In a response, the HTTP headers contain information that is not normally displayed in the user's web browser.

HTTP request. An HTTP connection from a user to your web server, requesting content from your web server.

HTTP response. An HTTP connection from your web server to a user, sending information to the user.

HTTP traffic. Any HTTP connection, either from a user to your web server or from your web server to a user.

HTTPS. HyperText Transfer Protocol Secure. HTTP carried over an SSL/TLS connection, so that the packets sent between a user's browser and a web server are encrypted and cannot be read if intercepted.

I

Identity theft. The process of obtaining enough private information about a user to allow a criminal to pretend to be that user. Normally a criminal engages in identity theft so that he can purchase goods or services using that user's credit cards and in that user's name. An identity thief often sells this information to other criminals, as well. See phishing on page 352 for more information on a common method many criminals use to engage in identity theft.

Integrity checking. The process of verifying, through a checksum, cryptographic hash, or message authentication code, that a packet on a network has not been modified while being transmitted between the source and the destination.

IPSEC. IP security. A protocol suite for negotiating encryption and authentication at the IP level. IPSEC allows you to ensure that all packets between two hosts, regardless of packet type or the protocol used to transmit them, are encrypted.

L

LAN. Local area network. The network inside your company's firewall or router, where your company's web servers, mail servers, and other protected resources are located.
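The Cookie Consistency check, the Form Field Consistency check and the Hidden field entry above all describe the same mechanism from different angles: the firewall notes what the server handed to the client and compares the client's next request in that session against it. The Python below is an added example of that mechanism, not the appliance's code or text from the guide; the in-memory session store, the field names and the sample values are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed in-memory store: session id -> what the server last sent.
_sessions = {}


def record_response(session_id, set_cookies, form_fields, hidden_values):
    """Called when a response passes through: remember the cookies the
    server set, the field names of the form it served, and the values
    of that form's hidden fields."""
    _sessions[session_id] = {
        "cookies": dict(set_cookies),
        "fields": set(form_fields),
        "hidden": dict(hidden_values),
    }


def check_request(session_id, cookies, form_body):
    """Called when the next request arrives. Return the list of
    consistency violations; an unmodified round trip yields []."""
    state = _sessions.get(session_id)
    if state is None:
        return ["no recorded state for session"]
    violations = []
    # Cookie Consistency: every cookie the server set must come back unchanged.
    for name, expected in state["cookies"].items():
        if name not in cookies:
            violations.append(f"cookie {name} missing")
        elif cookies[name] != expected:
            violations.append(f"cookie {name} modified")
    form = dict(parse_qsl(form_body, keep_blank_values=True))
    # Form Field Consistency: no fields the served form did not contain...
    for name in form:
        if name not in state["fields"]:
            violations.append(f"unexpected form field {name}")
    # ...and hidden fields must carry exactly the value the server sent.
    for name, expected in state["hidden"].items():
        if form.get(name) != expected:
            violations.append(f"hidden field {name} modified")
    return violations


if __name__ == "__main__":
    record_response("s1", {"role": "user", "sid": "abc"},
                    {"item", "qty", "price"}, {"price": "19.99"})
    print(check_request("s1", {"role": "user", "sid": "abc"},
                        "item=widget&qty=2&price=19.99"))
    print(check_request("s1", {"role": "admin", "sid": "abc"},
                        "item=widget&qty=2&price=0.01&admin=1"))
```

The second call in main shows the three tampering patterns the glossary describes caught together: a rewritten cookie, an extra form field, and a changed hidden price. A real deployment keys the state on the firewall's own session cookie (the Session Cookie Name engine setting) rather than on a caller-supplied id.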
LAN interface. The ethernet port on the Application Firewall, Application Accelerator or NetScaler appliance that connects to your protected web servers.

LAN IP. The IP address on the Application Firewall that connects to your protected web servers.

Layer 1, Layer 2, Layer 3, Layer 4, Layer 5, Layer 6, and Layer 7. See Network layers.

Learning feature. The Application Firewall repetitive activity filter, used to spot typical user behavior when accessing protected web sites, and recommend appropriate relaxations for the request inspection and input validation filters.

Learning mode. See Learning feature.

License. The contractual agreement between your company and Citrix that specifies which features you will use on your Citrix Application Firewall, Application Accelerator, or NetScaler appliance.

License key file. A file provided by Citrix that you must upload to your Citrix Application Firewall, Application Accelerator, or NetScaler appliance to enable it and all licensed features.

Log. One of a collection of text files maintained by your Citrix Application Firewall, Application Accelerator, or NetScaler appliance that consists of information about various activities and events that occur on it. Log files usually contain a single line of text per logged event or activity. All appliances in the Citrix NetScaler Application Delivery product line keep several kinds of logs.

M

Malware. A virus, trojan, or other malicious software intended to breach security on a server or network appliance. Once security is breached, the malware may steal sensitive private information from the computer, grant control of the computer to a botmaster, or both.

Malware author. The author of a malware program, who may or may not also be the recipient of private information obtained by the program or the controller of computers whose security was breached by the program.

MIP. Mapped IP. An IP address assigned to your Citrix NetScaler Application Accelerator or NetScaler appliance that it uses as the source address for the connections it opens to the servers it protects. MIPs are used for many functions in the NetScaler operating system. You must create one MIP when configuring the NetScaler operating system for the first time, and normally will create a number of them in the course of configuring various features of the NetScaler operating system.

N

Negative security model. A security model that relies on detecting known attacks and specific types of suspicious behavior likely to breach security on a protected server or network.

NetScaler operating system. The FreeBSD-based operating system that runs on all appliances in the Citrix NetScaler Application Delivery product line.

Network layers. Categories that define the protocols and types of traffic that a network device handles. For example, a layer 3 device handles IP traffic, whether the transport protocol carried over IP is TCP or UDP; a layer 2 device handles traffic by MAC address. The standalone Citrix Application Firewall, the Citrix Access Gateway, and the Citrix NetScaler Application Accelerator and NetScaler appliance are all layer 3 devices.

Node. A single server, appliance or device within a network.

Node property. An attribute of a node, such as its IP address, hostname or domain.

NSIP. NetScaler IP. The management IP address assigned to your Citrix NetScaler Application Accelerator or NetScaler appliance. You use this IP address to connect to the appliance when configuring or managing it.
NTP. Network time protocol. The protocol used to synchronize server clocks across a network.

O

Operation. In web services, a single exchange of information in which a user passes one set of information to a web service, and in return receives another set of information from the web service. Operations are defined in the WSDL file for the web service, and the Application Firewall can be configured to allow or deny access to each operation in a web service's WSDL.

Operation part. A single structured item of information that forms part of a web services operation. The Application Firewall enforces the proper length and format of data a user sends to the protected web service.

Operator. The portion of a NetScaler operating system policy expression that specifies exactly what part of the qualifier the expression should examine, and what type of information it should look for. Some operators are freestanding (such as EXISTS and NOTEXISTS). Others (such as ==, !=, CONTAINS, NOTCONTAINS, and CONTENTS) require a string (called the value) for comparison.

P

Packet. The basic unit of data routed between an origin and a destination on a TCP/IP or other packet-switching network. A packet contains part of a larger message and the destination address. On TCP/IP networks, packets are often called datagrams.

Packet switching. A process for transmitting a message from one server to another on a network by dividing the message into smaller units, or packets, before sending them. Each packet is then transmitted individually, and can follow any available route to its destination rather than the same route any previous or following packets may have followed. If the destination receives a corrupt packet, it detects the corruption using integrity checking protocols and signals the origin to retransmit just that packet rather than the entire message. The destination also signals the origin to retransmit any packets it was expecting and did not receive. Once all packets forming a message arrive at the destination and pass integrity checking, they are reassembled into the original message.

Pharming. Using DNS forgeries or spoofing to redirect requests from a legitimate bank, financial institution, or ecommerce web site to a pharming web site, a web site controlled by the criminal that did the forgery. Pharming web sites normally look identical to the legitimate company's web site. Under the mistaken impression that they are accessing the real bank or ecommerce web site, users then log on normally and provide any private information that the pharming web site requests, sending that information to the pharmer. The information obtained by a pharming web site normally includes logons and passwords, and may also include credit card numbers and expiration dates, social security numbers, and other sensitive private information. In many cases, a pharming attack will attempt to obtain enough information to steal the user's identity. See identity theft on page 349 for more information. Because the criminal (or pharmer) modified the Internet's DNS system to redirect users to the pharming web site, the user's browser will display the correct URL in the navigation window. DNS is the Internet's address system; it is what tells a web browser that a request to a particular host name should go to one server instead of another. It is therefore extremely difficult for users to detect pharming attacks. Pharming is closely related to phishing, a similar type of attack that uses e-mail or instant messages instead of DNS forgeries to redirect customers to a web site that collects the same sorts of sensitive private information. See phishing on page 352 for more information.
Phishing. Using e-mail or instant messages to deceive users into providing sensitive private information such as logons and passwords to an online banking or ecommerce web site, or credit card numbers and expiration dates, under the belief that the information is being given to their bank or another institution that has the right to the information. A phishing attempt normally involves two elements: the phish itself and the phishing web site. The phish is a message, usually an e-mail or instant message (IM), that pretends to be from a legitimate bank, financial institution, or business, and that directs users to provide their private information either via a web site link or (much less commonly) by replying to the message itself. The phishing web site mimics the web site of a legitimate bank, financial institution or ecommerce company, but is owned by the criminal (or phisher) that sent the phish. The web page often looks exactly like the logon page for the legitimate site, and like the legitimate site requests the user's logon and password. After the user logs on, the phishing web site may prompt him or her to provide credit card numbers and expiration dates, a social security number, and any other private information the phisher wants to have. The phishing web site then sends this information to the phisher, who can use it to log on to and empty the user's bank account or charge goods and services to the user's credit card. In many cases, a phishing attack will attempt to obtain enough information to steal the user's identity. See identity theft on page 349 for more information. Phishing is closely related to pharming, a similar type of attack that uses DNS forgeries instead of e-mail or instant messages to redirect customers to a web site that collects the same sorts of sensitive private information. See pharming on page 351 for more information.

Policy. A set of parameters created by the system administrator when configuring the Application Firewall that defines a specific type of web content or a particular part of a web site. The Application Firewall uses policies to determine which profile to use when filtering a particular request or response.

Port. 1. When referring to hardware, an interface on a server that connects to another server or network device. There are a number of port types, the most common including:

- The RJ45 port, normally used to connect one of the server's ethernet interfaces to the network. These ports are normally included on all computers, workstations and servers alike. The servers in the Citrix NetScaler Application Delivery product line have between four and nine RJ45 ports that connect to ethernet interfaces of various capacities and transmission speeds.

- The RS-232C (serial) port, normally used to connect a laptop computer or other workstation to the server when configuring the server. All of the servers in the Citrix NetScaler Application Delivery product line have one RS-232C port.

- The USB (universal serial bus) port, normally used to connect auxiliary devices such as scanners, printers, external hard disk drives or other storage devices, cameras, and similar equipment to the server. These ports are included on almost all workstation or laptop computers, but less commonly on servers. None of the servers in the Citrix NetScaler Application Delivery product line has a USB port.

- The Centronics parallel port and its enhanced cousins, normally used to connect the computer to a printer or scanner. These ports are frequently included on workstations, but less commonly on laptop computers and rarely on servers, because this type of port has largely been replaced by the USB port. None of the servers in the Citrix NetScaler Application Delivery product line has a parallel port.

- The RJ11 port, normally used to connect the computer to an external modem, or to connect an internal modem directly to a telephone jack. These ports are normally included on workstation or laptop computers, not on servers. None of the servers in the Citrix NetScaler Application Delivery product line has an RJ11 port.

2. When referring to software, a number representing a virtual input location where a server program listens for connections. For example, a web server usually listens for HTTP connections on port 80, and for HTTPS connections on port 443. An SMTP server usually listens for connections on port 25. Other server programs listen on other port numbers.
Positive security model. A security model that relies not upon detecting attempts to violate security, but upon recognizing valid or legitimate behavior and blocking everything else. The Application Firewall uses a positive security model to protect web content.

Profile. 1. A collection of security settings that a system administrator creates when configuring the Application Firewall, and that the Application Firewall uses thereafter to protect a specific type of web content. A profile tells the Application Firewall which checks to perform and how to respond when a request or response violates a particular check. 2. The list that your Application Firewall maintains of typical requests to your web site and responses from that web site. A web site's profile consists of the list of exceptions to (or relaxations of) the normal filtering rules that you enter manually, and the recommendations generated by learning mode that you accept and implement.

Protocol. 1. A specific type of communication between a server and client or two servers on the Internet. HTTP is the protocol used by web sites for non-encrypted communications, and HTTPS is the protocol used for encrypted communications. 2. The portion of a NetScaler operating system policy regular expression that determines the protocol to which the regular expression applies.

Q

Qualifier. The portion of a NetScaler operating system policy regular expression that determines the feature of the protocol to which the regular expression applies.

R

Regular expression. A protocol, or language, for matching patterns of characters, numbers, and symbols. The Application Firewall supports PCRE (Perl-compatible regular expressions) to specify URLs, cookies, and form fields when manually entering relaxations, or when learning generates recommendations for these filters.

Request. A connection from a user to a web server. Requests are inbound connections to your web servers.

Response. A connection from a web server to a user in response to a request sent by that user. Responses are outbound connections from your web servers.

Rule. A single pattern or standard used by the Application Firewall to determine whether to block traffic or not. See also check and filter.

S

Safe Object check. A filter that allows users to define a particular type of information in web server responses that the Application Firewall is to protect, such as social security numbers, driver's license numbers, or customer IDs. You can define the information to be protected precisely using a PCRE regular expression, and can tell the Application Firewall what to do when it detects a violation of a safe object rule: block the response, remove the blocked information from the response, or x-out the blocked information in the response.
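The three safe object actions (block, remove, x-out) applied to an outbound response body, as an added Python illustration that is not NetScaler code. The rule patterns, rule names and the sample response are constructed for the example; Python's re module stands in for PCRE, and x-out is assumed to overwrite each matched letter or digit with an X while keeping punctuation and length.

```python
import re
from dataclasses import dataclass
from enum import Enum


class SafeObjectAction(Enum):
    """The three responses the glossary lists for a safe object violation."""
    BLOCK = "block"    # do not send the response at all
    REMOVE = "remove"  # delete the matched text from the response
    XOUT = "xout"      # overwrite the matched characters with X


@dataclass(frozen=True)
class SafeObjectRule:
    name: str
    pattern: str          # PCRE-style pattern; Python's re is close enough here
    action: SafeObjectAction


@dataclass
class SafeObjectResult:
    allowed: bool
    body: str
    violations: dict      # rule name -> number of matches found


# Constructed placeholder rules for this example, not rules shipped with the product.
EXAMPLE_RULES = [
    SafeObjectRule("ssn", r"\b\d{3}-\d{2}-\d{4}\b", SafeObjectAction.XOUT),
    SafeObjectRule("customer_id", r"\bCUST-\d{6}\b", SafeObjectAction.REMOVE),
    SafeObjectRule("license", r"\bDL[0-9]{8}\b", SafeObjectAction.BLOCK),
]


def _xout(match):
    # Keep the length and the separators so page layout survives, hide the characters.
    return re.sub(r"[A-Za-z0-9]", "X", match.group(0))


def check_response(body, rules=EXAMPLE_RULES):
    """Apply every safe object rule to an outbound response body, in order.

    A BLOCK rule that matches wins immediately: the response is not sent.
    REMOVE and XOUT rules rewrite the body but still let it through."""
    violations = {}
    for rule in rules:
        regex = re.compile(rule.pattern)
        hits = sum(1 for _ in regex.finditer(body))
        if hits == 0:
            continue
        violations[rule.name] = hits
        if rule.action is SafeObjectAction.BLOCK:
            return SafeObjectResult(False, "", violations)
        if rule.action is SafeObjectAction.REMOVE:
            body = regex.sub("", body)
        else:
            body = regex.sub(_xout, body)
    return SafeObjectResult(True, body, violations)
```

The word boundaries in the patterns matter: a longer digit run such as 1234-56-7890 is not reported as a social security number, which is the kind of false positive a loosely written relaxation would produce.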
Same origin policy. A web scripting security policy that prohibits a script on one web site from obtaining properties from or setting properties for any content from a different web site. In other words, it requires that the script and any content it interacts with have the same origin. The web server determines the origin of a script and another piece of web content by checking the domain name, protocol and port for each. The script and the other piece of web content have the same origin if and only if the protocol, host, and port are all identical.

Security model. The underlying reasoning used to protect the security of a server or any other computer or network appliance.

Session. A single set of connections between a web site and a specific user, including both requests from the user to the web site and responses by the web site to the user.

Session profile. The list an Application Firewall maintains of an individual user's requests to a protected web site and responses from that web site to that user during a single session. It uses the session profile in a number of tests to determine whether a request or response is valid.

Session timeout. Period of inactivity after which the Application Firewall stops tracking a user's session. The user must then establish a new session with your web site by accessing a start URL before continuing his or her activity.

SMTP. Simple Mail Transport Protocol. The protocol commonly used to send email to other users on TCP/IP networks.

SMTP server. A server that supports the SMTP protocol, and that the Application Firewall can use to send alert notifications.

SNMP. Simple Network Management Protocol. A protocol to allow system administrators to view and change certain network properties from a remote location.

SOAP. Simple Object Access Protocol. An XML-based syntax for exchanging messages. Using SOAP, web services on different platforms and using normally incompatible technologies can exchange information.

Spoofing. Any of several techniques that cause a packet to appear to have originated at one IP when in fact it originated at another IP. Spoofing is most commonly used in DDOS attacks and pharming attacks.

SQL. Structured Query Language. A standard language for requesting information from a database. Many databases in wide use on web sites support SQL.

SQL injection. Submission of unauthorized SQL commands to a back-end SQL server using a web form on your web site. SQL injection is usually an attempt to break your web site's security and obtain sensitive private information.

SQL Injection check. A filter that checks web form data for injected SQL special characters and keywords. If the Application Firewall detects SQL code in a web form submitted to your web site, it either renders the SQL code harmless by transforming any special characters, or blocks the request.

SSH. Secure shell. A program that allows a user to establish an encrypted, secure connection to a server through port 22. An SSH session can be used to establish an interactive shell on the Application Firewall, allowing an administrator to perform administrative tasks.

SSL. Secure sockets layer. A protocol for sending HTTP packets securely between a user's browser and a web server. (Also called the HTTPS protocol.)

SSL VPN. Secure sockets layer virtual private network. A virtual private network that operates through an SSL web link on port 443.

Start URL. A URL that users normally access directly, without navigating to it by clicking a hyperlink on another web page on your web site. For example, your web site's home page is a start URL. You should also consider any subsidiary home page, such as a customer support web page or "my account" web page, a start URL and configure your Application Firewall accordingly.

Start URL check. A filter that lists your web site's start URLs, the URLs that users can access to start a session on your web site. If you enable the URL closure option for your web site, then you need list only those web pages that users will access directly as start URLs. If you do not enable the URL closure option, you must add the URLs of all web pages on your web site that users will access to the Start URL list.

State. Whether a globally bound policy is enabled and in use, or disabled and not in use.
T

Threshold. The absolute number of times a behavior occurs on your web site, and the percentage of total web site connections that exhibit this behavior, before the learning feature learns a particular pattern or rule. You set the thresholds for each rule that applies to each profile you create, so you can configure different thresholds for different rules.

U

UDDI. Universal Description, Discovery, and Integration. An XML-based address book, or registry, that allows businesses throughout the world to create a listing for themselves so that customers and partners can locate them, and XML-based ecommerce web services can exchange structured information with them. In other words, an XML-based global address book for the Internet.

URL. Uniform Resource Locator. A standard address for an HTML page or other resource on the Web. URLs are formatted like this: protocol://hostname[:port]/path[/resource.filename] A web URL normally uses the HTTP or HTTPS protocol, as shown here:

URL closure. A setting in the Start URL filter that tells the Application Firewall to allow users to access any resource on your web site by clicking a hyperlink on any web page on the web site. If you enable URL closure, then you only have to list your web site's home page and any other pages users will access directly in the Start URL list. If you do not enable URL closure, you must list all URLs on your web site that users will access in the Start URL list.

User. 1. An account on the Application Accelerator or NetScaler appliance server that allows a system administrator to log on and configure the appliance. 2. Anyone who connects to your web site.

V

Value. The portion of a NetScaler operating system policy regular expression that the operator uses to test a request to determine whether it matches the policy or not.

VRRP. Virtual Router Redundancy Protocol. A protocol for managing a backup server that causes the backup server to automatically take over for any designated master server that fails.

W

WAN. Wide area network. The network outside your company's firewall or router, from which users access your company's resources.

WAN interface. The ethernet port that connects your Application Firewall to the network from which users access your web sites.

WAN IP. The IP address at which the Application Firewall receives incoming HTTP and HTTPS requests from users.
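The Start URL check, URL closure and session timeout entries above describe one positive-security mechanism; here it is as an added Python model (not NetScaler code, and much simpler than the product). Assumptions of this example: start URL patterns are anchored against the whole request URL, closure learns from href, src and action attributes of pages already served in a session, sessions are keyed by an opaque session id, and the site and page contents are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


class LinkExtractor(HTMLParser):
    """Collect the targets of hyperlinks, forms and embedded resources in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def _normalize(url):
    # Drop the fragment: it never reaches the server, so it cannot be part of a start URL.
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


class StartUrlCheck:
    """A simplified Start URL check with optional URL closure.

    start_urls are PCRE-style patterns matched against the whole request URL
    (full-match anchoring is an assumption of this example)."""

    def __init__(self, start_urls, url_closure=False):
        self.start_urls = [re.compile(p) for p in start_urls]
        self.url_closure = url_closure
        # Per session: URLs that a page already served in that session linked to.
        self.session_links = {}

    def check_request(self, session_id, url):
        """True if the request may pass, False if the check should block it."""
        url = _normalize(url)
        if any(p.fullmatch(url) for p in self.start_urls):
            return True
        if self.url_closure and url in self.session_links.get(session_id, set()):
            return True
        return False

    def observe_response(self, session_id, page_url, html):
        """With URL closure on, relax the check for every same-site link the page
        contains; returns how many new URLs were added for this session."""
        if not self.url_closure:
            return 0
        parser = LinkExtractor()
        parser.feed(html)
        site = urlsplit(page_url)
        allowed = self.session_links.setdefault(session_id, set())
        added = 0
        for link in parser.links:
            target = _normalize(urljoin(page_url, link))
            parts = urlsplit(target)
            # A link to a different site is not a relaxation for this site.
            if (parts.scheme, parts.netloc) != (site.scheme, site.netloc):
                continue
            if target not in allowed:
                allowed.add(target)
                added += 1
        return added

    def end_session(self, session_id):
        """On session timeout the learned links are forgotten; the user has to
        come back in through a start URL."""
        self.session_links.pop(session_id, None)
```

With closure off, observe_response learns nothing and every page a user will visit has to appear in the start URL list, which is exactly the operational difference the URL closure entry describes.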
Web server. 1. The hardware platform that runs web server software and hosts web content. Note: A single such web server frequently hosts a number of web sites, and may also run multiple copies (or instances) of the web server software. 2. The software package that runs on a server and answers HTTP requests and responses. The most common web server software packages are the open source Apache HTTP Server package and commercial Microsoft Internet Information Server (IIS), but there are many others in use as well. 3. A single instance of the web server software that runs in server memory and answers HTTP or HTTPS requests for a specific IP/port combination.

Web service. Web-based content that employs one or more of three technologies (SOAP, WSDL and UDDI) to offer structured content to users via the web.

Web Services Definition Language. See WSDL.

Web services profile. An Application Firewall profile that protects a web service.

Web site. A collection of content hosted on a single web server and accessed via a single hostname. For example, all content accessed through is part of the web site at

Web site defacement. Vandalism of a web site through illicit modification of the web site's content and appearance, that is, online graffiti.

Wizard. A set of tasks presented in a dialog box that shows each task to the user on a separate screen and prompts the user to perform that task before proceeding to the next screen and next task. Wizards are used throughout the configuration utility.

WSDL. Web Services Definition Language. An XML-based language for defining web services and explaining how to access them.

WSDL file. A file containing a description of a particular web service and explaining how it is accessed.

X

XML. Extensible markup language. A text markup language that supports interchange of structured data, a subset of SGML. The Application Firewall protects a subset of XML-based web content called web services.
Index

A Access Gateway alerts v definition 345 FIPS support 348 IPSEC 345 LAN 345 SSL VPN 345 Action URL setting Cross-Site Scripting check 257 Field Formats check 247 action. See also profile. action. See profile. adaptive learning Cookie Consistency check 312, 318, 329, 333 Cross-Site Scripting check 330, 333 Form Field Consistency check 312, 318, 330, 333 learned relaxations 339 preventing false positives 348 profile 353 regular expression 353 reviewing learned relaxations 339 reviewing Start URL learned relaxations 340 SQL Injection check 313 Start URL check 310 use case adaptive learning. See also learned relaxations. Add... button Cookie Consistency check 210 Field Formats check 244 HTML Cross-Site Scripting check 254 HTML SQL Injection check 265 policies Safe Object check 222 Start URL check 194 advanced defaults about 317, 326, 332 avoiding false positives 348 Cookie Consistency check Block setting 207 Cookie Consistency check Learn setting 208 creating a profile 326 Field Formats check 242 Form Field Consistency check Block setting 233 Form Field Consistency check Learn settings 233 HTML Cross-Site Scripting check 252 HTML SQL Injection check Block setting 261 HTML SQL Injection check Learn setting 262 protecting SQL database 305 alarm definition 345 alarm. See also alert. alert definition 345 alert notification. See alarm. alerts Knowledge Center v alert. See also alarm. American Express Credit Card check 220 Application Accelerator definition 345 FIPS support 348 application delivery Application Accelerator 345
Application Firewall about 1 2 blocking hackers 2 configuration utility 12 configuring security checks 308 engine settings 183 filtering 6, 8 filtering flowchart 7 hacker 1 hardware platforms installation 8, 17 installing layer 2 network bridge 6 layer 3 network device 6 network 9 network layers 9 network location 8 overview 3, 6 7 platform 8 policies 72 79, policy flow type 348 positive security model 5 use cases user 355 application firewall enabling 67 updating licenses 67 Application Switch definition 345 FIPS support 348 attack against SQL database 304 buffer overflow 3 check 5 compromised web server 3 cookie security 3 cookie tampering 304 cross-site scripting 4 5, 326 filtering 6 filtering flowchart 7 forceful browsing 187 hacker 2 identity theft 2 known web attacks 5 malware author 2 SQL injection 4 5, 304 types 2 types of 3 unknown web attacks 5 web form security 4 B basic defaults Cookie Consistency check Block setting 207 Cookie Consistency check Learn setting 208 Field Formats check 242 Form Field Consistency check Block setting 232 Form Field Consistency check Learn setting 233 HTML Cross-Site Scripting check Learning setting 251 HTML SQL Injection check Block setting 261 HTML SQL Injection check Learn setting 261 rarity of false positives 348 binding CLI 82, 152 configuration utility 80, 150 definition 345 globally binding policies 79, 149 binding. See also global binding.
Block setting Buffer Overflow check 215 Cookie Consistency check Credit Card check 218 Field Formats check Form Field Consistency check HTML Cross-Site Scripting check 251 HTML SQL Injection check 261 Start URL check 190 WS-I check 285 XML Attachment check 283 XML Cross-Site Scripting check 278 XML DoSt check 274 XML Format check 272 XML SQL Injection check 280 XML Validation check 288 blocking Cookie Consistency check 312, 318, 329, 333 Credit Card check 319 Cross-Site Scripting check 330, 333 Form Field Consistency check 312, 318, 330, 333 preventing false positives 348 SQL Injection check 313, 319 Start URL check , 318 blog. See Web 2.0 profile. bot compromised web server 346 definition 346 botmaster compromised web server 346 definition 346 botmaster. See also bot, hacker, malware.
bot. See also hacker, malware, botmaster. breach definition 346 breach attempt definition 346 buffer overflow about 3 Buffer Overflow check 3 definition 346 forceful browsing 4 Buffer Overflow check about Block setting 215 definition 346 Learn setting not available 215 Log setting 215 Modify Buffer Overflow Check Dialog Box, General Tab 215 Modify Rule... button 214 Statistics setting 215 buffer overflow check about 103 CLI parameter and values 118 buffer overflow max cookie length CLI parameter and values 118 buffer overflow max header length CLI parameter and values 118 buffer overflow max URL length CLI parameter and values 118 checks about profiles configuring 308 checksum. See integrity checking. check. See also filter, rule. child pornography compromised web server 3, 346 CP web site 347 definition 346 child pornography. See also CP web site. Citrix NetScaler See hardware, Citrix NetScaler See hardware, Citrix NetScaler See hardware, Citrix NetScaler See hardware, Citrix NetScaler MPX See hardware, CLI about adding a confidential field 160 adding confidential fields?? 162 adding field types 170 associating policy and profile 325 bash 10 client IP header 185 configuring Cookie Consistency check 318, 333 configuring Credit Card check 319 configuring Cross-Site Scripting check 333 configuring Form Field Consistency check 318, C canonicalize HTML response CLI parameter and values 125 Centronics. See port. CGI definition 346 deny URL 347 protecting SQL databases 304 check about 5 definition 346 known web attacks 5 profile 353 unknown web attacks 5 Check complete URLs for cross-site scripting about 253 check relaxations names as literal strings 111 names as regular expressions 111 regex editor 112
333 configuring security checks , 124 configuring SQL Injection check 318 configuring Start URL check 318 creating a policy 78 79, creating a profile 68, 90 91, 317 definition 346 deleting a policy 149 disabling Start URL check 332 error page 334 example of add appfw policy command 338 modifying a field type 174 modifying a policy 149 modifying confidential fields?? 166 NSIP 78, 146, 160, 164, 170, 174 regular expression 324 save ns config 102 saving policy configuration 325 saving profile 334 scripted content policy scripted content profile security check parameters and values 116 set appfw settings -clientiploggingheader 185 show appfw profile 102 SQL database profile SSH 78, 90, 101, 146, 160, 164, 170, 174, 180, , 411 transform unsafe HTML 334 verifying policy configuration 325 verifying profile 334 CLI command add appfw confidfield 160 add appfw field type 170, 174 add appfw policy 78, 146, 149, , 337 add appfw profile 68, 90, 317, 332 bind appfw global 83, 152 enable ns feature 64 import appfw htmlerrorpage rm appfw fieldtype 162, 171 rm appfw htmlerrorpage 181 rm appfw policy 79, 149 rm appfw profile 91, 320 rm appfw wsdl 182 rm appfw xmlerrorpage 181 rm appfw xmlschema 182 save ns config 68, 79, 83, 90, 149, 153, 162, 166, 171, 175, 181, 319, 325, 334, 338 set appfw confidfield 164 set appfw policy 149 set appfw profile 68, 102, , , 408 show appfw fieldtype 162, 166, 171, 175 show appfw htmlerrorpage 181 show appfw policy 79, 149, 325, 338 show appfw profile 90, 319, 334 show appfw wsdl 182 show appfw xmlerrorpage 181 show appfw xmlschema 182 client IP header name about 185 CLI adding a confidential field?? 162 CLI. See also SSH. Close button confidential fields 159 Credit Card check 220 HTML SQL Injection check 270 policies 77 command line interface. See CLI.
comments Cookie Consistency check 213 Form Field Consistency check 239 Start URL check 196 Comments setting Deny URL check 203 Field Formats check 248 HTML Cross-Site Scripting check 258 compromised web server about 3 bot 346 botmaster 346 child pornography 346 CP web site 347 definition 346 hacker 346 malware 346 compromised web site. See compromised web server.
confidential fields about adding adding at the CLI 160 Close button 159 comments 159 Create button 159 Disable button 164 disabling 164 Enable button 164 Enabled check box 163 enabling 164 identity theft 155 logging 155 modifying modifying at the CLI 164 Remove button 164 removing 164 types 155 UTF-8 character encoding in URL 159, 161, 165
configuration about 303 about simple configuration 67 advanced defaults 326 advanced features 84 CLI 10 client IP header name 185 Cookie Consistency check 311, 318, 328, 333 creating a policy creating a profile 68 Credit Card check 314, 319 Credit Card check X-Out option 319 Cross-Site Scripting check 330, 333 defaults 71 Deny URL check 198 disabling Start URL check 328, 333 disabling URL closure 328, 333 error page 332, 334 Field Formats check 241 field types?? 175 filtering specific URLs 335, 337 Form Field Consistency check 312, 318, 329, 333 globally binding policies GUI 105 html error page list of security checks modifying a policy 149 named expression 141 policies policy 352 policy name 78, 140, 146, 160, 164, 170, 174, 321 policy names 74 preventing false positives 305 profile 5 profile names 70, 90, 408 profiles 85 protected credit card types 319 saving policy 325 security checks 103, 308 session cookie name 183 session timeout 184 settings 121 simple 83 SQL comment handling 281 SQL comments handling 263 SQL Injection check 312, 318 SQL protection 83 Start URL check 308, 318, 327 transform cross-site scripts 331 transform SQL special characters 313, 319 transform unsafe HTML 334 updating licenses 67 URL closure 318 user 355 user interface 9 verifying policy 325 configuration utility about Add Expression dialog box 142 adding a profile 326 Application Firewall Policies page 73 Application Firewall Profiles page 69 associating policy and profile 321 Bind/Unbind Firewall Policy(s) to Global dialog box 80, 150 configuring security checks 308 Create Policy dialog box 139 create profile dialog box 70 creating a policy creating a profile definition 346 deleting a policy 149 dialog box 347 Expression Editor 141 logo bar 13 modifying a policy 149 navigation tree 13 page data area 14 page title bar 14 Policies page 139 policy??
323 reviewing learned relaxations screen areas 13 scripted content profile Setup Wizard SQL database profile System menu 53 system overview 13 Upgrade Wizard upgrade wizard 16 wizards 14, 356 configuration. See also configuration utility. control interface definition 346 control IP definition 346 cookie about cookie tampering 304 about security of 3 Cookie Consistency check 3 definition 347 regular expression 353
cookie check about 103 Cookie check. See Cookie Consistency check. Cookie Consistency Check Enable button 210 Log setting 208 Cookie Consistency check about , 308 about cookie tampering 304 Add Cookie Consistency Check Relaxation dialog box 211 Add... button 210 Block setting blocking 312, 318, 329, 333 comments 213 configuration 328 configuring 311, 318, 333 cookie name 211 Create button 213 definition 347 Disable button 210 Enabled check box 211 Learn setting 208 logon relaxation 212 Modify Cookie Consistency Check dialog box, Settings tab 210 Modify Rule... button 205 Modify... button 213 profile Remove button 210 shopping cart item relaxation 212 Statistics setting 209 UTF-8 character encoding 212 cookie consistency check CLI parameter and values 116 cookie security. See Cookie Consistency check. CP web site about 3 child pornography 347 compromised web server 347 definition 347 CP web site. See also bot, hacker, malware. CP. See child pornography. Create button confidential fields 159 Cookie Consistency check 213 Deny URL check 204 Field Formats check 248 HTML SQL Injection check 269 policies 77 Start URL check 196 credit card how to protect credit card numbers 220 Credit Card check about , 308 Block setting 218 blocking 319 Close button 220 configuring 314, 319 credit card protection enabled 220 definition 347 Learning setting not available 218 list of protected credit cards 316 Log setting 218 maximum credit cards allowed setting 219 Modify Credit Card Check dialog box, General tab 218 Modify Credit Card Check dialog box, Settings tab 219 Modify Rule... button 217 Open...
button 217 parameters 219 Protect button 220 protected credit cards 319 Statistics setting 218 types of credit cards 220 Unprotect button 220 X-Out 314, 319 X-Out setting 219 credit card check about 103 CLI parameter and values 119 credit card max allowed CLI parameter and values 119 credit card protected types CLI parameter and values 119 credit card x-out CLI parameter and values 119 cross site scripting. See cross-site scripting, Cross-Site Scripting check. cross-site scripting about 4 5, 250, 277 attacks 326 definition 347 description of 326 HTML Cross-Site Scripting check 4 same origin policy 4 5, 347 same origin rule 250, 277 transforming 331 what is it? 250, 277 XML Cross-Site Scripting check 5
Cross-Site Scripting check about 326 blocking 330, 333 configuring 330, 333 definition 347 same origin rule 334 transform cross-site scripts 331 URL setting 257 Cross-Site Scripting check. For HTML requests, see HTML Cross-Site Scripting check. For XML requests, see XML Cross-Site Scripting check. Cross-Site Scripting rule transform unsafe HTML 334 cross-site scripting. See also Cross-Site Scripting check, same origin policy. cryptographic algorithm integrity checking 349 customer ID. See safe object. D datagram. See packet. DDOS definition 347 deep linking definition 347 defacement. See web site defacement. default charset CLI parameter and values 125 settings 121 default field format max length CLI parameter and values 118 default field format min length CLI parameter and values 118 default field format type CLI parameter and values 118 default field type settings 121 defaults about 71
definition Access Gateway 345 alarm 345 alert 345 Application Accelerator 345 Application Switch 345 binding 345 bot 346 botmaster 346 breach 346 breach attempt 346 buffer overflow 346 CGI 346 check 346 child pornography 346 CLI 346 compromised web server 346 configuration utility 346 control interface 346 control IP 346 cookie 347 Cookie Consistency check 347 CP web site 347 Credit Card check 347 cross-site scripting 347 Cross-Site Scripting check 347 DDOS 347 deep linking 347 deny URL 347 Deny URL check 347 dialog box 347 DOS 347 error page 347 false positive 348 Field Formats check 348 field types 348 filter 348 FIPS 348 flow type 348 forceful browsing 348 Form Field Consistency check 348 HA 348 hacker 349 hidden field 349 HTML profile 349 HTTP 349 HTTP data 349 HTTP headers 349 HTTP request 349 HTTP response 349 HTTP traffic 349 identity theft 349 integrity checking 349 IPSEC 349 LAN interface 350 LAN IP 350 learning feature 350 license 350 license key file 350 log 350 malware 350 malware author 350 MIP 350 negative security model 350 NetScaler OS 350 network layers 350 node 350 node property 350 NSIP 350 NTP 351 operation 351 operation part 351 operator 351 packet 351 packet switching 351 pharming 351 phishing 352 policy 352 port 352 positive security model 353 profile 353 protocol 353 qualifier 353 regular expression 353 request 353 response 353 rule 353 Safe Object check 353 same origin policy 354 security model 354 session 354 session timeout 354 SMTP 354 SMTP server 354 SNMP 354 SOAP 354 spoofing 354 SQL 354 SQL injection 354 SQL Injection check 354 SSH 354 SSL 354
SSL VPN 354 start URL 354 Start URL check 354 state 354 threshold 355 UDDI 355 URL 355 URL closure 355 user 355 value 355 VRRP 355 WAN 349, 355 WAN interface 355 WAN IP 355 web server 356 web service 356 web services profile 356 web site 356 web site defacement 356 wizard 356 WSDL 356 WSDL file 356 XML 356 denial of service. See DOS. deny URL CGI scripts 347 CLI parameter and values 116 definition 347 Deny URL check about Comments setting 203 configuring 198 Create button 204 definition 347 forceful browsing 348 Modify Rule... button 198 Modify... button 204 Save button 204 The Modify Deny URL Check Relaxation dialog box 204 UTF-8 character encoding in URL 203 deny URL check about 103 dialog box configuration utility 347 definition 347 Diner s Club Credit Card check 220 Disable button confidential fields 164 Cookie Consistency check 210 Field Formats check 244 HTML Cross-Site Scripting check 254 Start URL check 193 Discover Credit Card check 220 distributed denial of service. See DDOS. DOS definition 347 driver s license number. See safe object. E Enable button confidential fields 164 Cookie Consistency check 210 Field Formats check 244 HTML Cross-Site Scripting check 254 Start URL check 193 Enable check box Start URL check 194 enable form tagging CLI parameter and values 126 Enabled check box confidential fields 163 Cookie Consistency check 211 Field Formats check 245 HTML Cross-Site Scripting check 255 HTML SQL Injection check 266 engine settings about 183 adding a confidential field client IP header name 185 confidential field?? 166 confidential fields 155 disabling a confidential field 164 enabling a confidential field 164 field types?? 175 modifying a confidential field 162 modifying a confidential field?? 166 removing a confidential field 164 session cookie name 183 session timeout 184 tracking user s Application Firewall session 183 error page configuring 332, 334 definition 347
error URL CLI parameter and values 125 settings 121 exclude file uploads from checks CLI parameter and values 126 expression creating example 148 flow type 75, 142, 146 header name 145, 148 matching all requests 77 matching policy expressions 140 named expression 141 operator 76, 143, 147 policy 78 protocol 75, 142, 147 qualifier 75, 142, 147 value 144, 148 extensible markup language. See XML. F false positive about 305 Cookie Consistency check, preventing 312, 318, 329 Credit Card check, preventing 319 Cross-Site Scripting check, preventing 330 definition 348 Form Field Consistency check, preventing 312, 318, 330 preventing via adaptive learning 348 SQL Injection check, preventing 313 Start URL check, preventing 310, 318 transform SQL special characters, preventing 313 field format check CLI parameter and values 118 Field Formats check about Action URL setting 247 Add Field Format dialog box 245 Add... button 244 advanced defaults 242 basic defaults 242 Block setting Comments setting 248 comparison with Form Field Consistency check 241 configuring 241 Create button 248 definition 348 Disable button 244 Enable button 244 Enabled check box 245 Field Name setting 245 field types 167, 348 Format setting 248 HTML profiles only 240 Learn setting 243 Log setting 243 Maximum length setting 248 Minimum Length setting 248 Modify Field Formats Check dialog box, General tab 242 Modify Field Formats Check dialog box, Settings tab 244 Modify Rule... button 241 Modify... button 248 Remove button 244 Statistics setting 243 The Modify Field Format dialog box 249 Type setting 248 UTF-8 character encoding 246 UTF-8 character encoding in URL 247 "Is Field Name Regular Expression" check box 245 field formats check about 104 Field Name setting HTML Cross-Site Scripting check 255 HTML SQL Injection check 266 field type about??
175 Field Formats check 167 field types adding 168, alphanum 167 any 167 default 167 definition 348 deleting 175 Field Formats check 348 integer 167 modifying 172 nohtml 167 priority 169, 171, Remove button 175 warning about the any field type 167
filter definition 348 filtering about 6, 8 blocking 6 flowchart 7 session profile 6 the filtering process 8 filter. See also check, rule. FIPS definition 348 flow type about 75, 142, 146 Application Firewall requirements 348 configuring 321, 336 definition 348 REQ 348 requests 348 RES 348 responses 348 forceful browsing about 4, 187 buffer overflow 4 definition 348 Deny URL check 4, 348 start URL 4 Start URL check 4, 348 form field regular expression 353 form field check about 103 Form Field Consistency check about Block setting blocking 312, 318, 330, 333 comparison with Field Formats check 241 configuring 312, 318, 329, 333 definition 348 Field Formats check 230 HTML profiles only 229 Learn setting 233 Log setting 233 Modify Form Field Consistency Check dialog box, General tab Modify Rule... button 230 Statistics setting 234 UTF-8 character encoding 237 UTF-8 character encoding in URL 238 when to use Field Formats check instead 230 form field consistency check CLI parameter and values 116 form security. See Form Field Consistency check. form structural security. See Form Field Consistency check. Format setting, Field Formats check 248 G global binding about CLI 82 83, configuration utility 80 82, priorities 79, 149 state 81, 151 global settings. See also engine settings. GUI Add Expression dialog box 74 Add Expression dialog box, HEADER EXISTS operator 76 Add Expression dialog box, HEADER qualifier 76 adding a confidential field adding field types 168 configuring security checks creating a policy creating a profile modifying field types 172 session cookie name 184 GUI. See configuration utility. H HA definition 348 hacked web server. See compromised web server. hacker Application Firewall 1 bot 346 compromised web server 346 definition 349 filtering 2 identity theft 2 legal consequences 3 hacker. See also malware. hardware platforms header configuring 322, 336
383 Index 369 header name about 77, 145, 148 URL 77 hidden field definition 349 hidden field. See also form field consistency checks. high availability. See HA. HTML Cross-Site Scripting check about Add HTML Cross-Site Scripting Check Relaxation dialog box 255 Add... button 254 advanced defaults and learning 252 basic defaults and learning 251 Block setting 251 Check complete URLs for cross-site scripting 253 Comments setting 258 Disable button 254 Enable button 254 Enabled check box 255 Field Name setting 255 Is Field Name Regular Expression check box 256 Learn setting 251 Log setting 252 Modify HTML Cross-Site Scripting Check dialog box, General tab 251 Modify HTML Cross-Site Scripting Check dialog box, Settings tab 254 Modify Rule... button 250 Modify... button 258 Open... button 250 Remove button 254 same origin rule 250 Save button 259 Statistics setting 252 Transform cross-site scripts check box 252 UTF-8 character encoding 256 UTF-8 URL examples 257 HTML cross-site scripting check. See HTML XSS check. HTML error object CLI parameter and values 125 html error page name source HTML profile about 68 definition 349 Field Formats check 240 Form Field Consistency check 229 HTML profiles HTML SQL Injection check 259 HTML profile. See also profile. HTML SQL injection about 259 HTML SQL Injection check about 259 Add HTML SQL Injection Check Relaxation dialog box 266 Add... button 265 Block setting 261 Close button 270 Create button 269 Enabled check box 266 Field Name setting 266 HTML profiles only 259 Is Field Name Regular Expression check box 267 Learn setting Log setting 262 Modify HTML SQL Injection Check dialog box, General tab 261 Modify HTML SQL Injection Check dialog box, Settings tab 265 Modify... button 260, 269 Open... 
button 260 Parameters area 263 Restrict checks to fields containing SQL special characters 263 Save button 270 SQL Comments Handling setting 263 Statistics setting 262 the Modify HTML SQL Injection Check Relaxation dialog box 270 Transform SQL special characters 262 HTML SQL injection check about 104 CLI parameter and values 117 HTML SQL injection only check SQL CLI parameter and values 117 HTML SQL injection parse comments CLI parameter and values 117 HTML SQL injection transform special characters CLI parameter and values 117 HTML XSS check about 104 CLI parameter and values 117 HTML XSS check complete URL CLI parameter and values 117 HTML XSS transform unsafe HTML CLI parameter and values 117
384 370 Citrix Application Firewall Guide HTTP definition 349 HTTP data definition 349 HTTP headers definition 349 HTTP request definition 349 HTTP request. See also request. HTTP request/response cycle. See HTTP request, HTTP response. HTTP response definition 349 HTTP response. See also response. HTTP traffic definition 349 fltering 8 routing 8 HTTP traffic. See also HTTP request, HTTP response. I identity theft about 3 and web site attacks 2 confidential fields 155 cookie tampering 304 defintion 349 hacker 2 malware author 2 identity theft. See also phish. installation about Application Firewall 8, 17 installation mode about 18 one-arm mode 18 two-arm mode 18 integrity checking definition 349 packet 349 IPSEC Access Gateway 345 definition 349 Is Field Name Regular Expression check box about 256, 267 J javascript cross-site scripting 250, 277 Cross-Site Scripting check 331, 334 same origin rule 250, 277, 326 use case JCB Credit Card check 220 K Knowledge Center alerts v known web attack about 5 L LAN Access Gateway 345 definition 349 LAN interface definition 350 LAN IP definition 350 layer 1. See network layers. layer 2 network bridge Application Firewall 6 layer 2. See network layers. layer 3 network device Application Firewall 6 layer 3. See network layers. layer 4. See network layers. layer 5. See network layers. layer 6. See network layers. layer 7. See network layers. layer. See network layers. Learn setting Cookie Consistency check 208 Field Formats check 243 Form Field Consistency check 233 HTML Cross-Site Scripting check 251 HTML SQL Injection check Start URL check 191 unavailable with WS-I check 285 unavailable with XML Attachment check 283 unavailable with XML Cross-Site Scripting check
385 Index unavailable with XML DoS check 274 unavailable with XML Format check 272 unavailable with XML SQL Injection check 280 unavailable with XML Validation check 288 learned relaxations about 339 deploy 343 edit & deploy 342 generalized 341 simple 341 where to review 339 learning definition 350 generalized learned relaxations 341 learning visualizer 132 profile 5 simple learned relaxations 341 learning engine learning visualizer 132 learning mode. See learning feature. learning visualizer about 132 license definition 350 license key file definition 350 license key file. See also license. licenses updating 67 license. See also license key file. log definition 350 Log setting Buffer Overflow check 215 Cookie Consistency check 208 Credit Card check 218 Field Formats check 243 Form Field Consistency check 233 HTML Cross-Site Scripting check 252 HTML SQL Injection check 262 Start URL check 191 WS-I check 285 XML Attachment check 283 XML Cross-Site Scripting check 278 XML DoS check 274 XML Format check 272 XML SQL Injection check 280 XML Validation check 288 logo bar about 13 logs confidential fields 155 M malware about 1 Application Firewall 1 bot 346 compromised web server 346 definition 350 legal consequences 3 malware author definition 350 identity theft 2 malware author. See also malware, botmaster. malware. See also hacker. mapped IP. See MIP. MasterCard Credit Card check 220 maximum credit cards allowed setting about 219 MIP definition 350 Modify Rule... button Buffer Overflow check 214 Cookie Consistency check 205 Credit Card check 217 Deny URL check 198 Field Formats check 241 Form Field Consistency check 230 HTML Cross-Site Scripting check 250 Safe Object check 221 Start URL check 188 Modify... 
button confidential fields 162 Cookie Consistency check 213 Deny URL check 204 Field Formats check 248 HTML Cross-Site Scripting check 258 HTML SQL Injection check 260, 269 Start URL check 196 WS-I check 284 XML Attachment check 282 XML Cross-Site Scripting check 277 XML DOS check 273 XML Format check 271 XML SQL Injection check 279 XML Validation check 287
386 372 Citrix Application Firewall Guide N named expression. See expression, NetScaler expression. navigation tree about 13 negative security model definition 350 negative security model. See also security model. NetScaler IP. See NSIP. NetScaler operating system. See NetScaler OS. NetScaler OS about 17 definition 350 operator and policy 351 priorities 81, 83, protocol and policy 353 qualifier and policy 353 value and policy 355 NetScaler platform network features 9 network Application Firewall 6 Application Firewall location 8 layers 350 node 350 node attribute 350 network layers Application Firewall 9 definition 350 network time protocol. See NTP. node definition 350 node property definition 350 NSIP CLI 78, 146, 160, 164, 170, 174 definition 350 NTP definition 351 O one-arm mode, about 18 online graffiti. See web site defacement. Open... button Credit Card check 217 HTML Cross-Site Scripting check 250 HTML SQL Injection check 260 Safe Object check 221 operation definition 351 operation part definition 351 operation part. See also web service. operation. See also web service. operator about 76, 143, 147 configuring 322, 336 CONTAINS 351 CONTENTS 351 definition 351 EXISTS 351 NOTCONTAINS 351 NOTEXISTS 351 policy 351 value 351, 355!= 351 == 351 P packet definition 351 packet switching definition 351 page data area about 14 page title bar about 14 parallel. See port. parameters Credit Card check 219 Payment Card Industry Data Security Standard. See PCI DSS. PCI DSS about the PCI DSS report about the PCI DSS standard 293, description section 295 Detailed PCI DSS Criteria Information 295 Executive Summary section 295 Firewall License and Feature Status section 295 QSA 293 report sections 295 security audit 293
387 Index 373 PCRE about field types 167 CGI relaxation 196 CGI-BIN relaxation 196 cookie expression with UTF-8 encoding 212 cookie name expression Cross-Site Scripting check examples?? 257 entering UTF-8 characters 246 Field Formats check Field Formats check Action URL setting 247 Field Formats check expression with UTF-8 encoding 246 Field Formats check Field Name setting 245 field types 160, 164, 170, 174 Form Field Consistency check expression with UTF-8 encoding 237 GIF relaxation 196 home page 195 HTML Cross-Site Scripting check examples 255, 257 HTML Cross-Site Scripting check expression with UTF-8 encoding 256 HTML page relaxation 195 HTML SQL Injection check Field Name setting 266 image content relaxation 196 JPG relaxation 196 Microsoft Office documents relaxation 196 PDF relaxation 196 PERL relaxation 196 PNG relaxation 196 policy expressions 74 SQL Injection check expression with UTF-8 encoding 267 SQL Injection check UTF-8 URL examples 268 Start URL check?? 196 Start URL examples URL expression with UTF-8 encoding 159, 161, 165, 195, 203, 238, 247 UTF-8 URL examples 257 warning against careless use 196 warning not to use carelessly 247 PCRE expression Start URL check 194 PCRE. See regular expression. PERL-compatible regular expressions. See PCRE. PERL. See CGI, SQL, scripting. pharming compromised web site 3 definition 351 pharming. See also phishing. phisher. See phishing. phishing compromised web site 3 definition 352 phishing web site. See phishing. phishing. See also pharming. phish. See phishing. policies about 72 Action 74 Add Expression dialog box 74 Add... 
button associating with profile 74 Close button 77 Create Application Firewall Policy dialog box 74 Create button 77 creating and configuring flow type 75 global binding header name 77 matching all requests 77 operator 76 Policy Name 74 protocol 75 qualifier 75 regular expression 74 requests 75 responses 75 The Application Firewall Policies Page, wiht data 78 Value 77 policy about about generic 79 about specific 79 about state 81, 151 action 137, 335 associating with profile 79, 140, 148, 321, 325, 335 binding 345 comparison between Application Firewall and other
388 374 Citrix Application Firewall Guide 137 creating creating an expression definition 352 deleting 149 evaluation order 79, 149 example of add appfw policy CLI command 338 example of regular expression 325 expression 78, 137, 321 expression example 148 filtering specific URLs 335, 337 flow type 142, 146, 321, 336 global binding?? 153 header 322 header name 145, 148 matching all requests 148 matching expressions 140 matching requests to a specific host 324 modify 149 name 78, 140, 146, 160, 164, 170, 174, 321, 335 named expression 141 operator 143, 147, 322, 351 profile 72, 352 protecting an SQL database protecting scripted content protocol 142, 147, 321, 336, 353 qualifier 142, 147, 322, 353 regular expression 324, 335 requests 142 responses 142 saving configuration 325 value 144, 148, 322, 355 verifying configuration 325 port Centronics 352 definition 352 hardware 352 parallel 352 RJ RJ RS232C 352 software 352 USB 352 positive security model about 5 definition 353 profile 5 positive security model. See also security model. post body limit CLI parameter and values 125 priority about 79, 81, 83, 149, field types 169, 171, product alerts v profile about 85 action 137 advanced defaults 305, 317, 326, 332 associating with policy 74, 79, 140, 148, 321, 325, 335 avoiding false positives 348 binding 345 check 353 Checks tab common security checks 102 configuring Cookie Consistency check 311, 318, 328, 333 configuring Credit Card check 314, 319 configuring Cross-Site Scripting check 330, 333 configuring Form Field Consistency check 312,
389 Index , 329, 333 configuring security checks 308 configuring SQL Injection check 312 configuring Start URL check 308, 318, 327 configuring with advanced defaults confirming settings 90, 102 creating 86 creating at CLI 317 Credit Card check X-Out option 319 Credit Card check, X-Out option 314 defaults 71 definition 353 disabling Start URL check 328, 333 disabling URL closure 328, 333 error page 332, 334 header 336 HTML 68 HTML security checks 102 learned relaxations 339 learning feature 5 list of security checks name 70, 90, 408 operator 336 policy 72, 352 positive security model 5 protected credit card types 319 protected web site 5 protecting scripted content protecting SQL database 305 qualifier 336 relaxation 353 request 353 response 353 saving at CLI 334 Settings tab 97 SQL Injection check, configuring 318 transform cross-site scripts 331 transform SQL special characters 313, 319 transform unsafe HTML 334 types 68 URL closure 318 value 336 verifying 319 verifying at CLI 334 Web XML 68 XML security checks 102 profiles creating a profile 68 profile. See also session profile. Protect button Credit Card check 220 protocol about 75, 142, 147 configuring 321, 336 definition 353 HTTP 75, 142 policy 353 qualifier 353 Q QSA about 293 PCI DSS 293 qualifier about 75, 142, 147 configuring 322, 336 definition 353 header 75 policy 353 protocol 353 R regex editor about regex tokens about 111 regular expression about NetScaler policy expressions 137 definition 353 definition of PCRE format 353 example 325 field types 160, 164, 170, 174 flow type 321, 336 header 336 matching all requests 148 names in check relaxations 111 operator 322, 336, 351 policy 146, 321, 324, 335 protocol 321, 336, 353 qualifier 322, 336, 353 safe object 353 value 322, 336 regular expression editor. See regex editor. regular expressions regex editor regex tokens 112 warning against careless use 196 regular expressions. See also PCRE. regular expressions. See also regex.
390 376 Citrix Application Firewall Guide relaxation profile 353 regular expression 353 Start URL check 195 Remove button confidential fields 164 Cookie Consistency check 210 Field Formats check 244 field types 175 HTML Cross-Site Scripting check 254 Start URL check 193 reports PCI DSS 293 request about 75, 142 definition 353 filtering 348 flow type 348 handling 7 header name 77 matching all requests 77 policy 352 profile 353 requests matching all 148 matching requests to a specific host 324 response about 75, 142 definition 353 filtering 348 flow type 348 handling 8 policy 352 profile 353 Restrict checks to fields containing SQL special characters about 263, 281 reverse proxy layer 3 network device 6 RJ11. See port. RJ45. See port. RS232C. See port. RSS feed. See Web 2.0 profile. rule definition 353 rule. See also check, filter. S safe object regular expression 353 Safe Object check about Add... button 222 definition 353 Modify Rule... button 221 Modify Safe Object Check dialog box, Settings tab 222 Open... button 221 what is it? 221 safe object check about 103 same origin policy about 4 5 cross-site scripting 4 5, 347 definition 354 same origin policy. See also cross-site scripting. same origin rule about 250, 277, 326 cross-site scripting 250, 277 Cross-Site Scripting check 334 Save button confidential fields 164 Deny URL check 204 HTML Cross-Site Scripting check 259 HTML SQL Injection check 270 scripting protecting SQL databases 304 secure shell. See SSH. security PCI DSS 293 security audit PCI DSS 293 security breach attempt. See breach attempt. security breach. See breach. security checks learning visualizer 132 list of common security checks 103 list of HTML security checks list of security checks list of XML security checks parameter table 116 security model definition 354 security model. See also negative security model and positive security model. session definition 354 session cookie about 183
391 Index 377 session cookie name setting at CLI 184 setting at the GUI 184 session profile filtering 6 session timeout about 184 definition 354 session timeout. See also session. session. See also session profile. settings error page 332 Setup Wizard about SGML. See XML. shopping cart. See SQL database, use case. simple mail transfer protocol. See SMTP. SMTP definition 354 SMTP server definition 354 SNMP definition 354 SOAP definition 354 web service 356 XML 354 social security number. See safe object. spoofing definition 354 spoofing. See also pharming. SQL definition 354 HTML SQL Injection check 4 SQL injection 4 5 transform SQL special characters 319 use case XML SQL Injection check 5 SQL comments settings 263, 281 SQL Comments Handling setting about 263 ANSI 264, 281 ANSI/Nested 264, 282 Check all Comments 264, 282 Nested 264, 282 SQL injection about 4 5, 304 definition 354 policy profile SQL Injection check about?? 270, 308 blocking 313, 319 configuring 312, 318 definition 354 transform SQL special characters 313, 319 UTF-8 character encoding 267 UTF-8 URL examples 268 SQL Injection check. For HTML profiles, see HTML SQL Injection check. For XML profiles, see XML SQL Injection check. SQL keyword. See SQL, SQL injection. SQL special characters. See SQL, SQL injection. SSH CLI 78, 90, 101, 146, 160, 164, 170, 174, 180, , 411 definition 354 SSH. See also CLI. SSL definition 354 SSL VPN Access Gateway 345 definition 354 start URL definition 354 forceful browsing 4 regular expression 353 Start URL Check Block setting 190 Learn setting 191 Log setting 191 Statistics setting 192
392 378 Citrix Application Firewall Guide Start URL check about adding a Start URL Add... button 194 blocking 309, 318 CGI relaxation 196 comments 196 configuration 327 configuring 308, 318 Create button 196 definition 354 Disable button 193 disabling 328, 333 Enable button 193 Enabled check box 194 entering a Start URL 194 forceful browsing 187, 348 home page relaxation 195 HTML page relaxation 195 image content relaxation 196 Microsoft Office documents relaxation 196 Modify button 196 Modify Rule... button 188 modifying a Start URL PDF relaxation 196 PERL relaxation 196 Remove button 193 reviewing learned relaxations 340 URL closure 187, 318 URL closure setting 192 UTF-8 character encoding in URL 195 start URL check about 103 CLI parameter and values 116 Start URL check. See also URL closure. Start URL expression CGI-BIN relaxation 196 state about 81, 151 definition 354 Statistics setting Buffer Overflow check 215 Cookie Consistency check 209 Credit Card check 218 Field Formats check 243 Form Field Consistency check 234 HTML Cross-Site Scripting check 252 HTML SQL Injection check 262 Start URL check 192 WS-I check 286 XML Attachment check 283 XML Cross-Site Scripting check 279 XML DoS check 274 XML Format check 273 XML SQL Injection check 281 XML Validation check 288 strip comments settings 121 T threshold definition 355 threshold. See also adaptive learning. Transform cross-site scripts about 252 Transform SQL special characters about 262 transformation HTML and XML SQL injection check 109 HTML and XML XSS checks 109 trojan. See malware. two-arm mode, about 18 U UDDI definition 355 web service 356 XML 355 universal serial bus. See port. unknown web attack about 5 positive security model 5 Unprotect button Credit Card check 220 Upgrade Wizard about upgrade wizard about 16
393 Index 379 URL definition 355 HTTP header 77 URL closure about 109, 187 CLI parameter and values 116 definition 355 disabling 328, 333 URL Closure setting 192 URL closure. See also start URL. URL setting. See Action URL setting. USB. See port. use case adaptive learning 339 cookie tampering 304 Javascript SQL database SQL database profile?? 320 SQL injection 304 Start URL check 308 use HTML error object CLI parameter and values 125 user configuration 355 definition 355 web site 355 user interface about 9 CLI 9 configuration utility 9 user. See also system administrator. UTF-8 Field Formats check expression 246 Form Field Consistency check expression 237 HTML Cross-Site Scripting check examples 257 HTML Cross-Site Scripting check expression 256 PCRE expression example 159, 161, 165, 195, 203, 212, 238, 247 SQL Injection check examples 268 SQL Injection check expression 267 V Value about 77 value about 144, 148 configuring 322, 336 definition 355 operator 351, 355 policy 355 vandalism. See defacement. virtual router redundancy protocol. See VRRP, HA. virus. See malware. Visa Credit Card check 220 VRRP definition 355 VRRP. See also HA. W WAN definition 355 WAN interface definition 355 WAN IP definition 355 Web 2.0 profile about 68 web form about security of 4 cross-site scripting 326 Field Formats check 4 Form Field Consistency check 4 HTML SQL Injection check 4 javascript 325 protecting SQL databases 304 web form integrity. See Form Field Consistency check. web form security. See Form Field Consistency check, Field Formats check. web forms field types 167 web server Apache 356 Application Firewall 1 blocking hackers 2 definition 356 hardware 356 hosting multiple web sites 356 instance 356 malware 2 Microsoft IIS 356 multiple instances of 356 protection of 2 request 353 response 353 software 356
394 380 Citrix Application Firewall Guide web service definition 356 filtering 6 XML profile 68 XML SQL Injection check 5 web services definition language. See WSDL. web services profile definition 356 web services profile. See also profile. web site Application Firewall 1 blocking hackers 2 definition 356 filtering 6 hostname 356 malware 2 policy 352 profile 5 protection of 2 simple configuration 83 SQL 354 SQL configuration 83 user 355 web server 356 web site defacement about 3 definition 356 wizard about 14 configuration utility 356 definition 356 WSDL definition 356 web service 356 XML 356 WSDL file definition 356 WS-I Check Block setting 285 Statistics setting 286 WS-I check about Learn setting not available 285 Log setting 285 Modify... button 284 X XML definition 356 SOAP 354 UDDI 355 WSDL 356 XML Attachment Check Block setting 283 Statistics setting 283 XML Attachment check about Learn setting not available 283 Log setting 283 Modify... button 282 XML attachment check about 105 CLI parameter and values 121 XML Cross-Site Scripting Check Block setting 278 Statistics setting 279 XML Cross-Site Scripting check Learn setting not available 278 Log setting 278 Modify... button 277 same origin rule 277 XML cross-site scripting check. See XML XSS check. XML DOS check Modify... button 273 XML DoS Check Block setting 274 Statistics setting 274 XML DoS check about 104 CLI parameter and values 119 Learn setting not available 274 Log setting 274 XML error object CLI parameter and values 125 XML Format Check Block setting 272 Statistics setting 273 XML Format check about 104 Learn setting not available 272 Log setting 272 Modify... button 271 XML format check CLI parameter and values 119 XML profile about 68
395 XML SQL Comments Handling setting about 281 XML SQL Injection Check Block setting 280 Statistics setting 281 XML SQL Injection check Learn setting not available 280 Log setting 280 Modify... button 279 Parameters area 281 Restrict checks to fields containing SQL special characters 281 SQL Comments Handling setting 281 XML SQL injection check about 105 CLI parameter and values 119 XML SQL injection only check fields with SQL CLI parameter and values 120 XML SQL injection parse comments CLI parameter and values 120 XML Validation Check Block setting 288 Statistics setting 288 XML Validation check about Learn setting not available 288 Log setting 288 Modify... button 287 XML validation check CLI parameter and values 121 XML WS-I check CLI parameter and values 120 XML XSS check about 104 CLI parameter and values 120 X-Out setting about 219 XSS. See cross-site scripting. Index 381
APPENDIX A
PCRE Character Encoding Format

This appendix describes how to enter non-ASCII characters, including those found in the English, Chinese, Japanese, Korean, and Turkish languages, into your Application Firewall configuration.

Representing UTF-8 Characters

The NetScaler operating system supports direct entry of characters in the printable ASCII character set only: characters with hexadecimal codes between HEX 20 (ASCII 32) and HEX 7E (ASCII 127). To include a character with a code outside that range in your Application Firewall configuration, using either the Configuration Utility or the NetScaler command line, you must enter its UTF-8 hexadecimal code as a PCRE regular expression.

A number of character types require encoding as a PCRE regular expression if you include them in your Application Firewall configuration as a URL, form field name, or Safe Object expression. These include:

Upper-ASCII characters. Characters with encodings from HEX 7F (ASCII 128) to HEX FF (ASCII 255). Depending on the character map in use, these encodings can refer to control codes, ASCII characters with accents or other modifications, non-Latin alphabet characters, and symbols not included in the basic ASCII set. These characters can appear in URLs, form field names, and Safe Object expressions.

Double-byte characters. Characters with encodings that use two 8-byte words. Double-byte characters are used primarily for representing Chinese, Japanese, and Korean text in electronic format. These characters can appear in URLs, form field names, and Safe Object expressions.

ASCII control characters. Non-printable characters used to send commands to a printer. All ASCII characters with hexadecimal codes less than HEX 20 (ASCII 32) fall into this category. These characters should never appear in a URL or form field name, and would rarely if ever appear in a Safe Object expression.
The NetScaler appliance does not support the entire UTF-8 character set, but only the characters found in the following eight encodings:

English US (ISO ). Although the label reads "English US", the Application Firewall supports all characters in the ISO character set, also called the Latin-1 character set. This character set fully represents most modern western European languages, and represents all but a few uncommon characters in the rest.

Chinese Traditional (Big5). The Application Firewall supports all characters in the BIG5 character set, which includes all of the Traditional Chinese characters (ideographs) commonly used in modern Chinese as spoken and written in Hong Kong, Macau, Taiwan, and by many people of Chinese ethnic heritage who live outside of mainland China.

Chinese Simplified (GB2312). The Application Firewall supports all characters in the GB2312 character set, which includes all of the Simplified Chinese characters (ideographs) commonly used in modern Chinese as spoken and written in mainland China.

Japanese (SJIS). The Application Firewall supports all characters in the Shift-JIS (SJIS) character set, which includes most characters (ideographs) commonly used in modern Japanese.

Japanese (EUC-JP). The Application Firewall supports all characters in the EUC-JP character set, which includes all characters (ideographs) commonly used in modern Japanese.

Korean (EUC-KR). The Application Firewall supports all characters in the EUC-KR character set, which includes all characters (ideographs) commonly used in modern Korean.

Turkish (ISO ). The Application Firewall supports all characters in the ISO character set, which includes all letters used in modern Turkish.

Unicode (UTF-8). The Application Firewall supports certain additional characters in the UTF-8 character set, including those used in modern Russian.

When configuring the Application Firewall, you enter all non-ASCII characters as PCRE-format regular expressions using the hexadecimal code assigned to that character in the UTF-8 specification. Symbols and characters within the normal ASCII character set have a single two-digit hexadecimal code assigned to them in the UTF-8 character set, the same single two-digit code assigned to them in the ASCII character set. For example, the exclamation point (!) is assigned UTF-8 code 21. Symbols and characters from another supported character set have a paired set of hexadecimal codes assigned to them. For example, the letter a with an acute accent (á) is assigned UTF-8 code C3 A1.
The syntax you use to represent these UTF-8 codes in the Application Firewall configuration is \xnn for ASCII characters; \xnn\xnn for non-ASCII characters used in English, Russian, and Turkish; and \xnn\xnn\xnn for characters used in Chinese, Japanese, and Korean. For example, to represent a ! in an Application Firewall regular expression as a UTF-8 character, you would type \x21. To include an á, you would type \xc3\xa1.

Note: Normally you will not need to represent ASCII characters in UTF-8 format, but when those characters might confuse a web browser or an underlying operating system, you can use the character's UTF-8 representation to avoid this confusion. For example, if a URL contains a space, you might want to encode the space as \x20 to avoid confusing certain browsers and web server software.

Below are examples of URLs, form field names, and Safe Object expressions that contain non-ASCII characters and must therefore be entered as PCRE-format regular expressions to be included in the Application Firewall configuration. Each example shows the actual URL, field name, or expression string first, followed by a PCRE-format regular expression for it.

A URL containing extended ASCII characters.
Actual URL:
Encoded URL: ^

Another URL containing extended ASCII characters.
Actual URL:
Encoded URL: ^

A form field name containing extended ASCII characters.
Actual field name: nome_do_usuário
Encoded field name: ^nome_do_usu\xc3\xa1rio$

A Safe Object expression containing extended ASCII characters.
Unencoded expression: [A-Z]{3,6}¥[1-9][0-9]{6,6}
Encoded expression: [A-Z]{3,6}\xC2\xA5[1-9][0-9]{6,6}

UTF-8 Character Encodings Reference

You can find a number of tables that include the entire Unicode character set and matching UTF-8 encodings on the Internet. A useful web site that contains this information is located at the following URL:
For the characters in this table to display correctly, you must have an appropriate Unicode font installed on your computer. If you do not, the visual display of the character may be in error. Even if you do not have an appropriate font installed to display a character, however, the description and the UTF-8 and UTF-16 codes on this set of web pages will be correct.

Note: Citrix does not host or specifically recommend this web page. This URL is provided here to assist users.
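The \xnn encoding rule and the examples above, worked as an added Python example that is not part of the Citrix guide: it rewrites a URL, form field name or Safe Object expression into the escaped form the appendix describes, decodes such an expression back for review, checks that the encoded expression matches the raw request bytes the way a byte-oriented PCRE engine would, and reports which of the listed character sets can represent a character. The helper names, the Python codec names chosen for the page's character-set labels, and the sample strings other than nome_do_usuário and the Safe Object expression are my assumptions.

```python
import re

# Printable ASCII (HEX 20..HEX 7E per the appendix) may be typed directly; everything
# else has to be written as the \xNN bytes of its UTF-8 encoding.
DIRECT_ENTRY = range(0x20, 0x7F)

# PCRE metacharacters that must be backslash-escaped when a URL or field name is
# meant literally rather than as a pattern.
PCRE_META = set("\\.^$|?*+()[]{}")

# The seven concrete character sets the appendix lists (the eighth, "certain
# additional" UTF-8 characters, is not enumerated on the page). The codec names are
# my mapping of the page's labels onto Python's codec registry.
SUPPORTED_CODECS = ("latin-1", "big5", "gb2312", "shift_jis", "euc_jp", "euc_kr", "iso8859-9")


def utf8_escape(ch):
    """One character as \\xNN escapes of its UTF-8 bytes: one escape for ASCII, two for
    Latin/Cyrillic/Turkish letters, three for CJK ideographs, e.g. 'á' -> '\\xc3\\xa1'."""
    return "".join("\\x%02x" % b for b in ch.encode("utf-8"))


def encode_for_appfw(text, literal=False, encode_space=False):
    """Convert text to the PCRE form the Application Firewall accepts.

    literal=True   treat text as an exact URL or field name: escape PCRE metacharacters
                   and anchor with ^...$, as in the page's nome_do_usuário example.
    literal=False  text is already a regular expression (the Safe Object case); only
                   its non-ASCII characters are rewritten.
    encode_space   write spaces as \\x20, the workaround the appendix's note describes.
    """
    out = []
    for ch in text:
        if ord(ch) not in DIRECT_ENTRY or (encode_space and ch == " "):
            out.append(utf8_escape(ch))
        elif literal and ch in PCRE_META:
            out.append("\\" + ch)
        else:
            out.append(ch)
    body = "".join(out)
    return "^%s$" % body if literal else body


_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_appfw(expr):
    """Inverse of utf8_escape over a whole (ASCII-only) expression: turn \\xNN runs back
    into the original characters so a configured relaxation can be read by a human.
    Anchors and metacharacter escapes are left untouched."""
    buf = bytearray()
    pos = 0
    for m in _ESC.finditer(expr):
        buf += expr[pos:m.start()].encode("ascii")
        buf.append(int(m.group(1), 16))
        pos = m.end()
    buf += expr[pos:].encode("ascii")
    return buf.decode("utf-8")


def matches_raw(expr, raw):
    """Check that an encoded expression matches the raw string the way the appliance
    would: the regex runs over the UTF-8 bytes of the request, not over code points."""
    return re.search(expr.encode("ascii"), raw.encode("utf-8")) is not None


def supported_charsets(ch):
    """Which of the listed character sets can represent ch. An empty result means the
    character lies outside every set the appendix names, so it may not be accepted."""
    found = []
    for codec in SUPPORTED_CODECS:
        try:
            ch.encode(codec)
            found.append(codec)
        except UnicodeEncodeError:
            pass
    return tuple(found)


if __name__ == "__main__":
    for sample in ("nome_do_usuário", "/my page.html", "中"):   # constructed inputs
        enc = encode_for_appfw(sample, literal=True, encode_space=True)
        print("%-18s -> %-32s matches raw: %s" % (sample, enc, matches_raw(enc, sample)))
    print(encode_for_appfw("[A-Z]{3,6}¥[1-9][0-9]{6,6}"))
    print("emoji representable in:", supported_charsets("\U0001F600"))
```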
APPENDIX B
PCI DSS Standard

This appendix contains the text of the PCI DSS 1.2 specification, in English.
Payment Card Industry (PCI) Data Security Standard
Requirements and Security Assessment Procedures
Version 1.2
October 2008
Table of Contents

Introduction and PCI Data Security Standard Overview ... 3
PCI DSS Applicability Information ... 4
Scope of Assessment for Compliance with PCI DSS Requirements ... 5
  Network Segmentation ... 5
  Wireless ... 6
  Third Parties/Outsourcing ... 6
  Sampling of Business Facilities and System Components ... 6
  Compensating Controls ... 7
Instructions and Content for Report on Compliance ... 8
  Report Content and Format ... 8
  Revalidation of Open Items
PCI DSS Compliance Completion Steps
Detailed PCI DSS Requirements and Security Assessment Procedures ... 12
  Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software or programs
    Requirement 6: Develop and maintain secure systems and applications
  Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need to know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data
  Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes
  Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security for employees and contractors
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers ... 59
Appendix B: Compensating Controls ... 61
Appendix C: Compensating Controls Worksheet ... 62

PCI DSS Requirements and Security Assessment Procedures, v1.2 October 2008 Copyright 2008 PCI Security Standards Council LLC Page 1
404 390 Citrix Application Firewall Guide Appendix D: Attestation of Compliance Merchants...64 Appendix E: Attestation of Compliance Service Providers...68 Appendix F: PCI DSS Reviews Scoping and Selecting Samples...72 PCI DSS Requirements and Security Assessment Procedures, v1.2 October 2008 Copyright 2008 PCI Security Standards Council LLC Page 2
Introduction and PCI Data Security Standard Overview

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. This document, PCI Data Security Standard Requirements and Security Assessment Procedures, uses as its foundation the 12 PCI DSS requirements, and combines them with corresponding testing procedures into a security assessment tool. It is designed for use by assessors conducting onsite reviews for merchants and service providers who must validate compliance with the PCI DSS. Below is a high-level overview of the 12 PCI DSS requirements. The next several pages provide background about preparing for, conducting, and reporting a PCI DSS assessment, whereas the detailed PCI DSS requirements begin on page 13.
PCI DSS Applicability Information

The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and whether each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.

| | Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| | Cardholder Name (1) | Yes | Yes (1) | No |
| | Service Code (1) | Yes | Yes (1) | No |
| | Expiration Date (1) | Yes | Yes (1) | No |
| Sensitive Authentication Data (2) | Full Magnetic Stripe Data (3) | No | N/A | N/A |
| | CAV2/CVC2/CVV2/CID | No | N/A | N/A |
| | PIN/PIN Block | No | N/A | N/A |

(1) These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

(2) Sensitive authentication data must not be stored after authorization (even if encrypted).

(3) Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
Scope of Assessment for Compliance with PCI DSS Requirements

The PCI DSS security requirements apply to all system components. System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to, the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

Network Segmentation

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce:

- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists, or other technology that restricts access to a particular segment of a network. An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices. Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment.

If network segmentation is in place and will be used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented. Appendix F: PCI DSS Reviews - Scoping and Selecting Samples provides more information on the effect of scoping during a PCI DSS assessment.
Wireless

If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, "line-busting"), or if a wireless local area network (LAN) is connected to or part of the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS requirements and testing procedures for wireless environments apply and must be performed as well (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, a company should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission.

Third Parties/Outsourcing

For service providers required to undergo an annual onsite assessment, compliance validation must be performed on all system components where cardholder data is stored, processed, or transmitted.

A service provider or merchant may use a third-party provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.

For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the reviewed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance: 1) they can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance, or 2) if they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers' PCI DSS assessments. See the bullet beginning "For managed service provider (MSP) reviews" under Part 3 in the Instructions and Content for Report on Compliance section below for more information.

Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data. Refer to Requirement 12.8 in this document for details.

Sampling of Business Facilities and System Components

The assessor may select representative samples of business facilities and system components in order to assess PCI DSS requirements. These samples must include both business facilities and system components, must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected. Examples of business facilities include corporate offices, stores, franchise merchants, and business facilities in different locations. Sampling should include system components for each business facility. For example, for each business facility, include a variety of operating systems, functions, and applications that are applicable to the area under review. Within each business facility, the reviewer could choose Sun servers running Apache WWW, Windows servers running Oracle, mainframe systems running legacy card processing applications, data transfer servers running HP-UX, and Linux servers running MySQL. If all applications run from a single OS (for example, Windows or Sun), then the sample should still include a variety of applications (for example, database servers, web servers, data transfer servers). (See Appendix F: PCI DSS Reviews - Scoping and Sampling.)

When selecting samples of business facilities and system components, assessors should consider the following:

- If there are standard, required PCI DSS processes in place that each facility must follow, the sample can be smaller than is necessary if there are no standard processes, to provide reasonable assurance that each facility is configured per the standard process.
- If there is more than one type of standard process in place (for example, for different types of system components or facilities), then the sample must be large enough to include system components or facilities secured with each type of process.
- If there are no standard PCI DSS processes in place and each facility is responsible for its own processes, then the sample size must be larger to be assured that each facility understands and implements PCI DSS requirements appropriately.

Please also refer to Appendix F: PCI DSS Reviews - Scoping and Selecting Samples.

Compensating Controls

On an annual basis, any compensating controls must be documented, reviewed and validated by the assessor and included with the Report on Compliance submission, per Appendix B: Compensating Controls and Appendix C: Compensating Controls Worksheet. For each and every compensating control, the Compensating Controls Worksheet (Appendix C) must be completed. Additionally, compensating control results should be documented in the ROC in the corresponding PCI DSS requirement section. See the above-mentioned Appendices B and C for more details on compensating controls.
Instructions and Content for Report on Compliance

This document must be used as the template for creating the Report on Compliance. The assessed entity should follow each payment brand's respective reporting requirements to ensure each payment brand acknowledges the entity's compliance status. Contact each payment brand to determine reporting requirements and instructions.

Report Content and Format

Follow these instructions for report content and format when completing a Report on Compliance:

1. Executive Summary. Include the following:
   - Describe the entity's payment card business, including:
     - Their business role with payment cards, which is how and why they store, process, and/or transmit cardholder data. Note: This is not intended to be a cut-and-paste from the entity's web site, but should be a tailored description that shows the assessor understands payment and the entity's role.
     - How they process payment (directly, indirectly, etc.)
     - What types of payment channels they serve, such as card-not-present (for example, mail-order-telephone-order (MOTO), e-commerce) or card-present
     - Any entities that they connect to for payment transmission or processing, including processor relationships
   - A high-level network diagram (either obtained from the entity or created by the assessor) of the entity's networking topography that includes:
     - Connections into and out of the network
     - Critical components within the cardholder data environment, including POS devices, systems, databases, and web servers, as applicable
     - Other necessary payment components, as applicable

2. Description of Scope of Work and Approach Taken. Describe the scope, per the Scope of Assessment section of this document, including the following:
   - Environment on which the assessment focused (for example, client's Internet access points, internal corporate network, processing connections)
   - If network segmentation is in place and was used to reduce the scope of the PCI DSS review, briefly explain that segmentation and how the assessor validated the effectiveness of the segmentation
   - Document and justify sampling used for both entities (stores, facilities, etc.) and system components selected, including:
     - Total population
     - Number sampled
     - Rationale for sample selected
     - Why the sample size is sufficient to allow the assessor to place reasonable reliance that controls reviewed represent controls in place throughout the entity
     - Describe any locations or environments that store, process, or transmit cardholder data that were EXCLUDED from the scope of the review, and why these locations/environments were excluded
   - List any wholly-owned entities that require compliance with the PCI DSS, and whether they are reviewed separately or as part of this assessment
   - List any international entities that require compliance with the PCI DSS, and whether they are reviewed separately or as part of this assessment
   - List any wireless LANs and/or wireless payment applications (for example, POS terminals) that are connected to, or could impact the security of, the cardholder data environment, and describe the security in place for these wireless environments
   - The version of the PCI DSS Requirements and Security Assessment Procedures document used to conduct the assessment
   - Timeframe of assessment

3. Details about Reviewed Environment. Include the following details in this section:
   - A diagram of each piece of the communication link, including LAN, WAN or Internet
   - Description of the cardholder data environment, for example:
     - Document transmission and processing of cardholder data, including authorization, capture, settlement, chargeback and other flows as applicable
     - List of files and tables that store cardholder data, supported by an inventory created (or obtained from the client) and retained by the assessor in the work papers. This inventory should include, for each cardholder data store (file, table, etc.):
       - List all of the elements of stored cardholder data
       - How data is secured
       - How access to data stores is logged
   - List of hardware and critical software in use in the cardholder data environment, along with a description of function/use for each
   - List of service providers and other entities with which the company shares cardholder data (Note: these entities are subject to PCI DSS Requirement 12.8)
   - List of third-party payment application products and version numbers in use, including whether each payment application has been validated according to PA-DSS. Even if a payment application has been PA-DSS validated, the assessor still needs to verify that the application has been implemented in a PCI DSS compliant manner and environment, and according to the payment application vendor's PA-DSS Implementation Guide. Note: It is not a PCI DSS requirement to use PA-DSS validated applications. Please consult with each payment brand individually to understand their PA-DSS compliance requirements.
   - List of individuals interviewed and their titles
   - List of documentation reviewed
   - For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP's customers to include in their reviews. Include information about which of the MSP's IP addresses are scanned as part of the MSP's quarterly vulnerability scans, and which IP addresses are the responsibility of the MSP's customers to include in their own quarterly scans.

4. Contact Information and Report Date. Include:
   - Contact information for merchant or service provider and assessor
   - Date of report

5. Quarterly Scan Results
   - Summarize the four most recent quarterly scan results in the Executive Summary as well as in comments at Requirement 11.2. Note: It is not required that four passing quarterly scans must be completed for initial PCI DSS compliance if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning going forward, and 3) any vulnerabilities noted in the initial scan have been corrected as shown in a re-scan. For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.
   - Scans must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Security Scanning Procedures.

6. Findings and Observations
   - Summarize in the Executive Summary any findings that may not fit into the standard Report on Compliance template format.
   - All assessors must use the Detailed PCI DSS Requirements and Security Assessment Procedures template to provide detailed report descriptions and findings on each requirement and sub-requirement.
   - The assessor must review and document any compensating controls considered to conclude that a control is in place. See the Compensating Controls section above and Appendices B and C for more details on compensating controls.

Revalidation of Open Items

A "controls in place" report is required to verify compliance. The report is considered non-compliant if it contains open items, or items that will be finished at a future date. The merchant/service provider must address these items before validation is completed. After these items are addressed by the merchant/service provider, the assessor will then reassess to validate that the remediation occurred and that all requirements are satisfied. After revalidation, the assessor will issue a new Report on Compliance, verifying that the cardholder data environment is fully compliant, and submit it consistent with the instructions below.

PCI DSS Compliance Completion Steps

1. Complete the Report on Compliance (ROC) according to the section above entitled Instructions and Content for Report on Compliance.
2. Ensure passing vulnerability scan(s) have been completed by a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of passing scan(s) from the ASV.
3. Complete the Attestation of Compliance, for either Service Providers or Merchants as applicable, in its entirety. See Appendices D and E for Attestations of Compliance.
4. Submit the ROC, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers).
Detailed PCI DSS Requirements and Security Assessment Procedures

For the PCI DSS Requirements and Security Assessment Procedures, the following defines the table column headings:

- PCI DSS Requirements: This column defines the Data Security Standard and lists requirements to achieve PCI DSS compliance; compliance will be validated against these requirements.
- Testing Procedures: This column shows processes to be followed by the assessor to validate that PCI DSS requirements are in place.
- In Place: This column must be used by the assessor to provide a brief description of controls found in place, including those controls found to be in place as a result of compensating controls. (Note that this column must not be used for items that are not yet in place or for open items to be completed at a future date.)
- Not in Place: This column must be used by the assessor to provide a brief description of controls that are not in place. Note that a non-compliant report should not be submitted to a payment brand or acquirer unless specifically requested. See Appendix D and Appendix E: Attestations of Compliance for further instructions on non-compliant reports.
- Target Date/Comments: For those controls "Not in Place" the assessor may include a target date by which the merchant or service provider expects to have the controls "In Place". Any additional notes or comments may be included here as well.
Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are computer devices that control computer traffic allowed between a company's network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company's internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees' Internet access through desktop browsers, employees' access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

| PCI DSS Requirements | Testing Procedures | In Place | Not in Place | Target Date/Comments |
|---|---|---|---|---|
| 1.1 Establish firewall and router configuration standards that include the following: | 1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following: | | | |
| 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations | 1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations. | | | |
| 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks | 1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.b Verify that the diagram is kept current. | | | |
| 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone | 1.1.3 Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone. Verify that the current network diagram is consistent with the firewall configuration standards. | | | |
| 1.1.4 Description of groups, roles, and responsibilities for logical management of network components | 1.1.4 Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components. | | | |
| 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure | 1.1.5.a Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service. An example of an insecure service, protocol, or port is FTP, which passes user credentials in clear text. | | | |
| 1.1.6 Requirement to review firewall and router rule sets at least every six months | 1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months. | | | |
| 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage. | 1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows: | | | |
| 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment | 1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented. 1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement. | | | |
| 1.2.2 Secure and synchronize router configuration files | 1.2.2 Verify that router configuration files are secure and synchronized; for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are re-booted) have the same, secure configurations. | | | |
| 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. | 1.2.3 Verify that there are perimeter firewalls installed between any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. | | | |
| 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. | 1.3 Examine firewall and router configurations, as detailed below, to determine that there is no direct access between the Internet and system components, including the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment. | | | |
| 1.3.1 Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment | 1.3.1 Verify that a DMZ is implemented to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment. | | | |
| 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ | 1.3.2 Verify that inbound Internet traffic is limited to IP addresses within the DMZ. | | | |
| 1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment | 1.3.3 Verify there is no direct route inbound or outbound for traffic between the Internet and the cardholder data environment. | | | |
| 1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ | 1.3.4 Verify that internal addresses cannot pass from the Internet into the DMZ. | | | |
| 1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ | 1.3.5 Verify that outbound traffic from the cardholder data environment to the Internet can only access IP addresses within the DMZ. | | | |
| 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.) | 1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). [Only established connections should be allowed in, and only if they are associated with a previously established session (run a port scanner on all TCP ports with "syn reset" or "syn ack" bits set; a response means packets are allowed through even if they are not part of a previously established session).] | | | |
| 1.3.7 Place the database in an internal network zone, segregated from the DMZ | 1.3.7 Verify that the database is on an internal network zone, segregated from the DMZ. | | | |
| 1.3.8 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies, for example, port address translation (PAT). | 1.3.8 For the sample of firewall and router components, verify that NAT or other technology using RFC 1918 address space is used to restrict broadcast of IP addresses from the internal network to the Internet (IP masquerading). | | | |
| 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network. | 1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization's network, have personal firewall software installed and active. 1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by mobile computer users. | | | |
APPENDIX C
Configuring for Large Files and Web Pages

This appendix describes how to configure a web site that handles very large HTTP POST requests so as to minimize processing delays and hangs on the Citrix Application Firewall.

Overview

The Application Firewall is processor intensive. On multi-processor hardware platforms it makes heavy use of coprocessors, which limits the load on the main processor. On single-processor platforms, however, certain types of requests can overload the Application Firewall and slow processing on the Citrix NetScaler appliance. In extreme cases the appliance appears to hang while it processes the request, which causes a failover in an HA pair. In a single-unit installation, users cannot reach the protected servers and applications until the unit finishes processing the large request or is rebooted.

This condition is triggered in particular when a user uploads a large file or submits any other type of large POST request to a protected web server. If the Transform Cross-Site Scripts check action, the Transform SQL Special Characters check action, or both are enabled, it is triggered more easily. The size of POST body needed to trigger it depends on the CPU speed and the amount of RAM on the appliance; normally the total size of the POST request must exceed 2 MB.

Three Workarounds

Depending on whether your protected web servers process large POST requests, and if they do, how many, there are three workarounds for this issue.
Legitimate large uploaded files. If users may legitimately upload extremely large files to your web server, you can disable security checks on uploaded files. Web servers do not normally execute code in uploaded files, even those that contain active code, so a successful cross-site scripting or SQL injection attack launched through an uploaded file is unlikely, and it is normally safe to disable security checks for this type of content. Two conditions apply: the server must never serve an uploaded file back to other users with an active content type (for example HTML or SVG), because a file echoed back that way can carry stored cross-site scripting, and the contents of the file must never be passed into a database query.

Legitimate large Web form POST bodies. If your protected web site has web forms that can legitimately create extremely large POST bodies, configure your NetScaler appliance to minimize processing of large POST bodies. Because this reduces the scanning done on those bodies, do it only when the form contents are not used as parameters for SQL queries and are not displayed on a web page; otherwise you weaken the protection against SQL injection and cross-site scripting.

No legitimate large POST bodies. If users should never upload extremely large files to your web server, and none of your web forms, when filled with legitimate data, can create an extremely large POST body, configure the Application Firewall to reject any POST body above a certain size. This is the safest option, and is recommended whenever you know that it will not block legitimate traffic.

The following procedures describe how to configure your system appropriately. The first describes how to disable checking of uploaded files using the configuration utility.

To disable checking of uploaded files from the configuration utility

1. If you have not already done so, log on to the configuration utility. For instructions, see To log on to the configuration utility.
2. In the Menu tree, click the plus sign to the left of the Application Firewall entry to expand it and display its submenu, then click the Profiles entry to display the Profiles page.
3. Create a profile to protect the web forms that receive large file uploads. You can create this profile with basic or with advanced defaults. Normally it is wise to use advanced defaults when creating a profile to protect web forms, because the Application Firewall can require specific relaxations to protect specific web form content appropriately, and those relaxations are most easily generated with the Learning feature; advanced defaults provide appropriate starter settings when you will use Learning. For instructions on creating a profile, see To create a profile using the configuration utility.
4. In the Profiles page data area, click the entry for the profile you just created once, to highlight it.
5. Click the Open button to open the Configure Application Firewall Profile dialog box for the selected profile.
6. Configure the profile security checks as appropriate, disabling blocking for any security check that might block legitimate requests until it is properly configured. For instructions, see To configure a profile using the configuration utility.
7. Click the Settings tab to display the Settings page, shown in The Configure Application Firewall Profile Dialog Box, Settings Page on page 407.

[Figure: The Configure Application Firewall Profile Dialog Box, Settings Page]

8. Check the check box labeled Exclude uploaded files from security checks.
9. Click the OK button to save your changes. The Configure Application Firewall Profile dialog box closes, and you return to the Profiles page.
10. Create and configure an appropriate policy to detect connections to the web pages that contain web forms used to accept uploaded files. For detailed instructions, see To create a policy using the configuration utility.
11. Globally bind your new policy to put it into effect. For detailed instructions, see To globally bind a policy using the configuration utility on page 150.

The second procedure describes how to disable checking of uploaded files using the NetScaler command line.

To disable checking of uploaded files from the NetScaler command line

1. Run the secure shell (SSH) client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions, see To log onto the NetScaler command line via SSH.
2. Create a profile to protect the web forms that receive large file uploads. As in the previous procedure, advanced defaults are normally the better choice, because the relaxations that web forms need are most easily generated with the Learning feature and advanced defaults provide appropriate starter settings for it. To create a new profile with advanced defaults, enter:

> add appfw profile <name> -defaults advanced

For <name>, substitute a name for your profile.
3. Configure the profile to disable blocking and enable learning for the security checks you will use. For detailed instructions, see To configure a profile using the NetScaler command line.
4. Enter the following command to disable checking of uploaded files for that profile:

> set appfw profile <name> -excludefileuploadfromchecks ON

For <name>, substitute the name of the profile that will filter the URLs containing web forms used to upload files.
5. Create and configure an appropriate policy to detect connections to the web pages that contain web forms used to accept uploaded files. For detailed instructions, see To create a policy at the NetScaler command line.
6. Globally bind your new policy to put it into effect. For detailed instructions, see To globally bind a policy using the NetScaler command line on page 152.

The next procedure describes how to configure your NetScaler appliance to minimize processing of large POST bodies. Some parts of it can be performed in the configuration utility, but others must be performed at the NetScaler command line, so the whole procedure is described at the command line.

To configure the NetScaler appliance for minimal processing of large POST requests

1. Run the secure shell (SSH) client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions, see To log onto the NetScaler command line via SSH.
2. Type the following command to enter the BSD shell from the NetScaler command line:

> shell

The prompt changes from > to #, and you are in the BSD shell.
3. Type the following command to stop scanning POST bodies above a certain size when applying security checks:

# nsapimgr -s appfw_post_body_scan_limit=<limit>

For <limit>, substitute the maximum number of bytes the Application Firewall should scan for security check violations. For example, to set a POST body scan limit of 1 MB, substitute 1048576 (1 MB in bytes). This setting applies globally to all Application Firewall profiles on the appliance or HA pair.
4. Type the following command to disable extraction of the web form ID from POST bodies:

# nsapimgr -s appfw_post_body_extract_formid=0
By default, this parameter is set to 1, which enables extraction of web form IDs. Turning off web form ID extraction speeds processing of extremely large POST bodies considerably. This setting also applies globally to all Application Firewall profiles on the appliance or HA pair.

Note: The nsapimgr settings in steps 3 and 4 are made in the running kernel and are not part of the saved NetScaler configuration, so they must be reapplied after a reboot.

5. Type the following command to leave the BSD shell:

# exit

The prompt changes from # back to >, and you return to the NetScaler command line.
6. If you are certain that users will never legitimately send a POST above a certain size to any content protected by a particular profile, type the following command to block outright any POST request above that limit:

> set appfw profile <name> -postbodylimit <limit>

For <name>, substitute the name of the profile. For <limit>, substitute the number of bytes above which POST requests should be blocked. For example, to block all POST bodies above 2 MB, substitute 2097152 (2 MB in bytes). Setting a POST body limit can significantly reduce the impact of extremely large POST requests sent to your server in error or as part of an attack.

Note: Keep each profile's POST body limit at or below the global POST body scan limit. If the POST body limit is higher than the scan limit, POST requests larger than the scan limit but smaller than the POST body limit are allowed to proceed without security scanning, which introduces a gap into your configuration.

7. Repeat the previous step for each profile used to filter large POST body content. Unlike the nsapimgr commands in steps 3 and 4, the set appfw profile command applies only to the profile you name, so issue it once for each profile you want to configure.

The final procedure describes how to configure the Application Firewall to reject requests with POST bodies over a certain size outright.

Note: This procedure can be used on any NetScaler appliance to prevent problems caused by requests with overly large POST bodies when you do not expect your protected web servers to receive any such requests.

To configure the Application Firewall to reject large POST requests

1. Run the secure shell (SSH) client of your choice, connect to the NSIP of your appliance, and log on to the NetScaler command line. For instructions, see To log onto the NetScaler command line via SSH.
2. Enter the following command to block outright any POST request above the limit for the specified profile:

> set appfw profile <name> -postbodylimit <limit>

For <name>, substitute the name of the profile. For <limit>, substitute the number of bytes above which POST requests should be blocked. For example, to block all POST bodies above 2 MB, substitute 2097152 (2 MB in bytes).
3. Repeat the previous step for each profile used to filter large POST body content.
APPENDIX D
SQL Injection Check Keywords

This appendix lists the SQL keywords recognized by the Application Firewall SQL Injection check. The HTML SQL Injection check and the XML SQL Injection check use these keywords to determine whether a request contains unauthorized injected SQL code.

Note: The list below is case-sensitive as printed, with capitalized entries sorted before lower-case ones. Most SQL servers match keywords without regard to case, so an injected query can spell any of these words in any combination of capitals and lower-case letters.

MSysACEs MSysObjects MSysQueries MSysRelationships
SYS.ALL_CATALOG SYS.ALL_CONSTRAINTS SYS.ALL_OBJECTS SYS.ALL_TABLES SYS.ALL_TAB_COLUMNS SYS.ALL_TAB_PRIVS SYS.ALL_TRIGGERS SYS.ALL_USERS SYS.ALL_VIEWS SYS.TAB SYS.USER_CATALOG SYS.USER_CONSTRAINTS
SYS.USER_OBJECTS SYS.USER_ROLE_PRIVS SYS.USER_SYS_PRIVS SYS.USER_TABLES SYS.USER_TAB_COLUMNS SYS.USER_TAB_PRIVS SYS.USER_TRIGGERS SYS.USER_VIEWS
add alter and begin case char commit constraint create decode delete distinct drop execute exec exists grant group insert intersect join like minus modify null or revoke rollback select shutdown sp_sdidebug syscolumns sysobjects union update where
xp_availablemedia xp_cmdshell xp_delet xp_dirtree xp_dropwebtask xp_dsninfo xp_enumdsn xp_enumerrorlogs xp_enumgroups xp_enumqueuedtasks xp_eventlog xp_findnextmsg xp_fixeddrives xp_getfiledetails xp_getnetname xp_grantlogin xp_logevent xp_loginconfig xp_logininfo xp_makewebtask
xp_msver xp_perfend xp_perfmonitor xp_perfsample xp_perfstart xp_readerrorlog xp_readmail xp_regread xp_revokelogin xp_runwebtask xp_schedulersignal xp_sendmail xp_servicecontrol xp_snmp_getstate xp_snmp_raisetrap xp_sprintf xp_sqlinventory xp_sqlregister xp_sqltrace xp_sscanf xp_startmail xp_stopmail xp_subdirs xp_unc_to_drive
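The following is an added example, not Citrix code, that models the two Appendix C settings (the global appfw_post_body_scan_limit and the per-profile -postbodylimit) together with a keyword scan built from a subset of the Appendix D list. It follows the Appendix C note literally: a body above the profile's POST body limit is blocked, a body above the scan limit is otherwise forwarded without security scanning, and everything else is scanned for the keywords. The whole-token, case-sensitive matching rule, the AppfwProfile class and the unscanned_window helper are assumptions made for the demonstration; nothing here describes how the product's matcher is actually implemented. The payload in the main block is constructed.

```python
"""Model of two Application Firewall settings from Appendix C and a keyword
scan drawn from the Appendix D list.

Added example, not Citrix code. It follows the Appendix C note literally:
a body above the per-profile -postbodylimit is blocked, a body above the
global appfw_post_body_scan_limit is otherwise forwarded without security
scanning, and everything else is scanned. The keyword subset comes from
Appendix D; the whole-token, case-sensitive matching rule is an assumption
made for this demonstration, not a description of the product's matcher.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MB = 1024 * 1024

# Subset of the Appendix D keyword list, case-sensitive as printed there.
SQL_KEYWORDS = (
    "select", "union", "insert", "update", "delete", "drop", "exec", "execute",
    "xp_cmdshell", "sysobjects", "syscolumns", "SYS.ALL_TABLES", "MSysObjects",
)
# Whole-token match: a keyword must not be glued to letters, digits, '_' or '.'.
_PATTERNS = [
    (kw, re.compile(r"(?<![\w.])" + re.escape(kw) + r"(?!\w)")) for kw in SQL_KEYWORDS
]


@dataclass
class AppfwProfile:
    name: str
    postbodylimit: Optional[int] = None   # bytes; None models no -postbodylimit set


def find_sql_keywords(text: str) -> List[str]:
    """Keywords present as whole tokens, in list order; 'SELECT' does not match 'select'."""
    return [kw for kw, pat in _PATTERNS if pat.search(text)]


def evaluate_post(profile: AppfwProfile, body: bytes, scan_limit: int) -> Tuple[str, str]:
    """Decide one POST body: ('block', reason) or ('allow', 'scanned'|'unscanned')."""
    size = len(body)
    if profile.postbodylimit is not None and size > profile.postbodylimit:
        return ("block", "postbodylimit")
    if size > scan_limit:
        # Appendix C note: above the scan limit the request proceeds without
        # security scanning. This is the gap the note warns about.
        return ("allow", "unscanned")
    hits = find_sql_keywords(body.decode("utf-8", "replace"))
    if hits:
        return ("block", "sql-injection:" + ",".join(hits))
    return ("allow", "scanned")


def unscanned_window(profile: AppfwProfile, scan_limit: int) -> Optional[int]:
    """Bytes per request that can reach the server without being scanned.

    0 means the profile honours the Appendix C note (-postbodylimit at or
    below the scan limit); None means unbounded because no limit is set.
    """
    if profile.postbodylimit is None:
        return None
    return max(0, profile.postbodylimit - scan_limit)


if __name__ == "__main__":
    scan_limit = 1 * MB            # nsapimgr -s appfw_post_body_scan_limit=1048576
    loose = AppfwProfile("forms", postbodylimit=2 * MB)   # violates the note
    tight = AppfwProfile("forms", postbodylimit=1 * MB)   # honours the note
    # Constructed payload: 1.5 MB of filler with the injection at the very end.
    body = b"comment=" + b"A" * (3 * MB // 2) + b"&q=1; exec xp_cmdshell 'dir'"
    print(evaluate_post(loose, body, scan_limit))
    print(evaluate_post(tight, body, scan_limit))
    print(unscanned_window(loose, scan_limit), unscanned_window(tight, scan_limit))
```

Run as a script, the loose profile lets the 1.5 MB body through unscanned while the tight profile blocks it, and unscanned_window reports a 1 MB gap for the loose profile and 0 for the tight one; that single number is the check to run over every profile after setting appfw_post_body_scan_limit. The uppercase test in find_sql_keywords shows why the case of the printed list matters: a matcher that is literally case-sensitive misses SELECT, which the database accepts just as readily as select.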
APPENDIX E
Cross-Site Scripting: Allowed Tags and Attributes

This appendix lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting check treats as safe.

Note: HTML tag names are not case-sensitive, so the tags below are shown in capitals. Any combination of capitals and lower-case letters can be used for a tag name, and the tag will still be valid and have the same effect.

Allowed Tags

<A> <ADDRESS> <B> <BASEFONT> <BGSOUND> <BIG> <BLOCKQUOTE> <BQ> <BR> <CAPTION> <CENTER> <CITE> <DD>
<DEL> <DFN> <DIV> <DL> <DT> <EM> <FONT> <H1> <H2> <H3> <H4> <H5> <H6> <HR> <I> <IMG> <KBD> <LI> <MAP> <MARQUEE> <OL> <P> <SMALL> <STRIKE> <STRONG> <SUB> <SUP> <TABLE> <TD> <TH> <TR> <TT> <U> <UL>

Allowed Attributes

abbr accesskey align alt axis bgcolor border cellpadding cellspacing char charset charoff cite class clear color colspan compact coords dir face headers height hreflang
href hspace id ismap lang longdesc name noshade nowrap rel rev rowspan rules scope shape size src start summary tabindex target title type usemap valign value vspace width
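An allow-list filter built from the two lists above, as an added example: this is not the Application Firewall's code and makes no claim about how its Cross-Site Scripting check is implemented. The lists name tags and attributes only, not attribute values, so href and src are allowed by name whatever they contain; the javascript:/vbscript: test on URL-valued attributes, the choice to drop the text inside script and style elements, and the set of void tags are assumptions added here. The inputs in the usage note are constructed.

```python
"""Allow-list HTML filter built from the Appendix E tag and attribute lists.

Added example: this is not the Application Firewall's own code and does not
claim to reproduce its Cross-Site Scripting check. The javascript:/vbscript:
URL test on href/src-style attributes, dropping the text of script/style
elements, and the void-tag set are extra rules the Appendix E lists do not
mention (assumptions).
"""
import re
from html import escape
from html.parser import HTMLParser

# Appendix E "Allowed Tags", lower-cased (HTML tag names are case-insensitive).
ALLOWED_TAGS = set("""a address b basefont bgsound big blockquote bq br caption
center cite dd del dfn div dl dt em font h1 h2 h3 h4 h5 h6 hr i img kbd li map
marquee ol p small strike strong sub sup table td th tr tt u ul""".split())

# Appendix E "Allowed Attributes".
ALLOWED_ATTRS = set("""abbr accesskey align alt axis bgcolor border cellpadding
cellspacing char charset charoff cite class clear color colspan compact coords
dir face headers height hreflang href hspace id ismap lang longdesc name noshade
nowrap rel rev rowspan rules scope shape size src start summary tabindex target
title type usemap valign value vspace width""".split())

# Allowed attributes whose value is a URL. The lists say nothing about values,
# so without this extra rule <a href="javascript:..."> would pass (assumption).
URL_ATTRS = {"href", "src", "cite", "longdesc", "usemap"}
VOID_TAGS = {"br", "hr", "img", "basefont", "bgsound"}   # no closing tag
_CTRL_WS = re.compile(r"[\x00-\x20]")


def is_script_url(value):
    # Browsers ignore leading whitespace and embedded control characters when
    # they read the URL scheme, so strip them before comparing.
    return _CTRL_WS.sub("", value).lower().startswith(("javascript:", "vbscript:"))


class AllowListFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded, re-escaped on output
        self.out = []
        self.dropped = []   # "tag" or "tag@attr" for everything removed
        self._skip = None   # set while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self._skip = tag   # drop the element's text content as well
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or (
                name in URL_ATTRS and value is not None and is_script_url(value)
            ):
                self.dropped.append(f"{tag}@{name}")
                continue
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self._skip == tag:
            self._skip = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (filtered_html, dropped_items) for one HTML fragment."""
    f = AllowListFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped
```

With constructed inputs, sanitize('<script>alert(1)</script><img src="x" onerror="alert(1)">') returns '<img src="x">' and reports script and img@onerror as dropped, while '<a href="java&#9;script:alert(1)">x</a>' loses its href because the entity is decoded and the tab stripped before the scheme is compared. Text and attribute values are re-escaped on output, so a literal &lt; in data stays inert. The second case is the caveat a practitioner should take from the appendix: an allow list of names does not by itself say anything about what a permitted href or src may point to.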
Broadband Router ESG-103. User s Guide
Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits
Oracle Virtual Desktop Client for ipad. User Guide for Version 1.0
Oracle Virtual Desktop Client for ipad User Guide for Version 1.0 Oracle Virtual Desktop Client for ipad: User Guide for Version 1.0 Published June 2011 Abstract Part Number: E23350-01 This manual describes
Importance of Web Application Firewall Technology for Protecting Web-based Resources
Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,
Overview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
RSA Authentication Manager 7.1 Basic Exercises
RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo
Guidelines for Web applications protection with dedicated Web Application Firewall
Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security
Plesk for Windows Copyright Notice
2 Plesk for Windows Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 325 Herndon VA 20171 USA Phone: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright 1999-2007, SWsoft Holdings, Ltd.
Integrating Barracuda Web Application Firewall
Integrating Barracuda Web Application Firewall EventTracker v7.x Publication Date: July 28, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides
http://www.trendmicro.com/download
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Deployment Guide for Microsoft Lync 2010
Deployment Guide for Microsoft Lync 2010 Securing and Accelerating Microsoft Lync with Palo Alto Networks Next-Generation Firewall and Citrix NetScaler Joint Solution Table of Contents 1. Overview...3
HP Load Balancing Module
HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P.
INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM
INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: [email protected] ABSTRACT Internet security
Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide
Kaspersky Security 9.0 for Microsoft Exchange Servers Administrator's Guide A P P L I C A T I O N V E R S I O N : 9. 0 Dear User! Thank you for choosing our product. We hope that this document will help
Connecting with Computer Science, 2e. Chapter 5 The Internet
Connecting with Computer Science, 2e Chapter 5 The Internet Objectives In this chapter you will: Learn what the Internet really is Become familiar with the architecture of the Internet Become familiar
Oracle Agile Product Lifecycle Management for Process
Oracle Agile Product Lifecycle Management for Process Document Reference Library User Guide Release 6.1.0.1 E27854-01 March 2012 Oracle Agile Product Lifecycle Management for Process Document Reference
WEB ATTACKS AND COUNTERMEASURES
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
Network Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds [email protected] What is Firewall? A firewall
LifeSize Networker Installation Guide
LifeSize Networker Installation Guide November 2008 Copyright Notice 2006-2008 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure
Symantec Hosted Mail Security. Console and Spam Quarantine User Guide
Symantec Hosted Mail Security Console and Spam Quarantine User Guide Symantec Hosted Mail Security Console and Spam Quarantine User Guide The software described in this book is furnished under a license
Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide
Symantec Protection for SharePoint Servers 6.0.4 Implementation Guide for Microsoft SharePoint 2003/2007 Symantec Protection for SharePoint Servers Implementation Guide The software described in this book
Plesk 8.3 for Linux/Unix System Monitoring Module Administrator's Guide
Plesk 8.3 for Linux/Unix System Monitoring Module Administrator's Guide Revision 1.0 Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703) 815 5670
Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide
Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide Revision 1.0 Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703)
Parallels Plesk Panel 11 for your Linux server
Getting Started Guide Parallels Plesk Panel 11 for your Linux server Getting Started Guide Page 1 Getting Started Guide: Parallels Plesk Panel 11, Linux Server Version 1.1 (11.1.2012) Copyright 2012. All
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used
Network Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
GWA502 package contains: 1 Wireless-G Broadband Router 1 Power Adapter 1 Ethernet Cable 1 Manual CD 1 Quick Start Guide 1 Warranty/Registration Card
Wireless-G Broadband Router GWA502 Quick Start Guide Read this guide thoroughly and follow the installation and operation procedures carefully to prevent any damage to the unit and/or any of the devices
