Follow on Twitter
Post to Twitter
XML firewall
In 9.0, the Application Firewall can be used to protect applications that use XML payloads. These applications include SOAP-based Web services, AJAX applications and REST-based applications that use XML. XML specific security features include
- XML Denial of Service protection,
- XML Well-formedness check,
- XML attachment detection,
- Message validation (Schema)
- Cross Site scripting and SQL Injection protection
- Web services Interoperability (WSI) check
XML protection is integrated into the Application Firewall. So all applicable firewall features including Start and Deny URLs, Buffer overflow, Cookie protection and Safe Object checks are available. More details on the XML firewall functionality can be found at XML Security Features in Netscaler 9.0
Application Firewall - Integrated Caching interoperability
The 9.0 release has full interoperability between the Application firewall and the Integrated Caching (IC) module on the Netscaler. In the 8.1 release, the Application firewall supports IC for features that do not require parsing the response body. In 9.0, this restriction is removed. This results in better performance if the application html pages are cacheable. Features like Form field consistency and URL closure benefit from this new functionality.
URL Transform module
URL transform module provides an easy regular expression based approach to rewrite requests and response URLs. This feature is available separate from the application firewall license. It builds on the application firewall parsing technology to rewrite only valid html links.
Custom error pages
When the Application Firewall detects and blocks an invalid request, it can serve out a custom HTML response that has been uploaded or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.
NetScaler's Application Firewall offers great protection for Web Applications via a positive security model that lets the user decide what is allowed to reach their web server. Web site vulnerability and compliance requirements can be met by deploying this integrated firewall.
But the concept of the web is changing. Expanding beyond the traditional web pages, many sites now include programmable interfaces accessible via XML based APIs. While web sites are mainly for consumers, the programmable APIs are used by business partners and customers to automate and integrate systems. The APIs are also getting used by emerging Web 2.0 enabled Rich Internet Applications (such as Adobe Flex and Microsoft Silverlight) that get deployed inside a consumer's browser. Once deployed, these RIAs will make active and passive calls to the exposed APIs of a web site. Often exchanging information in the background using an XML based protocol like REST or Web Services.
As the Web and programmatic APIs continue to become more of an integrated offering, it is important to provide security for the APIs as well as for the Web site. NetScaler 9.0 introduces a major new module inside the Application Firewall centered on XML Security. With these new capabilities, users will be able to simultaneously secure HTML based web sites as well as XML based REST and Web Services APIs.
Useful Links
One of the long awaited new features in NetScaler 9.0 is XML security. In 2007, Citrix acquired QuickTree, a small privately-held software technology provider on the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0. With Netscaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the Netscaler web application delivery appliance.
Some the XML Security Features available in the new NetScaler release:
Many news reports have recently identified the increased threat to web sites and applications from SQL injections, the most recent example being the Nihaorr1 script that resulted in over 600,000 sites being infected even including the Department of Homeland Security and the UN. Although initially identified as a Windows IIS server vulnerability, the root cause of the recent exposure goes beyond IIS and has identified lax web application coding as the culprit. A Register interview with the DHS assistant secretary for Cybersecurity is quoted as saying " our networks are only as strong as the weakest link " which makes sense but also identifies how vulnerable web applications are on the web. If a company is relying on the variability of programmer security knowledge and limited QA testing to protect their web app from yet to be defined threats, it's no wonder that so many sites are exposed and hacked.
Perhaps one of the ways to better protect an organization from the next undefined attack is to look at minimizing the impact of variability. A common best practice in the manufacturing industry is to evaluate every process and implement techniques and tools to reduce variability so as not be overly dependent on a final test or inspection which always has some level of escapes. This is the core of the Six Sigma technique that many world class manufacturers utilize to improve product quality.
As applied to IT protecting Web Applications, a tool that can be implemented to reduce the impact of programmer variability is to utilize a Web App firewall such the positive security model feature of the NetScaler Application Firewall. This feature recognizes best coding practices for HTML and Industry HTTP standards and automatically blocks Web App behavior and variations outside a known-good model. The result is a significant reduction in the risk created by variable programmer skills and expensive but incomplete QA testing. In the specific example of the Nihaorr1 attack, a recent test validated that the NetScaler Firewall was indeed able to block the Nihaorr1 script using the default configurations. Additionally the learning features of the App Firewall can be used for more granular configurations and protection as well.
So before the next threat to your web applications is discovered, it may be worth further investigation as to the human influence of variability in IT operations and consider steps to mitigate the risks.
Hundreds of Thousands of Web Servers have been getting hacked, including several at the United Nations. The appearance is that the hack exploits a vulnerability in Microsoft IIS because of a Microsoft SQL Specific injection payload, however the attack is capable of infecting any type of web server open to SQL Injection and Cross Site Scriting (XSS) attacks.
Microsoft released some security bulletins (951306, MS08-006) stating vulnerabilities in their IIS web server, alluding to the vulnerabilities recently brought to light. A script homed at nihaorr1.com based in China was found to be infecting many servers, and spreading quickly. Further research into the problem indicates that non-Microsoft types of servers may also be affected by the attack.
As of May 12, 2008, Google's Index had 1,700,000 infected pages. The domains currently being injected that contain the malicious Javascript are:
- nihaorr1.com
- 2117966.net
- aspder.com
- haoliuliang.net
- nmidahena.com
- free.hostpinoy.info
- xprmn4u.info
- winzipices.cn
- wowgm1.cn
- killwow1.cn
- wowyeye.cn
- wowgm1.cn
- winzipices.cn
This vulnerability and others like it can easily be stopped with a Citrix Web Application Firewall using default policies to block SQL injection and Cross Site Scripting. We setup a demo in our lab, to show how easy it is to configure and block this type of threat.
See the mailicious script in action:
Watch how Citrix Web App Firewall blocks the malicious script:
See how easy it is to configure the Citrix Web App Firewall:
Read about the Citrix Application Firewall here.
Buy the Citrix Application Firewall here.
Tap into the power of AppExpert
So, this is my first ever blog post. Thought I share a diagram that I been using since December when the two products were married together. It been passed around, so you may have seen it before. It is also starting to get awefully busy, so things like CRL are left off.
