Deployment GuideDeploying NetScalerAppFirewallDeployment GuideThis deployment guide provides general guidelines for deploying theNetScaler Application

Deployment GuideDeploying NetScaler AppFirewallTable of ContentsIntroduction3AppFirewall Features3Rules and Signatures7Integrating with other NetScaler features8Packet Processing with NetScaler and AppFirewall8Standard Workflow for Deploying AppFirewall9Deploying the AppFirewall11Basic and Advanced PoliciesCustom Policy BindingsConclusioncitrix.com1216182

Deployment GuideDeploying NetScaler AppFirewallCitrix NetScaler AppFirewall is a comprehensive ICSA certified webapplication security solution that blocks known and unknownattacks against web and web services applications. NetScalerAppFirewall enforces a hybrid security model that permits onlycorrect application behaviour and efficiently scans and protectsagainst known application vulnerabilities. It analyzes allbidirectional traffic, including SSL-encrypted communication, toprotect against a broad range of security threats without anymodification to applications.IntroductionNetScaler AppFirewall (also referred to as AppFirewall, Web Application Firewall or WAF) technology is included in and integrated with Citrix NetScaler MPX and NetScaler VPX , Platinum Edition,and is available as an optional module that can be added to NetScaler MPX appliances runningNetScaler Enterprise Edition. NetScaler AppFirewall is also available as a stand-alone solution onsome NetScaler MPX appliances. The stand-alone NetScaler AppFirewall models can be upgradedthrough software licensing to full NetScaler Application Delivery Controllers (ADCs).This guide focuses on defining the general deployment guidelines for Citrix NetScaler AppFirewall.The product versions described here are ProductVersionNetScaler (AppFirewall IntegratedModule)10.5 (Enterprise/Platinum License)AppFirewall FeaturesHybrid security modelThe NetScaler hybrid security model allows you to take advantage of both a positive security model and a negative security model to come up with a configuration ideally suited for yourapplications.The positive security model protects against Buffer Overflow, CGI-BIN Parameter Manipulation,Form/Hidden Field Manipulation, Forceful Browsing, Cookie or Session Poisoning, Broken ACLs,Cross-Site Scripting (XSS), Command Injection, SQL Injection, Error Triggering Sensitive InformationLeak, Insecure Use of Cryptography, Server Misconfiguration, Back Doors and Debug Options,Rate-Based Policy Enforcement, Well Known Platform Vulnerabilities, Zero-Day Exploits, Cross SiteRequest Forgery (CSRF), and leakage of Credit Card and other sensitive data.The negative security model uses a rich set signatures to protect against L7 and HTTP applicationvulnerabilities. The application firewall is integrated with several third party scanning tools, such asthose offered by Cenzic, Qualys, Whitehat, and IBM. The built-in XSLT files allow easy importationcitrix.com3

Deployment GuideDeploying NetScaler AppFirewallof rules, which can be used in conjunction with the native-format Snort based rules. An autoupdate feature gets the latest updates for new vulnerabilities.The positive security model might be the preferred choice for protecting applications that have ahigh need for security, because it gives you the option to fully control who can access what data.You allow only what you want and block the rest. This model includes a built-in security checkconfiguration, which is deployable with a few clicks. However, keep in mind that the tighter thesecurity, the greater the processing overhead.The negative security model might be preferable for customized applications. The signatures allowyou to combine multiple conditions, and a match and the corresponding action are triggered onlywhen all the conditions are satisfied. You block only what you don’t want and allow the rest. A specific fast-match pattern in a specified location can significantly reduce processing overhead tooptimize performance. The option to add your own signature rules, based on the specific securityneeds of your applications, gives you the flexibility to design your own customized securitysolutions.Request as well as response side detection and protectionYou can inspect the incoming requests to detect any suspicious behavior and take appropriateactions, and you can check the responses to detect and protect against leakage of sensitive data.Rich set of built-in protections for HTML, XML and JSON payloadsThe application firewall offers 19 different security checks. Six of them (such as Start URL and DenyURL) apply to both HTML and XML data. Five checks (such as Field Consistency and Field Format)are specific to HTML, and eight (such as XML Format and Web Service Interoperability) are specificto XML payloads. This feature includes a rich set of actions and options. For example, URL Closureenables you to control and optimize the navigation through your website, to safeguard againstforceful browsing without having to configure relaxation rules to allow each and every legitimateURL. You have the option to remove or x-out the sensitive data, such as credit-card numbers, in theresponse. Be it SOAP array attack protection, XML denial of service (XDoS), WSDL scan prevention,attachment check, or any number of other XML attacks, you have the comfort of knowing that youhave an ironclad shield protecting your data when your applications are protected by the application firewall. The signatures allow you to configure rules using XPATH-Expressions to detectviolations in the body as well as the header of a JSON payload.GWTSupport for protecting Google Web Toolkit applications to safeguard against SQL, XSS and FormField Consistency check violations.Java-free, user friendly graphical user interface (GUI)An intuitive GUI and preconfigured security checks make it easy to deploy security by clicking a fewbuttons. A wizard prompts and guides you to create the required elements, such as profiles, policies, signatures, and bindings. The HTML5 based GUI is free of any Java dependency. It’sperformance is significantly better than that of the older, Java based versions.citrix.com4

Deployment GuideDeploying NetScaler AppFirewallEasy to Use and automatable CLIMost of the configuration options that are available in GUI are also available in the command lineinterface (CLI). The CLI commands can be executed by a batch file and are easy to automate.Support for REST APIThe NetScaler NITRO protocol supports a rich set of REST API’s to automate application firewallconfiguration and collect pertinent statistics for ongoing monitoring of security violations.LearningThe application firewall’s ability to learn by monitoring traffic to fine tune security is very userfriendly. The learning engine recommends rules, which makes it easy to deploy relaxations withoutproficiency in regular expressions.RegEx editor supportRegular expression offer an elegant solution to the dilemma of wanting to consolidate rules andyet optimize search. You can capitalize on the power of regular expressions to configure URLs,field names, signature patterns, and so on. The rich built-in GUI RegEx editor offers you a quick reference for the expressions and provides a convenient way to validate and test your RegEx foraccuracy.Customized error pageBlocked requests can be redirected to an error URL. You also have the option to display a customized error object that uses supported variables and Citrix default syntax (advanced PI expressions)to embed troubleshooting information for the client.PCI-DSS, stats, and other violation reportsThe rich set of reports makes it easy to meet the PCI-DSS compliance requirement, gather statsabout traffic counters, and view violation reports for all profiles or just one profile.Logging and click-to-rule from logDetailed logging is supported for native as well as CEF format. The application firewall offers youthe ability to filter targeted log messages in the syslog viewer. You can select a log message anddeploy a corresponding relaxation rule by a simple click of a button. You have the flexibility to customize log messages and also have support for generating web logs. For additional details, ity/application-firewall/logs.html.Include violation logs in trace recordsThe ability to include log messages in the trace records makes it very easy to debug unexpectedbehavior such as reset and block.CloningThe useful Import/Export profile option allows you to clone the security configuration from oneNetScaler appliance to others. Export learned data options make it easy to export the learned rulesto an Excel file. You can then get them reviewed and approved by the application owner beforeapplying them.citrix.com5

Deployment GuideDeploying NetScaler AppFirewallAppExpert TemplatesAn AppExpert template (a set of configuration settings) can be designed to provide appropriateprotection for your websites. You can simplify and expedite the process of deploying similar protection on other appliances by exporting these cookie-cutter templates to a template file. Foradditional details, see Sessionless security checksDeploying sessionless security checks can help you reduce the memory footprint and expedite theprocessing.Interoperability with other NetScaler featuresThe application firewall works seamlessly with other NetScaler features, such as rewrite, URL transformation, integrated caching, CVPN, and rate limiting.Support of PI expressions in policiesYou can leverage the power of advanced PI expressions to design policies to implement differentlevels of security for different parts of your application.Support for IPv6The application firewall supports both IPv4 and IPv6 protocols.Geolocation based security protection:You have the flexibility of using Citrix default syntax (PI Expressions) for configuring location basedpolicies, which can be used in conjunction with a built-in location database to customize firewallprotection. You can identify the locations from which malicious requests originate, and enforce thedesired level of security-check inspections for requests that originate from a specific geographicallocation.PerformanceRequest-side streaming significantly improves performance. As soon as a field is processed, theresulting data is forwarded to the back end while evaluation continues for the remaining fields.The improvement in processing time is especially significant when handling large posts.Other security featuresThe application firewall has several other security knobs that can help ensure the security of yourdata. For example, the Confidential Field lets you block leakage of sensitive information in the logmessages, and Strip HTML Comment allows you to remove the HTML comments from theresponse before forwarding it to the client. Field Types can be used to specify what inputs areallowed in the forms submitted to your application.citrix.com6

Deployment GuideDeploying NetScaler AppFirewallRules and SignaturesThe application firewall makes it very easy to design the right level of security for your applications.You can have multiple application firewall policies, bound to different application firewall profiles,to implement different levels of security-check inspections for your applications. You can initiallymonitor the logs to observe what security threats are being detected and which violations arebeing triggered. Rule creation is made straightforward with the application firewall’s rule engine,which supports two types of rules – learned rules and relaxation rules. You can either manually addrelaxation rules or take advantage of the application firewall’s recommended learned rules todeploy the required relaxations to avoid false positives.The Citrix application firewall offers visualizer support in the GUI, which makes rule managementvery easy. You can easily view all the data on one screen, and take action on several rules with oneclick. The biggest advantage of the visualizer is that it recommends regular expressions to consolidate several rules. You can select a subset of the rules, basing your selection on the delimiter andAction URL. Visualizer support is available for viewing 1) learned rules and 2) relaxation rules.1) The visualizer for learned rules offers the option to edit the rules and deploy them as relaxations.You can also skip (ignore) rules.2) The visualizer for deployed relaxations offers you the option to add a new rule or edit an existingone. You can also enable or disable a group of rules by selecting a node and clicking the Enable orDisable button in the relaxation visualizer.A signature is an object that can have multiple rules. Each rule consists of one or more patternsthat can be associated with a specified set of actions. The application firewall has a built-in defaultsignature object consisting of more than 1,300 signature rules, with an option to get the latestrules by using the auto-update feature to get protection against new vulnerabilities. Rules createdby other scan tools can also be imported.Signatures are very powerful because they use pattern matching to detect malicious attacks andcan be configured to check both the request and the response of a transaction. They are a preferred option when a customizable security solution is needed. Multiple action choices (forexample, block, log, learn, and transform) are available for when a signature match is detected.The default signatures, such as web-cgi, web-coldfusion, web-frontpage, web-iis, web-php, webclient, web-activex, web-shell-shock, and web-struts, cover rules to protect different types ofapplications. To match the needs of your application, you can select and deploy the rules belonging to a specific category.citrix.com7

Deployment GuideDeploying NetScaler AppFirewallSignature usage tips: You can just make a copy of the default signature object and modify it to enable the rules youneed and configure the actions you want. The signature object can be customized by adding new rules, which can work in conjunction withother signature rules. The signature rules can also be configured to work in conjunction with the security checks specified in the application firewall profile. If a match indicating a violation is detected by a signatureas well as a security check, the more restrictive action is the one that gets enforced. A signature rule can have multiple patterns and be configured to flag a violation only when allthe patterns are matched, thereby avoiding false positives. Careful selection of a literal fast-match pattern for a rule can significantly optimize processingtime.Integrating with other NetScaler featuresThe application firewall is fully integrated into the NetScaler appliance and works seamlessly withother features. You can configure maximum security for your application by using other NetScalersecurity features in conjunction with the application firewall. For example, AAA-TM can be used toauthenticate the user, check the user’s authorization to access the content, and log the accesses,including invalid login attempts. Rewrite can be used to modify the URL or to add, modify or deleteheaders, and responder can be used to deliver customized content to different users. You candefine the maximum load for your website by using rate limiting to monitor the traffic and throttlethe rate if it is too high. HTTP Denial-of-Service (DoS) protection can help distinguish between realHTTP clients and malicious DoS clients. You can narrow the scope of security-check inspection bybinding the application firewall policies to virtual servers, while still optimizing the user experienceby using the load balancing feature to manage heavily used applications. Requests for staticobjects such as images or text can bypass security check inspection, taking advantage of integrated caching or compression to optimize the bandwidth usage for such content.Packet Processing with NetScaler and AppFirewallThe flow of a packet in the NetScaler appliance is shown in the diagram below. This diagram is alsoavailable in the Processing Order of Features section at started-with-netscaler.html.citrix.com8

Deployment GuideDeploying NetScaler AppFirewallStandard Workflow for Deploying AppFirewallKnow your environment: Knowing your environment will help you to identify the best securityprotection solution (signatures, security checks, or both) for your needs. Before you begin configuration, you should gather the following information. OS: What kind of OS (MS Windows, Linux, BSD, Unix, others) do you have? Web Server: What web server (IIS, Apache or NetScaler Enterprise Server) are you running? Application: What type of applications are running on your application server (for example, ASP.NET, PHP, Cold Fusion, ActiveX, FrontPage, Struts, CGI, Apache Tomcat, Domino, and WebLogic)? Do you have customized applications or off-the-shelf (for example, Oracle, SAP) applications?What version you are using? SSL: Do you require SSL? If so, what key size (512, 1024, 2048, 4096) is used for signingcertificates? Traffic Volume: What is the average traffic rate through your applications? Do you have seasonalor time-specific spikes in the traffic? Server Farm: How many servers do you have? Do you need to use load balancing? Database: What type of database (MS-SQL, MySQL, Oracle, Postgres, SQLite, nosql, Sybase,citrix.com9

Deployment GuideDeploying NetScaler AppFirewall DB Connectivity: What kind of data base connectivity do you have (DSN, per-file connectionstring, single file connection string) and what drivers are used?Identify your security needs: You might want to evaluate which applications or specific data needmaximum security protection, which ones are less vulnerable, and the ones for which securityinspection can safely be bypassed. This will help you in coming up with an optimal configuration,and in designing appropriate policies and bind points to segregate the traffic. For example, youmight want to configure a policy to bypass security inspection of requests for static web content,such as images, MP3 files, and movies, and configure another policy to apply advanced securitychecks to requests for dynamic content. You can use multiple policies and profiles to protect different contents of the same application.License requirement: Citrix offers a unified solution to optimize the performance of your application by taking advantage of a rich set of features such as load balancing, content switching,caching, compression, responder, rewrite, and content filtering, to name a few. Identifying the features that you want can help you decide which license you need.Install and baseline a NetScaler appliance: Create a virtual server and run test traffic through it toget an idea of the rate and amount of traffic flowing through your system. This information willhelp you to identify your capacity requirement and select the right appliance (VPX, MPX, or SDX).For a detailed description of various available platforms and their throughput capabilities, see thefollowing data sheet: t.pdf?accessmode directDeploy the application firewall: Use the application firewall wizard to proceed with a simplesecurity configuration. The wizard walks you through several screens and prompts you to add aprofile, policy, signature, and security checks. Profile: Select a meaningful name and the appropriate type (HTML, XML or WEB 2.0) for yourprofile. The default policy and signatures will be auto-generated using the same name. Policy: The auto-generated policy has the default expression (true), which selects all traffic and isbound globally. This is a good starting poi