Presentation on theme: " The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business."— Presentation transcript:
The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business or customer information. It accomplishes this by filtering both requests and responses, examining them for evidence of malicious activity and blocking those that exhibit it.
To use the Application Firewall, you must configure at least one profile to tell it what to do with the connections it filters, one policy to tell it which connections to filter, and then associate the profile with the policy. You can configure an arbitrary number of different profiles and policies to protect more complex Web sites. You can adjust how the Application Firewall operates on all connections in the Engine Settings.
You can enable, disable, and adjust the setting of each security check separately. Finally, you can configure and use the included PCIDSS report to assess your security configuration for compliance with PCI-DSS standard.
The Application Firewall is a filter that sits between Web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects Web servers and Web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, Web server software, and the underlying operating system.
The simplest Application Firewall configuration consists of one profile and one associated policy. Such a configuration, which requires little customization or detailed knowledge about the Application Firewall’s operation, is sufficient for many users. Users with more complex Web sites can perform a simple configuration to provide immediate protection, and then do additional configuration later.
To perform a simple configuration, you enable the Application Firewall, create profile, create a policy, and bind the profile to the policy.
To enable the Application Firewall using the configuration utility 1. In the navigation pane, expand System and click Settings. 2. In the Settings pane, under Modes & Features, click basic features. 3. In the Configure Basic Features dialog box, select the Application Firewall check box. 4. Click OK.
A profile is a collection of security settings that are used to protect specific types of web content or specific parts of your Web site or application. The Application Firewall has two categories of profile: built-in profiles and user-created profiles. Built-in profiles provide out-of-the-box tools for handling simple content that can either be passed on without further filtering, or blocked without further filtering. User-created profiles provide tools for handling more complex content that cannot simply be passed on or blocked without filtering
When configuring a new Application Firewall, after you create your profiles, you must create a policy for each profile. Policies are used to determine whether a request or a response meets specific criteria. When a request or response meets a policy’s criteria, or matches a policy, the Application Firewall then filters the request or response using the associated profile. A policy is a set of parameters that defines a particular type of web content or particular part of a Web site.
The Application Firewall uses policies to determine which profile to use when filtering specific requests or responses. During initial configuration, you create a policy that protects all vulnerable content on your Web sites. Later, if necessary, you can create additional policies that better protect specific parts of your Web site.
If you create more than one policy, you also must set the order in which the Application Firewall tests requests and responses against each policy. This lets you easily create specific policies for special content without requiring changes to the more general policy. You simply set a higher priority for a specific policy than a more general policy.
You can create significantly more complex policies in the Application Firewall, policies that designate specific web pages, specific types of connections, or a complex combination of factors. You can use either classic or advanced policies and expressions to configure the Application Firewall. Classic expressions are simpler, and provide a basic set of tools that allow you to filter requests based on the HTTP header.
Advanced expressions are more complex, and provide a considerably richer set of expression elements, along with options to control the flow of evaluation within a policy bank. These elements and options enable you to maximize the capabilities of Application Firewall. Advanced policies, which comprise a set of rules and actions that use the advanced expression format, further enhance your ability to analyze data at various network layers and at different points along the flow of traffic.
To put a policy and its associated profile into effect, you bind the policy, either globally or to a bind point, and assign it a priority. You bind each policy to activate that policy, so that the NetScaler operating system knows to implement it. The priority you assign determines the order in which your policies are evaluated, allowing you to evaluate the most specific policy first, and more general policies in descending order, finishing with your most general policy.
When you are binding your first policy, which is generic and should apply to all HTTP traffic that is not covered by a more specific policy, you should assign that policy a low priority, so that you can create and bind other, higher-priority policies later without having to reconfigure your first policy.