Web and web service applications that are exposed to the Internet have become increasingly vulnerable to attacks. To protect applications from attack, you need visibility into the nature and extent of past, present, and impending threats, real-time actionable data on attacks, and recommendations on countermeasures. Security Insight provides a single-pane solution to help you assess your application security status and take corrective actions to secure your applications.
This document includes the following information:
For Security Insight to work, make sure that the NetScaler Insight Center release and build is the same as that of the NetScaler appliance.
How Security Insight Works
Security Insight is an intuitive dashboard-based security analytics solution that gives you full visibility into the threat environment associated with your applications. Security Insight is included in NetScaler Insight Center, and it periodically generates reports based on your Application Firewall and NetScaler system security configurations. The reports include the following information for each application:
- Threat Index. A single-digit rating system that indicates the criticality of attacks on the application, regardless of whether or not the application is protected by a NetScaler appliance. The more critical the attacks on an application, the higher the threat index for that application. Values range from 1 through 7.
The threat index is based on attack information. The attack-related information, such as violation type, attack category, location, and client details, gives you insight into the attacks on the application. Violation information is sent to NetScaler Insight Center only when a violation or attack occurs. A large number of breaches and vulnerabilities lead to a high threat index value.
- Safety Index. A single-digit rating system that indicates how securely you have configured the NetScaler devices to protect applications from external threats and vulnerabilities. The lower the security risks for an application, the higher the safety index. Values range from 1 through 7.
The safety index takes into consideration both the application firewall configuration and the NetScaler system security configuration. For a high safety index value, both configurations must be strong. For example, if rigorous application firewall checks are in place but NetScaler system security measures, such as a strong password for the nsroot user, have not been adopted, applications are assigned a low safety index value.
- Actionable Information. Information that you need for lowering the threat index and increasing the safety index, which significantly improves application security. For example, you can review information about violations, existing and missing security configurations for application firewall and other security features, the rate at which the applications are being attacked, and so on.
Configuring Security Insight
Security Insight is supported on NetScaler instances with NetScaler Platinum license or NetScaler Enterprise with AppFirewall license only.
To configure Security Insight on a NetScaler device, first configure an application firewall profile and an application firewall policy, and then bind the application firewall policy globally.
Then, enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally. When you configure the collector, you must specify the IP address of the NetScaler Insight Center server on which you want to monitor the reports.
To configure security insight on a NetScaler device
1. Run the following commands to configure an application firewall profile and policy, and bind the application firewall policy globally or to the load balancing virtual server.
add appfw profile <name> [-defaults ( basic | advanced )]
set appfw profile <name> [-startURLAction <startURLAction> ...]
add appfw policy <name> <rule> <profileName>
bind appfw global <policyName> <priority>
bind lb vserver <lb vserver> -policyName <policy> -priority <priority>
add appfw profile pr_appfw -defaults advanced
set appfw profile pr_appfw -startURLaction log stats learn
add appfw policy pr_appfw_pol "HTTP.REQ.HEADER(\"Host\").EXISTS"pr_appfw
bind appfw global pr_appfw_pol 1
bind lb vserver outlook –policyName pr_appfw_pol –priority "20"
2. Run the following commands to enable the AppFlow feature, configure an AppFlow collector, action, and policy, and bind the policy globally or to the load balancing virtual server:
add appflow collector <name> -IPAddress <ipaddress>
set appflow param [-SecurityInsightRecordInterval <secs>] [-SecurityInsightTraffic ( ENABLED | DISABLED )]
add appflow action <name> -collectors <string>
add appflow policy <name> <rule> <action>
bind appflow global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>]
bind lb vserver <vserver> -policyName <policy> -priority <priority>
add appflow collector col -IPAddress 10.102.63.85
set appflow param -SecurityInsightRecordInterval 60 -SecurityInsightTraffic ENABLED
add appflow action act1 -collectors col
add appflow action af_action_Sap_10.102.63.85 -collectors col
add appflow policy pol1 true act1
add appflow policy af_policy_Sap_10.102.63.85 true af_action_Sap_10.102.63.85
bind appflow global pol1 1 END -type REQ_DEFAULT
bind lb vserver Sap –policyName af_action_Sap_10.102.63.85 –priority "20"
Configuring Geo Locations for Security Insight Reports
If you configure geo locations in NetScaler Insight Center, Security Insight reports include the exact geographic locations from which client requests originate. To enable geo locations, specify a private IP block or range of IP addresses for every geographic location in your organization. Put that information in the Geo Database file, along with the city/state/country name and the latitude and longitude coordinates of each location. Contact your Citrix representative to obtain the Geo Database file, and then upload the file to the NetScaler device.
To configure geo locations
- Copy the Geo Database file, Citrix_Netscaler_InBuilt_GeoIP_DB.csv, to any location on the NetScaler appliance.
- Open the Geo Database file with a text editor, such as vi editor, and add an entry for every location in your organization.
The entry must be in the following format:
< IP address of traffic originator>,<IP address of traffic originator>>,,<name of the location> ,,,,,< coordinates>,-< coordinates>
18.104.22.168,22.214.171.124,,IN,"State of Gujarat",Rajkot,,,70.7833,22.3000
- Run the following commands to enable geo-location logging and logging in the CEF format:
· add locationFile <Complete path with DB file>
· set appfw settings -geoLocationLogging ON
· set appfw settings -CEFLogging ON
Use Cases: Bringing Visibility to Application Security
The following use cases describe how you can use security insight to assess the threat exposure of applications and improve security measures.
Obtain an Overview of the Threat Environment
In this use case, you have a set of applications that are exposed to attacks, and you have configured NetScaler Insight Center to monitor the threat environment. You need to frequently review the threat index, safety index, and the type and severity of any attacks that the applications might have experienced, so that you can focus first on the applications that need the most attention. The security insight dashboard provides a summary of the threats experienced by your applications over a time period of your choosing, and for a selected NetScaler device. It displays the list of applications, their threat and safety indexes, and the total number of attacks for the chosen time period.
For example, you might be monitoring Microsoft Outlook, Microsoft Lync, SharePoint, and a SAP application, and you might want to review a summary of the threat environment for these applications.
To obtain a summary of the threat environment, log on to NetScaler Insight Center, and then click the Security Insight tab.
Key information is displayed for each application. The default time period is 1 hour.
To view information for a different time period, from the drop-down at the top-left, select a time period.
To view a summary for a different NetScaler device, under Devices, click the IP address of the NetScaler device. To sort the application list by a given column, click the column header.
Determine the Threat Exposure of an Application
After reviewing a summary of the threat environment on the Security Insight dashboard to identify the applications that have a high threat index and a low safety index, you want to determine their threat exposure before deciding how to secure them. That is, you want to determine the type and severity of the attacks that have degraded their index values. You can determine the threat exposure of an application by reviewing the application summary.
In this example, Microsoft Outlook has a threat index value of 6, and you want to know what factors are contributing to this high threat index.
To determine the threat exposure of Microsoft Outlook, on the Security Insight dashboard, click Outlook. The application summary includes a map that identifies the geographic location of the server.
Click Threat Index > Security Check Violations and review the violation information that appears.
Click Signature Violations and review the violation information that appears.
Determine Existing and Missing Security Configuration for an Application
After reviewing the threat exposure of an application, you want to determine what application security configurations are in place and what configurations are missing for that application. You can obtain this information by drilling down into the application’s safety index summary.
The safety index summary gives you information about the effectiveness of the following security configurations:
- Application Firewall. Shows how many signature and security entities are not configured.
- NetScaler System Security. Shows how many system security settings are not configured.
In the previous use case, you reviewed the threat exposure of Microsoft Outlook, which has a threat index value of 6. Now, you want to know what security configurations are in place for Outlook and what configurations can be added to improve its threat index.
On the Security Insight dashboard, click Outlook, and then click the Safety Index tab. Review the information provided in the Safety Index Summary area.
On the Application Firewall Configuration node, click Outlook_Profile and review the security check and signature violation information in the pie charts.
Review the configuration status of each protection type in the application firewall summary table. To sort the table on a column, click the column header.
Click the NetScaler System Security node and review the system security settings and Citrix recommendations to improve the application safety index.
Identify Applications That Require Immediate Attention
The applications that need immediate attention are those having a high threat index and a low safety index.
In this example, both Microsoft Outlook and Microsoft Lync have a high threat index value of 6, but Lync has the lower of the two safety indexes. Therefore, you might have to focus your attention on Lync before improving the threat environment for Outlook.
Determine the Number of Attacks in a Given Period of Time
You might want to determine how many attacks occurred on a given application at a given point in time, or you might want to study the attack rate for a specific time period.
For example, you might want to view the number of attacks on Microsoft Lync in the past week. On the Security Insight dashboard, click Lync > Total Violations. By default, the graph is plotted for the last one hour.
To plot the graph of violations for the past week, from the time period list, select 1 Week. In this example, you see a surge in attacks from February 1.
Obtain Detailed Information about Security Breaches
You might want to view a list of the attacks on an application and gain insights into the type and severity of attacks, actions taken by the NetScaler device, resources requested, and the source of the attacks.
For example, you might want to determine how many attacks on Microsoft Lync were blocked, what resources were requested, and the IP addresses of the sources.
On the Security Insight dashboard, click Lync > Total Violations. In the table, click the filter icon in the Action Taken column header, and then select Blocked.
For information about the resources that were requested, review the URL column. For information about the sources of the attacks, review the Client IP column.
Determine the Safety Index before Deploying the Configuration
Security breaches occur after you deploy the security configuration on a NetScaler device, but you might want to assess the effectiveness of the security configuration before you deploy it.
For example, you might want to assess the safety index of the configuration for the SAP application on the NetScaler device with IP address 10.102.60.27.
On the Security Insight dashboard, under Devices, click the IP address of the NetScaler device that you configured. You can see that both the threat index and the total number of attacks are 0. Threat index is a direct reflection of the number and type of attacks on the application. Zero attacks indicate that the application is not under any threat.
Click Sap > Safety Index > SAP_Profile and assess the safety index information that appears.
In the application firewall summary, you can view the configuration status of different protection settings. If a setting is set to log or if a setting is not configured, the application is assigned a lower safety index.