Using Rewrite to Improve Web Server Security

Added by Catherine Hampton, last edited by Catherine Hampton on Apr 08, 2008

This article shows how to use NetScaler Rewrite policies to harden the web servers behind the appliance by stripping or masking response headers that would otherwise hand useful reconnaissance data to an attacker.

Summary

In the past two years, criminals engaged in identity theft, phishing, spamming and similar activities have increasingly stopped hosting their sites on web servers of their own. Instead, they use viruses, trojans and exploits for flaws in web site scripts, web server software and the underlying operating system to take control of other people's servers and workstations, and then host their web sites and DNS servers on those compromised machines.

The Citrix Application Firewall protects web servers from these attacks. You can add to that protection with another feature of the Citrix NetScaler appliance, Rewrite, which lets you modify the entire HTTP request and response, headers and body alike, as it passes through the appliance. Note that Rewrite only affects traffic that actually traverses the vserver; a backend that is reachable directly still sends its original headers. The following sections show two uses of the feature: removing unnecessary HTTP headers and masking the web server software type.

Remove Unnecessary HTTP Headers

Web servers add many headers to the responses they send. Some of these headers are not needed by legitimate users but contain information that helps an attacker profile your web server. For example, the Content-Location header, which servers such as Apache emit when content negotiation (MultiViews) selects a file, is of no use to the client but reveals the real file name on the server's file system, and with it the server type and naming conventions. Removing it does not affect browsers. You can remove this header as shown below:

      > add rewrite action "act_delete-content-location" delete_http_header "Content-Location"
      > add rewrite policy "pol_delete-content-location" true "act_delete-content-location"
      > bind lb vserver <vservername> -policyName "pol_delete-content-location" -priority <prioritynumber> -gotoPriorityExpression NEXT -type RESPONSE

For <vservername>, substitute the name of your load-balancing vserver. For <prioritynumber>, substitute a positive integer that represents the priority of the policy (lower numbers are evaluated first). The -gotoPriorityExpression NEXT setting makes evaluation continue with the next rewrite policy after this one matches, so several header rewrites can apply to the same response.

You can use this procedure to create similar Rewrite policies to remove other headers that users do not need and that contain information about your web server.

Mask the Web Server Software Type

Web servers add a Server header to responses that gives the type and version of the web server software. Clients do not need this information, but it is extremely useful to an attacker choosing which exploits to try. The header is optional in HTTP, so deleting it would not break clients; however, a missing Server header is itself a fingerprint of a proxy or a hardened site, so the usual practice is to replace its contents with an innocuous, uninformative string. Treat this as one layer only: fingerprinting tools also identify servers from header order, error pages and ETag formats, so remove other identifying headers (X-Powered-By, X-AspNet-Version and similar) and customize error pages as well. The replace action below acts on an existing Server header; if the backend sends none, there is nothing for it to replace.

      > add rewrite action "act_obscure-server" replace "HTTP.RES.HEADER(\"Server\")" "\"Web Server 1.0\""
      > add rewrite policy "pol_obscure-server" true "act_obscure-server"
      > bind rewrite global "pol_obscure-server" <prioritynumber> NEXT -type RES_DEFAULT

For <prioritynumber>, substitute a positive integer that represents the priority of the policy. This binding is global, so the policy applies to responses from every vserver on the appliance; to limit it to one site, bind the policy to that load-balancing vserver with -type RESPONSE as in the previous example instead.

You can use the same procedure to rewrite other HTTP headers: change the expression in the replace action to name the header and the string you want clients to see.
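As an added example, not part of the original article and not Citrix's own tooling, the Python script below ties the two procedures together. It parses a response (a constructed sample, or a live fetch when given a URL), flags headers that reveal the server software or on-disk layout, and prints the rewrite action, policy and global binding commands for each, following the naming scheme and the "Web Server 1.0" mask value used above. The list of leaky headers, the priority spacing and the act_/pol_ name prefixes are assumptions made for the example.

```python
"""Audit HTTP response headers for server-fingerprinting data and emit the
NetScaler rewrite commands that strip or mask them.

Example code written for this article, not Citrix's code. The header list,
mask value and naming scheme are assumptions chosen for the example.
"""
import http.client
from urllib.parse import urlsplit

# Headers whose values identify the server software, framework or on-disk
# layout. "delete" removes the header; "mask" keeps it but replaces the value.
# This list is an assumption for the example; extend it for your platform.
LEAKY_HEADERS = {
    "server": "mask",
    "x-powered-by": "delete",
    "x-aspnet-version": "delete",
    "x-aspnetmvc-version": "delete",
    "content-location": "delete",
}
MASK_VALUE = "Web Server 1.0"   # the innocuous string used in the article

# Constructed sample response, as a backend might emit it before rewriting.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 08 Apr 2008 12:00:00 GMT\r\n"
    b"Server: Apache/2.2.8 (Unix) PHP/5.2.5\r\n"
    b"X-Powered-By: PHP/5.2.5\r\n"
    b"Content-Location: index.html.en\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Parse a raw HTTP/1.x response head into {lowercase-name: value}."""
    if isinstance(raw, bytes):
        raw = raw.decode("iso-8859-1")
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaks(headers):
    """Return [(name, value, action)] for headers that should be removed or
    masked. A Server header already carrying MASK_VALUE is not a leak, so the
    same function verifies a vserver after the policies are bound."""
    leaks = []
    for name, value in headers.items():
        action = LEAKY_HEADERS.get(name)
        if action is None or (action == "mask" and value == MASK_VALUE):
            continue
        leaks.append((name, value, action))
    return leaks


def canonical(name):
    """content-location -> Content-Location (names are case-insensitive)."""
    return "-".join(part.capitalize() for part in name.split("-"))


def rewrite_commands(leaks, priority=100, step=10):
    """Emit NetScaler CLI lines for each leak: a rewrite action, a policy with
    rule 'true', and a global response-time binding. Priorities are spaced so
    policies can be inserted later; NEXT keeps evaluating so every header
    rewrite applies to the same response."""
    cmds = []
    for name, _value, action in leaks:
        hdr = canonical(name)
        if action == "delete":
            act, pol = "act_delete-" + name, "pol_delete-" + name
            cmds.append('add rewrite action "{}" delete_http_header "{}"'.format(act, hdr))
        else:
            act, pol = "act_mask-" + name, "pol_mask-" + name
            cmds.append('add rewrite action "{}" replace "HTTP.RES.HEADER(\\"{}\\")" "\\"{}\\""'
                        .format(act, hdr, MASK_VALUE))
        cmds.append('add rewrite policy "{}" true "{}"'.format(pol, act))
        cmds.append('bind rewrite global "{}" {} NEXT -type RES_DEFAULT'.format(pol, priority))
        priority += step
    return cmds


def fetch_headers(url):
    """Live check: fetch the URL through the vserver and return its headers."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=10)
    conn.request("GET", u.path or "/")
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}


if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_headers(SAMPLE_RESPONSE)
    found = find_leaks(hdrs)
    for name, value, action in found:
        print("{}: {}: {}".format(action.upper(), canonical(name), value))
    print("\n".join(rewrite_commands(found)))
```

Run it once against the backend (or with no argument, on the built-in sample) to get the commands, and again against the vserver after binding the policies: a response whose Server header already reads "Web Server 1.0" and that no longer carries the other headers produces no leaks and no commands, which is the check that the rewrite is actually in the path.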

More Information