Web and web service applications that are exposed to the Internet have become increasingly vulnerable to attacks. To protect applications from attack, you need visibility into the nature and extent of past, present, and impending threats, real-time actionable data on attacks, and recommendations on countermeasures. Security Insight provides a single-pane solution to help you assess your application security status and take corrective actions to secure your applications.
Security Insight is supported on Citrix Application Delivery Management (ADM) with Citrix ADC appliances running on version 11.0 Build 65.31 and later.
How Security Insight works
Security Insight is an intuitive dashboard-based security analytics solution that gives you full visibility into the threat environment associated with your applications. Security Insight is included in Citrix ADM, and it periodically generates reports based on your Application Firewall and Citrix ADC system security configurations. The reports include the following information for each application:
Threat index. A single-digit rating system that indicates the criticality of attacks on the application, regardless of whether the application is protected by a Citrix ADC appliance. The more critical the attacks on an application, the higher the threat index for that application. Values range from 1 through 7.
The threat index is based on attack information. The attack-related information, such as violation type, attack category, location, and client details, gives you insight into the attacks on the application. Violation information is sent to Citrix ADM only when a violation or attack occurs. Many breaches and vulnerabilities lead to a high threat index value.
Safety index. A single-digit rating system that indicates how securely you have configured the Citrix ADC instances to protect applications from external threats and vulnerabilities. The lower the security risks for an application, the higher the safety index. Values range from 1 through 7.
The safety index considers both the application firewall configuration and the Citrix ADC system security configuration. For a high safety index value, both configurations must be strong. For example, if rigorous application firewall checks are in place but Citrix ADC system security measures, such as a strong password for the nsroot user, have not been adopted, applications are assigned a low safety index value.
Actionable Information. The information that you need for lowering the threat index and increasing the safety index, which significantly improves application security. For example, you can review information about violations, existing and missing security configurations for application firewall and other security features, the rate at which the applications are being attacked, and so on.
Configure Security Insight
Citrix ADM supports Security Insight from all Citrix ADC instances that have application firewall configured on them.
To configure Security Insight on an ADC instance, first configure an application firewall profile and an application firewall policy. Although you can then bind the application firewall policy globally, Citrix recommends that you bind the policy to the virtual server.
To view the analytics on Citrix ADM, enable the AppFlow feature on the instance, configure an AppFlow collector, action, and policy, and bind the policy globally. Here too, although you can bind the application firewall policy globally, Citrix recommends that you bind the policy to the virtual server. Citrix also recommends that you use Citrix ADM to deploy AppFlow configurations on the ADC instances. When you configure the collector, you must specify the IP address of the Citrix ADM server on which you want to monitor the reports.
To configure security insight on a Citrix ADC instance:
Run the following commands to configure an application firewall profile and policy, and bind the application firewall policy globally or to the load balancing virtual server.
add appfw profile <name> [-defaults ( basic | advanced )]
set appfw profile <name> [-startURLAction <startURLAction> …]
add appfw policy <name> <rule> <profileName>
bind appfw global <policyName> <priority>
bind lb vserver <lb vserver> -policyName <policy> -priority <priority>
Example:
add appfw profile pr_appfw -defaults advanced
set appfw profile pr_appfw -startURLaction log stats learn
add appfw policy pr_appfw_pol "HTTP.REQ.HEADER(\"Host\").EXISTS" pr_appfw
bind appfw global pr_appfw_pol 1
or,
bind lb vserver outlook -policyName pr_appfw_pol -priority 20
Run the following commands to enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally or to the load balancing virtual server:
add appflow collector <name> -IPAddress <ipaddress>
set appflow param [-SecurityInsightRecordInterval <secs>] [-SecurityInsightTraffic ( ENABLED | DISABLED )]
add appflow action <name> -collectors <string>
add appflow policy <name> <rule> <action>
bind appflow global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>]
bind lb vserver <vserver> -policyName <policy> -priority <priority>
Example:
add appflow collector col -IPAddress 10.102.63.85
set appflow param -SecurityInsightRecordInterval 600 -SecurityInsightTraffic ENABLED
add appflow action act1 -collectors col
add appflow action af_action_Sap_10.102.63.85 -collectors col
add appflow policy pol1 true act1
add appflow policy af_policy_Sap_10.102.63.85 true af_action_Sap_10.102.63.85
bind appflow global pol1 1 END -type REQ_DEFAULT
or,
bind lb vserver Sap -policyName af_policy_Sap_10.102.63.85 -priority 20
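One way to sanity-check a set of these commands before applying them, as an added example that is not Citrix code: the script parses only the command forms shown in this procedure and reports references to undefined entities, a bound name that is not a policy, and a missing SecurityInsightTraffic setting. The function names and the sample configuration are constructed for illustration, and one collector per AppFlow action is assumed.

```python
import shlex

# Constructed sample; the last bind deliberately names an action, not a policy.
SAMPLE_CONFIG = r'''
add appfw profile pr_appfw -defaults advanced
add appfw policy pr_appfw_pol "HTTP.REQ.HEADER(\"Host\").EXISTS" pr_appfw
bind lb vserver outlook -policyName pr_appfw_pol -priority 20
add appflow collector col -IPAddress 10.102.63.85
set appflow param -SecurityInsightRecordInterval 600 -SecurityInsightTraffic ENABLED
add appflow action act1 -collectors col
add appflow policy pol1 true act1
bind lb vserver Sap -policyName act1 -priority 20
'''

def option(tokens, name):
    """Return the value that follows -<name> (case-insensitive), or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-" + name.lower():
            return tokens[i + 1]

def audit(config_text):
    """Return findings about missing Security Insight prerequisites."""
    profiles, collectors, binds, si_traffic = set(), set(), [], False
    fw_pol, flow_act, flow_pol = {}, {}, {}
    for line in config_text.splitlines():
        t = shlex.split(line)
        head = " ".join(t[:3]).lower()
        if head == "add appfw profile" and len(t) > 3:
            profiles.add(t[3])
        elif head == "add appfw policy" and len(t) > 5:
            fw_pol[t[3]] = t[5]                       # policy -> profile
        elif head == "add appflow collector" and len(t) > 3:
            collectors.add(t[3])
        elif head == "add appflow action" and len(t) > 3:
            flow_act[t[3]] = option(t, "collectors")  # single collector assumed
        elif head == "add appflow policy" and len(t) > 5:
            flow_pol[t[3]] = t[5]                     # policy -> action
        elif head == "set appflow param" and option(t, "SecurityInsightTraffic"):
            si_traffic = option(t, "SecurityInsightTraffic").upper() == "ENABLED"
        elif head in ("bind appfw global", "bind appflow global") and len(t) > 3:
            binds.append((t[1].lower(), t[3], "global"))
        elif head == "bind lb vserver" and option(t, "policyName"):
            binds.append(("any", option(t, "policyName"), t[3]))
    findings = []
    refs = [("appfw policy", fw_pol, "profile", profiles),
            ("appflow action", flow_act, "collector", collectors),
            ("appflow policy", flow_pol, "action", flow_act)]
    for kind, table, target, known in refs:
        for name, ref in table.items():
            if ref not in known:
                findings.append(f"{kind} {name}: {target} {ref} is not defined")
    bound = set()
    for kind, pol, where in binds:
        hits = {k for k, d in (("appfw", fw_pol), ("appflow", flow_pol))
                if kind in (k, "any") and pol in d}
        bound |= hits
        if not hits:
            findings.append(f"bind on {where}: {pol} is not a defined policy")
    for kind in ("appfw", "appflow"):
        if kind not in bound:
            findings.append(f"no {kind} policy is bound")
    if not si_traffic:
        findings.append("SecurityInsightTraffic is not ENABLED")
    return findings
```

Calling audit(SAMPLE_CONFIG) flags the bind on Sap and, as a consequence, the absence of any bound AppFlow policy, which is the condition under which no Security Insight records reach the collector.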
To enable Security Insight from Citrix ADM:
If your Citrix ADM is 13.0 Build 41.x:
Navigate to Networks > Instances > Citrix ADC, and select the instance type. For example, VPX.
Select the instance and from Select Action list, click Configure Analytics.
On the Configure Analytics on Virtual Server(s) page, select the virtual server and click Enable Analytics.
On the Enable Analytics window:
Select Security Insight
Select Logstream as Transport Mode
For Citrix ADC 12.0 or earlier, IPFIX is the default option for Transport Mode. For Citrix ADC 12.0 or later, you can select either Logstream or IPFIX as Transport Mode.
For more information about IPFIX and Logstream, see Logstream overview.
The Expression is true by default
If you select virtual servers that are not licensed, then Citrix ADM first licenses those virtual servers and then enables analytics
For admin partitions, only Web Insight is supported
For virtual servers such as Cache Redirection, Authentication, and GSLB, you cannot enable analytics. An error message is displayed.
After you click OK, Citrix ADM processes the request to enable analytics on the selected virtual servers.
If your Citrix ADM is 13.0 Build 36.27:
Navigate to Networks > Instances, and select the Citrix ADC instance on which you want to enable AppFlow.
From the Select Action list, select Configure Analytics.
Select the virtual servers, and click Enable AppFlow.
In the Enable AppFlow field, type true, and select Security Insight.
When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. Citrix ADM analytics now supports virtual IP address based authorization. Your users can now see reports for all Insights for only the applications (virtual servers) that they are authorized to access. For more information on groups and assigning users to the group, see Configure Groups.
View geo locations for Security Insight reports
Security Insight reports include the exact geographic locations from which client requests originate. You can view the geographic locations in Citrix ADM. The geo database file that is inbuilt in Citrix ADC contains most of the public IP addresses. The file is available at the location /var/netscaler/inbuilt_db in Citrix ADC.
To enable geo locations:
Run the following commands to enable geo-location logging and logging in the CEF format:
add locationFile <Complete path with the DB filename>
set appfw settings -geoLocationLogging ON
set appfw settings -CEFLogging ON
If any IP address is not available in the geo database file, you can add the IP address for the geographic location. Along with the IP address, you can also add city/state/country name and the latitude and longitude coordinates of each location.
Open the geo database file with a text editor, such as vi editor, and add an entry for every location.
The entry must be in the following format:
<start IP>,<end IP>,,<country>,<state>,,<city>,,longitude,latitude
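A check for hand-edited entries in the format above, as an added example that is not part of the Citrix documentation: it verifies the field count, the IP range order, the longitude-before-latitude ordering through range limits, and overlaps with earlier entries. The function names and sample entries are constructed; the script assumes that the positions shown empty in the format stay empty and that coordinates are optional.

```python
import ipaddress

# Constructed sample entries (documentation address ranges, made-up place names).
SAMPLE_ENTRIES = """\
192.0.2.0,192.0.2.255,,ExampleCountry,ExampleState,,ExampleCity,,77.59,12.97
198.51.100.0,198.51.100.255,ExampleCountry,ExampleState,ExampleCity,-122.4,37.8
203.0.113.200,203.0.113.10,,ExampleCountry,,,,,10.0,50.0
198.51.100.0,198.51.100.9,,ExampleCountry,,,,,12.97,177.59
192.0.2.128,192.0.2.200,,ExampleCountry,,,,,77.59,12.97
"""


def parse_entry(line):
    """Parse one entry; return (start, end, fields) or raise ValueError."""
    f = [x.strip() for x in line.split(",")]
    if len(f) != 10:
        raise ValueError(f"expected 10 comma-separated fields, found {len(f)}")
    if any(f[i] for i in (2, 5, 7)):
        # Assumption taken from the format line: these positions stay empty.
        raise ValueError("fields 3, 6 and 8 are empty in the documented format")
    start, end = ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1])
    if start.version != end.version or start > end:
        raise ValueError("start and end IP must be the same version, start <= end")
    # Longitude comes before latitude; swapped values often exceed the latitude limit.
    for name, value, limit in (("longitude", f[8], 180), ("latitude", f[9], 90)):
        if value and not -limit <= float(value) <= limit:
            raise ValueError(f"{name} {value} is outside +/-{limit}")
    return start, end, f


def check_file(text):
    """Return (valid_ranges, problems); problems are (line_number, message)."""
    ok, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            start, end, _ = parse_entry(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        for prev_n, p_start, p_end in ok:
            if p_start.version == start.version and start <= p_end and p_start <= end:
                problems.append((n, f"range overlaps line {prev_n}"))
        ok.append((n, start, end))
    return ok, problems


if __name__ == "__main__":
    for line_no, message in check_file(SAMPLE_ENTRIES)[1]:
        print(f"line {line_no}: {message}")
```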
You can use NetScaler Insight Center to monitor and manage your incoming traffic’s IP Reputation. You can configure policies to add more IPs as malicious, and create a customized block list.
To know about configuring and using IP Reputation, see IP Reputation.
Monitor IP reputation
The IP Reputation feature provides attack-related information about malicious IP addresses. For example, it reports IP Reputation Score, IP Reputation category, IP Reputation attack time, Device IP, and details about the Client IP address.
The IP Reputation score indicates the risk associated with an IP address. The score has the following ranges:
|IP Reputation score||Level of Risk|
To monitor IP Reputation:
Navigate to Analytics > Security Insight, and select the application you want to monitor.
In the Threat Index tab, select IP Reputation.
Select a severity to display more details of the attacks that were at that level. You can click the bar graph or the table under the graph.
Select the time period for which you want to view the details. You can use the time slider to further customize the selected period. Then, click Go.
To customize the display, click the settings button.
You can set and view thresholds on safety index and threat index of applications in Security Insight.
To set a threshold:
Navigate to Analytics > Settings > Thresholds, and select Add.
Select the traffic type as Security in the Traffic Type field, and enter required information in the other appropriate fields such as Name, Duration, and entity.
In the Configure Rule section, use the Metric, Comparator, and Value fields to set a threshold.
For example, “Threat Index” “>” “5”
In the Notification Settings, select the notification type.
To view the threshold breaches:
Navigate to Analytics > Security Insight > Devices, and select the Citrix ADC instance.
In the Application section, you can view the number of threshold breaches that occurred for each virtual server in the Threshold Breach column.
Security Insight use cases
The following use cases describe how you can use security insight to assess the threat exposure of applications and improve security measures.
Obtain an overview of the threat environment
In this use case, you have a set of applications that are exposed to attacks, and you have configured Citrix ADM to monitor the threat environment. You need to frequently review the threat index, safety index, and the type and severity of any attacks that the applications might have experienced, so that you can focus first on the applications that need the most attention. The security insight dashboard provides a summary of the threats experienced by your applications over a time period of your choosing, and for a selected Citrix ADC device. It displays the list of applications, their threat and safety indexes, and the total number of attacks for the chosen time period.
For example, you might be monitoring Microsoft Outlook, Microsoft Lync, SharePoint, and an SAP application, and you might want to review a summary of the threat environment for these applications.
To obtain a summary of the threat environment, log on to Citrix ADM, and then navigate to Analytics > Security Insight.
Key information is displayed for each application. The default time period is 1 hour.
To view information for a different time period, from the list at the top-left, select a time period.
To view a summary for a different Citrix ADC instance, under Devices, click the IP address of the Citrix ADC instance. To sort the application list by a given column, click the column header.
Determine the threat exposure of an application
After you identify the applications that have a high threat index and a low safety index on the Security Insight dashboard, you want to determine their threat exposure before deciding to secure them. That is, you want to determine the type and severity of the attacks that have degraded their index values. You can determine the threat exposure of an application by reviewing the application summary.
In this example, Microsoft Outlook has a threat index value of 6, and you want to know what factors are contributing to this high threat index.
To determine the threat exposure of Microsoft Outlook, on the Security Insight dashboard, click Outlook. The application summary includes a map that identifies the geographic location of the server.
Click Threat Index > Security Check Violations and review the violation information that appears.
Click Signature Violations and review the violation information that appears.
Determine existing and missing security configuration for an application
After reviewing the threat exposure of an application, you want to determine what application security configurations are in place and what configurations are missing for that application. You can obtain this information by drilling down into the application’s safety index summary.
The safety index summary gives you information about the effectiveness of the following security configurations:
- Application Firewall Configuration. Shows how many signature and security entities are not configured.
- NetScaler System Security. Shows how many system security settings are not configured.
In the previous use case, you reviewed the threat exposure of Microsoft Outlook, which has a threat index value of 6. Now, you want to know what security configurations are in place for Outlook and what configurations can be added to improve its threat index.
On the Security Insight dashboard, click Outlook, and then click the Safety Index tab. Review the information provided in the Safety Index Summary area.
On the Application Firewall Configuration node, click Outlook_Profile and review the security check and signature violation information in the pie charts.
Review the configuration status of each protection type in the application firewall summary table. To sort the table on a column, click the column header.
Click the NetScaler System Security node and review the system security settings and Citrix recommendations to improve the application safety index.
Identify applications that require immediate attention
The applications that need immediate attention are those having a high threat index and a low safety index.
In this example, both Microsoft Outlook and Microsoft Lync have a high threat index value of 6, but Lync has the lower of the two safety indexes. Therefore, you might have to focus your attention on Lync before improving the threat environment for Outlook.
Determine the number of attacks in a given time
You might want to determine how many attacks occurred on a given application at a given point in time, or you might want to study the attack rate for a specific time period.
On the Security Insight page, click any application and in the Application Summary, click the number of violations. The Total Violations page displays the attacks in a graphical manner for one hour, one day, one week, and one month.
The Application Summary table provides the details about the attacks. Some of them are as follows:
IP address of the client from which the attack happened
Category of violation
URL from which the attack originated, and other details.
While you can always view the time of attack in an hourly report, as seen in the image, you can now also view the attack time range in aggregated reports, such as daily or weekly reports. If you select “1 Day” from the time-period list, the Security Insight report displays all attacks aggregated, with the attack time shown in a one-hour range. If you choose “1 Week” or “1 Month,” all attacks are aggregated and the attack time is shown in a one-day range.
Obtain detailed information about security breaches
You might want to view a list of the attacks on an application and gain insights into the type and severity of attacks, actions taken by the Citrix ADC instance, resources requested, and the source of the attacks.
For example, you might want to determine how many attacks on Microsoft Lync were blocked, what resources were requested, and the IP addresses of the sources.
On the Security Insight dashboard, click Lync > Total Violations. In the table, click the filter icon in the Action Taken column header, and then select Blocked.
For information about the resources that were requested, review the URL column. For information about the sources of the attacks, review the Client IP column.
View log expression details
Citrix ADC instances use log expressions configured with the Application Firewall profile to take action for the attacks on an application in your enterprise. In Security Insight, you can view the values returned for the log expressions used by the Citrix ADC instance. These values include request header, request body, and so on. Apart from the log expression values, you can also view the log expression name and the comment for the log expression defined in the Application Firewall profile that the Citrix ADC instance used to take action for the attack.
Ensure that you:
Configure log expressions in the Application Firewall profile. For more information, see Application Firewall.
Enable log expression based Security Insights setting in Citrix ADM. Do the following:
Navigate to Analytics > Settings, and click Enable Features for Analytics.
In the Enable Feature for Analytics page, select Enable Security Insight under the Log Expression Based Security Insight Setting section and click OK.
For example, you might want to view the values of the log expression returned by the Citrix ADC instance for the action it took for an attack on Microsoft Lync in your enterprise.
On the Security Insight dashboard, navigate to Lync > Total Violations. In the Application Summary table, click the URL to view the complete details of the violation in the Violation Information page including the log expression name, comment, and the values returned by the Citrix ADC instance for the action.
Highlight violation patterns for Web Application Firewall (WAF)
You can now get details of attacks such as HTTP headers and HTTP payload to troubleshoot or analyze the attacks. To get details of attacks, you must update the “VerboseLogLevel” in Application Firewall profile, using the following command:
set appfw profile <profile_name> -VerboseLogLevel (pattern|patternPayload|patternPayloadHdr)
pattern: Only the violation pattern is logged.
patternPayload: The violation pattern and 150 bytes of the field element value prior to the attack pattern are logged.
patternPayloadHdr: The violation pattern, 150 bytes of the field element value prior to the attack pattern, and the HTTP request headers are logged.
Based on the “VerboseLogLevel” configuration, Citrix ADM displays the detailed log expression records.
The following image is an example that highlights the attack pattern for GET request:
The following image is an example that highlights the attack pattern for POST request:
In these two examples:
FIELDNAME refers to the corresponding field name for the attack pattern.
PAYLOAD_OFFSET refers to the attack offset in the actual payload.
ATTACK_PATTERN highlights the attack pattern and includes 150 bytes of prefix payload in the value.
For more information on configuring verbose log level in Citrix ADC, see Ease of troubleshooting with Web Application Firewall logs.
Determine the safety index before deploying the configuration
Security breaches occur after you deploy the security configuration on a Citrix ADC instance, but you might want to assess the effectiveness of the security configuration before you deploy it.
For example, you might want to assess the safety index of the configuration for the SAP application on the Citrix ADC instance with IP address 10.102.60.27.
On the Security Insight dashboard, under Devices, click the IP address of the Citrix ADC instance that you configured. You can see that both the threat index and the total number of attacks are 0. Threat index is a direct reflection of the number and type of attacks on the application. Zero attacks indicate that the application is not under any threat.
Click Sap > Safety Index > SAP_Profile and assess the safety index information that appears.
In the application firewall summary, you can view the configuration status of different protection settings. If a setting is set to log or if a setting is not configured, the application is assigned a lower safety index.