The Citrix Blog
Blogs for tag 'application firewall'


posted by Keira Pack

If you currently manage a Platinum appliance, or are considering migrating to this platform in the future, it is recommended that you take the next step towards optimal Web application delivery with advanced NetScaler training: CNS-300-1I Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Upon successful completion of this course, you will have the expert knowledge required to:

  • Identify common Web attacks and vulnerabilities
  • Write PERL compatible regular expressions
  • Configure Citrix Application Firewall 9.0 to protect Web applications
  • Troubleshoot Citrix Application Firewall 9.0
  • Install and configure Citrix EdgeSight for NetScaler to monitor Web application performance
  • Install, configure and use Citrix Command Center to manage NetScaler devices
  • Configure and use additional advanced features of NetScaler 9.0, including NetScaler Web Logging, HTTP Callout and AAA authentication for Web applications

Register Now
Cost: $4,995 USD
Duration: 5 days
Upcoming Q4 2009 Dates: November 2-6 (San Francisco, CA); November 2-6 (Instructor-led Online); December 14-18 (Instructor-led Online)

Questions? Contact a Citrix Education training specialist at 866-714-1260 or e-mail americaseducation@citrix.com


posted by vamsi Korrapati

A new whitepaper describing the XML firewall features available in NetScaler version 9.x is available here.
It includes a concise summary of the feature capabilities and the types of applications that the Application firewall can secure. Security is a core component of the Application Delivery Controller (ADC) platform. For a broad overview of the security related features available in the NetScaler, get Citrix NetScaler - A Comprehensive Application Security Solution.


posted by vamsi Korrapati

NetScaler Application Firewall devices are commonly deployed as a cluster of devices behind (hopefully) a NetScaler load balancer or Application Delivery Controller (ADC), as we like to call them now. Content switching or URL-based routing decisions are typically made on the load balancer, but some topologies require the flexibility of performing this action from the firewall tier itself. In this case, the firewall is directly connected to the web server tier without a load balancer in between.

The NetScaler Application Firewall can do content switching using the AppExpert policy engine based on any incoming request parameters to direct traffic to backend servers. Upgrading to the Platinum edition will make all NetScaler features available in an integrated platform enabling consolidation of server tiers. This feature is available in NetScaler 9.0 Build 69.x onwards as well as the 9.1 release.


posted by Stefan Drege

Securing Web Applications with an Application Firewall

I have been working with Application Firewalls for quite a few years - many times to protect web applications published in languages and character sets that I didn't understand. Frequently, I have seen these Application Firewall deployment projects get bogged down in pursuit of the perfect policy set.

I have also seen many situations in which this process and application changes actually break these applications.

The NetScaler Application Firewall deployment can also be subject to these issues since the appliance provides extensive application firewall features. Even with the learning capabilities, creating the ideal set of security policies for any application can be a trial and error process that can take significant time.

In this blog, I would like to share an implementation methodology that shortens the deployment, and helps avoid breaking the applications to be protected. Experience has shown that approaching the configuration of the Application Firewall in stages is the key to timely success. This methodology is effective for all types of applications and their needs.

To alleviate the time and risk of varying degrees of policy complexity, break the task into stages. That is, separate the policy configuration into groups of ascending risk.  While some may raise the point that a simplified protection policy set is not complete, it must be remembered that protection stages will build upon each other, and will be better than allowing unfiltered access while all policies are in learning or logging/warning mode.

The benefit of staging is that a basic set of policies are made operational.  Then, the following stages will consist of conducting a repeatable process of "policy tightening" procedures as required by the application.

Stage I

When configuring the NetScaler Application Firewall policies, start with some of the basic protections. Activating the simple, generic policies almost never produces false positives. These typically include:

  • Protect against Cross Site Scripting (XSS) attacks
  • Protect against SQL Injection attacks
  • Protect against Buffer Overflow attacks
  • Prevent Credit Card Leakage
  • Prevent access to system files
  • Alter the contents of the server headers

Activating these policies will typically not break applications. As such, a small user community - with /etc/hosts overrides pointing at the firewall - can be used to validate the configuration over a fairly brief validation period.

More importantly, this is a great start. These policies create security effectiveness that can typically be rated as a level seven on a scale of zero through nine (you can never get to a perfect "10" in security).
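The "Prevent Credit Card Leakage" item above is a response-side check rather than a request-side one, and the reason it rarely produces false positives is that a candidate digit run can be validated with the Luhn checksum before anything is blocked or masked. The following is an added illustration of that check, written for this post; it is not NetScaler code and does not reproduce how the appliance implements the feature. The HTML fragment and the well-known 4111... test number are constructed sample input.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. This is a deliberately broad net; the
# Luhn check below is what keeps it from firing on order numbers and phone numbers.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 from
    any result above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body):
    """Return the digit strings in a response body that look like card numbers
    and pass the Luhn check; everything else is treated as an ordinary number."""
    found = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_card_numbers(body):
    """Rewrite the body so that each Luhn-valid candidate keeps only its last
    four digits; separators are preserved so the page layout is unchanged."""
    def _mask(m):
        text = m.group(0)
        digits = re.sub(r"\D", "", text)
        if not luhn_ok(digits):
            return text            # leave non-card digit runs untouched
        keep = len(digits) - 4
        out, seen = [], 0
        for ch in text:
            if ch.isdigit():
                out.append("x" if seen < keep else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)
    return CARD_RE.sub(_mask, body)


# Constructed sample response: one real-looking card number (the standard
# 4111 test value), one 16-digit order number that fails Luhn, and a phone number.
SAMPLE_RESPONSE = (
    "<p>Order 1234567890123456 confirmed.</p>\n"
    "<p>Paid with card 4111 1111 1111 1111.</p>\n"
    "<p>Questions? Call 555-0100.</p>\n"
)


if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_RESPONSE))
    print(mask_card_numbers(SAMPLE_RESPONSE))
```

In a log-only stage you would record what `find_card_numbers` returns; once you are satisfied it is not matching legitimate numbers in the application's pages, switch to the masking behaviour. The order number in the sample shows the value of the checksum: without it the broad regex would have flagged it.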

Stage II

The next stage will include applying policies that require more application validation to determine the application specific relaxation adjustments ("policy overrides").

But first, don't forget to ask yourself if this application actually requires tightened policies.

If so, Stage II protections should be sequenced: block cookie tampering first. Then, move on to blocking tampering with the values of parameters and/or hidden form fields.

Start with cookie poisoning prevention ("Cookie Consistency"). It will likely require the fewest relaxations, so it builds on the Stage I successes most rapidly.

To do this, use the learning process to identify the cookies that are legitimately altered between the response and request process. Minimally, relaxations will be required for cookies that are set and modified by third party monitoring services. Again, because of the staging, this learning can happen while the basic policies are in place and actively applying their protection mechanisms.

If further tightening is required, focus on creating policies that prevent users from tampering with the values of parameter and hidden form fields. This is achieved by activating "Field Consistency" learning in the NetScaler application firewall. Depending on the architecture of the application or a frequent use of client side scripting, these policies carry a higher risk of blocking legitimate requests. These policies thus require a more extensive learning period and associated relaxation overrides.

It should also be noted that these Stage II policies and their relaxations do have a tendency to be susceptible to producing false positives as applications change, and should be re-evaluated in conjunction with major application changes.
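The learn-then-relax-then-block cycle that Stage II describes, for both Cookie Consistency and Field Consistency, can be shown end to end in a few dozen lines. The code below is an added example written for this post, not NetScaler's implementation: it models each response/request pair as an `Exchange`, counts the cookies and hidden fields the client altered while the policy is in learn mode, turns the frequently altered names into relaxation candidates, and only then switches to block mode. The traffic (a session cookie `sid`, a third-party monitoring cookie `_mon` that client-side script rewrites on every page, and a hidden `price` field) is constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Exchange:
    """One response/request pair as the firewall sees it."""
    set_cookies: dict      # cookies the server set in its response
    hidden_fields: dict    # hidden form field values rendered in that response
    req_cookies: dict      # cookies the client sent on the follow-up request
    req_fields: dict       # form values the client submitted


@dataclass
class Policy:
    mode: str = "learn"    # "learn": record only, never block; "block": enforce
    cookie_relaxations: set = field(default_factory=set)
    field_relaxations: set = field(default_factory=set)
    learned: Counter = field(default_factory=Counter)


def find_violations(ex):
    """Return (kind, name) for each cookie the client changed or introduced, and
    for each hidden field whose submitted value differs from the rendered one.
    Visible (non-hidden) fields are user-editable and are not checked."""
    out = []
    for name, value in ex.req_cookies.items():
        if name not in ex.set_cookies or ex.set_cookies[name] != value:
            out.append(("cookie", name))
    for name, value in ex.req_fields.items():
        if name in ex.hidden_fields and ex.hidden_fields[name] != value:
            out.append(("field", name))
    return out


def evaluate(policy, ex):
    """Apply the policy to one exchange: returns (action, violations), where
    violations already exclude names covered by a relaxation."""
    violations = []
    for kind, name in find_violations(ex):
        relaxed = policy.cookie_relaxations if kind == "cookie" else policy.field_relaxations
        if name not in relaxed:
            violations.append((kind, name))
    if policy.mode == "learn":
        policy.learned.update(violations)   # count it, but let the request through
        return "allow", violations
    return ("block" if violations else "allow"), violations


def suggest_relaxations(policy, min_hits):
    """Learning output: names altered in at least min_hits exchanges are the
    relaxation candidates an administrator would review."""
    return {
        kind: {name for (k, name), hits in policy.learned.items()
               if k == kind and hits >= min_hits}
        for kind in ("cookie", "field")
    }


# Constructed sample traffic. The "_mon" cookie stands in for a third-party
# monitoring cookie rewritten by client-side script; "price" is a hidden field.
SAMPLE = [
    Exchange({"sid": "a1", "_mon": "t=1"}, {"price": "19.99"},
             {"sid": "a1", "_mon": "t=2"}, {"price": "19.99", "qty": "2"}),
    Exchange({"sid": "a1", "_mon": "t=2"}, {"price": "19.99"},
             {"sid": "a1", "_mon": "t=3"}, {"price": "19.99", "qty": "1"}),
    Exchange({"sid": "b7", "_mon": "t=9"}, {"price": "49.00"},
             {"sid": "b7", "_mon": "t=10"}, {"price": "49.00", "qty": "3"}),
]
# A request in which the client rewrote the hidden price field.
TAMPERED = Exchange({"sid": "c3", "_mon": "t=4"}, {"price": "49.00"},
                    {"sid": "c3", "_mon": "t=5"}, {"price": "0.01", "qty": "1"})


def run_staged_deployment():
    """Stage II as the post lays it out: learn, relax what learning shows is
    legitimate, then enforce. Returns the suggestions and two block-mode results."""
    policy = Policy(mode="learn")
    for ex in SAMPLE:
        evaluate(policy, ex)
    suggested = suggest_relaxations(policy, min_hits=3)
    policy.cookie_relaxations |= suggested["cookie"]
    policy.field_relaxations |= suggested["field"]
    policy.mode = "block"
    return suggested, evaluate(policy, SAMPLE[0]), evaluate(policy, TAMPERED)


if __name__ == "__main__":
    print(run_staged_deployment())
```

Two design points carry over to a real deployment. First, the learn phase never blocks, which is exactly why it can run while the Stage I policies are already enforcing. Second, `min_hits` is the knob that separates a cookie rewritten by a monitoring script on every page (seen in every session, so a relaxation candidate) from a one-off tampered value (seen once, so still a violation), and every candidate should be reviewed rather than applied automatically.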

Stage III and Beyond

If the application contains highly sensitive information and undergoes frequent changes, further security configuration may be required.

Stage III typically involves enforcing field formats and enforcing user navigation paths. Adding restrictions to field input types, such as date formats, and more, will require further time for learning these application attributes. Be aware that these policies will also be more likely to be sensitive to application changes.

Enabling the "Start URL" facility allows users to access only the specifically stated URL types. Due to the flexibility inherent in application architectures, however, these restrictions may require modification to include additional request types present in a particular application.

Lastly, carefully consider activating "URL Closure" to control the flow of access by users. Enforcement of this policy set disallows users from navigating to locations not previously offered by an application response. These policies may require significant application validation if client side scripts modify URLs, or if FLASH objects contain links.

The above policies tend to push the needle towards the nine level, but they are more likely to cause false positives during policy refinement or when the application changes. Leaving them to Stage III, however, means the Stage I and Stage II policies continue to protect the application during that refinement.

Summary

Personally, when I plan my application firewall deployments, I always attack the assignment in the phases outlined above. I focus on the quick return policies first. Then I take time to consider if the sensitivities of the specific application even warrant the extra effort of going all the way to Stage III. This last question can produce some interesting answers that pit my application security ideals against the practicalities driven by the depth of my current to-do list.

And then, of course, this staged approach may be completely ignored in situations in which a specific application has just suffered an attack through a specific Stage III vulnerability. Such situations may warrant overriding the staged approach and focusing on addressing the impacted vulnerability immediately.

Also, don't forget to sign on to MyCitrix and download the Application Hacking Kit and actually try some of the most common application attacks on the BadStore application!


posted by Craig Ellrod

Entity Templates

An entity template simplifies configuration by providing a set of configured defaults for a policy, service, action, or other configuration entity. After you create an entity template, it can be reused with specific instances of entities of the same type. For example, an entity template created for load balancing can be used to create the same load balancing configuration on the same load balancer, or on a different NetScaler or NetScalers.

Entity Templates are most helpful when you have built your configuration for an entity such as load balancing and want to duplicate it across the organization's load balancers without having to re-type all of the configuration commands. In fact, the entity template manager allows you to prompt the user for certain configuration parameters at import time, such as IP address and port number, which might be specific to a certain locality.

Application Templates

The NetScaler includes the ability to create and manage application templates that give the administrator a way to configure the NetScaler to handle application-specific traffic without directly configuring NetScaler entities. An application template is a reusable bundle of an application's configuration information and can be exported after creation for use on other NetScalers. These templates can be created once and then re-used across multiple NetScalers.

Application vs. Entity Templates

Entity Templates simplify configuration by providing a set of configured defaults for a specific configuration entity, such as load balancing, rewrite or content switching.

Application Templates simplify configuration by providing configuration details for all entities for an application, such as SharePoint, SAP, Oracle, or other web-based applications. Application Templates are more comprehensive and contain configuration details for caching, compression, load balancing, SSL offload, rewrite, filtering, responder and application firewall. For one application you might have several policies in each of these categories saved into an Application Template.

Both Entity and Application Templates can be exported and imported for ease of use across different NetScalers. All of the configuration policies, including all expressions, pattern sets and policy labels are exported with the Entity or Application Template - once you define your policies, you don't have to define them again.

Watch how easy this is:


Tap into the power of AppExpert!


posted by Craig Ellrod

The #1 Web Filter by St. Bernard is now Citrix Ready. The highest-performance Web application solution from Citrix Systems can now be deployed with the #1 Web Filter by St. Bernard. IDC ranked them #1, SC Magazine gives them high ratings, and you will agree when you plug this thing in. The Citrix Web Application Firewall protects inbound traffic destined for Web and application servers without degrading throughput or response time. Now, with St. Bernard's iPrism h-Series high performance appliances, you can also do outbound Web filtering, IM/P2P filtering, and antivirus detection. The iPrism Web Filter is optimized for the datacenter infrastructure and sits behind the firewall while it monitors traffic. St. Bernard's platforms are hybrid, so that Web filtering, antivirus and IM/P2P filtering are all contained within one box - unlike other point solutions.

St. Bernard's iPrism Web Filter is easy to use and easy to manage. In fact, it's so easy that we had the device up and running in Proxy mode and then in Bridge mode in a matter of seconds. The management software auto-discovers the box, so you don't have to plug in a console cable - very nice!

It is far better than a transparent proxy because St.Bernard has engineered their filtering technology at the kernel level, so their bridge mode really is a bridge between interfaces, and not just a transparent proxy like other solutions in the market.

We deployed the iPrism Web Filter behind our NetScaler, and had the NetScaler perform NAT (Reverse NAT) for outbound connections to the Internet. The iPrism Web Filter adds another level of security that IT organizations sometimes look for to complement their existing base of high-performance Citrix Gear.

Citrix & St.Bernard Deployment Guide!

You can try this product for free.

The product demo is awesome.

As a hybrid unit, this is a steal.

NetScaler Developer Network!
