    Richard Faulkner
    • Validation Status: Validated
      Summary: NetScaler ADC VPX on AWS Deployment Guide Part 2
      Has Video?: No

    NetScaler ADC VPX on AWS Deployment Guide Part 2

    Contributed By: Luis Ugarte and Beth Pollack

    Continued from Part 1

    Overview

    Application Security Protection

    NetScaler ADM

    NetScaler Application Delivery Management Service (NetScaler ADM) provides a scalable solution to manage NetScaler ADC deployments that include NetScaler ADC MPX, NetScaler ADC VPX, NetScaler Gateway, NetScaler Secure Web Gateway, NetScaler ADC SDX, NetScaler ADC CPX, and NetScaler SD-WAN appliances that are deployed on-premises or on the cloud.

    NetScaler ADM Application Analytics and Management Features

    The following features are key to the ADM role in App Security.

    Application Analytics and Management

    The Application Analytics and Management feature of NetScaler ADM strengthens the application-centric approach to help users address various application delivery challenges. This approach gives users visibility into the health scores of applications, helps users determine the security risks, and helps users detect anomalies in the application traffic flows and take corrective actions. The most important among these roles for App Security is Application Security Analytics:

    • Application Security Analytics. The App Security Dashboard provides a holistic view of the security status of user applications. For example, it shows key security metrics such as security violations, signature violations, and threat indexes. The App Security dashboard also displays attack-related information such as SYN attacks, small window attacks, and DNS flood attacks for the discovered NetScaler ADC instances.

    StyleBooks

    StyleBooks simplify the task of managing complex NetScaler ADC configurations for user applications. A StyleBook is a template that users can use to create and manage NetScaler ADC configurations. Here users are primarily concerned with the StyleBook used to deploy the Web Application Firewall. For more information on StyleBooks, see: StyleBooks.

    Analytics

    Provides an easy and scalable way to look into the various insights of the NetScaler ADC instances’ data to describe, predict, and improve application performance. Users can use one or more analytics features simultaneously. Most important among these roles for App Security are:

    • Security Insight. Provides a single-pane solution to help users assess user application security status and take corrective actions to secure user applications.

    • Bot Insight

    • For more information on analytics, see: Analytics.

    Other features that are important to ADM functionality are:

    Event Management

    Events represent occurrences of events or errors on a managed NetScaler ADC instance. For example, when there is a system failure or change in configuration, an event is generated and recorded on NetScaler ADM. Following are the related features that users can configure or view by using NetScaler ADM:

    For more information on event management, see: Events.

    Instance Management

    Enables users to manage the NetScaler ADC, NetScaler Gateway, NetScaler Secure Web Gateway, and NetScaler SD-WAN instances. For more information on instance management, see: Adding Instances.

    License Management

    Allows users to manage NetScaler ADC licenses by configuring NetScaler ADM as a license manager.

    • NetScaler ADC Pooled Capacity. A common license pool from which a user NetScaler ADC instance can check out one instance license and only as much bandwidth as it needs. When the instance no longer requires these resources, it checks them back in to the common pool, making the resources available to other instances that need them.

    • NetScaler ADC VPX Check-in and Check-out Licensing. NetScaler ADM allocates licenses to NetScaler ADC VPX instances on demand. A NetScaler ADC VPX instance can check out the license from the NetScaler ADM when a NetScaler ADC VPX instance is provisioned, or check back in its license to NetScaler ADM when an instance is removed or destroyed.

    • For more information on license management, see: Pooled Capacity.

    Configuration Management

    NetScaler ADM allows users to create configuration jobs that help them perform configuration tasks, such as creating entities, configuring features, replication of configuration changes, system upgrades, and other maintenance activities with ease on multiple instances. Configuration jobs and templates simplify the most repetitive administrative tasks to a single task on NetScaler ADM. For more information on configuration management, see: Configuration Jobs.

    Configuration Audit

    Enables users to monitor and identify anomalies in the configurations across user instances.

    Signatures provide the following deployment options to help users to optimize the protection of user applications:

    • Negative Security Model: With the negative security model, users employ a rich set of preconfigured signature rules to apply the power of pattern matching to detect attacks and protect against application vulnerabilities. Users block only what they don’t want and allow the rest. Users can add their own signature rules, based on the specific security needs of user applications, to design their own customized security solutions.

    • Hybrid Security Model: In addition to using signatures, users can use positive security checks to create a configuration ideally suited for user applications. Use signatures to block what users don’t want, and use positive security checks to enforce what is allowed.

    To protect user applications by using signatures, users must configure one or more profiles to use their signatures object. In a hybrid security configuration, the SQL injection and cross-site scripting patterns, and the SQL transformation rules, in the user signatures object are used not only by the signature rules, but also by the positive security checks configured in the Web Application Firewall profile that is using the signatures object.

    The Web Application Firewall examines the traffic to user protected websites and web services to detect traffic that matches a signature. A match is triggered only when every pattern in the rule matches the traffic. When a match occurs, the specified actions for the rule are invoked. Users can display an error page or error object when a request is blocked. Log messages can help users to identify attacks being launched against user applications. If users enable statistics, the Web Application Firewall maintains data about requests that match a Web Application Firewall signature or security check.

    If the traffic matches both a signature and a positive security check, the more restrictive of the two actions is enforced. For example, if a request matches a signature rule for which the block action is disabled, but the request also matches an SQL Injection positive security check for which the action is block, the request is blocked. In this case, the signature violation might be logged as [not blocked], although the request is blocked by the SQL injection check.

    Customization: If necessary, users can add their own rules to a signatures object. Users can also customize the SQL/XSS patterns. The option to add their own signature rules, based on the specific security needs of user applications, gives users the flexibility to design their own customized security solutions. Users block only what they don’t want and allow the rest. A specific fast-match pattern in a specified location can significantly reduce processing overhead to optimize performance. Users can add, modify, or remove SQL injection and cross-site scripting patterns. Built-in RegEx and expression editors help users configure user patterns and verify their accuracy.

    Use Cases

    Compared to alternative solutions that require each service to be deployed as a separate virtual appliance, NetScaler ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, flexible licensing, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises NetScaler ADC deployments. The net result is that NetScaler ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers.

    NetScaler Web Application Firewall (WAF)

    NetScaler Web Application Firewall (WAF) is an enterprise grade solution offering state of the art protections for modern applications. NetScaler WAF mitigates threats against public-facing assets, including websites, web applications, and APIs. NetScaler WAF includes IP reputation-based filtering, Bot mitigation, OWASP Top 10 application threats protections, Layer 7 DDoS protection and more. Also included are options to enforce authentication, strong SSL/TLS ciphers, TLS 1.3, rate limiting and rewrite policies. Using both basic and advanced WAF protections, NetScaler WAF provides comprehensive protection for your applications with unparalleled ease of use. Getting up and running is a matter of minutes. Further, using an automated learning model, called dynamic profiling, NetScaler WAF saves users precious time. By automatically learning how a protected application works, NetScaler WAF adapts to the application even as developers deploy and alter the applications. NetScaler WAF helps with compliance for all major regulatory standards and bodies, including PCI-DSS, HIPAA, and more. With our CloudFormation templates, it has never been easier to get up and running quickly. With auto scaling, users can rest assured that their applications remain protected even as their traffic scales up.

    Web Application Firewall Deployment Strategy

    The first step to deploying the web application firewall is to evaluate which applications or specific data need maximum security protection, which ones are less vulnerable, and the ones for which security inspection can safely be bypassed. This helps users in coming up with an optimal configuration, and in designing appropriate policies and bind points to segregate the traffic. For example, users might want to configure a policy to bypass security inspection of requests for static web content, such as images, MP3 files, and movies, and configure another policy to apply advanced security checks to requests for dynamic content. Users can use multiple policies and profiles to protect different contents of the same application.

    The next step is to baseline the deployment. Start by creating a virtual server and run test traffic through it to get an idea of the rate and amount of traffic flowing through the user system.

    Then, deploy the Web Application Firewall. Use NetScaler ADM and the Web Application Firewall StyleBook to configure the Web Application Firewall. See the StyleBook section below in this guide for details.

    After the Web Application Firewall is deployed and configured with the Web Application Firewall StyleBook, a useful next step would be to implement the NetScaler ADC WAF and OWASP Top 10.

    Finally, three of the Web Application Firewall protections are especially effective against common types of Web attacks, and are therefore more commonly used than any of the others. Thus, they should be implemented in the initial deployment. They are:

    • HTML Cross-Site Scripting. Examines requests and responses for scripts that attempt to access or modify content on a different website than the one on which the script is located. When this check finds such a script, it either renders the script harmless before forwarding the request or response to its destination, or it blocks the connection.

    • HTML SQL Injection. Examines requests that contain form field data for attempts to inject SQL commands into a SQL database. When this check detects injected SQL code, it either blocks the request or renders the injected SQL code harmless before forwarding the request to the Web server.

    Note:

    If both of the following conditions apply to the user configuration, users should make certain that their Web Application Firewall is correctly configured:
    • If users enable the HTML Cross-Site Scripting check or the HTML SQL Injection check (or both), and
    • User protected websites accept file uploads or contain Web forms that can contain large POST body data.

    For more information about configuring the Web Application Firewall to handle this case, see: Configuring the Web App Firewall.

    • Buffer Overflow. Examines requests to detect attempts to cause a buffer overflow on the Web server.

    Configuring the Web Application Firewall (WAF)

    The following steps assume that the WAF is already enabled and functioning correctly.

    NetScaler recommends that users configure WAF using the Web Application Firewall StyleBook. Most users find it the easiest method to configure the Web Application Firewall, and it is designed to prevent mistakes. Both the GUI and the command line interface are intended for experienced users, primarily to modify an existing configuration or use advanced options.

    SQL Injection

    The Application Firewall HTML SQL Injection check provides special defenses against the injection of unauthorized SQL code that might break user Application security. NetScaler Web Application Firewall examines the request payload for injected SQL code in three locations: 1) POST body, 2) headers, and 3) cookies.

    A default set of keywords and special characters provides known keywords and special characters that are commonly used to launch SQL attacks. Users can also add new patterns, and they can edit the default set to customize the SQL check inspection.

    There are several parameters that can be configured for SQL injection processing. Users can check for SQL wildcard characters. Users can change the SQL Injection type and select one of the 4 options (SQLKeyword, SQLSplChar, SQLSplCharANDKeyword, SQLSplCharORKeyword) to indicate how to evaluate the SQL keywords and SQL special characters when processing the payload. The SQL Comments Handling parameter gives users an option to specify the type of comments that need to be inspected or exempted during SQL Injection detection.

    Users can deploy relaxations to avoid false positives. The learning engine can provide recommendations for configuring relaxation rules.

    The following options are available for configuring an optimized SQL Injection protection for the user application:

    Block — If users enable block, the block action is triggered only if the input matches the SQL injection type specification. For example, if SQLSplCharANDKeyword is configured as the SQL injection type, a request is not blocked if it contains no key words, even if SQL special characters are detected in the input. Such a request is blocked if the SQL injection type is set to either SQLSplChar, or SQLSplCharORKeyword.

    Log — If users enable the log feature, the SQL Injection check generates log messages indicating the actions that it takes. If block is disabled, a separate log message is generated for each input field in which the SQL violation was detected. However, only one message is generated when the request is blocked. Similarly, 1 log message per request is generated for the transform operation, even when SQL special characters are transformed in multiple fields. Users can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.

    Stats — If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that the user application is under attack. If legitimate requests are getting blocked, users might have to revisit the configuration to see if they need to configure new relaxation rules or modify the existing ones.

    Learn — If users are not sure which SQL relaxation rules might be ideally suited for their applications, they can use the learn feature to generate recommendations based on the learned data. The Web Application Firewall learning engine monitors the traffic and provides SQL learning recommendations based on the observed values. To get optimal benefit without compromising performance, users might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning.

    Transform SQL special characters—The Web Application Firewall considers three characters, single straight quote ('), backslash (\), and semicolon (;), as special characters for SQL security check processing. The SQL Transformation feature modifies the SQL Injection code in an HTML request to ensure that the request is rendered harmless. The modified HTML request is then sent to the server. All default transformation rules are specified in the /netscaler/default_custom_settings.xml file.

    The transform operation renders the SQL code inactive by making the following changes to the request:

    • Single straight quote (') to double straight quote (").

    • Backslash (\) to double backslash (\\).

    • Semicolon (;) is dropped completely.

    These three characters (special strings) are necessary to issue commands to a SQL server. Unless a SQL command is prefaced with a special string, most SQL servers ignore that command. Therefore, the changes that the Web Application Firewall performs when transformation is enabled prevent an attacker from injecting active SQL. After these changes are made, the request can safely be forwarded to the user protected website. When web forms on the user protected website can legitimately contain SQL special strings, but the web forms do not rely on the special strings to operate correctly, users can disable blocking and enable transformation to prevent blocking of legitimate web form data without reducing the protection that the Web Application Firewall provides to the user protected websites.

    The transform operation works independently of the SQL Injection Type setting. If transform is enabled and the SQL Injection type is specified as a SQL keyword, SQL special characters are transformed even if the request does not contain any keywords.

    Tip:

    Users normally enable either transformation or blocking, but not both. If the block action is enabled, it takes precedence over the transform action. If users have blocking enabled, enabling transformation is redundant.

    Check for SQL Wildcard Characters—Wildcard characters can be used to broaden the selections of a SQL (SQL-SELECT) statement. These wildcard operators can be used with the LIKE and NOT LIKE operators to compare a value to similar values. The percent (%) and underscore (_) characters are frequently used as wildcards. The percent sign is analogous to the asterisk (*) wildcard character used with MS-DOS and matches zero, one, or multiple characters in a field. The underscore is similar to the MS-DOS question mark (?) wildcard character. It matches a single number or character in an expression.

    For example, users can use the following query to do a string search to find all customers whose names contain the D character.

    SELECT * from customer WHERE name like '%D%';

    The following example combines the operators to find any salary values that have 0 in the second and third place.

    SELECT * from customer WHERE salary like '_00%';

    Different DBMS vendors have extended the wildcard characters by adding extra operators. The NetScaler Web Application Firewall can protect against attacks that are launched by injecting these wildcard characters. The 5 default Wildcard characters are percent (%), underscore (_), caret (^), opening bracket ([), and closing bracket (]). This protection applies to both HTML and XML profiles.

    The default wildcard chars are a list of literals specified in the *Default Signatures:

    • <wildchar type="LITERAL">%</wildchar>

    • <wildchar type="LITERAL">_</wildchar>

    • <wildchar type="LITERAL">^</wildchar>

    • <wildchar type="LITERAL">[</wildchar>

    • <wildchar type="LITERAL">]</wildchar>

    Wildcard characters in an attack can be PCRE, like [^A-F]. The Web Application Firewall also supports PCRE wildcards, but the literal wildcard chars shown here are sufficient to block most attacks.

    Note:

    The SQL wildcard character check is different from the SQL special character check. This option must be used with caution to avoid false positives.

    Check Request Containing SQL Injection Type—The Web Application Firewall provides 4 options to implement the desired level of strictness for SQL Injection inspection, based on the individual need of the application. The request is checked against the injection type specification for detecting SQL violations. The 4 SQL injection type options are:

    • SQL Special Character and Keyword—Both a SQL keyword and a SQL special character must be present in the input to trigger a SQL violation. This least restrictive setting is also the default setting.

    • SQL Special Character—At least one of the special characters must be present in the input to trigger a SQL violation.

    • SQL key word—At least one of the specified SQL keywords must be present in the input to trigger a SQL violation. Do not select this option without due consideration. To avoid false positives, make sure that none of the keywords are expected in the inputs.

    • SQL Special Character or Keyword—Either the key word or the special character string must be present in the input to trigger the security check violation.

    Tip:

    If users configure the Web Application Firewall to check for inputs that contain a SQL special character, the Web Application Firewall skips web form fields that do not contain any special characters. Since most SQL servers do not process SQL commands that are not preceded by a special character, enabling this option can significantly reduce the load on the Web Application Firewall and speed up processing without placing the user protected websites at risk.
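    The interaction of the four injection types with the block and transform actions, as a simplified Python model written for this guide (an added example, not NetScaler code). The names SqlCheck, violates, transform_value and evaluate are hypothetical, the keyword list is a constructed subset of the default set, and logging is assumed to be enabled.

```python
"""Simplified model of the HTML SQL Injection check rules described above.
Added illustration only; not NetScaler code."""
import re
from dataclasses import dataclass

# The three SQL special characters named in this guide.
SPECIAL_CHARS = ("'", "\\", ";")
# Constructed keyword subset; the real default list lives in the signatures object.
KEYWORDS = ("select", "union", "insert", "update", "delete", "drop", "like")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
# Transform rules from the guide: ' becomes ", \ becomes \\, ; is dropped.
TRANSFORM = {"'": '"', "\\": "\\\\", ";": ""}


@dataclass
class SqlCheck:
    injection_type: str = "SQLSplCharANDKeyword"  # default per the guide
    block: bool = False
    transform: bool = False


def violates(value: str, injection_type: str) -> bool:
    """Apply one of the four SQL injection type options to a single input."""
    special = any(ch in value for ch in SPECIAL_CHARS)
    keyword = KEYWORD_RE.search(value) is not None
    if injection_type == "SQLSplChar":
        return special
    if injection_type == "SQLKeyword":
        return keyword
    if injection_type == "SQLSplCharANDKeyword":
        return special and keyword
    if injection_type == "SQLSplCharORKeyword":
        return special or keyword
    raise ValueError(f"unknown injection type: {injection_type}")


def transform_value(value: str) -> str:
    """Rewrite in a single pass so an inserted backslash is never doubled again."""
    return "".join(TRANSFORM.get(ch, ch) for ch in value)


def evaluate(fields: dict, check: SqlCheck) -> dict:
    """Decide what happens to a request's form fields under one profile."""
    hits = sorted(n for n, v in fields.items() if violates(v, check.injection_type))
    if hits and check.block:
        # Block takes precedence over transform; one log message per blocked request.
        return {"action": "blocked", "fields": None, "log_messages": 1}
    if check.transform:
        # Transformation ignores the injection type: special characters are
        # rewritten even when no field counts as a violation.
        rewritten = {n: transform_value(v) for n, v in fields.items()}
        if rewritten != fields:
            # One log message per request for the transform operation.
            return {"action": "transformed", "fields": rewritten, "log_messages": 1}
    # Not blocked: one log message per field in which a violation was detected.
    return {"action": "forwarded", "fields": dict(fields), "log_messages": len(hits)}


if __name__ == "__main__":
    # Constructed sample inputs: special character only, keyword only, both.
    samples = {
        "special only": {"name": "O'Brien"},
        "keyword only": {"q": "select a product"},
        "both": {"id": "1'; DROP TABLE users"},
    }
    types = ("SQLSplCharANDKeyword", "SQLSplChar", "SQLKeyword", "SQLSplCharORKeyword")
    for injection_type in types:
        for label, fields in samples.items():
            result = evaluate(fields, SqlCheck(injection_type, block=True))
            print(f"{injection_type:22} {label:13} {result['action']}")
    # Transform with the keyword-only type still rewrites the lone quote.
    print(evaluate({"name": "O'Brien"}, SqlCheck("SQLKeyword", transform=True)))
```

    The table it prints shows which legitimate inputs (a surname with an apostrophe, a search phrase containing a keyword) each injection type would block, which is where relaxation rules are needed.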

    SQL comments handling — By default, the Web Application Firewall checks all SQL comments for injected SQL commands. Many SQL servers ignore anything in a comment, however, even if preceded by an SQL special character. For faster processing, if your SQL server ignores comments, you can configure the Web Application Firewall to skip comments when examining requests for injected SQL. The SQL comments handling options are:

    • ANSI — Skip ANSI-format SQL comments, which are normally used by UNIX-based SQL databases. For example:

      • -- (Two Hyphens) - This is a comment that begins with two hyphens and ends with the end of the line.

      • {} - Braces (Braces enclose the comment. The { precedes the comment, and the } follows it. Braces can delimit single- or multiple-line comments, but comments cannot be nested)

      • /* */: C style comments (Does not allow nested comments). Please note that /*! <comment that begins with a slash followed by an asterisk and an exclamation mark> */ is not a comment.

      • MySQL Server supports some variants of C-style comments. These enable users to write code that includes MySQL extensions, but is still portable, by using comments of the following form: [/*! MySQL-specific code */]

      • #: MySQL comments: This is a comment that begins with the # character and ends with the end of the line.

    • Nested — Skip nested SQL comments, which are normally used by Microsoft SQL Server. For example: -- (Two Hyphens), and /* */ (Allows nested comments)

    • ANSI/Nested — Skip comments that adhere to both the ANSI and nested SQL comment standards. Comments that match only the ANSI standard, or only the nested standard, are still checked for injected SQL.

    • Check all Comments — Check the entire request for injected SQL without skipping anything. This is the default setting.

    Tip:

    In most cases, users should not choose the Nested or the ANSI/Nested option unless their back-end database runs on Microsoft SQL Server. Most other types of SQL server software do not recognize nested comments. If nested comments appear in a request directed to another type of SQL server, they might indicate an attempt to breach security on that server.

    Check Request headers — Enable this option if, in addition to examining the input in the form fields, users want to examine the request headers for HTML SQL Injection attacks. If users use the GUI, they can enable this parameter in the Advanced Settings -> Profile Settings pane of the Web Application Firewall profile.

    Note:

    If users enable the Check Request header flag, they might have to configure a relaxation rule for the User-Agent header. Presence of the SQL keyword like and a SQL special character semicolon (;) might trigger a false positive and block requests that contain this header.

    Warning:

    If users enable both request header checking and transformation, any SQL special characters found in headers are also transformed. The Accept, Accept-Charset, Accept-Encoding, Accept-Language, Expect, and User-Agent headers normally contain semicolons (;). Enabling both Request header checking and transformation simultaneously might cause errors.

    InspectQueryContentTypes — Configure this option if users want to examine the request query portion for SQL Injection attacks for the specific content-types. If users use the GUI, they can configure this parameter in the Advanced Settings -> Profile Settings pane of the Application Firewall profile.

    Cross-Site Scripting

    The HTML Cross-Site Scripting check examines both the headers and the POST bodies of user requests for possible cross-site scripting attacks. If it finds a cross-site script, it either modifies (transforms) the request to render the attack harmless, or blocks the request.

    Note:

    The HTML Cross-Site Scripting check works only for content type, content length, and so forth. It does not work for cookies. Also make sure that the ‘checkRequestHeaders’ option is enabled in the user Web Application Firewall profile.

    To prevent misuse of the scripts on user protected websites to breach security on user websites, the HTML Cross-Site Scripting check blocks scripts that violate the same origin rule, which states that scripts should not access or modify content on any server but the server on which they are located. Any script that violates the same origin rule is called a cross-site script, and the practice of using scripts to access or modify content on another server is called cross-site scripting. The reason cross-site scripting is a security issue is that a web server that allows cross-site scripting can be attacked with a script that is not on that web server, but on a different web server, such as one owned and controlled by the attacker.

    Unfortunately, many companies have a large installed base of JavaScript-enhanced web content that violates the same origin rule. If users enable the HTML Cross-Site Scripting check on such a site, they have to generate the appropriate exceptions so that the check does not block legitimate activity.

    The Web Application Firewall offers various action options for implementing HTML Cross-Site Scripting protection. In addition to the Block, Log, Stats and Learn actions, users also have the option to Transform cross-site scripts to render an attack harmless by entity encoding the script tags in the submitted request. Users can configure Check complete URLs for the cross-site scripting parameter to specify if they want to inspect not just the query parameters but the entire URL to detect a cross-site scripting attack. Users can configure the InspectQueryContentTypes parameter to inspect the request query portion for a cross-site scripting attack for the specific content-types.

    Users can deploy relaxations to avoid false positives. The Web Application Firewall learning engine can provide recommendations for configuring relaxation rules.

    The following options are available for configuring an optimized HTML Cross-Site Scripting protection for the user application:

    • Block — If users enable block, the block action is triggered if the cross-site scripting tags are detected in the request.

    • Log — If users enable the log feature, the HTML Cross-Site Scripting check generates log messages indicating the actions that it takes. If block is disabled, a separate log message is generated for each header or form field in which the cross-site scripting violation was detected. However, only one message is generated when the request is blocked. Similarly, 1 log message per request is generated for the transform operation, even when cross-site scripting tags are transformed in multiple fields. Users can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.

    • Stats — If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that the user application is under attack. If legitimate requests are getting blocked, users might have to revisit the configuration to see if they must configure new relaxation rules or modify the existing ones.

    • Learn — If users are not sure which relaxation rules might be ideally suited for their application, they can use the learn feature to generate HTML Cross-Site Scripting rule recommendations based on the learned data. The Web Application Firewall learning engine monitors the traffic and provides learning recommendations based on the observed values. To get optimal benefit without compromising performance, users might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning.

    • Transform cross-site scripts — If enabled, the Web Application Firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:

      • Left angle bracket (<) to HTML character entity equivalent (&lt;)

      • Right angle bracket (>) to HTML character entity equivalent (&gt;)

    This ensures that browsers do not interpret unsafe html tags, such as <script>, and thereby run malicious code. If users enable both request-header checking and transformation, any special characters found in request headers are also modified as described above. If scripts on the user protected website contain cross-site scripting features, but the user website does not rely upon those scripts to operate correctly, users can safely disable blocking and enable transformation. This configuration ensures that no legitimate web traffic is blocked, while stopping any potential cross-site scripting attacks.

    • Check complete URLs for cross-site scripting — If checking of complete URLs is enabled, the Web Application Firewall examines entire URLs for HTML cross-site scripting attacks instead of checking just the query portions of URLs.

    • Check Request headers — If Request header checking is enabled, the Web Application Firewall examines the headers of requests for HTML cross-site scripting attacks, instead of just URLs. If users use the GUI, they can enable this parameter in the Settings tab of the Web Application Firewall profile.

    • InspectQueryContentTypes — If Request query inspection is configured, the Application Firewall examines the query of requests for cross-site scripting attacks for the specific content-types. If users use the GUI, they can configure this parameter in the Settings tab of the Application Firewall profile.

    Important:

    As part of the streaming changes, the Web Application Firewall processing of cross-site scripting tags has changed. In earlier releases, the presence of an open bracket (<), a close bracket (>), or both open and close brackets (<>) was flagged as a cross-site scripting violation. In builds that include support for request-side streaming, a close bracket character (>) on its own is no longer considered an attack. An open bracket character (<) is still considered an attack: the request is blocked and the cross-site scripting violation is flagged.
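The settings above interact, so the following added example (not NetScaler code) models only the bracket rule and the inspection locations described in this section, to show which parts of a request are flagged under each combination. The function names and the sample request are constructed for illustration; the real check also applies the allowed and denied tag and attribute lists.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def bracket_violation(value, streaming=True):
    """Bracket rule only: streaming builds flag '<'; earlier releases flagged '<' or '>'."""
    if streaming:
        return "<" in value
    return "<" in value or ">" in value


def transform(value):
    """The two substitutions made when 'Transform cross-site scripts' is enabled."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def inspect_request(url, headers, form, check_complete_url=False,
                    check_request_headers=False, streaming=True):
    """Return (location, name) pairs that the simplified rule would flag."""
    findings = []
    if check_complete_url:
        # The whole URL is examined, path included.
        if bracket_violation(unquote(url), streaming):
            findings.append(("url", url))
    else:
        # Default: only the query portion of the URL is examined.
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if bracket_violation(value, streaming):
                findings.append(("query", name))
    for name, value in form.items():
        if bracket_violation(value, streaming):
            findings.append(("formfield", name))
    if check_request_headers:
        for name, value in headers.items():
            if bracket_violation(value, streaming):
                findings.append(("header", name))
    return findings


# Constructed request, not captured traffic.
SAMPLE = {
    "url": "/docs/%3Cdraft%3E/view?note=x%3Ey",
    "headers": {"Referer": "https://app.example/?t=<b>", "User-Agent": "constructed/1.0"},
    "form": {"comment": "5 > 3", "formula": "a < b"},
}

if __name__ == "__main__":
    for label, opts in [
        ("streaming build, defaults", {}),
        ("pre-streaming build", {"streaming": False}),
        ("complete URL + headers", {"check_complete_url": True,
                                    "check_request_headers": True}),
    ]:
        print(label, inspect_request(**SAMPLE, **opts))
    print(transform(SAMPLE["form"]["formula"]))
```

Fields such as `comment` that contain only a close bracket needed a relaxation on earlier builds but not on streaming builds, which is worth checking before carrying old relaxation rules forward.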

    Buffer Overflow Check

    The Buffer Overflow check detects attempts to cause a buffer overflow on the web server. If the Web Application Firewall detects that the URL, cookies, or header are longer than the configured length, it blocks the request because it can cause a buffer overflow.

    The Buffer Overflow check prevents attacks against insecure operating-system or web-server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle. Proper programming techniques prevent buffer overflows by checking incoming data and either rejecting or truncating overlong strings. Many programs, however, do not check all incoming data and are therefore vulnerable to buffer overflows. This issue especially affects older versions of web-server software and operating systems, many of which are still in use.

    The Buffer Overflow security check allows users to configure the Block, Log, and Stats actions. In addition, users can also configure the following parameters:

    • Maximum URL Length. The maximum length the Web Application Firewall allows in a requested URL. Requests with longer URLs are blocked. Possible Values: 0–65535. Default: 1024

    • Maximum Cookie Length. The maximum length the Web Application Firewall allows for all cookies in a request. Requests with longer cookies trigger the violations. Possible Values: 0–65535. Default: 4096

    • Maximum Header Length. The maximum length the Web Application Firewall allows for HTTP headers. Requests with longer headers are blocked. Possible Values: 0–65535. Default: 4096

    • Query string length. Maximum length allowed for a query string in an incoming request. Requests with longer queries are blocked. Possible Values: 0–65535. Default: 1024

    • Total request length. Maximum request length allowed for an incoming request. Requests with a longer length are blocked. Possible Values: 0–65535. Default: 24820
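To see which requests the default limits above would reject before enabling Block, the following added example (not NetScaler code) measures raw requests against the five limits and counts the violations across a sample. The key names and requests are constructed, and how each length is measured (request target for the URL, summed Cookie header values, longest single non-cookie header value, bytes after the "?", whole request) is an assumption, since the page gives only the limits.

```python
# Defaults from the parameter list above; the key names are hypothetical.
DEFAULT_LIMITS = {
    "max_url_length": 1024,
    "max_cookie_length": 4096,
    "max_header_length": 4096,
    "max_query_length": 1024,
    "max_total_request_length": 24820,
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into target, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return parts[1], headers, body


def measure(raw):
    """Measure the five lengths (assumed definitions, see the lead-in)."""
    target, headers, _ = parse_request(raw)
    query = target.partition(b"?")[2]
    return {
        "max_url_length": len(target),
        "max_cookie_length": sum(len(v) for n, v in headers if n == b"cookie"),
        "max_header_length": max((len(v) for n, v in headers if n != b"cookie"),
                                 default=0),
        "max_query_length": len(query),
        "max_total_request_length": len(raw),
    }


def check_lengths(raw, limits=DEFAULT_LIMITS):
    """Return {limit: (measured, allowed)} for every limit the request exceeds."""
    for name, allowed in limits.items():
        if not 0 <= allowed <= 65535:
            raise ValueError(f"{name}={allowed} is outside 0-65535")
    measured = measure(raw)
    return {k: (measured[k], limits[k]) for k in limits if measured[k] > limits[k]}


def audit(requests, limits=DEFAULT_LIMITS):
    """Count, per limit, how many requests in a sample would be blocked."""
    counts = {k: 0 for k in limits}
    for raw in requests:
        for k in check_lengths(raw, limits):
            counts[k] += 1
    return counts


# Constructed requests, not captured traffic.
NORMAL = (b"GET /index.html?lang=en HTTP/1.1\r\nHost: app.example\r\n"
          b"Cookie: session=abc123\r\n\r\n")
LONG_QUERY = b"GET /search?q=" + b"A" * 1100 + b" HTTP/1.1\r\nHost: app.example\r\n\r\n"
BIG_COOKIE = (b"GET / HTTP/1.1\r\nHost: app.example\r\nCookie: session="
              + b"B" * 5000 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("long query", LONG_QUERY),
                       ("big cookie", BIG_COOKIE)]:
        print(label, check_lengths(req))
    print(audit([NORMAL, LONG_QUERY, BIG_COOKIE]))
```

Running `audit` over a sample of known-good traffic shows which limit needs raising, and by how much, before the check is switched from Log to Block.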

    Virtual Patching/Signatures

    The signatures provide specific, configurable rules to simplify the task of protecting user websites against known attacks. A signature represents a pattern that is a component of a known attack on an operating system, web server, website, XML-based web service, or other resource. A rich set of preconfigured built-in or native rules offers an easy to use security solution, applying the power of pattern matching to detect attacks and protect against application vulnerabilities.

    Users can create their own signatures or use signatures in the built-in templates. The Web Application Firewall has two built-in templates:

    • Default Signatures: This template contains a preconfigured list of over 1,300 signatures, in addition to a complete list of SQL injection keywords, SQL special strings, SQL transform rules, and SQL wildcard characters. It also contains denied patterns for cross-site scripting, and allowed attributes and tags for cross-site scripting. This is a read-only template. Users can view the contents, but they cannot add, edit, or delete anything in this template. To use it, users must make a copy. In their own copy, users can enable the signature rules that they want to apply to their traffic, and specify the actions to be taken when the signature rules match the traffic.

    The signatures are derived from the rules published by SNORT, which is an open source intrusion prevention system capable of performing real-time traffic analysis to detect various attacks and probes.

    • *Xpath Injection Patterns: This template contains a preconfigured set of literal and PCRE keywords and special strings that are used to detect XPath (XML Path Language) injection attacks.

    Blank Signatures: In addition to making a copy of the built-in Default Signatures template, users can use a blank signatures template to create a signature object. The signature object that users create with the blank signatures option does not have any native signature rules, but, just like the *Default template, it has all the SQL/XSS built-in entities.

    External-Format Signatures: The Web Application Firewall also supports external format signatures. Users can import the third-party scan report by using the XSLT files that are supported by the NetScaler Web Application Firewall. A set of built-in XSLT files is available for selected scan tools to translate external format files to native format (see the list of built-in XSLT files later in this section).

    Signatures help users reduce the risk of exposed vulnerabilities and protect user mission-critical web servers while aiming for efficacy, but they come at the cost of additional CPU processing.

    It is important to choose the right signatures for the user application's needs. Enable only the signatures that are relevant to the customer application and environment.

    NetScaler offers signatures in more than 10 different categories across platforms/OS/Technologies.

    The signature rules database is substantial, as attack information has built up over the years. So, most of the old rules may not be relevant for all networks as Software Developers may have patched them already or customers are running a more recent version of the OS.

    Signatures Updates

    NetScaler Web Application Firewall supports both Auto & Manual Update of Signatures. We also suggest enabling Auto-update for signatures to stay up to date.

    These signature files are hosted in the AWS environment, so it is important to allow outbound access to NetScaler IPs from network firewalls to fetch the latest signature files. Updating signatures on the ADC has no effect on the processing of real-time traffic.

    Application Security Analytics

    The Application Security Dashboard provides a holistic view of the security status of user applications. For example, it shows key security metrics such as security violations, signature violations, and threat indexes. The Application Security dashboard also displays attack-related information such as SYN attacks, small window attacks, and DNS flood attacks for the discovered NetScaler ADC instances.

    Note:

    To view the metrics of the Application Security Dashboard, AppFlow for Security insight should be enabled on the NetScaler ADC instances that users want to monitor.

    To view the security metrics of a NetScaler ADC instance on the application security dashboard

    1. Log on to NetScaler ADM using the administrator credentials.

    2. Navigate to Applications > App Security Dashboard, and select the instance IP address from the Devices list.

    Users can further drill down on the discrepancies reported on the Application Security Investigator by clicking the bubbles plotted on the graph.

    Centralized Learning on ADM

    NetScaler Web Application Firewall (WAF) protects user web applications from malicious attacks such as SQL injection and cross-site scripting (XSS). To prevent data breaches and provide the right security protection, users must monitor their traffic for threats and real-time actionable data on attacks. Sometimes, the attacks reported might be false-positives and those need to be provided as an exception.

    The Centralized Learning on NetScaler ADM is a repetitive pattern filter that enables WAF to learn the behavior (the normal activities) of user web applications. Based on monitoring, the engine generates a list of suggested rules or exceptions for each security check applied on the HTTP traffic.

    It is much easier to deploy relaxation rules using the learning engine than to deploy the necessary relaxations manually.

    To deploy the learning feature, users must first configure a Web Application Firewall profile (set of security settings) on the user NetScaler ADC appliance. For more information, see Creating Web App Firewall Profiles.

    NetScaler ADM generates a list of exceptions (relaxations) for each security check. As an administrator, users can review the list of exceptions in NetScaler ADM and decide to deploy or skip.

    Using the WAF learning feature in NetScaler ADM, users can:

    • Configure a learning profile with the following security checks

      • Buffer Overflow

      • HTML Cross-Site Scripting

      Note:

      For cross-site scripting, the location is limited to FormField only.

      • HTML SQL Injection

      Note:

      For the HTML SQL Injection check, users must configure set -sqlinjectionTransformSpecialChars to ON and set -sqlinjectiontype sqlspclcharorkeywords in the NetScaler ADC instance.

    • Check the relaxation rules in NetScaler ADM and decide to take necessary action (deploy or skip)

    • Get the notifications through email, Slack, and ServiceNow

    • Use the dashboard to view relaxation details

    To use the WAF learning in NetScaler ADM:

    1. Configure the learning profile: Configure the Learning Profile

    2. See the relaxation rules: View Relaxation Rules and Idle Rules

    3. Use the WAF learning dashboard: View WAF Learning Dashboard

    StyleBook

    NetScaler Web Application Firewall is a Web Application Firewall (WAF) that protects web applications and sites from both known and unknown attacks, including all application-layer and zero-day threats.

    NetScaler ADM now provides a default StyleBook with which users can more conveniently create an application firewall configuration on NetScaler ADC instances.

    Deploying Application Firewall Configurations

    The following task assists you in deploying a load balancing configuration along with the application firewall and IP reputation policy on NetScaler ADC instances in your business network.

    To Create an LB Configuration with Application Firewall Settings

    • In NetScaler ADM, navigate to Applications > Configurations > StyleBooks. The StyleBooks page displays all the StyleBooks available for customer use in NetScaler ADM. Scroll down and find HTTP/SSL Load Balancing StyleBook with application firewall policy and IP reputation policy. Users can also search for the StyleBook by typing the name as lb-appfw. Click Create Configuration.

    The StyleBook opens as a user interface page on which users can enter the values for all the parameters defined in this StyleBook.

    • Enter values for the following parameters:

      • Load Balanced Application Name. Name of the load balanced configuration with an application firewall to deploy in the user network.

      • Load balanced App Virtual IP address. Virtual IP address at which the NetScaler ADC instance receives client requests.

      • Load Balanced App Virtual Port. The TCP Port to be used by the users in accessing the load balanced application.

      • Load Balanced App Protocol. Select the front-end protocol from the list.

      • Application Server Protocol. Select the protocol of the application server.

    • As an option, users can enable and configure the Advanced Load Balancer Settings.

    • Optionally, users can also set up an authentication server for authenticating traffic for the load balancing virtual server.

    • Click “+” in the server IPs and Ports section to create application servers and the ports that they can be accessed on.

    • Users can also create FQDN names for application servers.

    • Users can also specify the details of the SSL certificate.

    • Users can also create monitors in the target NetScaler ADC instance.

    • To configure the application firewall on the virtual server, enable WAF Settings.

    Ensure that the application firewall policy rule is true if users want to apply the application firewall settings to all traffic on that VIP. Otherwise, specify the NetScaler ADC policy rule to select a subset of requests to which to apply the application firewall settings. Next, select the type of profile that has to be applied - HTML or XML.

    • Optionally, users can configure detailed application firewall profile settings by enabling the application firewall Profile Settings check box.

    • Optionally, if users want to configure application firewall signatures, enter the name of the signature object that is created on the NetScaler ADC instance where the virtual server is to be deployed.

    Note:

    Users cannot create signature objects by using this StyleBook.

    • Next, users can also configure any other application firewall profile settings, such as StartURL settings, DenyURL settings, and others.

    For more information on application firewall and configuration settings, see Application Firewall.

    • In the Target Instances section, select the NetScaler ADC instance on which to deploy the load balancing virtual server with the application firewall.

    Note:

    Users can also click the refresh icon to add recently discovered NetScaler ADC instances in NetScaler ADM to the available list of instances in this window.

    • Users can also enable IP Reputation check to identify the IP address that is sending unwanted requests. Users can use the IP reputation list to preemptively reject requests that are coming from the IP with the bad reputation.

    Tip:

    NetScaler recommends that users select Dry Run to check the configuration objects that must be created on the target instance before they run the actual configuration on the instance.

    When the configuration is successfully created, the StyleBook creates the required load balancing virtual server, application server, services, service groups, application firewall labels, application firewall policies, and binds them to the load balancing virtual server.

    The following figure shows the objects created in each server:

    image.jpg

    • To see the ConfigPack created on NetScaler ADM, navigate to Applications > Configurations.

    Security Insight Analytics

    Web and web service applications that are exposed to the Internet have become increasingly vulnerable to attacks. To protect applications from attack, users need visibility into the nature and extent of past, present, and impending threats, real-time actionable data on attacks, and recommendations on countermeasures. Security Insight provides a single-pane solution to help users assess user application security status and take corrective actions to secure user applications.

    How Security Insight Works

    Security Insight is an intuitive dashboard-based security analytics solution that gives users full visibility into the threat environment associated with user applications. Security insight is included in NetScaler ADM, and it periodically generates reports based on the user Application Firewall and ADC system security configurations. The reports include the following information for each application:

    • Threat index. A single-digit rating system that indicates the criticality of attacks on the application, regardless of whether the application is protected by an ADC appliance. The more critical the attacks on an application, the higher the threat index for that application. Values range from 1 through 7.

    The threat index is based on attack information. The attack-related information, such as violation type, attack category, location, and client details, gives users insight into the attacks on the application. Violation information is sent to NetScaler ADM only when a violation or attack occurs. Many breaches and vulnerabilities lead to a high threat index value.

    • Safety index. A single-digit rating system that indicates how securely users have configured the ADC instances to protect applications from external threats and vulnerabilities. The lower the security risks for an application, the higher the safety index. Values range from 1 through 7.

    The safety index considers both the application firewall configuration and the ADC system security configuration. For a high safety index value, both configurations must be strong. For example, if rigorous application firewall checks are in place but ADC system security measures, such as a strong password for the nsroot user, have not been adopted, applications are assigned a low safety index value.

    • Actionable Information. Information that users need for lowering the threat index and increasing the safety index, which significantly improves application security. For example, users can review information about violations, existing and missing security configurations for the application firewall and other security features, the rate at which the applications are being attacked, and so on.

    Configuring Security Insight

    Note:

    Security Insight is supported on ADC instances with Premium license or ADC Advanced with AppFirewall license only.

    To configure security insight on an ADC instance, first configure an application firewall profile and an application firewall policy, and then bind the application firewall policy globally.

    Then, enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally. When users configure the collector, they must specify the IP address of the NetScaler ADM service agent on which they want to monitor the reports.

    Configure Security Insight on an ADC Instance

    • Run the following commands to configure an application firewall profile and policy, and bind the application firewall policy globally or to the load balancing virtual server.

    add appfw profile <name> [-defaults ( basic or advanced )]

    set appfw profile <name> [-startURLAction <startURLAction> ...]

    add appfw policy <name> <rule> <profileName>

    bind appfw global <policyName> <priority>

    or,

    bind lb vserver <lb vserver> -policyName <policy> -priority <priority>

    Sample:

    add appfw profile pr_appfw -defaults advanced

    set appfw profile pr_appfw -startURLaction log stats learn

    add appfw policy pr_appfw_pol "HTTP.REQ.HEADER(\"Host\").EXISTS" pr_appfw

    bind appfw global pr_appfw_pol 1

    or,

    bind lb vserver outlook -policyName pr_appfw_pol -priority "20"

     

    • Run the following commands to enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally or to the load balancing virtual server:

    add appflow collector <name> -IPAddress <ipaddress>

    set appflow param [-SecurityInsightRecordInterval <secs>] [-SecurityInsightTraffic ( ENABLED or DISABLED )]

    add appflow action <name> -collectors <string>

    add appflow policy <name> <rule> <action>

    bind appflow global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>]

    or,

    bind lb vserver <vserver> -policyName <policy> -priority <priority>

    Sample:

    add appflow collector col -IPAddress 10.102.63.85

    set appflow param -SecurityInsightRecordInterval 600 -SecurityInsightTraffic ENABLED

    add appflow action act1 -collectors col

    add appflow action af_action_Sap_10.102.63.85 -collectors col

    add appflow policy pol1 true act1

    add appflow policy af_policy_Sap_10.102.63.85 true af_action_Sap_10.102.63.85

    bind appflow global pol1 1 END -type REQ_DEFAULT

    or,

    bind lb vserver Sap -policyName af_policy_Sap_10.102.63.85 -priority "20"
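The commands above build two chains (profile → policy → binding, and collector → action → policy → binding) in which every name must resolve, or Security Insight receives no records. As an added example (not Citrix or NetScaler code), this checker parses configuration lines and reports broken links, such as a binding that names an AppFlow action instead of a policy. The configuration text, the web_vs virtual server, and the 192.0.2.10 collector address are constructed, and enabling the AppFlow feature itself is not checked.

```python
import shlex


def option_values(args, name):
    """Values that follow option `name` up to the next -option (case-insensitive)."""
    values, active = [], False
    for arg in args:
        if arg.startswith("-"):
            active = arg.lower() == name
        elif active:
            values.append(arg)
    return values


def parse_config(text):
    """Collect appfw/appflow objects and bindings from NetScaler CLI lines."""
    cfg = {"profiles": set(), "fw_policies": {}, "collectors": set(),
           "actions": {}, "flow_policies": {}, "bindings": [], "si_traffic": None}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        key, args = tuple(t.lower() for t in tok[:3]), tok[3:]
        if key == ("add", "appfw", "profile"):
            cfg["profiles"].add(args[0])
        elif key == ("add", "appfw", "policy") and len(args) >= 3:
            cfg["fw_policies"][args[0]] = args[2]        # policy -> profile
        elif key == ("add", "appflow", "collector"):
            cfg["collectors"].add(args[0])
        elif key == ("add", "appflow", "action"):
            cfg["actions"][args[0]] = option_values(args, "-collectors")
        elif key == ("add", "appflow", "policy") and len(args) >= 3:
            cfg["flow_policies"][args[0]] = args[2]      # policy -> action
        elif key == ("set", "appflow", "param"):
            value = option_values(args, "-securityinsighttraffic")
            if value:
                cfg["si_traffic"] = value[0].upper()
        elif key in (("bind", "appfw", "global"), ("bind", "appflow", "global")):
            cfg["bindings"].append((key[1], args[0], "global"))
        elif key == ("bind", "lb", "vserver"):
            for policy in option_values(args, "-policyname"):
                cfg["bindings"].append(("vserver", policy, args[0]))
    return cfg


def validate(cfg):
    """Return a list of findings; an empty list means both chains resolve."""
    findings = []
    for pol, prof in cfg["fw_policies"].items():
        if prof not in cfg["profiles"]:
            findings.append(f"appfw policy {pol}: profile {prof} is not defined")
    for act, cols in cfg["actions"].items():
        for col in cols:
            if col not in cfg["collectors"]:
                findings.append(f"appflow action {act}: collector {col} is not defined")
    for pol, act in cfg["flow_policies"].items():
        if act not in cfg["actions"]:
            findings.append(f"appflow policy {pol}: action {act} is not defined")
    bound_fw = bound_flow = False
    for scope, name, target in cfg["bindings"]:
        is_fw = name in cfg["fw_policies"] and scope in ("appfw", "vserver")
        is_flow = name in cfg["flow_policies"] and scope in ("appflow", "vserver")
        bound_fw |= is_fw
        bound_flow |= is_flow
        if not (is_fw or is_flow):
            hint = " (that name is an appflow action)" if name in cfg["actions"] else ""
            findings.append(f"bind to {target}: {name} is not a defined policy{hint}")
    if not bound_fw:
        findings.append("no appfw policy is bound")
    if not bound_flow:
        findings.append("no appflow policy is bound")
    if cfg["si_traffic"] != "ENABLED":
        findings.append("SecurityInsightTraffic is not ENABLED")
    return findings


# Constructed configurations; 192.0.2.10 is a documentation address.
GOOD_CONFIG = r'''
add appfw profile pr_appfw -defaults advanced
add appfw policy pr_appfw_pol "HTTP.REQ.HEADER(\"Host\").EXISTS" pr_appfw
bind appfw global pr_appfw_pol 1
add appflow collector col -IPAddress 192.0.2.10
set appflow param -SecurityInsightRecordInterval 600 -SecurityInsightTraffic ENABLED
add appflow action act1 -collectors col
add appflow policy pol1 true act1
bind appflow global pol1 1 END -type REQ_DEFAULT
'''
BAD_CONFIG = r'''
add appfw profile pr_appfw -defaults advanced
add appfw policy pr_appfw_pol true pr_appfw
bind lb vserver web_vs -policyName pr_appfw_pol -priority 20
add appflow collector col -IPAddress 192.0.2.10
add appflow action act1 -collectors col
add appflow policy pol1 true act1
bind lb vserver web_vs -policyName act1 -priority 30
'''

if __name__ == "__main__":
    for label, text in [("good", GOOD_CONFIG), ("bad", BAD_CONFIG)]:
        print(label, validate(parse_config(text)))
```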

     

    Enable Security Insight from NetScaler ADM

    1. Navigate to Networks > Instances > NetScaler ADC and select the instance type. For example, VPX.

    2. Select the instance and from the Select Action list, select Configure Analytics.

    3. On the Configure Analytics on virtual server window:

      • Select the virtual servers on which you want to enable security insight and click Enable Analytics.

      The Enable Analytics window is displayed.

      • Select Security Insight

      • Under Advanced Options, select Logstream or IPFIX as the Transport Mode

      • The Expression is true by default

      • Click OK

    Note:
    • If users select virtual servers that are not licensed, then NetScaler ADM first licenses those virtual servers and then enables analytics
    • For admin partitions, only Web Insight is supported

    After users click OK, NetScaler ADM processes the request to enable analytics on the selected virtual servers.

    Note:

    When users create a group, they can assign roles to the group, provide application-level access to the group, and assign users to the group. NetScaler ADM analytics now supports virtual IP address-based authorization. Customer users can now see reports for all Insights for only the applications (virtual servers) for which they are authorized. For more information on groups and assigning users to the group, see Configure Groups on NetScaler ADM.

    Thresholds

    Users can set and view thresholds on the safety index and threat index of applications in Security Insight.

    To set a threshold

    • Navigate to System > Analytics Settings > Thresholds, and select Add.

    • Select the traffic type as Security in the Traffic Type field, and enter required information in the other appropriate fields such as Name, Duration, and entity.

    • In the Rule section, use the Metric, Comparator, and Value fields to set a threshold. For example, “Threat Index” “>” “5”

    • Click Create.

    To view the threshold breaches

    • Navigate to Analytics > Security Insight > Devices, and select the ADC instance.

    • In the Application section, users can view the number of threshold breaches that have occurred for each virtual server in the Threshold Breach column.

    Security Insight Use Case

    The following use cases describe how users can use security insight to assess the threat exposure of applications and improve security measures.

    Obtain an Overview of the Threat Environment

    In this use case, users have a set of applications that are exposed to attacks, and they have configured NetScaler ADM to monitor the threat environment. Users need to frequently review the threat index, safety index, and the type and severity of any attacks that the applications might have experienced, so that they can focus first on the applications that need the most attention. The security insight dashboard provides a summary of the threats experienced by the user applications over a time period of user choosing, and for a selected ADC device. It displays the list of applications, their threat and safety indexes, and the total number of attacks for the chosen time period.

    For example, users might be monitoring Microsoft Outlook, Microsoft Lync, SharePoint, and an SAP application, and users might want to review a summary of the threat environment for these applications.

    To obtain a summary of the threat environment, log on to NetScaler ADM, and then navigate to Analytics > Security Insight.

    Key information is displayed for each application. The default time period is 1 hour.

    To view information for a different time period, from the list at the top-left, select a time period.

    To view a summary for a different ADC instance, under Devices, click the IP address of the ADC instance. To sort the application list by a given column, click the column header.

    Determine the Threat Exposure of an Application

    After reviewing a summary of the threat environment on the Security Insight dashboard to identify the applications that have a high threat index and a low safety index, users want to determine their threat exposure before deciding how to secure them. That is, users want to determine the type and severity of the attacks that have degraded their index values. Users can determine the threat exposure of an application by reviewing the application summary.

    In this example, Microsoft Outlook has a threat index value of 6, and users want to know what factors are contributing to this high threat index.

    To determine the threat exposure of Microsoft Outlook, on the Security Insight dashboard, click Outlook. The application summary includes a map that identifies the geographic location of the server.

    Click Threat Index > Security Check Violations and review the violation information that appears.

    Click Signature Violations and review the violation information that appears.

    Determine Existing and Missing Security Configurations for an Application

    After reviewing the threat exposure of an application, users want to determine what application security configurations are in place and what configurations are missing for that application. Users can obtain this information by drilling down into the application’s safety index summary.

    The safety index summary gives users information about the effectiveness of the following security configurations:

    • Application Firewall Configuration. Shows how many signature and security entities are not configured.

    • NetScaler ADM System Security. Shows how many system security settings are not configured.

    In the previous use case, users reviewed the threat exposure of Microsoft Outlook, which has a threat index value of 6. Now, users want to know what security configurations are in place for Outlook and what configurations can be added to improve its threat index.

    On the Security Insight dashboard, click Outlook, and then click the Safety Index tab. Review the information provided in the Safety Index Summary area.

    On the Application Firewall Configuration node, click Outlook_Profile and review the security check and signature violation information in the pie charts.

    Review the configuration status of each protection type in the application firewall summary table. To sort the table on a column, click the column header.

    Click the NetScaler ADM System Security node and review the system security settings and NetScaler recommendations to improve the application safety index.

    Identify Applications That Require Immediate Attention

    The applications that need immediate attention are those having a high threat index and a low safety index.

    In this example, both Microsoft Outlook and Microsoft Lync have a high threat index value of 6, but Lync has the lower of the two safety indexes. Therefore, users might have to focus their attention on Lync before improving the threat environment for Outlook.

    Determine the Number of Attacks in a Given Period of Time

    Users might want to determine how many attacks occurred on a given application at a given point in time, or they might want to study the attack rate for a specific time period.

    On the Security Insight page, click any application and in the Application Summary, click the number of violations. The Total Violations page displays the attacks in a graphical manner for one hour, one day, one week, and one month.

    The Application Summary table provides the details about the attacks. Some of them are as follows:

    • Attack time

    • IP address of the client from which the attack happened

    • Severity

    • Category of violation

    • URL from which the attack originated, and other details.

    image.jpg

    While users can always view the time of attack in an hourly report as seen in the image, now they can view the attack time range for aggregated reports even for daily or weekly reports. If users select “1 Day” from the time-period list, the Security Insight report displays all attacks that are aggregated and the attack time is displayed in a one-hour range. If users choose “1 Week” or “1 Month,” all attacks are aggregated and the attack time is displayed in a one-day range.

    Obtain Detailed Information about Security Breaches

    Users might want to view a list of the attacks on an application and gain insights into the type and severity of attacks, actions taken by the ADC instance, resources requested, and the source of the attacks.

    For example, users might want to determine how many attacks on Microsoft Lync were blocked, what resources were requested, and the IP addresses of the sources.

    On the Security Insight dashboard, click Lync > Total Violations. In the table, click the filter icon in the Action Taken column header, and then select Blocked.

    For information about the resources that were requested, review the URL column. For information about the sources of the attacks, review the Client IP column.

    View Log Expression Details

    NetScaler ADC instances use log expressions configured with the Application Firewall profile to take action for the attacks on an application in the user enterprise. In Security Insight, users can view the values returned for the log expressions used by the ADC instance. These values include the request header, request body, and so on. In addition to the log expression values, users can also view the log expression name and the comment for the log expression defined in the Application Firewall profile that the ADC instance used to take action for the attack.

    Prerequisites

    Ensure that users:

    • Configure log expressions in the Application Firewall profile. For more information, see Application Firewall.

    • Enable log expression-based Security Insights settings in NetScaler ADM. Do the following:

      • Navigate to Analytics > Settings, and click Enable Features for Analytics.

      • In the Enable Features for Analytics page, select Enable Security Insight under the Log Expression Based Security Insight Setting section and click OK.

    For example, users might want to view the values of the log expression returned by the ADC instance for the action it took for an attack on Microsoft Lync in the user enterprise.

    On the Security Insight dashboard, navigate to Lync > Total Violations. In the Application Summary table, click the URL to view the complete details of the violation in the Violation Information page including the log expression name, comment, and the values returned by the ADC instance for the action.

    Determine the Safety Index before Deploying the Configuration

    Security breaches occur after users deploy the security configuration on an ADC instance, but users might want to assess the effectiveness of the security configuration before they deploy it.

    For example, users might want to assess the safety index of the configuration for the SAP application on the ADC instance with IP address 10.102.60.27.

    On the Security Insight dashboard, under Devices, click the IP address of the ADC instance that users configured. Users can see that both the threat index and the total number of attacks are 0. The threat index is a direct reflection of the number and type of attacks on the application. Zero attacks indicate that the application is not under any threat.

    Click Sap > Safety Index > SAP_Profile and assess the safety index information that appears.

    In the application firewall summary, users can view the configuration status of different protection settings. If a setting is set to log or if a setting is not configured, the application is assigned a lower safety index.

    Security Violations

    View Application Security Violation Details

    Web applications that are exposed to the internet have become drastically more vulnerable to attacks. NetScaler ADM enables users to visualize actionable violation details to protect applications from attacks. Navigate to Security > Security Violations for a single-pane solution to:

    • Access the application security violations based on their categories such as Network, Bot, and WAF

    • Take corrective actions to secure the applications

    To view the security violations in NetScaler ADM, ensure:

    • Users have a premium license for the NetScaler ADC instance (for WAF and BOT violations).

    • Users have applied a license on the load balancing or content switching virtual servers (for WAF and BOT). For more information, see Manage Licensing on Virtual Servers.

    • Users enable more settings. For more information, see the procedure available at the Setting up section in the NetScaler product documentation: Setting up.

    Violation Categories

    NetScaler ADM enables users to view the following violations:

    | NETWORK | Bot | WAF |
    |---|---|---|
    | HTTP Slow Loris | Excessive Client Connections | Unusually High Upload Transactions |
    | DNS Slow Loris | Account Takeover** | Unusually High Download Transactions |
    | HTTP Slow Post | Unusually High Upload Volume | Excessive Unique IPs |
    | NXDomain Flood Attack | Unusually High Request Rate | Excessive Unique IPs Per Geo |
    | HTTP desync attack | Unusually High Download Volume | |
    | Bleichenbacher Attack | | |
    | Segment smack Attack | | |
    | Syn Flood Attack | | |

    ** - Users must configure the account takeover setting in NetScaler ADM. See the prerequisite mentioned in Account Takeover: Account Takeover.

    Apart from these violations, users can also view the following Security Insight and Bot Insight violations under the WAF and Bot categories respectively:

    | WAF | Bot |
    |---|---|
    | Buffer Overflow | Crawler |
    | Content type | Feed Fetcher |
    | Cookie Consistency | Link Checker |
    | CSRF Form Tagging | Marketing |
    | Deny URL | Scraper |
    | Form Field Consistency | Screenshot Creator |
    | Field Formats | Search Engine |
    | Maximum Uploads | Service Agent |
    | Referrer Header | Site Monitor |
    | Safe Commerce | Speed Tester |
    | Safe Object | Tool |
    | HTML SQL Inject | Uncategorized |
    | Start URL | Virus Scanner |
    | XSS | Vulnerability Scanner |
    | XML DoS | DeviceFP Wait Exceeded |
    | XML Format | Invalid DeviceFP |
    | XML WSI | Invalid Captcha Response |
    | XML SSL | Captcha Attempts Exceeded |
    | XML Attachment | Valid Captcha Response |
    | XML SOAP Fault | Captcha Client Muted |
    | XML Validation | Captcha Wait Time Exceeded |
    | Others | Request Size Limit Exceeded |
    | IP Reputation | Rate Limit Exceeded |
    | HTTP DOS | Block list (IP, subnet, policy expression) |
    | TCP Small Window | Allow list (IP, subnet, policy expression) |
    | Signature Violation | Zero Pixel Request |
    | File Upload Type | Source IP |
    | JSON XSS | Host |
    | JSON SQL | Geo Location |
    | JSON DOS | URL |
    | Command Injection | |
    | Infer Content Type XML | |
    | Cookie Hijack | |

    Continued in Part 3

