Configuring the App Firewall
You can configure the NetScaler App Firewall by using any of the following methods:
- App Firewall Wizard. A dialog box consisting of a series of screens that step you through the configuration process.
- NetScaler App Interface AppExpert Template. A NetScaler AppExpert template (a set of configuration settings) that are designed to provide appropriate protection for web sites. This AppExpert template contains appropriate App Firewall configuration settings for protecting many web sites.
- NetScaler GUI. The NetScaler web-based configuration interface.
- NetScaler Command Line Interface. The NetScaler command line configuration interface.
Citrix recommends that you use the App Firewall Wizard. Most users will find it the easiest method to configure the App Firewall, and it is designed to prevent mistakes. If you have a new NetScaler or VPX that you will use primarily to protect web sites, you may find the Web Interface AppExpert template a better option because it provides a good default configuration, not just for the App Firewall, but for the entire appliance. Both the GUI and the command line interface are intended for experienced users, primarily to modify an existing configuration or use advanced options.
The App Firewall wizard
The App Firewall wizard is a dialog box that consists of several screens that prompt you to configure each part of a simple configuration. The App Firewall then creates the appropriate configuration elements from the information that you give it. This is the simplest and, for most purposes, the best way to configure the App Firewall.
To use the wizard, connect to the GUI with the browser of your choice. When the connection is established, verify that the App Firewall is enabled, and then run the App Firewall wizard, which prompts you for configuration information. You do not have to provide all of the requested information the first time you use the wizard. Instead, you can accept default settings, perform a few relatively straightforward configuration tasks to enable important features, and then allow the App Firewall to collect important information to help you complete the configuration.
For example, when the wizard prompts you to specify a rule for selecting the traffic to be processed, you can accept the default, which selects all traffic. When it presents you with a list of signatures, you can enable the appropriate categories of signatures and turn on the collection of statistics for those signatures. For this initial configuration, you can skip the advanced protections (security checks). The wizard automatically creates the appropriate policy, signatures object, and profile (collectively, the security configuration), and binds the policy to global. The App Firewall then begins filtering connections to your protected websites, logging any connections that match one or more of the signatures that you enabled and collecting statistics about the connections that each signature matches. After the App Firewall processes some traffic, you can run the wizard again and examine the logs and statistics to see if any of the signatures that you have enabled are matching legitimate traffic. After determining which signatures are identifying the traffic that you want to block, you can enable blocking for those signatures. If your website or web service is not complex, does not use SQL, and does not have access to sensitive private information, this basic security configuration will probably provide adequate protection.
You may need additional protection if, for example, your website is dynamic. Content that uses scripts may need protection against cross-site scripting attacks. Web content that uses SQL—such as shopping carts, many blogs, and most content management systems—may need protection against SQL injection attacks. Websites and web services that collect sensitive private information such as social security numbers or credit card numbers may require protection against unintentional exposure of that information. Certain types of web-server or XML-server software may require protection from types of attacks tailored to that software. Another consideration is that specific elements of your websites or web services may require different protection than do other elements. Examining the App Firewall logs and statistics can help you identify the additional protections that you might need.
After deciding which advanced protections are needed for your websites and web services, you can run the wizard again to configure those protections. Certain security checks require that you enter exceptions (relaxations) to prevent the check from blocking legitimate traffic. You can do so manually, but it is usually easier to enable the adaptive learning feature and allow it to recommend the necessary relaxation. You can use the wizard as many times as necessary to enhance your basic security configuration and/or create additional security configurations.
The wizard automates some tasks that you would have to perform manually if you did not use the wizard. It automatically creates a policy, a signatures object, and a profile, and assigns them the name that you provided when you were prompted for the name of your configuration. The wizard also adds your advanced-protection settings to the profile, binds the signatures object to the profile, associates the profile with the policy, and puts the policy into effect by binding it to Global.
A few tasks cannot be performed in the wizard. You cannot use the wizard to bind a policy to a bind point other than Global. If you want the profile to apply to only a specific part of your configuration, you must manually configure the binding. You cannot configure the engine settings or certain other global configuration options in the wizard. While you can configure any of the advanced protection settings in the wizard, if you want to modify a specific setting in a single security check, it may be easier to do so on the manual configuration screens in the GUI.
For more information on using the App Firewall Wizard, see “The App Firewall Wizard.”
NetScaler app interface appExpert template
AppExpert templates are a different and simpler approach to configuring and managing complex enterprise applications. The AppExpert display in the GUI consists of a table. Applications are listed in the left-most column, with the NetScaler features that are applicable to that application appearing each in its own column to the right. (In the AppExpert interface, those features that are associated with an application are called application units.) In the AppExpert interface, you configure the interesting traffic for each application, and turn on rules for compression, caching, rewrite, filtering, responder and the App Firewall, instead of having to configure each feature individually.
The Web interface AppExpert template contains rules for the following App Firewall signatures and security checks:
- “Deny URL check.” Detects connections to content that is known to pose a security risk, or to any other URLs that you designate.
- “Buffer Overflow check.” Detects attempts to cause a buffer overflow on a protected web server.
- “Cookie Consistency check.” Detects malicious modifications to cookies set by a protected web site.
- “Form Field Consistency check.” Detects modifications to the structure of a web form on a protected web site.
- “CSRF Form Tagging check.” Detects cross-site request forgery attacks.
- “Field Formats check.” Detects inappropriate information uploaded in web forms on a protected web site.
- “HTML SQL Injection check.” Detects attempts to inject unauthorized SQL code.
- “HTML Cross-Site Scripting check.” Detects cross-site scripting attacks.
For information on installing and using an AppExpert Template, see “AppExpert Applications and Templates.”
The NetScaler GUI
The GUI is a web-based interface that provides access to all configuration options for the App Firewall feature, including advanced configuration and management options that are not available from any other configuration tool or interface. Specifically, many advanced Signatures options can be configured only in the GUI. You can review recommendations generated by the learning feature only in the GUI. You can bind policies to a bind point other than Global only in the GUI.
The NetScaler command line interface
The NetScaler command line interface is a modified UNIX shell based on the FreeBSD bash shell. To configure the App Firewall from the command line interface, you type commands at the prompt and press the Enter key, just as you do with any other Unix shell. You can configure most parameters and options for the App Firewall by using the NetScaler command line. Exceptions are the signatures feature, many of whose options can be configured only by using the GUI or the App Firewall wizard, and the learning feature, whose recommendations can only be reviewed in the GUI.
For instructions on configuring the App Firewall by using the NetScaler command line, see “Manual Configuration By Using the Command Line Interface.”