NetScaler-培训PPT.ppt

1、Click to edit Master title style,#,2012 Citrix|Confidential Do Not Distribute,Click to edit Master text styles,Second level,Third level,Fourth level,Fifth level,Click to edit Master title style,#,Click to edit Master text styles,Second level,Third level,Fourth level,Fifth level,Citrix NetScaler Appl

2、ication Firewall,培训,Agenda,Citrix WAF,简述,顺网拓扑架构简介,业务上线流程,Application Firewall,技术概述,2,网页应用程序防火墙,Network,Operating,Systems,Database,Servers,Operating,Systems,Application,Servers,Operating,Systems,Web,Servers,Network Firewall,IDS,IPS,Database Servers,Customer Info,Business Data,Transaction Info,私密资料,客制

3、化网页程序,客制化套装应用程序,自行开发或第三方程式,特征码,HTTP/HTTPS,我看得懂,文档,WAF,我看不懂,不让你过,正常,访问,我看不懂,放行,依据网页程序内容逻辑，,制定合法规则，检测进出联机内容,3,正向防护,白名单,预设行为：阻挡,符合规则：放行,效益：,防范已知,/,未知攻击,防护,产品：,网络防火墙,网页应用程序防火墙,其他：,不易误判,(,除非设定错误,),需时间学习,/,设定,反向防护,黑名单,预设行为：放行,符合特征：阻挡,效益：,防范已知攻击,防护,产品：,防病毒软件,/,防毒墙,入侵侦没系统,(IPS),其他：,容易误判,容易绕过,防护逻辑,4,2025/1/4

4、WAF vs IPS vs Network Firewall,WAF,IPS,Network Firewall,防护,逻辑,白名单为主，,黑名单为辅,黑名单,白名单,网页检查模式,用户会话,双向行为检查,封包特征码,X,网页请求内容检查,有限,X,网页响应内容检查,X,X,加密网页内容检测,X,X,防范敏感数据泄漏,X,X,敏感页面重改写,X,X,5,WAF,运作机制 双向保护,用户请求,服务器回应,Internet/Intranet,WAF,请求检查,输入正确性,检测,安全转发,Protected AP,用户请求,安全转发,服务器回应,内容响应,防护处理,NetScaler,网页,应用防火

5、墙采用混合安全模型,正面表列,自我学习应用程序,负面表列,特征码侦测,Negative,Positive,Hybrid,混合模型,防护,已知,和,未知,的安全威胁,7,DDos,SSL/VPN,SSL,WAF,XML FW,AAA,SSO,Reporting,NetScaler MPX and VPX,Citrix NetScaler,融合多种应用安全,Internet,Web App Users,允许合法流量通过,响应内容检测,应用程序攻击阻挡,应用程序基础建设,网络防火墙,防御,Zero day,攻击,双向检测：进阶式攻击防御,SSL,加密联机支持,ICSA,Common Criteria

6、认证,8,Agenda,Citrix WAF,简述,顺网拓扑架构及,Netscaler,架构概述,业务上线流程,Application Firewall,技术概述,9,现网拓扑,10,NetScaler Architecture Overview,NetScaler-owned IP Addresses,The NetScaler system uses different types of IP addresses for management and proxying connections to the server,These IP addresses are:,NetScaler

7、IP(NSIP)addresses,Subnet IP(SNIP)addresses,Virtual IP(VIP)addresses,NetScaler IP Address,The NetScaler IP address(NSIP)is the primary address for management and general system access,The default IP address and netmask is 192.168.100.1/16(255.255.0.0),修改该,IP,地址，设备需要重启,Subnet IP Address,The subnet IP(

8、SNIP)address is used in connection management and server monitoring,A SNIP address provides the NetScaler system with an Address Resolution Protocol(ARP)presence in subnets to which the system may not be directly connected,A NetScaler system should have a SNIP address configured for every directly c

9、onnected subnet,Virtual IP Address,VIP addresses are used for client-to-NetScaler-system communication,When the VIP address is a public IP address,it usually corresponds to the DNS entry for a domain,A VIP address is automatically created when a virtual server is added,Entity Management,High Availab

10、ility Functionality,上线后全网配置调整,NS,上对外发布一个,VIP,，,F5,的,VIP,作为,NS VIP,的,Service.,防火墙将原先的到,F5 VS,的映射改为到,NS VS,的映射。,由于服务器端需要看到客户端的真实,IP,地址，现在的架构是在,F5,上通过插入一个,HTTP X-Forwarded-For,报头（报头里面记录了客户端,IP,地址），服务器端解这个报头来获得客户端真实,IP,。,NS,部署后，添加这个报头的工作由,NS,完成，即将,F5,上配置的这个功能取消，将这个功能在,NS,上配置，在,NS,上配置的报头名称不变，这样后台服务器就不需要做

11、任何修改。,18,Hardware Components,Hardware components of the NetScaler system include:,Network interfaces,LCD,Serial interface,File system,RAM drive,(/),Flash memory(/flash),Hard disk(/var),Hardware Components,NetScaler Architecture Overview,Agenda,Citrix WAF,简述,顺网拓扑架构及,Netscaler,架构概述,业务上线流程,Application

12、Firewall,技术概述,22,操作流程,通过,GUI,方式登录设备进行配置（客户端需要,JRE,环境）,NSIP/SNIP,都可以对设备进行配置管理,通过,SSH,登录设备进行命令行下查看配置等操作,23,上线流程,创建,Service,（,F5 VS,地址）,创建对外发布的,VS,地址并关联相应,Service,创建,WAF Policy,将,WAF Policy,与相对应的,VS,关联,24,Agenda,Citrix WAF,简述,顺网拓扑架构及,Netscaler,架构概述,业务上线流程,Application Firewall,技术概述,25,WAF,技术介绍,INTERNAL,

13、Data Flow Process,NetScaler,Web Applications,Database,1.Client Request,Request,Inspections,3.Client Request,4.,Server Response,5.,Response,Inspections,6.,Server Response,URLs,XSS,SQL Injection,Field Consistency,Buffer Overflow,Credit Cards,SAFE Object,Full ADC Integration,Profiles,Enable,Basic or Ad

14、vanced,defaults,Consists of Security Settings,Policies,Directs traffic to profiles,Matches on request or response parameters,Policy,创建后，即可以设置为全局生效，即所以流量都通过该,policy,进行检查；或者关联到一个,VS,上单独生效,Customizable Profiles and Policy,Complete Web App Protection with Learning,Positive Security,Application Firewall

15、Advanced profile,When configure application firewall(appfw),1,st,thing to do is create a profile.And there is Basic and Advanced profile,what is the difference?,With advanced profile,“sessionization”or session tracking will be enabled.The security checks required sessionization are:,URL Closure,Cook

16、ie Consistency,Form Field Consistency,Application Firewall sessionization,What is sessionization?,It means Appfw has to track all requests and responses from a client as long as the browser remains open within the session timeout period(that is track each session),The session is marked by session co

17、okie,the default cookie name is citrix_ns_id,Default session timeout is 900 seconds(15 minutes),AppFw why sessionization is needed?,Example 1 buffer overflow protection,As an example,assume the Appfw is configured with buffer overflow such that maximum allowed URL length is 10 characters,User A send

18、s a request of“GET/admin/utility/reset.htm HTTP/1.1”to the Appfw,User A,GET/admin/utility/reset.htm HTTP/1.1,Appfw blocked this request as the URL is longer than 10 characters,User A,GET/admin/utility/reset.htm HTTP/1.1,Blocked,User B sends a“GET/test/system/reload.htm HTTP/1.1”request,User B,GET/te

19、st/system/reload.htm HTTP/1.1,Appfw blocked this request from User B as the URL is longer than 10 characters,User B,GET/test/system/reload.htm HTTP/1.1,Blocked,Appfw does not need to care who sends the request,as long as the URL is longer than 10 characters,it will block it,AppFw why sessionization

20、is needed?,Example 2 URL Closure,As an example,assume the Appfw is configured with startURL and URL Closure protection,the startURL allowed is,home1.htm,User A,User A access the home1.htm page via the Appfw,GET/home1.htm HTTP/1.1,Appfw allow this request because home1.htm is on the StartURL list,and

21、 Appfw forward the response from the backend server to the client,HTTP/1.1 200 OK,Set-Cookie:citrix_ns_id=xyz123,User A see the web page,HTTP/1.1 200 OK,User A then click on link 1,which is hyperlink to link1.htm,GET/link1.htm HTTP/1.1,Cookie:citrix_ns_id=xyz123,link1.htm is not on the StartURL list

22、However,Appfw still allow this request because from the session cookie,Appfw knows User A has access home1.htm before and link1.htm is a hyperlink there,GET/link1.htm HTTP/1.1,Cookie:citrix_ns_id=xyz123,Appfw forward the response from the backend server back to the client and client access the link

23、1.htm successfully,HTTP/1.1 200 OK,User B,Now,User B sends a request.However,this user browse to the link1.htm directly,GET/link1.htm HTTP/1.1,User B,Since link1.htm is not on the StartURL list.In addition,User B has not browsed any web page with link1.htm as hyperlink,such a request is blocked by t

24、he appfw,GET/link1.htm HTTP/1.1,Blocked,In this example,we can observe that feature like URL Closure required the Appfw to“record”some sort of activities for each user/session in order to determine to allow or block the request.In the other words,the sessions history is a factor to determine allow/b

25、lock,Appfw-sessionization,We have to pay the price for sessionization that is Memory.Since we need to store information for each session,more memory is required,There is something interesting here,except from the number of user,there are some other factors that affect how much memory is required,App

26、fw URL Closure example,Web page 1,Web page 2,For URL Closure,which of the above page will consume more memory when a user access the page as startURL?,Appfw Memory usage,Of course“web page 2”will takes more memory because it has much more hyperlink,when appfw stores information on which link the use

27、r can access,it needs to store more information,URL Closure:More hyperlink,more memory is required,Form Field Consistency:More form/larger form more memory is required,(,Usually most memory consuming is URL Closure because web page with a lot of links are common but web page with a lot of forms is l

28、ess common),Easy Deployment Mode,Protects against,SQL Injection,Cross Site Scripting,Cross site Request Forgery(Referrer header),Forceful Browsing(Start/Deny URLs),Buffer Overflow,Form Field Formatting,No sessionization required,Learning aided deployment,Basic Defaults Positive Security Model,SQL In

29、jection attacks,How this might be done:,User enters data into a form on a web page,The application sends this as part of an SQL query to the back end database,Item Number:,Item Lookup,Enter Desired Item Number,SUBMIT,1234 or 1=1,select item-detail WHERE itemnum=,1234,or 1=1,SUBMIT,Cross-site Scripti

30、ng(XSS)Attacks,Attacking trust relationships,Cross-Site Scripting:,Inserting a malicious script that compromises the trust relationship between a user and a Web application,resulting in sending an attacker confidential information that can be used to steal that users identity.,Innocent user download

31、s script and executes,2,Hacker posts,to vulnerable Web application,1,3,Script captures credential info and sends to hacker,Cross Site Request Forgery Attacks,Protection actions,Verify Referrer headers,Tag each form with unique token and verify on form submission.,.,E makes request to application usi

32、ng users session credentials,3,2,User visits in another browser window,User logs in and creates session with web application,1,Attacking trust relationships,CSRF:Referrer Header Protection,b,auth=good,Referer:,X,Forceful Browsing,Forceful Browsing Attack,Manipulating request URLs to gain access to c

33、ontent you are not entitled to see.,Brute-force penetration of the infrastructure,Paris Hiltons Sidekick hacked,hacker Nicolas Jacobsen pled guilty to a single charge of intentionally accessing a protected computer and recklessly causing damage.Jacobsen was arrested by US authorities last October,bu

34、t had had access to T-Mobiles servers for more than a year.He reportedly amused himself by accessing US Secret Service email,and raiding other Sidekick users accounts,.,I got hacked,Buffer Overflow Protection,Hacker,Buffer,Overflow,Attack,Application,Platform,OS,Gain application,Privileges,Gain plat

35、form,privileges,Gain root,server access,Prevent hackers from gaining unauthorized system privileges,Application Firewall limits input parameter sizes for:,URLs,Headers,Cookies,Application Server,Internet,Advanced Defaults,Session based enables additional protections,Cookie,Form Field Consistency,URL

36、 Closure protection,Tag Based Cross Site Request Forgery,Includes all basic protections,Session-based Protection with Advanced Defaults,Cookie Poisoning defense:,Prevents identity theft and session hijacking,Client returns cookie to server,Web server sends client cookie,Application Firewall verifies

37、 that cookies have not been modified by client,Cookie Attack Protection Encrypt Cookies,Encrypt only session cookies(non-persistent)or all application cookies.,AES-192 encryption.,1,2,Cookie Attack Protection Proxy Cookies,Replace all server cookies with a single App Firewall session cookie,Cookie A

38、ttack Protection Flag Cookies,HTTP Only Make cookie unavailable to JavaScript,Secure Cookie submitted only for HTTPS URLs,All Both attributes are added to the Set-Cookie header,CSRF:Form Tagging Protection,b,auth=good,X,HTML Form Field Protection,Client completes and returns form,Application sends f

39、orm to client,Protect applications by blocking malicious and illegal input parameters,For each user session AppFw ensures that:,Each field is returned,No fields were added by client,Read-only and hidden fields are unaltered,Data in drop-down list or radio button field conforms,Max length of form fie

40、lds is adhered to,Additional Security Measures,Click to Rule Application Firewall,Application Firewall relaxation rules can now be deployed from the logs,The logs must be in CEF log format,Convenient option to relax a rule blocking a legitimate request,Citrix Confidential-Do Not Distribute,Log using

41、 CEF-based logs,Mar 15 16:48:14 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.90.33.39,spt=52737,method=GET request=10.90.196.152/msg=Disallow Illegal URL.cn1=69 cn2=3999 cs1=Application_Firewall_Profile cs2=PPE2 cs3=edw9DRH/XRTNya64AIYNZM1sgfUA020 cs4=ALERT cs5=2012 act=

42、blocked,Easy,integration with numerous vendors that support CEF format,Common Event Format Logging Support,Business Object Protection Modules,Financial Theft Prevention,Prevent the inadvertent disclosure of customer or corporate data,Configurable Protections,Credit Card Numbers,Customer-defined Data

43、 Objects,Mastercard,5168701720999598,5487106695039822,5374247346295037,5229226821960783,5120772245608565,5418244166026814,5214846392378060,5593219822414122,5302495774841718,5141463445796112,VISA,4532804852500010,4328380488186126,4532740912246923,4716318594729561,4916022347049263,4929693453925879,491

44、6392627322353,4485495924283904,4532203936162055,4916164014266109,Mastercard,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,VISA,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXX

45、X,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXX,Server:Msg 547,Level 16,State 1,Procedure error_demo_sp,Line 2 UPDATE statement conflicted with COLUMN FOREIGN KEY constraint fk7_acc_cur.The conflict occurred in database bos_som

46、mar,table currencies,column curcode.The statement has been terminated.,57,Signatures,Set up Application Protection in 3 easy steps,Set actions,Signature Maintenance/Updates,Based on SNORT,Partnership with SourceFire to provide signatures,Can be updated without changing build,Open format for signatur

47、e files,Signature versioning,Automatic identification of“new”signatures,Integration with Vulnerability Assessment Tools,Protected website,Run periodic scans,Import,v,ulnerability,file into NetScaler,Citrix Confidential-Do Not Distribute,Management and Reporting,Manageability and Ease of Use-Learning

48、Rule Recommendation Engine in learning mode,Manageability and Ease of Use Rule Visualizer,Application Visualizer-,Manage Configuration Drift,View/Resolve Config Drifts,View Overlay and Detailed Stats,Reporting,Dashboard of top Application Firewall information for quick security summary,Ability to c

49、reate custom reports for specific violations,client IPs,profiles etc.,Citrix Confidential-Do Not Distribute,Visibility and Reporting with Splunk for NetScaler,Splunk App for NetScaler,Available at SplunkBase,Study:FreshDirect,App Firewall configuration against PCI-DSS requirements,Executive summary of Application Firewall configuration,Full PCI v1.2 Compliance Report,