scripted content that accesses and/or modifies information on other Web servers.
• Appendix A, “PCRE Character Encoding.” Provides a primer on using PCRE character encoding to represent non-ASCII characters in Application Firewall regular expressions.
• Appendix B, “PCI DSS Standard.” Provides a copy of the official Payment Card Industry (PCI) Data Security Standard (DSS).
• Appendix C, “Configuring for Large Files and Web Pages.” Provides instructions on how to configure the Application Firewall to handle large uploaded files and large, complex Web pages with minimal impact on performance.
• Appendix D, “SQL Injection Check Keywords.” Lists the SQL keywords that the Application Firewall SQL Injection security check uses when examining requests.
• Appendix E, “Cross-Site Scripting: Allowed Tags and Attributes.” Lists the HTML tags and attributes that the Application Firewall Cross-Site Scripting security check will allow in requests without blocking the request.
New in This Release
NetScaler nCore Technology uses multiple CPU cores for packet handling and greatly improves the performance of many NetScaler features. Release 9.2 adds nCore support for many additional features, including load balancing, virtual private networks (VPNs), and the Application Firewall.
In Release 9.2, the following new features are also supported in the Application Firewall:
• Built-in profiles. The Application Firewall now installs with four built-in profiles. These profiles provide tools to allow or block connections that do not require further filtering.
• Default and undefined profiles. You can now designate a default profile and an undefined profile on a per-profile basis. The default profile is used for connections that do not match any Application Firewall policy. The undefined profile is used when a connection evaluates as undefined.
• Learning feature GUI changes. The Manage Learned Rules dialog box has been simplified and streamlined, and the Learning Data Visualizer has been integrated more completely with the Learning feature.
• NetScaler advanced policies. You can now use advanced policies and expressions to configure the Application Firewall. Advanced expressions provide a rich set of expression elements along with options to control the flow of evaluation within a policy bank. These elements and options enable you to maximize the capabilities of the Application Firewall. Advanced policies, which comprise a set of rules and actions that use the advanced expression format, further enhance your ability to analyze data at various network layers and at different points along the flow of traffic. For more information about the benefits of using advanced policies and expressions, see the “Introduction to Policies and Expressions” chapter in the Citrix NetScaler Policy Configuration and Reference Guide.
• User-configurable SQL and XSS lists. Users can now modify the lists of SQL special characters, SQL keywords, cross-site scripting allowed tags, and cross-site scripting allowed attributes used by the HTML and XML SQL injection security check and the HTML and XML cross-site scripting check. Users can create and upload multiple different lists, and designate the list to be used on a per-profile basis.
For a summary of the new features and remaining unsupported features, see the Citrix NetScaler 9.2 Release Notes.
Audience
This guide is intended for the following audience:
• IT Managers. IT managers or other individuals responsible for managing your network.
• System Administrators. Any system administrators responsible for managing your standalone Citrix Application Firewall, or your Citrix NetScaler Application Accelerator or NetScaler appliance.
The concepts and tasks described in this guide require you to have a basic understanding of networking and firewall concepts and terminology, the HTTP protocol, HTML, XML and SOAP, and Web security.
Formatting Conventions
This documentation uses the following formatting conventions.
Convention Meaning
Boldface Information that you type exactly as shown (user input); elements in the user interface.
<Angle Brackets> Placeholders for information or parameters that you provide. For example, <FileName> in a command means you type the actual name of a file. Also, new terms, and words referred to as words (which would otherwise be enclosed in quotation marks).
%SystemRoot% The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.
Monospace System output or characters in a command line. User input and placeholders are also formatted using monospace text.
{ braces } A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ] Optional items in command statements. For example, in the following command, [-range positiveInteger] means that you have the option of entering a range, but it is not required:
add lb vserver name serviceType IPAddress port [-range positiveInteger]
Do not type the brackets themselves.
| (vertical bar) A separator between options in braces or brackets in command statements. For example, the following indicates that you choose one of the following load balancing methods:
lbMethod = ( ROUNDROBIN | LEASTCONNECTION | LEASTRESPONSETIME | URLHASH | DOMAINHASH | DESTINATIONIPHASH | SOURCEIPHASH | SRCIPDESTIPHASH | LEASTBANDWIDTH | LEASTPACKETS | TOKEN | SRCIPSRCPORTHASH | LRTM | CALLIDHASH | CUSTOMLOAD )
Related Documentation
A complete set of documentation is available on the Documentation tab of your NetScaler and from http://support.citrix.com/. (Most of the documents require Adobe Reader, available at http://adobe.com/.)
To view the documentation
1. From a Web browser, log on to the NetScaler.
2. Click the Documentation tab.
3. To view a short description of each document, hover your cursor over the title. To open a document, click the title.
Getting Service and Support
Citrix offers a variety of resources for support with your Citrix environment, including the following:
• The Knowledge Center is a self-service, Web-based technical support database that contains thousands of technical solutions, including access to the latest hotfixes, service packs, and security bulletins.
• Technical Support Programs for both software support and appliance maintenance are available at a variety of support levels.
• The Subscription Advantage program is a one-year membership that gives you an easy way to stay current with the latest product version upgrades and enhancements.
• Citrix Education provides official training and certification programs on virtually all Citrix products and technologies.
For detailed information about Citrix services and support, see the Citrix Systems Support Web site at http://www.citrix.com/lang/English/support.asp.
You can also participate in and follow technical discussions offered by the experts on various Citrix products at the following sites:
• http://community.citrix.com
• http://twitter.com/citrixsupport
Documentation Feedback
You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.
• For NetScaler documentation, send email to [email protected].
• For Command Center documentation, send email to [email protected].
• For Access Gateway documentation, send email to [email protected].
You can also provide feedback from the Knowledge Center at http://support.citrix.com/.
To provide feedback from the Knowledge Center home page
1. Go to the Knowledge Center home page at http://support.citrix.com/.
2. On the Knowledge Center home page, under Products, expand NetScaler, and then click the NetScaler release for which you want to provide feedback.
3. On the Documentation tab, click the guide name, and then click Article Feedback.
4. On the Documentation Feedback page, complete the form, and then click Submit.
Introduction
The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it.
To use the Application Firewall, you must configure at least one profile to tell it what to do with the connections it filters, one policy to tell it which connections to filter, and then associate the profile with the policy. You can configure an arbitrary number of different profiles and policies to protect more complex Web sites. You can adjust how the Application Firewall operates on all connections in the Engine Settings. You can enable, disable, and adjust the settings of each security check separately. Finally, you can configure and use the included PCI-DSS report to assess your security configuration for compliance with the PCI-DSS standard.
You can configure the Application Firewall using either the Citrix NetScaler Configuration Utility (configuration utility) or the Citrix NetScaler Command Line Interface (NetScaler command line).
What is the Application Firewall?
The Application Firewall is a filter that sits between Web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects Web servers and Web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, Web server software, and the underlying operating system.
The Application Firewall is available on two platforms. First, the Citrix Application Firewall is a standalone appliance based on the Citrix NetScaler Application Accelerator platform and Citrix NetScaler Application Delivery System operating system. Second, the Citrix NetScaler Application Firewall feature is part of the Citrix NetScaler Application Delivery System, which runs on all models of the Citrix NetScaler Application Accelerator or Citrix NetScaler appliance. Therefore, users who want a dedicated Application Firewall can purchase a standalone Citrix Application Firewall. Users who want the Application Firewall functionality in addition to other NetScaler operating system features can purchase a new Citrix NetScaler appliance, or upgrade to version 9.1 of the NetScaler operating system and install it on their existing appliance.
Note: Citrix also supports the Citrix Application Firewall EX, which is built on a different hardware and operating system platform than the Application Firewall discussed in this manual. The Citrix Application Firewall EX has its own separate documentation set. This manual does not apply to the Citrix Application Firewall EX. If you need to obtain the Citrix Application Firewall EX documentation, contact Citrix Customer Support for further assistance.
What the Application Firewall Does
The Citrix Application Firewall protects Web servers and Web sites from misuse by hackers and malware, such as viruses and trojans, by filtering traffic between each protected Web server and users that connect to any Web site on that Web server. The Application Firewall examines all traffic for evidence of attacks on Web server security or misuse of Web server resources, and takes the appropriate action to prevent these attacks from succeeding.
Most types of attacks against Web servers and Web sites are launched to accomplish two overall goals. These are:
• Obtaining private information. The Application Firewall watches for attacks intended to obtain sensitive private information from your Web sites and the databases that your Web sites can access. This information can include customer names, addresses, phone numbers, social security numbers, credit card numbers, medical records, and other private information.
The hacker or malware author can then use this information directly, sell it to others, or both.
Much of the information obtained by such attacks is protected by law, and all of it by custom and expectation. A breach of this type can have extremely serious consequences for customers whose private information was compromised. At best, these customers will have to exercise vigilance to prevent others from abusing their credit cards, opening unauthorized credit accounts in their name, or appropriating the customer’s identity outright to commit criminal activities in their name (identity theft). At worst, the customers may face ruined credit ratings or even be blamed for criminal activities in which they had no part.
If a hacker or malware author manages to obtain such information through your Web site and then misuses it, that can create an embarrassing situation at best, and may expose your company to legal consequences.
• Obtaining unauthorized access and control. The Application Firewall watches for attacks intended to give the attacker access to and control of your Web server without your knowledge or permission. This prevents hackers from using your Web server to host unauthorized content, act as a proxy for content hosted on another server, provide SMTP services to send unsolicited bulk email, or provide DNS services to support these activities on other compromised Web servers. Such activities constitute theft of your server capacity and bandwidth for purposes you did not authorize.
By preventing unauthorized access to and control of your Web servers, the Application Firewall also helps prevent the common practice of unauthorized modifications of your home page or other pages on your Web site (Web site defacement).
Most Web sites that are hosted on hacked Web servers (or compromised Web servers) promote questionable or outright fraudulent businesses. For example, the majority of pharming Web sites, phishing Web sites, and child pornography Web sites (or CP Web sites) are hosted on compromised Web servers. So are many sites that sell prescription medications without a prescription, illegal OEM copies of copyrighted software, and untested and often worthless quack medical remedies.
If a hacker or malware author manages to host such a Web site on your company’s Web server, or use your company’s Web server to provide spam support services, that can create an embarrassing incident at the very least.
Many types of attacks can be used to obtain private information from or make unauthorized use of your Web servers. These attacks include:
• Buffer overflow attacks. Sending an extremely long URL, cookie, or other bit of information to a Web server in hopes of causing it or the underlying operating system to hang, crash, or behave in some manner useful to the attacker. A buffer overflow attack can be used to gain access to unauthorized information, to compromise a Web server, or both.
• Cookie security attacks. Sending a modified cookie to a Web server, usually in hopes of obtaining access to unauthorized content using falsified credentials.
• Forceful browsing. Accessing URLs on a Web site directly, without navigating to the URLs via hyperlinks on the home page or other common start URLs on the Web site. Individual instances of forceful browsing may simply indicate a user who bookmarked a page on your Web site, but repeated attempts to access non-existent content or content that users should never access directly often represent an attack on Web site security. Forceful browsing is normally used to gain access to unauthorized information, but can also include a buffer overflow attack and be used to compromise your server.
• Web form security attacks. Sending inappropriate content to your Web site using a Web form. Inappropriate content can include modified hidden fields, HTML or code in a field intended for alphanumeric data only, an overly long string in a field that accepts only a short string, an alphanumeric string in a field that accepts only an integer, and a wide variety of other data that your Web site does not expect to receive in that Web form. A Web form security attack can be used either to obtain unauthorized information from your Web site or to compromise the Web site outright, usually when combined with a buffer overflow attack.
In addition to standard Web form security attacks, there are two specialized types of attacks on Web form security that deserve special mention:
- SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords using a Web form, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.
- Cross-site scripting attacks. Using a script on a web page to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different Web site.
Since scripts can obtain information and modify files on your Web site, allowing a script access to content on a different Web site can provide an attacker the means to obtain unauthorized information, to compromise a Web server, or both.
• XML security attacks. Sending inappropriate content to an XML-based application, or attempting to breach security on your XML-based application. There are a number of special attacks that can be made against XML-based applications using XML requests that contain malicious code or objects. These include attacks based on badly-formed XML requests or XML requests that do not conform to the W3C XML specification, XML requests used to stage a denial of service (DoS) attack, and XML requests that contain attached files that can breach site security.
In addition to standard XML-based attacks, there are two specialized types of XML attacks that deserve special mention:
- SQL injection attacks. Sending an active SQL command or commands using SQL special characters and keywords in an XML-based request, with the goal of causing a back-end SQL database to execute that command or commands. SQL injection attacks are normally used to obtain unauthorized information.
- Cross-site scripting attacks. Using a script included in an XML-based application to violate the same origin policy, which forbids any script from obtaining properties from or modifying any content on a different application. Since scripts can obtain information and modify files using your XML application, allowing a script access to content belonging to a different application can provide an attacker the means to obtain unauthorized information, to compromise the application, or both.
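As an added illustration, not code from this guide or from the appliance, the following Python models how a list-driven check can apply the two patterns described above: a SQL injection check that flags a field value only when it contains both a SQL special character (or comment sequence) and a SQL keyword, and a cross-site scripting check that flags any HTML tag or attribute not on an allowed list. The keyword, special-character, tag and attribute lists, the function names, and the sample form submissions are all constructed for this example; the appliance's own lists are the ones in Appendices D and E.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in lists, deliberately small. The appliance ships its own
# user-editable lists (Appendices D and E); these are not those lists.
SQL_KEYWORDS = {"select", "insert", "update", "delete", "drop",
                "union", "exec", "or", "and"}
SQL_SPECIAL_TOKENS = ("'", '"', ";", "#", "--", "/*")
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br"}
ALLOWED_ATTRS = {"class", "id", "title"}


def sql_injection_violation(value, keywords=SQL_KEYWORDS,
                            special=SQL_SPECIAL_TOKENS):
    """Return a reason if value contains BOTH a SQL special token and a SQL
    keyword (whole word, case-insensitive); otherwise None.

    Requiring both keeps ordinary text such as "O'Brien" (special token, no
    keyword) or "select a colour" (keyword, no special token) from being flagged."""
    tokens = [t for t in special if t in value]
    if not tokens:
        return None
    words = {w.lower() for w in re.findall(r"[A-Za-z_]+", value)}
    hits = sorted(words & {k.lower() for k in keywords})
    if not hits:
        return None
    return f"special tokens {tokens} together with keywords {hits}"


class _TagCollector(HTMLParser):
    """Collects every start tag and its attribute names from a field value."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag_name, [attribute names])

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def xss_violation(value, allowed_tags=ALLOWED_TAGS, allowed_attrs=ALLOWED_ATTRS):
    """Return a reason if value carries an HTML tag or attribute outside the
    allowed lists; otherwise None. A bare "<" that does not open a tag
    (for example "1 < 2") is not a violation."""
    if "<" not in value:
        return None
    parser = _TagCollector()
    parser.feed(value)
    parser.close()
    bad_tags = sorted({t for t, _ in parser.tags if t not in allowed_tags})
    bad_attrs = sorted({a for _, names in parser.tags
                        for a in names if a not in allowed_attrs})
    if not bad_tags and not bad_attrs:
        return None
    return f"disallowed tags {bad_tags}, disallowed attributes {bad_attrs}"


def scan_request(form_fields):
    """Run both checks over every field of a submitted form.

    Returns a list of (field name, check name, reason) findings; an empty list
    means the request passed. A deployment would then log or block according
    to the action configured for each check in the profile."""
    findings = []
    for name, value in form_fields.items():
        reason = sql_injection_violation(value)
        if reason:
            findings.append((name, "SQL injection", reason))
        reason = xss_violation(value)
        if reason:
            findings.append((name, "cross-site scripting", reason))
    return findings


if __name__ == "__main__":
    # Constructed submissions: one benign, one carrying both patterns.
    benign = {"username": "O'Brien", "comment": "<b>rock and roll</b>"}
    hostile = {"q": "' OR 1=1 --", "bio": "<img src=x onerror=alert(1)>"}
    print(scan_request(benign))   # []
    for finding in scan_request(hostile):
        print(finding)
```

The "special token and keyword" rule is the reason the guide lets you edit both lists per profile: short keywords such as "or" and "and" are where false positives come from, and removing them from a profile's list trades detection of the simplest tautology patterns for fewer blocked legitimate comments.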
The Application Firewall has special filters, or checks, that look for each of these types of attack and prevent them from succeeding. The checks use a range of filters and techniques to detect each attack, and respond differently to different types of attacks or potential attacks. A potential attack that does not pose a significant threat may simply be logged. If the same pattern of activity does not recur, it probably was not a deliberate attack and no further action is needed.
A series of potential attacks may require a different response, which may include blocking further requests from that source.
The greatest threat against Web sites and applications does not come from known attacks, however. It comes from new and unknown attacks, attacks for which the Application Firewall may not yet have a specific check. For this reason, the core Application Firewall methodology does not rely upon specific checks. It relies upon comparing requests and responses to a profile of normal use of a protected Web site or application. The user helps create the profile during initial configuration and at intervals thereafter by providing certain information to the Application Firewall. The Application Firewall then generates the rest of this profile using its learning feature.
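The profile-based approach can be illustrated with a small example, added here and not part of the guide or of the appliance's learning feature. It learns per-field rules for one Web form (value type, maximum length, and the exact value of hidden fields) from a few benign sample submissions, then reports every way a later request departs from those rules, covering the modified hidden fields, over-long strings, and non-integer values in integer fields listed under Web form security attacks above. The sample submissions, field names, and rule logic are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class FieldRule:
    """What the learned profile expects of one form field."""
    kind: str                # "int", "alnum" or "text"
    max_len: int             # longest value seen during learning
    fixed_values: set = field(default_factory=set)  # hidden fields only


@dataclass
class FormProfile:
    fields: dict = field(default_factory=dict)  # field name -> FieldRule


def _infer_kind(values):
    """Pick the narrowest type that every learned value satisfies."""
    if all(v.lstrip("-").isdigit() for v in values):
        return "int"
    if all(v.isalnum() for v in values):
        return "alnum"
    return "text"


def learn(samples, hidden_fields=()):
    """Build a profile from benign sample submissions (dicts of name -> value).

    In a real deployment the samples come from a learning period over live
    traffic; here they are a constructed list. Fields named in hidden_fields
    are pinned to the exact values observed, because a browser should echo a
    hidden field back unchanged."""
    seen = {}
    for sample in samples:
        for name, value in sample.items():
            seen.setdefault(name, []).append(value)
    profile = FormProfile()
    for name, values in seen.items():
        rule = FieldRule(kind=_infer_kind(values),
                         max_len=max(len(v) for v in values))
        if name in hidden_fields:
            rule.fixed_values = set(values)
        profile.fields[name] = rule
    return profile


def check(profile, request):
    """Return (field, reason) pairs for every way the request departs from
    the profile; an empty list means it fits the learned model."""
    violations = []
    for name, value in request.items():
        rule = profile.fields.get(name)
        if rule is None:
            violations.append((name, "unexpected field"))
            continue
        if rule.fixed_values and value not in rule.fixed_values:
            violations.append((name, "hidden field modified"))
        if len(value) > rule.max_len:
            violations.append((name, f"length {len(value)} exceeds {rule.max_len}"))
        if rule.kind == "int" and not value.lstrip("-").isdigit():
            violations.append((name, "non-integer value in integer field"))
        elif rule.kind == "alnum" and not value.isalnum():
            violations.append((name, "non-alphanumeric value in alphanumeric field"))
    return violations


# Constructed benign submissions used to learn the profile. "price" and
# "csrf" are assumed to be hidden fields of the form.
SAMPLES = [
    {"username": "alice", "qty": "2", "price": "1999", "csrf": "form-v1"},
    {"username": "bob42", "qty": "10", "price": "1999", "csrf": "form-v1"},
]
PROFILE = learn(SAMPLES, hidden_fields=("price", "csrf"))


if __name__ == "__main__":
    ok = {"username": "carol", "qty": "3", "price": "1999", "csrf": "form-v1"}
    tampered = {"username": "carol", "qty": "abc", "price": "1",
                "csrf": "form-v1", "admin": "1"}
    print(check(PROFILE, ok))        # []
    for violation in check(PROFILE, tampered):
        print(violation)
```

Two limits of this toy are exactly what the guide's learning workflow addresses: a maximum length taken from two samples is far too tight for production (learning runs over many requests and an administrator reviews the generated rules before deploying them), and a rule learned from benign traffic only blocks what benign traffic never did, which is why the user-supplied part of the profile still matters.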
Thereafter, if a request or response falls outside of the profile for that Web site or application, either the threat in the request or response is neutralized, or the request or response is blocked. This is called a positive security model, and allows