Citrix Application Delivery Management service

Security Insight

Web and web service applications that are exposed to the Internet have become increasingly vulnerable to attacks. To protect applications from attack, you need visibility into the nature and extent of past, present, and impending threats, real-time actionable data on attacks, and recommendations on countermeasures. Security Insight provides a single-pane solution to help you assess your application security status and take corrective actions to secure your applications.

Note

Security Insight is supported on Citrix Application Delivery Management (ADM) with all ADC appliances running on version 11.0 Build 65.31 and later.

How Security insight works

Security Insight is an intuitive dashboard-based security analytics solution that gives you full visibility into the threat environment associated with your applications. Security insight is included in Citrix ADM, and it periodically generates reports based on your Application Firewall and ADC system security configurations. The reports include the following information for each application:

  • Threat index. A single-digit rating system that indicates the criticality of attacks on the application, regardless of whether the application is protected by an ADC appliance. The more critical the attacks on an application, the higher the threat index for that application. Values range from 1 through 7.

    The threat index is based on attack information. The attack-related information, such as violation type, attack category, location, and client details, gives you insight into the attacks on the application. Violation information is sent to Citrix ADM only when a violation or attack occurs. Many breaches and vulnerabilities lead to a high threat index value.

  • Safety index. A single-digit rating system that indicates how securely you have configured the ADC instances to protect applications from external threats and vulnerabilities. The lower the security risks for an application, the higher the safety index. Values range from 1 through 7.

    The safety index considers both the application firewall configuration and the ADC system security configuration. For a high safety index value, both configurations must be strong. For example, if rigorous application firewall checks are in place but ADC system security measures, such as a strong password for the nsroot user, have not been adopted, applications are assigned a low safety index value.

  • Actionable information. The information that you need for lowering the threat index and increasing the safety index, which significantly improves application security. For example, you can review information about violations, existing and missing security configurations for application firewall and other security features, the rate at which the applications are being attacked.

Configure security insight

Note

Security Insight is supported on ADC instances with Premium license or ADC Advanced with AppFirewall license only.

To configure security insight on an ADC instance, first configure an application firewall profile and an application firewall policy, and then bind the application firewall policy globally.

Then, enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally. When you configure the collector, you must specify the IP address of the Citrix ADM service agent on which you want to monitor the reports.

Configure security insight on an ADC instance

  1. Run the following commands to configure an application firewall profile and policy, and bind the application firewall policy globally or to the load balancing virtual server.

     **add appfw profile** \<name\> \[**-defaults** ( basic or advanced )\]
    
     **set appfw profile** \<name\> \[**-startURLAction** \<startURLAction\> ...\]
    
     **add appfw policy** \<name\> \<rule\> \<profileName\>
    
     **bind appfw global** \<policyName\> \<priority\>
    
     or,
    
     **bind lb vserver** \<lb vserver\> **-policyName** \<policy\> **-priority** \<priority\>
    

    Sample:

    ```
    add appfw profile pr_appfw -defaults advanced
    set  appfw profile pr_appfw -startURLaction log stats learn
    add appfw policy pr_appfw_pol "HTTP.REQ.HEADER(\"Host\").EXISTS" pr_appfw
    bind appfw global pr_appfw_pol 1
    or,
    bind lb vserver outlook –policyName pr_appfw_pol –priority "20"
    ```
    
  2. Run the following commands to enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally or to the load balancing virtual server:

     **add appflow collector** \<name\> **-IPAddress** \<ipaddress\>
    
    **set appflow param** \[**-SecurityInsightRecordInterval** \<secs\>\] \[**-SecurityInsightTraffic** ( ENABLED or DISABLED )\]
    
     **add appflow action** \<name\> **-collectors** \<string\>
    
     **add appflow policy** \<name\> \<rule\> \<action\>
    
    **bind appflow global** \<policyName\> \<priority\> \[\<gotoPriorityExpression\>\] \[**-type** \<type\>\]
    
     or,
    
     **bind lb vserver** \<vserver\> **-policyName** \<policy\> **-priority** \<priority\>
    

    Sample:

    ```
    add appflow collector col -IPAddress 10.102.63.85
    set appflow param  -SecurityInsightRecordInterval 600 -SecurityInsightTraffic ENABLED
    add appflow action act1 -collectors col
    add appflow action af_action_Sap_10.102.63.85 -collectors col
    add appflow policy pol1 true act1
    add appflow policy af_policy_Sap_10.102.63.85 true af_action_Sap_10.102.63.85
    bind appflow global pol1 1 END -type REQ_DEFAULT
    or,
    bind lb vserver Sap –policyName af_action_Sap_10.102.63.85 –priority "20"
    ```
    

Enable security insight from Citrix ADM

  1. Navigate to Networks > Instances > Citrix ADC and select the instance type. For example, VPX.

  2. Select the instance and from the Select Action list, select Configure Analytics.

  3. On the Configure Analytics on virtual server window:

    1. Select the virtual servers that you want to enable security insight and click Enable Analytics.

      The Enable Analytics window is displayed.

    2. Select WAF Security Violations

    3. Under Advanced Options, select Logstream or IPFIX as Transport Mode

      Note

      For Citrix ADC 12.0 or earlier, IPFIX is the default option for Transport Mode. For Citrix ADC 12.0 or later, you can either select Logstream or IPFIX as Transport Mode.

      For more information about IPFIX and Logstream, see Logstream overview.

    4. The Expression is true by default

    5. Click OK

      Enable

      Note

      • If you select virtual servers that are not licensed, then Citrix ADM first licenses those virtual servers and then enables analytics

      • For admin partitions, only Web Insight is supported

After you click OK, Citrix ADM processes to enable analytics on the selected virtual servers.

Enable analytics

Note

When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. Citrix ADM analytics now supports virtual IP address based authorization. Your users can now see reports for all Insights for only the applications (virtual servers) that they are authorized to. For more information on groups and assigning users to the group, see Configuring Groups on Citrix ADM.

Configure geo locations for security insight reports

If you configure geo locations in Citrix ADM, Security Insight reports include the exact geographic locations from which client requests originate. To enable geo locations, specify a private IP block or range of IP addresses for every geographic location in your organization. Add that information in the Geo Database file, along with the city/state/country name and the latitude and longitude coordinates of each location. Contact your Citrix representative to obtain the Geo Database file, and then upload the file to the ADC instance.

To configure geo locations:

  1. Copy the Geo Database file, Citrix_Netscaler_InBuilt_GeoIP_DB.csv, to any location on the ADC appliance.

  2. Open the Geo Database file with a text editor, such as vi editor, and add an entry for every location in your organization.

    The entry must be in the following format:

    <start IP\>,<end IP\>,,<country\>,<state\>,,<city\>,,longitude,latitude

    For example,

    4.17.142.224,4.17.142.239,,US,New York,,Harrison,,73.7304,41.0568

  3. Run the following commands to enable geo-location logging and logging in the CEF format:

    • add locationFile <Complete path with DB file>
    • set appfw settings -geoLocationLogging ON
    • set appfw settings -CEFLogging ON

IP reputation

You can use NetScaler Insight Center to monitor and manage your incoming traffic’s IP Reputation. You can configure policies to add more IPs as malicious, and create a customized block list.

To learn about configuring and using IP Reputation, see IP Reputation.

Monitor IP reputation

The IP Reputation feature provides attack-related information about malicious IP addresses. For example, it reports IP Reputation Score, IP Reputation category, IP Reputation attack time, Device IP, and details about the Client IP address.

IP Reputation score indicates the risk associated with an IP address. The score has the following ranges:

IP Reputation score Level of Risk
1–20 High Risk
21–40 Suspicious
41–60 Moderate Risk
61–80 Low Risk
81–100 Trustworthy

To monitor IP Reputation:

  1. Navigate to Analytics > Security > Security Violations, and under WAF, select the application you want to monitor.

  2. The Threat Index and Safety Index scores are displayed. Click View Details.

  3. Under Application Firewall Configuration, you can view the IP reputation safety index score.

Thresholds

You can set and view thresholds on safety index and threat index of applications in Security Insight.

To set a threshold:

  1. Navigate to System > Analytics Settings > Thresholds, and select Add.

  2. Select the traffic type as Security in the Traffic Type field, and enter required information in the other appropriate fields such as Name, Duration, and entity.

  3. In the Rule section, use the Metric, Comparator, and Value fields to set a threshold.

    For example, “Threat Index” “>” “5”

  4. Click Create.

Security insight use cases

The following use cases describe how you can use security insight to assess the threat exposure of applications and improve security measures.

Obtain an overview of the threat environment

In this use case, you have a set of applications that are exposed to attacks, and you have configured Citrix ADM to monitor the threat environment. You must review the threat index, safety index, and the type and severity of any attacks that the applications might have experienced to focus first on the critical applications. The security insight dashboard provides a summary of the threats experienced by your applications over a time period of your choosing, and for a selected ADC device. It displays the list of applications, their threat and safety indexes, and the total number of attacks for the chosen time period.

To obtain a summary of the threat environment, log on to Citrix ADM, and then navigate to Analytics > Security > Security Violation and under WAF, the top five applications are displayed based on the total violations affected. To view all applications, you can click View All.

WAF applications

Determine the existing and missing security configuration for an application

After reviewing the threat exposure of an application, you want to determine what application security configurations are in place and what configurations are missing for that application. You can obtain this information by drilling down into the application summary.

The summary gives you information about the effectiveness of the following security configurations:

  • Application Firewall Configuration. Shows how many signature and security entities are not configured.
  • Citrix ADM System Security. Shows how many system security settings are not configured.

    Security configuration

On the Application Firewall Configuration node, review the security check and security violation information.

Application firewall configuration

Click the Citrix ADM System Security node and review the system security settings and Citrix recommendations to improve the application safety index.

Identify applications that require immediate attention

The applications that need immediate attention are the applications having a high threat index and a low safety index.

Determine the number of attacks in a given time

You might want to determine how many attacks occurred on a given application at a given point in time, or you might want to study the attack rate for a specific time period.

Under WAF, click any application to view the total WAF violations detected for the selected duration.

Select duration

Click Logs to view details for attacks based on severity and action taken. The logs page provides the following details:

  • Attack time

  • IP address of the client from which the attack happened

  • Severity

  • Category of violation

  • URL from which the attack originated, and other details.

Security Insight