• View Communities
    • Citrix Developer Network
      The place for unfiltered straight talk on Citrix products. Blogs, code downloads, best practices, APIs, and more can all be found here.
    • Citrix Ready Community Verified
      Does it work with Citrix? Application compatibility questions are a thing of the past with the new Citrix Community Verified site.
    • Blogs
      Learn the latest from the Citrix employees who are building application delivery infrastructure technologies.
    • Blogosphere
      The Citrix Blogosphere is a window into the thousands of conversations taking place about Citrix and Application Delivery.
  •  Sign In
The Citrix Blog
Blogs for tag 'validation'

Permalink | Twitter Post to Twitter | Comments (1) | Views (7209) |

20 Nov 2008 01:30 PM EST
What is new in the Application firewall in 9.0?
[ Tags:  appfirewall ,   xml ,   soa ,   security ,   firewall ,   soap ,   woa ,   rest ,   validation ,   xdos ,   xss ,   web services ,   sql injection ,   web 2 ,   threat protection ,   denial of service ,   nonspecific ]
posted by vamsi Korrapati

XML firewall

In 9.0, the Application Firewall can be used to protect applications that use XML payloads. These applications include SOAP-based Web services, AJAX applications and REST-based applications that use XML. XML specific security features include

  •     XML Denial of Service protection,
  •     XML Well-formedness check,
  •     XML attachment detection,
  •     Message validation (Schema)
  •     Cross Site scripting and SQL Injection protection
  •     Web services Interoperability (WSI) check

 XML protection is integrated into the Application Firewall. So all applicable firewall features including Start and Deny URLs, Buffer overflow, Cookie protection and Safe Object checks are available. More details on the XML firewall functionality can be found at XML Security Features in Netscaler 9.0

Application Firewall - Integrated Caching interoperability

The 9.0 release has full interoperability between the Application firewall and the Integrated Caching (IC) module on the Netscaler. In the 8.1 release, the Application firewall supports IC for features that do not require parsing the response body.  In 9.0, this restriction is removed. This results in better performance if the application html pages are cacheable. Features like Form field consistency and URL closure benefit from this new functionality.

URL Transform module

URL transform module provides an easy regular expression based approach to rewrite requests and response URLs. This feature is available separate from the application firewall license. It builds on the application firewall parsing technology to rewrite only valid html links.

Custom error pages

When the Application Firewall detects and blocks an invalid request, it can serve out a custom HTML response that has been uploaded or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.

Expand Blog Post
Permalink | Twitter Post to Twitter | Comments (0) | Views (8830) |

14 Nov 2008 01:06 PM EST
XML Security Features in Netscaler 9.0
[ Tags:  xml ,   soa ,   woa ,   rest ,   security ,   firewall ,   validation ,   soap ,   xdos ,   netscaler ,   web 2 ,   web services ,   threat protection ,   sql injection ,   denial of service ]
posted by Sridhar Guthula

One of the long awaited new features in NetScaler 9.0 is XML security.  In 2007, Citrix acquired QuickTree, a small privately-held software technology provider on the forefront of addressing the key security and performance challenges of XML, web services and Web 2.0.  With Netscaler 9.0 the XML security capabilities acquired from QuickTree are fully integrated into the Netscaler web application delivery appliance.

Some the XML Security Features available in the new NetScaler release:

Feature

Benefits

Format Checks Prevents malformed or not well-formed messages from reaching the server.
Denial of Service Prevention Thwart attacks (like large elements, deeply nested messages, etc.) that attempt to exhaust server resources or exploit weakness in the xml parsers and applications on the server.
Recursive Expansion Attack Prevention Protects against messages containing recursive entity expansion attacks in their document type definition (DTD).
External Entity Attack Prevention Prevents server from processing data from untrusted sources.
XML Attachment Security Protects against attachments that contain malicious executables and viruses from reaching the server
SQL Injection Check Protects back-end SQL-based database servers and prevents from hackers obtaining information that they were not entitled to obtain
Cross-site Scripting Check Prevents Web 2.0 applications from cross-site scripting attacks
Start URLs Prevent against forceful scanning for services on a server.
Deny URLs Prevents attacks against various known security weaknesses that exist in different web servers
Cookie Consistency Protect sensitive data by preventing hackers from logging in under other user's credentials.
Buffer Overflow Prevents attacks against insecure operating system or web server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle.
Service Obfuscation Protects against service scanning attacks by rewriteing end-point locations to obfuscate the true location of the service.
SOAP Message Validation Ensures only messages that are compliant with the SOAP and WSDL standards reach the server and offloads this validation process from the server.
XML Schema Validation Ensures only messages that are compliant with a given XML Schema reach the server and offloads this validation process from the server.
Web Services Interoperability Checks Performs a wide variety of checks on SOAP messages to ensure that they are compliant with Web Services Interoperability Organization (WS-I) recommendations.
Data Leak Prevention Prevents credit card and other sensitive business data from leaving the organization.
Service Proxy Provides transport level security for all XML and Web Services messages by acting as the SSL proxy.
Rate Limiting Prevents overwhelming the server by limiting the number of requests per second
PCI DSS Report Provides a detailed Payment Card Industry (PCI) Data Security Standard (DSS) report which lists all the relevant PCI DSS criteria
Alerts Via SNMP Alerts a designated person or server when a there is a security violation.
Violation Counters Displays counters for monitoring all violations.
Historic Charts Built-in and customizable charts for viewing historic traffic patterns and violations.
Express Configuration Protects XML applications right out of the box with very little configuration and maintenance
Secures All Flavors of XML Applications With the combination of XML, HTML, and HTTP security features, a single appliance can protect Plain-old-XML (POX), SOAP, REST, Web 2.0, .Net and all other flavors of XML applications.


Expand Blog Post