It is recommended that the deck is viewed alongside the accompanying webinar recording located here: https://www1.gotomeeting.com/register/325602920
Remember: you can contact the NetScaler Master Class Team by email at NetScalerMasterClass@Citrix.com
2012 Citrix
USA, Turkey, Russia, Denmark, Ireland, The Netherlands, Italy, France, Germany, United Kingdom
Security on NetScaler
NetScaler MasterClass, August 2012
ARP Response
[Diagram: Layer 3 / Layer 2]
DNS Security
ACLs
[Diagram: Client / Server]
DDoS Policy
[Diagram: Client, DOS Q, SQ, Server]
SSL Security
SSL Offloading [diagram: SSL on the client side, HTTP to the server]
SSL Bridge [diagram: SSL_BRIDGE virtual server, SSL passed through to the server]
http://www.verisign.com/ssl/ssl-information-center/express-renew-ssl-certificate/index.html
You must submit a minimum 2048-bit CSR to qualify for Express Renewal.
Man-in-the-middle attack on TLS renegotiation: prevented by cryptographically binding renegotiation handshakes to the enclosing TLS cryptographic parameters, as specified in RFC 5746 (Transport Layer Security (TLS) Renegotiation Indication Extension).
Responder
The Responder is the first module any incoming request hits on NetScaler. It can internally invoke Rate Limiting and Callout objects.
Example: a request for GET /secure/index.asp matches the expression HTTP.REQ.URL.CONTAINS("secure"); the responder action can then be Respondwith (200 OK), Redirect (302 Found), DROP or RESET.
DataStream - Responder
Allows NetScaler to respond to a MySQL or MS-SQL Request without any input from the back end servers.
Slowloris Attack
[Diagram: legitimate client vs. attack client; idle timeout reached]
The attack client sends a few bytes of header at a time, each before the client idle timeout expires, so the connection is kept open indefinitely.
SlowPost Attack
[Diagram: header, POST body, idle timeout reached; legitimate client vs. attack client]
The attack client sends the header completely but then sends the POST body a few bytes at a time, each before the client idle timeout expires, so the connection is kept open indefinitely.
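The common pattern behind both the Slowloris and SlowPost slides is a request that never completes while each read arrives just inside the idle timeout. The following detector is an added example, not from the Citrix deck or the NetScaler product: the Conn records, the SAMPLE connections and the thresholds (idle_timeout, min_rate, min_reads) are all constructed assumptions for this illustration.

```python
"""Added example, not from the Citrix deck: a small detector for the
Slowloris and SlowPost patterns described above, run over constructed
connection records. A real deployment would read these from the proxy's
connection table; the thresholds are assumptions for this example."""
from dataclasses import dataclass

@dataclass
class Conn:
    header_done: bool     # full header block has arrived
    body_expected: int    # declared Content-Length, 0 if none
    body_received: int
    reads: list           # (seconds since the connection opened, bytes) per read

def classify(conn, idle_timeout=180.0, min_rate=50.0, min_reads=5):
    """Return 'legit', 'slowloris' or 'slowpost' for one connection.

    Both attacks keep the request incomplete while feeding a few bytes
    just before each idle timeout, so the per-read idle timer never fires
    even though the request as a whole takes far longer than any real
    client would need. That combination is what we look for."""
    if not conn.reads:
        return "legit"
    age = conn.reads[-1][0]
    total = sum(n for _, n in conn.reads)
    rate = total / age if age > 0 else float("inf")   # bytes per second
    complete = conn.header_done and conn.body_received >= conn.body_expected
    if complete or age <= idle_timeout:
        return "legit"          # finished, or still within one idle period
    if len(conn.reads) >= min_reads and rate < min_rate:
        # headers never finished -> Slowloris; headers done, body trickling -> SlowPost
        return "slowpost" if conn.header_done else "slowloris"
    return "legit"

# Constructed samples: one ordinary browser request, one in-progress bulk
# upload, and one instance of each attack.
SAMPLE = {
    "browser": Conn(True, 0, 0, [(0.2, 420)]),
    "upload": Conn(True, 5_000_000, 2_000_000, [(0.0, 300), (1.0, 10**6), (2.0, 10**6)]),
    "slowloris": Conn(False, 0, 0, [(t, 8) for t in (0, 170, 340, 510, 680, 850)]),
    "slowpost": Conn(True, 100_000, 60, [(0, 300)] + [(t, 10) for t in (170, 340, 510, 680, 850, 1020)]),
}

def verdicts(conns=SAMPLE):
    """Map each connection name to its classification."""
    return {name: classify(c) for name, c in conns.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:10s} {verdict}")
```

The in-progress upload stays "legit" because a large, fast transfer is distinguished from a trickle by byte rate and by age relative to the idle timeout, not by incompleteness alone.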
Authentication
Authorisation
Two key elements: WHO has access to WHAT. Two outcomes: Allow and Deny. Who = the authenticated user. Authorisation policies MUST be bound to users or groups.
Accounting
Records who, when and from where. Log entries are sent to a SYSLOG server (open standard format): NetScaler's own syslog server, a syslog server outside the appliance, or Command Center. There is also the NSLOG format, which is NetScaler proprietary.
Sample log entries (truncated in the extraction):
10.90.41.25 [30/Apr/2012:13:07:16 +0200] "GET /views HTTP/1.1" 304 - "-" "Mozilla/4.0 (Windows 7 6.1) Java/1
10.90.41.25 [30/Apr/2012:13:07:17 +0200] "GET /views
10.90.41.25 [30/Apr/2012:13:07:17 +0200] "GET /nsip? HTTP/1.1" 200 103 "http://10.90.196.150/menu/neo" "M AppleWebKit/535.19 (KHTML, like Gecko)
1.1" 200 105 "http://10.90.196.150/menu/neo" "Mozilla/ AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0
Problem: 86% of the attacks are attacks on the applications, and there is no protection for the apps.
Solution: WAF protection. 4th generation Web App Firewall; fastest App Firewall (12 Gbps); best price-performance; first to implement learning (Teros); first to implement positive security; fine-grained and policy driven.
Logical Deployment
[Diagram: Internet and untrusted network, Network Firewall, Network Firewall, Application Infrastructure in the trusted network]
Easy deployment and quick PoC. Checks request headers (URL, cookies, etc.) and body (form fields). Integrates with scanning tools. A wizard eases configuration.
Signatures
Signature Maintenance/Updates
Based on SNORT. Partnership with Sourcefire to provide signatures. Can be updated without changing the build. Open format for signature files. Signature versioning. Automatic identification of new signatures.
[Diagram: protected website vs. vulnerable websites]
Cross-Site Scripting: inserting a malicious script that compromises the trust relationship between a user and a Web application, resulting in confidential information being sent to an attacker, who can use it to steal that user's identity.
SQL Injection Attacks: sending SQL commands to a Web application that, when passed to the database, execute and allow an attacker to gain access to or change customer and sensitive information.
Cookie consistency: the Application Firewall verifies that cookies have not been modified by the client.
Form field consistency: for each user session the AppFw ensures that:
1. Each field is returned
2. No fields were added by the client
3. Read-only and hidden fields are unaltered
4. Data in drop-down list or radio button fields conforms to the offered options
5. The maximum length of form fields is adhered to
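The five checks above, modelled as an added, stand-alone example that is not code from the deck or from the NetScaler AppFw implementation. The served form (SERVED), the clean and tampered submissions, and the field() helper are constructed assumptions for this illustration.

```python
"""Added example, not code from the deck or from NetScaler AppFw: a
stand-alone model of the five form field consistency checks listed above.
SERVED is what the application sent to the browser in this session and the
two submissions are what came back; all three are constructed here."""

def check_form(served, submitted):
    """Return the list of violations, empty when the post is consistent.

    served:    {field: {"value": str, "readonly": bool,
                        "options": list or None, "maxlength": int or None}}
    submitted: {field: str}"""
    violations = []
    for name, spec in served.items():
        if name not in submitted:                         # 1. each field is returned
            violations.append(f"missing: {name}")
            continue
        value = submitted[name]
        if spec["readonly"] and value != spec["value"]:   # 3. read-only / hidden unaltered
            violations.append(f"read-only altered: {name}")
        if spec["options"] is not None and value not in spec["options"]:
            violations.append(f"not an offered option: {name}")   # 4. select / radio conforms
        if spec["maxlength"] is not None and len(value) > spec["maxlength"]:
            violations.append(f"too long: {name}")        # 5. max length adhered to
    for name in submitted:
        if name not in served:                            # 2. no fields added by client
            violations.append(f"added by client: {name}")
    return violations

def field(value="", readonly=False, options=None, maxlength=None):
    """Describe one field as it was rendered in the served form."""
    return {"value": value, "readonly": readonly, "options": options, "maxlength": maxlength}

# Constructed order form as served: a free-text name, a hidden price the
# server filled in, a shipping selector, a short quantity box and a comment.
SERVED = {
    "name":     field(maxlength=40),
    "price":    field(value="19.99", readonly=True),
    "shipping": field(value="standard", options=["standard", "express"]),
    "qty":      field(value="1", maxlength=3),
    "comment":  field(maxlength=200),
}
CLEAN = {"name": "Alice", "price": "19.99", "shipping": "express", "qty": "2", "comment": ""}
# Tampered post: price rewritten, an unoffered shipping value, an oversized
# quantity, the comment field dropped, and a field the form never had.
TAMPERED = {"name": "Alice", "price": "0.01", "shipping": "free", "qty": "1000", "is_admin": "1"}

if __name__ == "__main__":
    print(check_form(SERVED, CLEAN))      # []
    print(check_form(SERVED, TAMPERED))
```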
CSRF
Denial of Service
Financial theft prevention: credit card numbers.
Configurable protections: customer-defined data objects.
Check types are grouped into categories (e.g. HTML); Block, Log and Statistics can be enabled for each check.
Auditing
Reporting
Dashboard of top AppFirewall information for a quick security summary. Ability to create custom reports for specific violations, client IPs, profiles, etc.
Analyze the Application Firewall configuration against PCI DSS requirements; executive summary of the Application Firewall configuration.
Demo - Prevent Web Application Attacks with Citrix NetScaler Application Firewall
AppFw and Cenzic Integration: http://support.citrix.com/article/CTX133285
AppFw and Qualys Integration: http://support.citrix.com/article/CTX133269
Improves the security of Citrix NetScaler: integration with leading technology vendors improves time to protect.
Reduces Web App Firewall Proof of Concept (PoC) and time-to-deployment. SIEM integration improves compliance, reporting, and monitoring in the enterprise.
[Diagram of the security partner ecosystem on access and threat axes: VA / Scanning, Anti Virus, Certificate Mgmt, Secure Browsing, Penetration Testing, App Visibility, Identity Mgmt, Intrusion Detection]
Web vulnerability scan results from Cenzic are imported into the NetScaler Application Firewall.
Quick protection against application vulnerabilities identified by Cenzic Hailstorm. No additional configuration or learning is required.
9. Transfer certificate and private key
10. Associate certificate with virtual server
Single Sign On
Solution Components
Citrix NetScaler front-ending web applications and sites; Sourcefire 3D Sensor; Sourcefire Defense Center.
Click and choose which application rules to apply, choose whether to block or log, then deploy.
NetScaler VPX deployment as forward proxy load balancing outbound user traffic across multiple InterScan Web Security appliances.
NetScaler deployed as reverse proxy switching inbound file uploads across multiple Trend Micro InterScan Web appliances.
ArcSight ESM integration available. ArcSight and RSA are in the Citrix Ready program.
Collateral at Citrix Cloud Solution Compliance Partners.
AAA revisited
http://blogs.citrix.com/2012/07/30/aaa-what-it-means-to-you/
Competition
Impressive and relevant book on application security.
If you haven't thought about security yet, this is the book for you.
A great book for those new to web security.