NetScaler ingress controller

Configure web application firewall policies with the NetScaler Ingress Controller

NetScaler provides a Custom Resource Definition (CRD) called the WAF CRD for Kubernetes. You can use the WAF CRD to configure the web application firewall policies with the NetScaler Ingress Controller on the NetScaler VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the NetScaler Ingress Controller and NetScaler for enforcing web application firewall policies.

In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see Web application security.

With the WAF CRD, you can configure the firewall security policy to enforce the following types of security checks for Kubernetes native applications.

Common protections

  • Buffer overflow
  • Content type
  • Allow URL
  • Block URL
  • Cookie consistency
  • Credit card

HTML protections

  • CSRF (cross side request forgery) form tagging
  • Field formats
  • Form field consistency
  • File upload types
  • HTML cross-site scripting
  • HTML SQL injection

JSON protections

  • JSON denial of service
  • JSON SQL injection
  • JSON cross-site scripting

XML protections

  • XML web services interoperability
  • XML attachment
  • XML cross-site scripting
  • XML denial of service
  • XML format
  • XML message validation
  • XML SOAP fault filtering
  • XML SQL injection

Based on the type of security checks, you can specify the metadata and use the CRD attributes in the WAF CRD .yaml file to define the WAF policy.

WAF CRD definition

The WAF CRD is available in the NetScaler Ingress Controller GitHub repository at waf-crd.yaml. The WAF CRD provides attributes for the various options that are required to define the web application firewall policies on NetScaler.

WAF CRD attributes

The following table lists the various attributes provided in the WAF CRD:

CRD attribute Description
commonchecks Specifies a list of common security checks, which are applied irrespective of the content type.
block_urls Protects URLs.
buffer_overflow Protects buffer overflow.
content_type Protects content type.
htmlchecks Specifies a list of security checks to be applied for HTML content types.
cross_site_scripting Prevents cross site scripting attacks.
sql_injection Prevents SQL injection attacks.
form_field_consistency Prevents form tampering.
csrf Prevents cross side request forgery (CSRF) attacks.
cookie_consistency Prevents cookie tampering or session takeover.
field_format Validates the form submission.
fileupload_type Prevents malicious file uploads.
jsonchecks Specifies security checks for JSON content types.
xmlchecks Specifies security checks for XML content types.
wsi Protects web services interoperability.
redirect_url Redirects URL when block is enabled on protection.
servicenames Specifies the services to which the WAF policies are applied.
application_type Protects application types.
signatures Specifies the location of the external signature file.
html_error_object Specifies the location of the customized error page to respond when HTML or common violations are attempted.
xml_error_object Specifies the location of the customized error page to respond when XML violations are attempted.
json_error_object Specifies the location of the customized error page to respond when JSON violations are attempted.
ip_reputation Enables the IP reputation feature.
target Determines the traffic to be inspected by the WAF. If you do not specify the traffic targeted, all traffic is inspected by default.
paths Specifies the list of HTTP URLs to be inspected.
method Specifies the list of HTTP methods to be inspected.
header Specifies the list of HTTP headers to be inspected.

Deploy WAF CRD

Perform the following steps to deploy the WAF CRD:

  1. Download the CRD (waf-crd.yaml).

  2. Deploy the WAF CRD using the following command:

    kubectl create -f waf-crd.yaml  
    

    For example,

    root@master:~# kubectl create -f waf-crd.yaml
    customresourcedefinition.apiextensions.k8s.io/wafpolicies.citrix.com created
    <!--NeedCopy-->
    

How to write a WAF configuration

After you have deployed the WAF CRD provided by NetScaler in the Kubernetes cluster, you can define the web application firewall policy configuration in a .yaml file. In the .yaml file, use waf in the kind field. In the spec section add the WAF CRD attributes based on your requirements for the policy configuration.

After you deploy the .yaml file, the NetScaler Ingress Controller applies the WAF configuration on the Ingress NetScaler device.

The following are some examples for writing web appliction firewall policies.

Enable protection for cross-site scripting and SQL injection attacks**

Consider a scenario in which you want to define and specify a web application firewall policy in the NetScaler to enable protection for the cross-site scripting and SQL injection attacks. You can create a .yaml file called wafhtmlxsssql.yaml and use the appropriate CRD attributes to define the WAF policy as follows:

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafhtmlxsssql
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_page_url: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        html:
          cross_site_scripting: "on"
          sql_injection: "on"
<!--NeedCopy-->

Apply rules to allow only known content types

Consider a scenario in which you want to define a web application firewall policy that specifies rules to allow only known content types and block unknown content types. Create a .yaml file called waf-contenttype.yaml and use the appropriate CRD attributes to define the WAF policy as follows:

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafcontenttype
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_error_object: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        common:
          content_type: "on"
    relaxations:
        common:
          content_type:
            types:
                - custom_cnt_type
                - image/crd

<!--NeedCopy-->

Protect against known attacks

The following is an example of a WAF CRD configuration for applying external signatures. You can copy the latest WAF signatures from Signature Location to the local web server and provide the location of the copied file as signature_url.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafhtmlsigxsssql
spec:
    servicenames:
        - frontend
    application_type: HTML
    signatures: "http://x.x.x.x/crd/sig.xml"
    html_error_object: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        html:
          cross_site_scripting: "on"
          sql_injection: "on"

<!--NeedCopy-->

Protect from header buffer overflow attacks and block multiple headers

The following is an example of a WAF CRD configuration for protecting buffer overflow.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafhdrbufferoverflow
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_error_object: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        common:
          buffer_overflow: "on"
          multiple_headers:
            action: ["block", "log"]
    settings:
        common:
          buffer_overflow:
            max_cookie_len: 409
            max_header_len: 4096
            max_url_len: 1024

<!--NeedCopy-->

Prevent repeated attempts to access random URLs on a web site

The following is an example of a WAF CRD configuration for providing URL filter rules. You can add URLs to permit under allow_url and URLs to deny under block_url. The URL can be a regular expression also.


apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafurlchecks
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_error_object: "http://x.x.x.x/crd/error_page.html"
    target:
        path:
            - /
    security_checks:
        common:
          allow_url: "on"
          block_url: "on"
    relaxations:
        common:
          allow_url:
            urls:
                - payment.php
                - cover.php
    enforcements:
        common:
          block_url:
            urls:
                - "^[^?]*(passwd|passwords?)([.][^/?]*)?([?].*)?$"
                - "^[^?]*(htaccess|access_log)([.][^/?]*)?([~])?([?].*)?$"
<!--NeedCopy-->

Prevent leakage of sensitive data

Data breaches involve leakage of sensitive data such as credit card and social security number (SSN). You can add custom regexes for the sensitive data in the Enforcements safe objects section.

The following is an example of a WAF CRD configuration for preventing leakage of sensitive data.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafdataleak
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_error_object: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        common:
          credit_card: "on"
    settings:
        common:
          credit_card:
            card_type: ["visa","amex"]
            max_allowed: 1
            card_xout: "on"
            secure_logging: "on"
    enforcements:
        common:
          safe_object:
            - rule:
                name: aadhar
                expression: "[1-9]{4,4}\s[1-9]{4,4}\s[1-9]{4,4}"
                max_match_len: 19
                action: ["log","block"]
<!--NeedCopy-->

Protect HTML forms from CSRF and form attacks

The following is an example of a WAF CRD configuration for protecting HTML forms from CSRF and form attacks.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafforms
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_error_object: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        html:
          cross_site_scripting: "on"
          sql_injection: "on"
          form_field_consistency:
            action: ["log","block"]
          csrf: "on"

<!--NeedCopy-->

Protect forms and headers

The following is an example of a WAF CRD configuration for protecting both forms and headers.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafhdrforms
spec:
    servicenames:
        - frontend
    application_type: HTML
    html_page_url: "http://x.x.x.x/crd/error_page.html"
    security_checks:
        common:
          buffer_overflow: "on"
          multiple_headers:
            action: ["block", "log"]
        html:
          cross_site_scripting: "on"
          sql_injection: "on"
          form_field_consistency:
            action: ["log","block"]
          csrf: "on"
    settings:
        common:
          buffer_overflow:
            max_cookie_len: 409
            max_header_len: 4096
            max_url_len: 1024
    ip_reputation: on


<!--NeedCopy-->

Enable basic WAF security checks

The basic security checks are required to protect any application with minimal effect on performance. It does not require any sessionization. The following is an example of a WAF CRD configuration for enabling basic WAF security checks.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafbasic
spec:
    servicenames:
        - frontend
    security_checks:
        common:
          allow_url: "on"
          block_url: "on
          buffer_overflow: "on"
          multiple_headers:
            action: ["block", "log"]
        html:
          cross_site_scripting: "on"
          field_format: "on"
          sql_injection: "on"
          fileupload_type: "on"
        json:
          dos: "on"
          sql_injection: "on"
          cross_site_scripting: "on"
        xml:
          dos: "on"
          wsi: "on"
          attachment: "on"
          format: "on"
    relaxations:
        common:
          allow_url:
            urls:
                - "^[^?]+[.](html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)$"
                - "^[^?]+[.](cgi|aspx?|jsp|php|pl)([?].*)?$"

<!--NeedCopy-->

Enable advanced WAF security check

Advanced security checks such as cookie consistency, allow URL closure, field consistency, and CSRF are resource-intensive (CPU and memory) as they require WAF sessionization. For example, when a form is protected by the WAF, form field information in the response is retained in the system memory. When the client submits the form in the next request, it is checked for inconsistencies before the information is sent to the web server. This process is known as sessionization. The following is an example of a WAF CRD configuration for enabling WAF advanced security checks.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafadvanced
spec:
    servicenames:
        - frontend
    security_checks:
        common:
          allow_url: "on"
          block_url: "on"
          buffer_overflow: "on"
          content_type: "on"
          cookie_consistency: "on"
          multiple_headers:
            action: ["log"]
        html:
          cross_site_scripting: "on"
          field_format: "on"
          sql_injection: "on"
          form_field_consistency: "on"
          csrf: "on"
          fileupload_type: "on"
        json:
          dos: "on"
          sql_injection: "on"
          cross_site_scripting: "on"
        xml:
          dos: "on"
          wsi: "on"
          validation: "on"
          attachment: "on"
          format: "on"
    settings:
        common:
          allow_url:
            closure: "on"
<!--NeedCopy-->

Enable IP reputation

The following is an example of a WAF CRD configuration for enabling IP reputation to reject requests that come from IP addresses with bad reputation.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafiprep
spec:
    application_type: html
    servicenames:
        - frontend
    ip_reputation: "on"

<!--NeedCopy-->

Enable IP reputation to reject requests of a particular category

The following is an example of a WAF CRD configuration for enabling IP reputation to reject requests from particular threat categories.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafiprepcategory
spec:
    application_type: html
    servicenames:
        - frontend
    ip_reputation:
        action: block
        threat-categories:
            - SPAM_SOURCES
            - WINDOWS_EXPLOITS
            - WEB_ATTACKS
            - BOTNETS
            - SCANNERS
            - DOS
            - REPUTATION
            - PHISHING
            - PROXY
            - NETWORK
            - CLOUD_PROVIDERS
            - MOBILE_THREATS

<!--NeedCopy-->

Protect JSON applications from denial of service attacks

The following is an example of a WAF CRD configuration for protecting the JSON applications from denial of service attacks.

metadata:
    name: wafjsondos
spec:
    servicenames:
        - frontend
    application_type: JSON
    json_error_object: "http://x.x.x.x/crd/error_page.json"
    security_checks:
        json:
          dos: "on"
    settings:
        json:
          dos:
            container:
              max_depth: 2
            document:
              max_len: 20000000
            array:
              max_len: 5
            key:
              max_count: 10000
              max_len: 12
            string:
              max_len: 1000000


<!--NeedCopy-->

Protect RESTful APIs

The following is an example of a WAF CRD configuration for protecting RESTful APIs from SQL injection, cross-site scripting, and denial of service attacks. Here, the back-end application or service is purely based on RESTful APIs.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafjson
spec:
    servicenames:
        - frontend
    application_type: JSON
    json_error_object: "http://x.x.x.x/crd/error_page.json"
    security_checks:
        json:
          dos: "on"
          sql_injection:
            action: ["block"]
          cross_site_scripting: "on"
    settings:
        json:
          dos:
            container:
              max_depth: 5
            document:
              max_len: 20000000
            array:
              max_len: 10000
            key:
              max_count: 10000
              max_len: 128
            string:
              max_len: 1000000

<!--NeedCopy-->

Protect XML applications from denial of service attacks

The following is an example of a WAF CRD configuration for protecting the XML applications from denial of service attacks.

apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafxmldos
spec:
    servicenames:
        - frontend
    application_type: XML
    xml_error_object: "http://x.x.x.x/crd/error_page.xml"
    security_checks:
        xml:
          dos: "on"
    settings:
        xml:
          dos:
            attribute:
                max_attributes: 1024
                max_name_len: 128
                max_value_len: 128
            element:
                max_elements: 1024
                max_children: 128
                max_depth: 128
            file:
                max_size: 2123
                min_size: 9
            entity:
                max_expansions: 512
                max_expansions_depth: 9
            namespace:
                max_namespaces: 16
                max_uri_len: 256
            soaparray:
                max_size: 1111
            cdata:
                max_size: 65

<!--NeedCopy-->

Protect XML applications from security attacks

This example provides a WAF CRD configuration for protecting XML applications from the following security attacks:

  • SQL injection
  • Cross-site scripting
  • Validation (schema or message)
  • Format
  • Denial of service
  • Web service interoperability (WSI)
apiVersion: citrix.com/v1
kind: waf
metadata:
    name: wafxml
spec:
    servicenames:
        - frontend
    application_type: XML
    xml_error_object: "http://x.x.x.x/crd/error_page.json"
    security_checks:
        xml:
          dos: "on"
          sql_injection: "on"
          cross_site_scripting: "off"
          wsi:
            action: ["block"]
          validation: "on"
          attachment: "on"
          format:
            action: ["block"]
    settings:
        xml:
          dos:
            attribute:
                max_attributes: 1024
                max_name_len: 128
                max_value_len: 128
            element:
                max_elements: 1024
                max_children: 128
                max_depth: 128
            file:
                max_size: 2123
                min_size: 9
            entity:
                max_expansions: 512
                max_expansions_depth: 9
            namespace:
                max_namespaces: 16
                max_uri_len: 256
            soaparray:
                max_size: 1111
            cdata:
                max_size: 65
          wsi:
            checks: ["R1000","R1003"]
          validation:
            soap_envelope: "on"
            validate_response: "on"
          attachment:
            url:
                max_size: 1111
            content_type:
                value: "crd_test"

<!--NeedCopy-->
Configure web application firewall policies with the NetScaler Ingress Controller