Protect your data from web-based attacks with NetScaler Application Firewall
Rónán O’Brien, Senior Support Readiness, May 2012
Agenda
Application Firewalls
Security Models
Application Firewall Wizard
Attack Examples
Learning
Logging
Deployment checklist
Application Firewalls
Application implies Layer 7
Not to be confused with Network Firewalls
Application Firewalls vs Deep Packet Inspection (DPI)
SSL Offload
XML Aware
Payment Card Industry Data Security Standards (PCI-DSS)
Packet filters were seen as faster but could be easily bypassed (e.g. an nmap ACK scan used to pass packet filter firewalls because the packet filter assumed a packet with an ACK was part of an already-established session). Network firewalls have evolved from basic packet filters to stateful packet filters (see CheckPoint's 'stateful inspection' term, coined as firewalls began to become session aware, e.g. for passive FTP) and then to DPI. A DPI firewall knows what valid HTTP is, what FTP should look like etc., but it does not know what data is appropriate for your web app. A DPI firewall will typically not be able to detect an XSS or XSRF attack, but it can detect something like Skype (or other protocol anomalies) being tunnelled through HTTP, for example. It will most likely perform basic SQL injection analysis, as it probably looks for '1=1' etc. in the URL or POST body, but it will not 'know' the application.
us-cert.gov
Some vulnerability and attack reports can be found on us-cert.gov, the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Application Firewall citrix.com site
Traffic Flow Architecture
Diagram: Client IP → VIP (Vserver A) → SNIP → Server1 IP / Server2 IP / Server3 IP
Lab Structure
Self-contained labs – cloud hosted.
Go to and enter the course code and your business address. Course code: SanFran
Lab Structure
Click to open Web Interface, where you can launch published XenCenter.
The digital lab guide is here. Limited printed copies available.
LABS 1 & 2
Security Models
Security Models
Positive Security Model – allow only known good traffic
Negative Security Model – block only known bad traffic
Security Models NetScaler provides both models
Positive and Negative use cases
Signatures available for download
Learning makes the positive security model easier to configure
Application Firewall Actions - Blocking
Request side block results in:
Redirect to root of the website (/) – default.
Redirect to a URL of your choice (relative or absolute)
Custom error page served from appliance
Transform
Response side block results in:
Termination of response
X-Out of sensitive data.
Application Firewall Actions - Logging
Every block action will be logged. We can choose not to block, but still log the violation. We can create ‘relaxations’ directly from the logs. Logging is on the appliance, or can be sent to 3rd party. Logging is in Syslog format, and as of NetScaler 10 – CEF Format.
Application Firewall Actions - Stat
NetScaler AppFirewall will collect stats on violations Reporting is on the appliance Reporting can be performed by 3rd party also (e.g. Splunk or Citrix Command Center).
Application Firewall Actions - Learn
NetScaler App Firewall has built-in learning intelligence.
Creates the Regex rule – so you don’t have to!
For scale (when thousands of learned rules are presented), we use the Visualizer.
Application Firewall Wizard
Can be used to modify configs previously created by the wizard.
One-stop shop for configuring Application Firewall.
Positive and Negative security models.
Deep Protections.
Also integrates with Learning.
Lab 3 & 4
Attack Examples
Forceful Browsing
Experienced internet\application users
Predictable file system layout
Lack of Web Server security (directory browsing not disabled)
Reconnaissance
Site may be used as an attack platform (but otherwise left untouched)
URL Closure
Diagram: the page served by newstimes.com contains only the link <A Href="headline1.htm">, yet the client sends GET headline4.htm Host: newstimes.com directly; that request lies outside the URL closure.
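The URL closure check behind the forceful-browsing and URL closure slides, as an added Python example (not Citrix code): each served page widens a per-session set of reachable URLs, and a later request is allowed only if it is in that set. The sample page, START_URLS and the demo() helper are constructed for this illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample: the page newstimes.com served to this client. It links to
# headline1.htm, the sports index and a search form, but not to headline4.htm.
SERVED_PAGE = """<html><body>
<a href="headline1.htm">Top story</a>
<a href="/sports/index.htm">Sports</a>
<form action="search.cgi"><input name="q"></form>
</body></html>"""

# Hypothetical "start URLs": pages a client may request with no prior page.
START_URLS = {"http://newstimes.com/", "http://newstimes.com/index.htm"}

_LINK_RE = re.compile(r'(?:href|action)\s*=\s*"([^"]+)"', re.IGNORECASE)

def extract_links(page_url, html):
    """Absolute URLs the page lets a user navigate or submit to."""
    return {urljoin(page_url, target) for target in _LINK_RE.findall(html)}

class UrlClosure:
    """Per-session positive model: a request is allowed only if an earlier
    response to this client linked to it (or it is a start URL)."""

    def __init__(self, start_urls):
        self.allowed = set(start_urls)

    def observe_response(self, page_url, html):
        # Each response widens the closure with the links it contains.
        self.allowed |= extract_links(page_url, html)

    def check_request(self, url):
        # Query string and fragment are ignored: the closure is about which
        # pages the application actually exposed, not their parameters.
        bare = urlparse(url)._replace(query="", fragment="").geturl()
        return bare in self.allowed

def demo():
    """Replays the slide: headline1.htm was linked, headline4.htm was not."""
    session = UrlClosure(START_URLS)
    session.observe_response("http://newstimes.com/index.htm", SERVED_PAGE)
    return {
        "linked": session.check_request("http://newstimes.com/headline1.htm"),
        "search": session.check_request("http://newstimes.com/search.cgi?q=news"),
        "forced": session.check_request("http://newstimes.com/headline4.htm"),
    }
```

A real deployment would also expire the closure with the session and relax it for URLs that legitimately appear in bookmarks or e-mails, which is what the start URL list is for.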
Lab 5
SQL Injection Uses SQL logic and a vulnerable web form to extract information from the database. Does not impact or violate the web server, but results in unauthorised access to data. Adds an additional SQL command to a non-validated form field.
SQL Injection Custom Actions
Violation actions include allowing the request to continue after neutralising the attack. SQL comments can be used to get around basic string scanning protection.
Lab 6
Cross Site Scripting
Tricking a browser into executing a malicious script. Can be dynamic or static.
Diagram: the customer logs into onlinebank.com and receives onlinebank.com cookies; a malicious user sends the customer a HTTP link, which the user clicks on; the customer's cookies are then sent on.
Lab 7
Application Vulnerability Scans
Security companies offer an automated scan to test for known vulnerabilities.
Scanning is usually performed on a continual basis, as the application itself is changed\developed and new attack methods & vulnerabilities are discovered.
NetScaler Application Firewall understands the scan report & suggests the necessary protections to close the security holes.
Lab 8
Form Field Consistency
Attack method: Client-side modification of form properties.
Vulnerability: Client input not validated.
Result: Compromise of application logic.
Hidden form elements (e.g. prices)
Form structure – e.g. radio buttons, check boxes etc.
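One way a firewall can enforce form field consistency, as an added Python example (not NetScaler code): the served hidden values and option sets are signed into a token that travels with the form, and the POST is rejected if a hidden value changed or a radio value is not one the application offered. APPFW_KEY, SERVED_FIELDS and the _appfw_form field name are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical key held only on the appliance (constructed for this demo).
APPFW_KEY = b"constructed-demo-key-change-me"

# Constructed sample: the hidden value and the option sets the application
# actually served in its checkout form. Anything else is a client-side edit.
SERVED_FIELDS = {
    "price": {"type": "hidden", "value": "49.99"},
    "shipping": {"type": "radio", "options": ["standard", "express"]},
}

def make_token(form_id, fields):
    """Token to embed in the outgoing form: the served field spec plus an HMAC
    over it, so a client cannot alter the spec any more than the fields."""
    spec = json.dumps({"form": form_id, "fields": fields}, sort_keys=True)
    payload = base64.urlsafe_b64encode(spec.encode()).decode()
    tag = hmac.new(APPFW_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def parse_token(token):
    """Return the served spec if the tag verifies, else None."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(APPFW_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def check_submission(submitted):
    """Firewall-side check on the POST: hidden values must be unchanged and
    radio/checkbox values must be one of the options that were served."""
    served = parse_token(submitted.get("_appfw_form", ""))
    if served is None:
        return False, "missing or tampered form token"
    for name, spec in served["fields"].items():
        value = submitted.get(name)
        if spec["type"] == "hidden" and value != spec["value"]:
            return False, f"hidden field {name} modified"
        if spec["type"] in ("radio", "checkbox") and value not in spec["options"]:
            return False, f"{name} is not one of the served options"
    return True, "ok"
```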
Lab 9
Protecting Application Cookies
Cookies are Web Application\Web Server identity tokens.
Session vs Persistent
Name value configuration
Application Firewall cookie ‘proactive’ actions include encrypting and proxying cookies (next).
If a cookie is tampered with, the action is to block.
Cookie Encryption & Decryption
Diagram:
Towards the client: Set-Cookie: user=KLJDG84NMRG / Cookie: user=KLJDG84NMRG
Towards the server: Set-Cookie: user=bob / Cookie: user=bob
Cookie Proxying
Diagram:
Application sets: Set-Cookie: user=bob / Set-Cookie: access=limited
Appliance issues to the client: Set-Cookie: AppfwCookieJar=H77HFDSH908 (the application's Set-Cookie: user=bob / Set-Cookie: access=limited are held on the appliance)
Client sends: Cookie: AppfwCookieJar=H77HFDSH908
Appliance forwards to the application: Cookie: user=bob / Cookie: access=limited
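The cookie proxying exchange on the slide above, as an added Python example (not NetScaler code): the appliance absorbs the application's Set-Cookie headers into a server-side jar, hands the client only the AppfwCookieJar id, and restores the real cookies on the way back in. A jar id it does not know, or application cookies the client supplies itself, are treated as tampering. The jar id format, the Secure/HttpOnly attributes and demo() are constructed for this illustration.

```python
import secrets
from http.cookies import SimpleCookie

JAR_COOKIE = "AppfwCookieJar"  # cookie name shown on the slide

class CookieProxy:
    """Holds the application's cookies on the appliance; the client only ever
    receives a single opaque jar id (constructed demo, not NetScaler code)."""

    def __init__(self):
        self.jars = {}  # jar id -> {cookie name: value}

    def rewrite_response(self, set_cookie_values, jar_id=None):
        """Absorb the app's Set-Cookie header values into a jar and return the
        single header value the client should receive instead."""
        if jar_id not in self.jars:
            jar_id = secrets.token_hex(8)
            self.jars[jar_id] = {}
        for value in set_cookie_values:
            parsed = SimpleCookie()
            parsed.load(value)
            for name, morsel in parsed.items():
                self.jars[jar_id][name] = morsel.value
        return [f"{JAR_COOKIE}={jar_id}; HttpOnly; Secure"]

    def rewrite_request(self, cookie_header):
        """Expand the jar id back into the real Cookie header for the server.
        Application cookies supplied by the client are dropped; an unknown
        jar id returns None so the caller can block the request."""
        parsed = SimpleCookie()
        parsed.load(cookie_header or "")
        if JAR_COOKIE not in parsed or parsed[JAR_COOKIE].value not in self.jars:
            return None
        jar = self.jars[parsed[JAR_COOKIE].value]
        return "; ".join(f"{k}={v}" for k, v in sorted(jar.items()))

def demo():
    proxy = CookieProxy()
    to_client = proxy.rewrite_response(["user=bob", "access=limited"])
    jar_id = to_client[0].split(";")[0].split("=", 1)[1]
    # Honest client sends only the jar id; the server sees the original cookies.
    honest = proxy.rewrite_request(f"{JAR_COOKIE}={jar_id}")
    # A client-supplied access cookie is ignored: the jar is authoritative.
    injected = proxy.rewrite_request(f"{JAR_COOKIE}={jar_id}; access=admin")
    # Forged or expired jar id: nothing to restore, so block.
    forged = proxy.rewrite_request(f"{JAR_COOKIE}=0000000000000000")
    return to_client, honest, injected, forged
```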
Lab 10
Learning
Learning
Learned data is used to create rules for the positive security model.
Learned data can be exported to a CSV for analysis.
Learned data is propagated in a HA pair of appliances.
Learned data is stored in RegEx format.
Learning should not be left permanently turned on in production.
Lab 11
HTML Comment Stripping
Programming comments:
<!--This is a comment. Comments are not displayed in the browser
But may contain all sorts of temporary information -->
Some scripts include comments:
<script type="text/javascript">
<!--
function displayMsg() {
  alert("Hello World!")
}
//-->
</script>
Lab 12
Deployment points to bear in mind
Before Turning on Application Firewall
Sizing – look at the web application logs & response sizes.
Decide which parts of the application need to be protected, and if it requires different levels of protection. Some protections are more resource intensive than others.
Clever usage of policies and ACLs can allow only specific groups access to the application, to fill the learning DB with valid traffic patterns.
Before you leave…
Conference surveys are available online at starting Thursday, May 10
Provide your feedback and pick up a complimentary gift at the registration desk
Download presentations starting Monday, May 21, from your My Organizer tool located in your My Account
We value your feedback! Take a survey of this session now in the mobile app:
Click the 'Sessions' button
Click on today's tab
Find this session
Click 'Surveys'