
Protect your data from web-based attacks with NetScaler Application Firewall Rónán O’Brien Senior Support Readiness May 2012.




1 Protect your data from web-based attacks with NetScaler Application Firewall
Rónán O’Brien Senior Support Readiness May 2012

2 Agenda Application Firewalls Security Models
Application Firewall Wizard Attack Examples Learning Logging Deployment checklist

3 Application Firewalls

4 Application Firewalls
Application implies Layer 7. Not to be confused with Network Firewalls.
Application Firewalls vs Deep Packet Inspection (DPI)
SSL Offload
XML Aware
Payment Card Industry Data Security Standard (PCI-DSS)

Packet filters were seen as faster but could be easily bypassed (e.g. an nmap ACK scan used to pass packet filter firewalls because the packet filter assumed a packet with an ACK was part of an already-established session). Network firewalls have transformed from basic packet filters to stateful packet filters (see CheckPoint's 'stateful inspection' term, as they began to become session aware, e.g. passive FTP) and then to DPI. The DPI firewall will know what valid HTTP is, what FTP should look like etc., but it will not know what is appropriate (data) for your web app. A DPI will typically not be able to detect an XSS or XSRF attack, but it can detect something like Skype (or other protocol anomalies) being tunnelled through HTTP, for example. It will most likely perform basic SQL injection analysis, as it probably looks for '1=1' etc. in the URL or POST body, but it will not 'know' the application.

5 us-cert.gov
Some vulnerability and attack reports can be found at us-cert.gov, the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).

6 Application Firewall citrix.com site

7 Traffic Flow Architecture
Diagram: Client IP -> VIP (Vserver A) -> SNIP -> Server1 IP, Server2 IP, Server3 IP

8 Lab Structure Self contained labs – cloud hosted.
Go to and enter the course code and your business address. Course code: SanFran

9 Lab Structure Click to open Web Interface, where you can launch published XenCenter The digital lab guide is here. Limited printed copies available.

10 LABS 1 & 2

11 Security Models

12 Security Models Positive Security Model – allow only known good traffic Negative Security Model – block only known bad traffic

13 Security Models NetScaler provides both models
Positive and Negative use cases Signatures available for download Learning makes positive security model easier to configure

14 Application Firewall Actions - Blocking
Request side block results in:
- Redirect to root of the website (/) – default.
- Redirect to a URL of your choice (relative or absolute)
- Custom error page served from appliance
- Transform
Response side block results in:
- Termination of response
- X-Out of sensitive data.

15 Application Firewall Actions - Logging
Every block action will be logged. We can choose not to block, but still log the violation. We can create ‘relaxations’ directly from the logs. Logging is on the appliance, or can be sent to 3rd party. Logging is in Syslog format, and as of NetScaler 10 – CEF Format.

16 Application Firewall Actions - Stat
NetScaler AppFirewall will collect stats on violations Reporting is on the appliance Reporting can be performed by 3rd party also (e.g. Splunk or Citrix Command Center).

17 Application Firewall Actions - Learn
NetScaler App Firewall built in learning intelligence Creates Regex rule – so you don’t have to! For scale (when thousands of learned rules are presented), we use the Visualizer.

18 Application Firewall Wizard

19 Application Firewall Wizard
Can be used to modify configs previously created by the wizard. One stop shop for configuring Application Firewall. Positive and Negative security models. Deep Protections. Integrates also with Learning

20 Application Firewall Wizard

21 Lab 3 & 4

22 Attack Examples

23 Forceful Browsing
Experienced internet/application users
Predictable file system layout
Lack of web server security (directory browsing not disabled)
Reconnaissance
Site may be used as attack platform (but otherwise left untouched)

24 URL Closure
Diagram: the served page contains the link <A Href="headline1.htm">; the client then sends GET headline4.htm with Host: newstimes.com, a URL the served page never linked to.
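The check the diagram illustrates, written out as an added example (not code from the presentation or from NetScaler): a per-session allow-list seeded with a start URL, extended with every link found in pages already served, and consulted for each request. The start URL, the newstimes.com page and the regex-based link extraction are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample: the start URL the firewall policy explicitly allows.
START_URLS = {"/index.htm"}

# Link extraction good enough for the constructed page below; a real engine parses the HTML.
LINK_RE = re.compile(r'<a\s+[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


class UrlClosureSession:
    """Per-session allow-list built from the links in pages already served to this client."""

    def __init__(self):
        self.allowed = set(START_URLS)

    def learn_from_response(self, page_url, html):
        """Add the path of every link found in a served page to this session's allow-list."""
        for href in LINK_RE.findall(html):
            absolute = urljoin(page_url, href)
            self.allowed.add(urlparse(absolute).path)

    def check_request(self, path):
        """'allow' if the path is a start URL or was linked from a served page, else 'block'."""
        return "allow" if path in self.allowed else "block"


# Constructed sample page: only headline1.htm is linked, as on the slide.
INDEX_HTML = '<html><body><A Href="headline1.htm">Top story</A></body></html>'


def demo():
    """Walk through the slide's exchange and return the verdict for each request."""
    session = UrlClosureSession()
    results = [session.check_request("/index.htm")]            # start URL -> allow
    session.learn_from_response("http://newstimes.com/index.htm", INDEX_HTML)
    results.append(session.check_request("/headline1.htm"))   # linked from index -> allow
    results.append(session.check_request("/headline4.htm"))   # never linked -> block
    return results
```

A request for headline1.htm made before the index page was served would also be blocked, which is why URL closure needs the start URLs configured explicitly.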

25 Lab 5

26 SQL Injection Uses SQL logic and a vulnerable web form to extract information from the database. Does not impact or violate the web server, but results in unauthorised access to data. Adds an additional SQL command to a non-validated form field.

27 SQL Injection Custom Actions
Violation actions include allowing the request to continue after neutralising the attack. SQL comments can be used to get around basic string scanning protection.
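To show the two points on this slide side by side, here is an added example (not code from the presentation or from NetScaler's engine): a naive substring scanner that inline SQL comments slip past, a scanner that strips comments before looking for a keyword combined with a special character, and a transform that neutralises the value instead of blocking. The sample field values and the keyword list are constructed for the example.

```python
import re

# Constructed sample form field values.
SAMPLES = {
    "benign":        "O'Reilly",
    "plain":         "' OR 1=1 --",
    "comment_split": "' OR 1=/**/1 /**/--",
    "keyword_split": "' UNI/**/ON SEL/**/ECT password FROM users--",
}

NAIVE_PATTERNS = [" or 1=1", "union select"]
# /* ... */ block comments and -- line comments.
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)
KEYWORDS = {"union", "select", "insert", "update", "delete", "drop", "or", "and"}
SPECIALS = set("';")


def naive_scan(value):
    """Substring matching of the kind basic scanners use; a comment inside the pattern defeats it."""
    v = value.lower()
    return any(p in v for p in NAIVE_PATTERNS)


def normalised_scan(value):
    """Strip SQL comments first, then flag a SQL keyword combined with a SQL special character."""
    stripped = COMMENT_RE.sub("", value)
    tokens = set(re.findall(r"[a-z]+", stripped.lower()))
    return bool(tokens & KEYWORDS) and bool(SPECIALS & set(stripped))


def neutralise(value):
    """Transform rather than block: drop comment markers and double single quotes."""
    return COMMENT_RE.sub("", value).replace("'", "''")


def scan_all():
    """Return (naive, normalised) verdicts for every sample."""
    return {name: (naive_scan(v), normalised_scan(v)) for name, v in SAMPLES.items()}
```

The keyword-plus-special-character rule trades false positives ("Rock and Roll's") for resistance to comment splitting, which is why the logging and relaxation features on the earlier slides matter in practice.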

28 Lab 6

29 Cross Site Scripting
Tricking a browser into executing a malicious script. Can be dynamic or static.
Diagram: Customer logs into onlinebank.com and receives onlinebank.com cookies. Malicious user sends the customer an HTTP link, which the user clicks on. Cookies to

30 Lab 7

31 Application Vulnerability Scans
Security companies offer an automated scan to test for known vulnerabilities. Scanning is usually performed on a continual basis as the application itself is changed/developed and new attack methods & vulnerabilities are discovered. NetScaler Application Firewall understands the scan report & suggests the necessary protections to close the security holes.

32 Lab 8

33 Form Field Consistency
Attack method: Client-side modification of form properties.
Vulnerability: Client input not validated.
Result: Compromise of application logic.
Hidden form elements (e.g. prices)
Form structure – e.g. radio buttons, check boxes etc.
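An added example of the check this slide describes (not code from the presentation or from NetScaler): record the fields, types and fixed values of a form as it was served, then compare the posted body against that record so a modified hidden price or an unlisted radio value is caught. The order form, its field names and the sample submissions are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample form served to the client: a hidden price and a fixed set of radio choices.
SERVED_FORM = """
<form action="/buy" method="post">
  <input type="hidden" name="price" value="49.99">
  <input type="radio" name="shipping" value="standard"> Standard
  <input type="radio" name="shipping" value="express"> Express
  <input type="text" name="quantity">
</form>
"""

INPUT_RE = re.compile(r"<input\s+([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Field types whose values the client is not supposed to change.
FIXED_TYPES = {"hidden", "radio", "checkbox"}


def record_form(html):
    """Build the per-session record of each field: its type and the values the server offered."""
    spec = {}
    for attrs in INPUT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        field = spec.setdefault(a["name"], {"type": a["type"], "values": set()})
        if "value" in a:
            field["values"].add(a["value"])
    return spec


def check_submission(spec, body):
    """Compare a POST body with the recorded form; return the first violation, or None if consistent."""
    submitted = parse_qs(body, keep_blank_values=True)
    for name, values in submitted.items():
        if name not in spec:
            return f"unexpected field {name}"
        f = spec[name]
        if f["type"] in FIXED_TYPES and any(v not in f["values"] for v in values):
            return f"field {name} altered to {values}"
    return None  # free-text fields such as quantity are left to other checks
```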

34 Lab 9

35 Protecting Application Cookies
Cookies are web application/web server identity tokens.
Session vs Persistent
Name value configuration
Application Firewall cookie 'proactive' actions include encrypting and proxying cookies (next).
If a cookie is tampered with, the action is to block.

36 Cookie Encryption & Decryption
Diagram: the server sends Set-Cookie: user=bob; the Application Firewall encrypts it so the client receives Set-Cookie: user=KLJDG84NMRG. The client returns Cookie: user=KLJDG84NMRG, which the Application Firewall decrypts back to Cookie: user=bob before forwarding the request to the server.

37 Cookie Proxying
Diagram: the server sends Set-Cookie: user=bob and Set-Cookie: access=limited. The Application Firewall keeps these application cookies in its cookie jar and sends the client a single Set-Cookie: AppfwCookieJar=H77HFDSH908. The client returns Cookie: AppfwCookieJar=H77HFDSH908, and the Application Firewall reinserts Cookie: user=bob and Cookie: access=limited before forwarding the request to the server.
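The proxying exchange in the diagram, as an added example (not code from the presentation or from NetScaler): application Set-Cookie headers are held on the appliance under a random jar id, the client gets only the jar cookie, and on the way back the jar is swapped for the stored cookies while any application cookie the client supplied itself is discarded. An unknown or missing jar id is blocked, as the previous slide states for tampered cookies. Header values and the jar-id scheme are constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

JAR_NAME = "AppfwCookieJar"   # cookie name shown on the slide


class CookieProxy:
    """Keeps application cookies on the appliance and hands the client one opaque jar cookie."""

    def __init__(self):
        self.jars = {}   # jar id -> {cookie name: value}

    def rewrite_response(self, set_cookie_values):
        """Consume the server's Set-Cookie values; return the single header the client gets and the jar id."""
        jar_id = secrets.token_hex(8)   # constructed: a real engine binds this to the client session
        jar = {}
        for value in set_cookie_values:
            c = SimpleCookie()
            c.load(value)               # e.g. "user=bob; Path=/"
            for name, morsel in c.items():
                jar[name] = morsel.value
        self.jars[jar_id] = jar
        return [f"Set-Cookie: {JAR_NAME}={jar_id}"], jar_id

    def rewrite_request(self, cookie_value):
        """Swap the jar cookie for the stored application cookies; block unknown or missing jars."""
        c = SimpleCookie()
        c.load(cookie_value)
        if JAR_NAME not in c:
            return "block", []          # client never received a jar, or dropped it
        jar = self.jars.get(c[JAR_NAME].value)
        if jar is None:
            return "block", []          # forged or tampered jar id
        # Only the stored cookies go to the server; anything else the client sent is ignored.
        return "allow", [f"Cookie: {n}={v}" for n, v in jar.items()]
```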

38 Lab 10

39 Learning

40 Learning
Learned data:
- is used to create rules for the positive security model.
- can be exported to a CSV for analysis.
- is propagated in an HA pair of appliances.
- is stored in RegEx format.
Learning should not be left permanently turned on in production.

41 Lab 11

42 HTML Comment Stripping
Programming comments:
<!--This is a comment. Comments are not displayed in the browser
    but may contain all sorts of temporary information -->
Some scripts include comments:
<script type="text/javascript">
<!--
function displayMsg() {
  alert("Hello World!")
}
//-->
</script>
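The second half of the slide is the catch with comment stripping: a legacy script wrapped in <!-- //--> is itself an HTML comment, so a stripper that removes every comment removes the script body too. This added example (not code from the presentation or from NetScaler) strips comments outside <script> blocks and copies the script blocks through verbatim; the sample page is constructed.

```python
import re

# Constructed page: an informational comment plus a script that wraps its body in <!-- //-->.
PAGE = """<html><body>
<!--This is a comment. TODO: remove staging endpoint /debug before go-live -->
<p>Hello</p>
<script type="text/javascript">
<!--
function displayMsg() { alert("Hello World!") }
//-->
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def strip_comments(html, keep_in_scripts=True):
    """Remove HTML comments; by default leave <script> bodies untouched so legacy scripts keep working."""
    if not keep_in_scripts:
        return COMMENT_RE.sub("", html)     # the naive form: also guts the script above
    out, pos = [], 0
    for m in SCRIPT_RE.finditer(html):
        out.append(COMMENT_RE.sub("", html[pos:m.start()]))   # strip between scripts
        out.append(m.group(0))                                 # copy the script block verbatim
        pos = m.end()
    out.append(COMMENT_RE.sub("", html[pos:]))
    return "".join(out)
```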

43 Lab 12

44 Deployment points to bear in mind

45 Before Turning on Application Firewall
Sizing – look at the web application logs & response sizes.
Decide which parts of the application need to be protected, and whether they require different levels of protection. Some protections are more resource intensive than others.
Clever usage of policies and ACLs can allow only specific groups access to the application, to fill the learning DB with valid traffic patterns.

46 Before you leave… Conference surveys are available online at starting Thursday, May 10 Provide your feedback and pick up a complimentary gift at the registration desk Download presentations starting Monday, May 21, from your My Organizer tool located in your My Account

47 We value your feedback! Take a survey of this session now in the mobile app Click 'Sessions' button Click on today's tab Find this session Click 'Surveys'


