WAF and Websockets

[Felipe Ruiz1709162764]

So, I have set up a gateway vserver for integration with citrix MDM (XenMobile) and it is being protected by WAF policies.

Mobile device's users utilize SecureHub to access internal and external websites. There's a website failing because it uses websockets.

 

I know that I can enable Websockets on an HTTP profile and bind it to the gateway vserver, however I am worried about the security implications of doing so due to the note in the GUI saying: "If enabled, once a connection is upgraded to wss, Citrix ADC does not process layer 7 traffic on that connection". So my concern is: does that mean that WAF policies won't be enforced? Will all the traffic bypass the waf?

Is there any WAF featuree desinged specifically for webosockets security?

[Johannes Norz]

I don't know you application. Usually, there is nothing like 5 packets HTTP, 3 packets WebSockets, 3 packets HTTP, 10 packets WebSockets, ... Instead, applications work with HTTP, but, at a certain point, switch to WebSockets.

 

No matter, how your application works: If you allow WebSockets, it will check all HTTP traffic, but let WebSocket traffic pass through without inspecting, as it's not HTTP. No WAF, no matter, which vendor, will inspect WebSockets, simply, as it's not HTTP and does not follow HTTP standards. It's binary data. The only thing, a WAF can do, is check, if it is websockets, as a client has to request WebSockets by using certain headers:

Upgrade: websocket

Connection: Upgrade

Sec-WebSocket-Key: asdgsdfgsfdfdhdfghj==

Origin: https://abc.de

Sec-WebSocket-Protocol: chat, superchat

Sec-WebSocket-Version: ..

 

The server will reply with something like that:

HTTP/2.0 101 Switching Protocols

Upgrade: websocket

Connection: Upgrade

Sec-WebSocket-Accept: HzslP6dgtkur+xOo=

Sec-WebSocket-Protocol: superchat

 

You see, the client has to request, the server has to agree. It's WebSocket if these 2 packets are seen. That's what the WAF will check for. If they miss (because it's a tampered stream) the WAF will drop packets. I would not consider this to be big risk. Plus, if subsequent packages contain HTML, they will be treated as HTML.

 

Cheers

 

Johannes Norz

CTA, CCE-AppDS, CCI

https://norz.at

 

 

[CarlStalhood]

WebSockets opens a generic TCP connection that does not conform or require HTTP traffic, thus it's not possible to inspect it. 

[Felipe Ruiz1709162764]

Thanks Carl, I understand that. But what if the users sends a mix of http and wss in the same connection, will waf still work for the http packets or will any packet from that connection (both http and wss) be bypassed?

[CarlStalhood]

I don't think the connection contains both types of protocols. If HTTP is transmitted over the WebSockets TCP connection, then ADC is probably not looking for it.

 

https://sookocheff.com/post/networking/how-do-websockets-work/

[Felipe Ruiz1709162764]

The use case is: user's have mobile devices controlled by XenMobile and the connections are established via a Citrix Gateway vserver. From this devices, using SecureHub they access several websites, some internal and some external, but only one of those websites uses websockets. So from the gateway point of view, a single user connection may tunnel http and wss requests at the same time.