Citrix ADC VPX on AWS Deployment Guide

Overview

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.

作为无可争议的领导人的服务和应用程序delivery, Citrix ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, Citrix ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. Citrix ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

Citrix ADC VPX

The Citrix ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms.

This deployment guide focuses on Citrix ADC VPX on Amazon Web Services.

Amazon Web Services

Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services offer tools such as compute power, database storage, and content delivery services.

AWS offers the following essential services:

• AWS Compute Services

• Migration Services

• Storage

• Database Services

• Management Tools

• Security Services

• Analytics

• Networking

• Messaging

• Developer Tools

• Mobile Services

AWS Terminology

Here is a brief description of key terms used in this document that users must be familiar with:

• Elastic Network Interface (ENI) – A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).

• Elastic IP (EIP) address – A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.

• Subnet – A segment of the IP address range of a VPC with which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.

• Virtual Private Cloud (VPC) – A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.

Here is a brief description of other terms used in this document that users should be familiar with:

• Amazon Machine Image (AMI) – A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud.

• Elastic Block Store – Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

• 如果mple Storage Service (S3) – Storage for the Internet. It is designed to make web-scale computing easier for developers.

• Elastic Compute Cloud (EC2) – A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

• Elastic Kubernetes Service (EKS) – Amazon EKS is a managed service that makes it easy for users to run Kubernetes on AWS without needing to stand up or maintain their own Kubernetes control plane. … Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability. Amazon EKS is a managed service that makes it easy for users to run Kubernetes on AWS without needing to install and operate their own Kubernetes clusters.

• 应用程序负载平衡(铝青铜)——亚马逊铝青铜歌剧院ates at layer 7 of the OSI stack so it’s employed when users want to route or select traffic based on elements of the HTTP or HTTPS connection, whether host-based or path-based. The ALB connection is context-aware and can have direct requests based on any single variable. Applications are load balanced based on their peculiar behavior not solely on server (operating system or virtualization layer) information.

• Elastic Load Balancing (ALB/ELB/NLB) – Amazon ELB Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. This increases the fault tolerance of user applications.

• Network Load Balancing (NLB) – Amazon NLB operates at layer 4 of the OSI stack and below and is not designed to consider anything at the application layer such as content type, cookie data, custom headers, user location, or application behavior. It is context-less, caring only about the network-layer information contained within the packets it is directing. It distributes traffic based on network variables such as IP address and destination ports.

• Instance type – Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.

• Identity and Access Management (IAM) – An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. IAM role is required for deploying VPX instances in a high-availability setup.

• Internet Gateway – Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway.

• Key pair – A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.

• Route table – A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

• Auto Scale Groups – A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.

• CloudFormation – A service for writing or changing templates that creates and deletes related AWS resources together as a unit.

• Web Application Firewall (WAF) – WAF is defined as a security solution protecting the web application layer in the OSI network model. A WAF does not depend on the application it is protecting. This document focuses on the exposition and evaluation of the security methods and functions provided specifically by Citrix WAF.

• 机器人,机器人被定义为一个独立装置,掠夺ram, or piece of software on a network (especially the internet) that can interact with computer systems or users to run commands, reply to messages, or perform routine tasks. A bot is a software program on the internet that performs repetitive tasks. Some bots can be good, while others can have a huge negative impact on a website or application.

Sample Citrix WAF on AWS Architecture

The preceding image shows a virtual private cloud (VPC) withdefault parametersthat builds a Citrix WAF environment in the AWS Cloud.

In a production deployment, the following parameters are set up for the Citrix WAF environment:

• This architecture assumes the use of an AWS CloudFormation Template and an AWS Quick Start Guide, which can be found here:GitHub/AWS-Quickstart/Quickstart-Citrix-ADC-VPX。

• A VPC that spans two Availability Zones, configured with two public and four private subnets, according to AWS best practices, to provide you with your own virtual network on AWS with a /16 Classless Inter-Domain Routing (CIDR) block (a network with 65,536 private IP addresses). *

• Two instances of Citrix WAF (Primary and Secondary), one in each Availability Zone.

• Three security groups, one for each network interface (Management, Client, Server), that acts as virtual firewalls to control the traffic for their associated instances.

• Three subnets, for each instance- one for management, one for client, and one for back-end server.

• Aninternet gatewayattached to the VPC, and a Public Subnets route table which is associated with public subnets so as to allow access to the internet. This gateway is used by the WAF host to send and receive traffic. For more information on Internet Gateways, see:Internet Gateways。*

• 5 Route tables-one public route table associated with client subnets of both primary and secondary WAF. The remaining 4 route tables link to each of the 4 private subnets (management and server-side subnets of primary and secondary WAF). *

• AWS Lambda in WAF takes care of the following:

  • Configuring two WAF in each availability zone of HA mode

  • Creating a sample WAF Profile and thus pushing this configuration with respect to WAF

• AWS Identity and Access Management (IAM) to securely control access to AWS services and resources for your users. By default, the CloudFormation Template (CFT) creates the required IAM role. However, users can provide their own IAM role for Citrix ADC instances.

• 在public subnets, two managed Network Address Translation (NAT) gateways to allow outbound internet access for resources in public subnets.

Note:

The CFT WAF template that deploys the Citrix WAF into an existing VPC skips the components marked by asterisks and prompts users for their existing VPC configuration.

Backend servers are not deployed by the CFT.

Logical Flow of Citrix WAF on AWS

Logical Flow

The Web Application Firewall can be installed as either a Layer 3 network device or a Layer 2 network bridge between customer servers and customer users, usually behind the customer company’s router or firewall. It must be installed in a location where it can intercept traffic between the web servers that users want to protect and the hub or switch through which users access those web servers. Users then configure the network to send requests to the Web Application Firewall instead of directly to their web servers, and responses to the Web Application Firewall instead of directly to their users. The Web Application Firewall filters that traffic before forwarding it to its final destination, using both its internal rule set and the user additions and modifications. It blocks or renders harmless any activity that it detects as harmful, and then forwards the remaining traffic to the web server. The preceding image provides an overview of the filtering process.

Note:

The diagram omits the application of a policy to incoming traffic. It illustrates a security configuration in which the policy is to process all requests. Also, in this configuration, a signatures object has been configured and associated with the profile, and security checks have been configured in the profile.

As the diagram shows, when a user requests a URL on a protected website, the Web Application Firewall first examines the request to ensure that it does not match a signature. If the request matches a signature, the Web Application Firewall either displays the error object (a webpage that is located on the Web Application Firewall appliance and which users can configure by using the imports feature) or forwards the request to the designated error URL (the error page).

If a request passes signature inspection, the Web Application Firewall applies the request security checks that have been enabled. The request security checks verify that the request is appropriate for the user website or web service and does not contain material that might pose a threat. For example, security checks examine the request for signs indicating that it might be of an unexpected type, request unexpected content, or contain unexpected and possibly malicious web form data, SQL commands, or scripts. If the request fails a security check, the Web Application Firewall either sanitizes the request and then sends it back to the Citrix ADC appliance (or Citrix ADC virtual appliance), or displays the error object. If the request passes the security checks, it is sent back to the Citrix ADC appliance, which completes any other processing and forwards the request to the protected web server.

When the website or web service sends a response to the user, the Web Application Firewall applies the response security checks that have been enabled. The response security checks examine the response for leaks of sensitive private information, signs of website defacement, or other content that should not be present. If the response fails a security check, the Web Application Firewall either removes the content that should not be present or blocks the response. If the response passes the security checks, it is sent back to the Citrix ADC appliance, which forwards it to the user.

Cost and Licensing

用户are responsible for the cost of the AWS services used while running AWS deployments. The AWS CloudFormation templates that can be used for this deployment include configuration parameters that users can customize as necessary. Some of those settings, such as instance type, affect the cost of deployment. For cost estimates, users should refer to the pricing pages for each AWS service they are using. Prices are subject to change.

A Citrix ADC WAF on AWS requires a license. To license Citrix WAF, users must place the license key in an S3 bucket and specify its location when they launch the deployment.

Note:

When users elect the Bring your own license (BYOL) licensing model, they should ensure that they have an AppFlow feature enabled. For more information on BYOL licensing, see:AWS Marketplace/Citrix ADC VPX - Customer Licensed。

The following licensing options are available for Citrix ADC WAF running on AWS. Users can choose an AMI (Amazon Machine Image) based on a single factor such as throughput.

• License model: Pay as You Go (PAYG, for the production licenses) or Bring Your Own License (BYOL, for the Customer Licensed AMI - Citrix ADC Pooled Capacity). For more information on Citrix ADC Pooled Capacity, see:Citrix ADC Pooled Capacity。

  • For BYOL, there are 3 licensing modes:

    • Configure Citrix ADC Pooled Capacity:Configure Citrix ADC Pooled Capacity

    • Citrix ADC VPX Check-in and Check-out Licensing (CICO):Citrix ADC VPX Check-in and Check-out Licensing

    Tip:

    If users elect CICO Licensing with VPX-200, VPX-1000, VPX-3000, VPX-5000, or VPX-8000 application platform type, they should ensure that they have the same throughput license present in their ADM licensing server.

    • Citrix ADC virtual CPU Licensing:Citrix ADC virtual CPU Licensing

Note:

If users want to dynamically modify the bandwidth of a VPX instance, they should elect a BYOL option, for exampleCitrix ADC pooled capacitywhere they can allocate the licenses from Citrix ADM, or they can check out the licenses from Citrix ADC instances according to the minimum and maximum capacity of the instance on demand and without a restart. A restart is required only if users want to change the license edition.

• Throughput: 200 Mbps or 1 Gbps

• Bundle: Premium

Deployment Options

This deployment guide provides two deployment options:

• The first option is to deploy using a Quick Start Guide format and the following options:

  • Deploy Citrix WAF into a new VPC (end-to-end deployment)。This option builds a new AWS environment consisting of the VPC, subnets, security groups, and other infrastructure components, and then deploys Citrix WAF into this new VPC.

  • Deploy Citrix WAF into an existing VPC。This option provisions Citrix WAF in the user existing AWS infrastructure.

• The second option is to deploy using WAF StyleBooks using Citrix ADM

Deployment Steps using a Quick Start Guide

Step 1: Sign in to the User AWS Account

• 如果gn in to the user account at AWS:AWSwith an IAM (Identity and Access Management) user role that has the necessary permissions to create an Amazon Account (if necessary) or sign in to an Amazon Account.

• Use the region selector in the navigation bar to choose the AWS Region where users want to deploy High Availability across AWS Availability Zones.

• Ensure that the user AWS account is configured correctly, refer to the Technical Requirements section of this document for more information.

Step 2: Subscribe to the Citrix WAF AMI

• This deployment requires a subscription to the AMI for Citrix WAF in the AWS Marketplace.

• 如果gn in to the user AWS account.

• Open the page for the Citrix WAF offering by choosing one of the links in the following table.

  • When users launch the Quick Start Guide in to deploy Citrix WAF in Step 3 below, they use theCitrix WAF Image巴勒斯坦权力机构rameter to select the bundle and throughput option that matches their AMI subscription. The following list shows the AMI options and corresponding parameter settings. The VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory.

Note:

To retrieve the AMI ID, refer to the Citrix Products on AWS Marketplace page on GitHub:Citrix Products on AWS Marketplace。

• AWS Marketplace AMI

  • Citrix Web Application Firewall (WAF) - 200 Mbps:Citrix Web App Firewall (WAF) - 200 Mbps

  • Citrix Web Application Firewall (WAF) - 1000 Mbps:Citrix Web App Firewall (WAF) - 1000 Mbps

• On the AMI page, chooseContinue to Subscribe。

• Review the terms and conditions for software usage, and then chooseAccept Terms。

Note:

用户receive a confirmation page, and an email confirmation is sent to the account owner. For detailed subscription instructions, see Getting Started in the AWS Marketplace Documentation:Getting Started。

• When the subscription process is complete, exit out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace—users will deploy the AMI with the Quick Start Guide.

Step 3: Launch the Quick Start Guide to Deploy the AMI

• 如果gn in to the user AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see deployment options earlier in this guide.

  • Citrix VPX部署到一个新的VPC AWS使用一个of the AWS CloudFormation Templates located here:

    • Citrix/Citrix-ADC-AWS-CloudFormation/Templates/High-Availability/Across-Availability-Zone

    • Citrix/Citrix-ADC-AWS-CloudFormation/Templates/High-Availability/Same-Availability-Zone

  • Deploy Citrix WAF into a new or existing VPC on AWS using the AWS Quickstart template located here:AWS-Quickstart/Quickstart-Citrix-ADC- WAF

Important:

If users are deploying Citrix WAF into an existing VPC, they must ensure that their VPC spans across two Availability Zones, with one public and two private subnets in each Availability Zone for the workload instances, and that the subnets are not shared. This deployment guide does not support shared subnets, see Working with Shared VPCs:Working with Shared VPCs。These subnets require NAT Gateways in their route tables to allow the instances to download packages and software without exposing them to the internet. For more information about NAT Gateways, see:NAT Gateways。Configure the subnets so there is no overlapping of subnets.

Also, users should ensure that the domain name option in the DHCP options is configured as explained in the Amazon VPC documentation found here: DHCP Options Sets:DHCP Options Sets。用户are prompted for their VPC settings when they launch the Quick Start Guide.

• Each deployment takes about 15 minutes to complete.

• Check the AWS Region that is displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Citrix WAF will be built. The template is launched in the US East (Ohio) Region by default.

Note:

This deployment includes Citrix WAF, which isn’t currently supported in all AWS Regions. For a current list of supported Regions, see the AWS Service Endpoints:AWS Service Endpoints。

• On theSelect Template巴勒斯坦权力机构ge, keep the default setting for the template URL, and then choose Next.

• On theSpecify Details巴勒斯坦权力机构ge, specify the stack name as per user convenience. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary.

• 在following table, parameters are listed by category and described separately for the deployment option:

• Parameters for deploying Citrix WAF into a new or existing VPC (Deployment Option 1)

• When users finish reviewing and customizing the parameters, they should choose Next.

Parameters for Deploying Citrix WAF into a new VPC

VPC Network Configuration

For reference information on this deployment refer to the CFT template here:AWS-Quickstart/Quickstart-Citrix-ADC-WAF/Templates。

Bastion host configuration

Citrix WAF Configuration

Pooled Licensing configuration

• Configure Citrix ADC Pooled Capacity:Configure Citrix ADC Pooled Capacity
• Citrix ADC VPX Check-in and Check-out Licensing (CICO):Citrix ADC VPX Check-in and Check-out Licensing

• Citrix ADC virtual CPU Licensing:Citrix ADC virtual CPU Licensing
  	License Bandwidth in Mbps	0 Mbps	Only if the licensing mode is Pooled-Licensing, then this field comes into the picture. It allocates an initial bandwidth of the license in Mbps to be allocated after BYOL ADCs are created. It should be a multiple of 10 Mbps.
  	License Edition	Premium	License Edition for Pooled Capacity Licensing Mode isPremium
  	Appliance Platform Type	Optional	Choose the required Appliance Platform Type,onlyif users opt for CICO licensing mode. Users get the options listed: VPX-200, VPX-1000, VPX-3000, VPX-5000, VPX-8000
  	License Edition	Premium	License Edition for vCPU based Licensing isPremium。

AWS Quick Start Guide Configuration

Note:

We recommend that users keep the default settings for the following two parameters, unless they are customizing the Quick Start Guide templates for their own deployment projects. Changing the settings of these parameters will automatically update code references to point to a new Quick Start Guide location. For more details, see the AWS Quick Start Guide Contributor’s Guide located here:AWS Quick Starts/Option 1 - Adopt a Quick Start。

• On theOptions巴勒斯坦权力机构ge, users can specify a Resource Tag or key-value pair for resources in your stack and set advanced options. For more information on Resource Tags, see:Resource Tag。For more information on setting AWS CloudFormation Stack Options, see:Setting AWS CloudFormation Stack Options。When users are done, they should chooseNext。

• On theReview巴勒斯坦权力机构ge, review and confirm the template settings. UnderCapabilities, select the two check boxes to acknowledge that the template creates IAM resources and that it might require the capability to auto-expand macros.

• ChooseCreateto deploy the stack.

• Monitor the status of the stack. When the status isCREATE_COMPLETE, the Citrix WAF instance is ready.

• Use the URLs displayed in theOutputstab for the stack to view the resources that were created.

Step 4: Test the Deployment

We refer to the instances in this deployment asprimaryandsecondary。Each instance has different IP addresses associated with it. When the Quick Start has been deployed successfully, traffic goes through the primary Citrix WAF instance configured in Availability Zone 1. During failover conditions, when the primary instance does not respond to client requests, the secondary WAF instance takes over.

The Elastic IP address of the virtual IP address of the primary instance migrates to the secondary instance, which takes over as the new primary instance.

在failover process, Citrix WAF does the following:

• Citrix WAF checks the virtual servers that have IP sets attached to them.

• Citrix WAF finds the IP address that has an associated public IP address from the two IP addresses that the virtual server is listening on. One that is directly attached to the virtual server, and one that is attached through the IP set.

• Citrix WAF reassociates the public Elastic IP address to the private IP address that belongs to the new primary virtual IP address.

验证部署,执行以下:

• Connect to the primary instance

For example, with a proxy server, jump host (a Linux/Windows/FW instance running in AWS, or the bastion host), or another device reachable to that VPC or a Direct Connect if dealing with on-prem connectivity.

• Perform a trigger action to force failover and check whether the secondary instance takes over.

Tip:

To further validate the configuration with respect to Citrix WAF, run the following command after connecting to thePrimary Citrix WAF instance:

Sh appfw profile QS-Profile

Connect to Citrix WAF HA Pair using Bastion Host

If users are opting for Sandbox deployment (for example, as part of CFT, users opt for configuring a Bastion Host), a Linux bastion host deployed in a public subnet will be configured to access the WAF interfaces.

在AWS CloudFormation console, which is accessed by signing in here:如果gn in, choose the master stack, and on theOutputstab, find the value ofLinuxBastionHostEIP1。

• PrivateManagementPrivateNSIPandPrimaryADCInstanceIDkey’s value to be used in the later steps to SSH into the ADC.

• ChooseServices。

• On theComputetab, selectEC2。

  • UnderResources, chooseRunning Instances。

  • On theDescriptiontab of the primary WAF instance, note theIPv4 public IPaddress. Users need that IP address to construct the SSH command.

• To store the key in the user keychain, run the commandssh-add -K [your-key-pair].pem

On Linux, users might need to omit the -K flag.

• Log in to the bastion host using the following command, using the value forLinuxBastionHostEIP1that users noted in step 1.

ssh -A ubuntu@[LinuxBastionHostEIP1]

• From the bastion host, users can connect to the primary WAF instance by using SSH.

ssh nsroot@[Primary Management Private NSIP]

Password: [Primary ADC Instance ID]

Now users are connected to the primary Citrix WAF instance. To see the available commands, users can run the help command. To view the current HA configuration, users can run the show HA node command.

Citrix Application Delivery Management

Citrix Application Delivery Management Service (Citrix ADM) provides an easy and scalable solution to manage Citrix ADC deployments that include Citrix ADC MPX, Citrix ADC VPX, Citrix Gateway, Citrix Secure Web Gateway, Citrix ADC SDX, Citrix ADC CPX, and Citrix SD-WAN appliances that are deployed on-premises or on the cloud.

用户can use this cloud solution to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified, and centralized cloud-based console. Citrix ADM Service provides all the capabilities required to quickly set up, deploy, and manage application delivery in Citrix ADC deployments and with rich analytics of application health, performance, and security.

Citrix ADM Service provides the following benefits:

• Agile– Easy to operate, update, and consume. The service model of Citrix ADM Service is available over the cloud, making it easy to operate, update, and use the features provided by Citrix ADM Service. The frequency of updates, combined with the automated update feature, quickly enhances user Citrix ADC deployment.

• Faster time to value– Quicker business goals achievement. Unlike with the traditional on-premises deployment, users can use their Citrix ADM Service with a few clicks. Users not only save the installation and configuration time, but also avoid wasting time and resources on potential errors.

• Multi-Site Management– Single Pane of Glass for instances across Multi-Site data centers. With the Citrix ADM Service, users can manage and monitor Citrix ADCs that are in various types of deployments. Users have one-stop management for Citrix ADCs deployed on-premises and in the cloud.

• Operational Efficiency– Optimized and automated way to achieve higher operational productivity. With the Citrix ADM Service, user operational costs are reduced by saving user time, money, and resources on maintaining and upgrading the traditional hardware deployments.

How Citrix ADM Service Works

Citrix ADM Service is available as a service on the Citrix Cloud. After users sign up for Citrix Cloud and start using the service, install agents in the user network environment or initiate the built-in agent in the instances. Then, add the instances users want to manage to the service.

An agent enables communication between the Citrix ADM Service and the managed instances in the user data center. The agent collects data from the managed instances in the user network and sends it to the Citrix ADM Service.

When users add an instance to the Citrix ADM Service, it implicitly adds itself as a trap destination and collects an inventory of the instance.

The service collects instance details such as:

• Host name

• Software version

• Running and saved configuration

• Certificates

• Entities configured on the instance, and so on.

Citrix ADM Service periodically polls managed instances to collect information.

The following image illustrates the communication between the service, the agents, and the instances:

Documentation Guide

The Citrix ADM Service documentation includes information about how to get started with the service, a list of features supported on the service, and configuration specific to this service solution.

Deploying Citrix ADC VPX Instances on AWS using Citrix ADM

When customers move their applications to the cloud, the components that are part of their application increase, become more distributed, and need to be dynamically managed.

在AWS和Citrix ADC VPX实例,用户可以amlessly extend their L4-L7 network stack to AWS. With Citrix ADC VPX, AWS becomes a natural extension of their on-premises IT infrastructure. Customers can use Citrix ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security, and control features that support the most demanding websites and applications in the world.

With Citrix Application Delivery Management (ADM) monitoring their Citrix ADC instances, users gain visibility into the health, performance, and security of their applications. They can automate the setup, deployment, and management of their application delivery infrastructure across hybrid multi-cloud environments.

Architecture Diagram

以下概述如何Ci形象trix ADM connects with AWS to provision Citrix ADC VPX instances in AWS.

Configuration Tasks

Perform the following tasks on AWS before provisioning Citrix ADC VPX instances in Citrix ADM:

• Create subnets

• Create security groups

• Create an IAM role and define a policy

执行以下任务provi Citrix ADMsion the instances on AWS:

• Create site

• Provision Citrix ADC VPX instance on AWS

To Create Subnets

在VPC创建三个子网。三个子网that are required to provision Citrix ADC VPX instances in a VPC - are management, client, and server. Specify an IPv4 CIDR block from the range that is defined in the VPC for each of the subnets. Specify the availability zone in which the subnet is to reside. Create all the three subnets in the same availability zone. The following image illustrates the three subnets created in the customer region and their connectivity to the client system.

For more information on VPC and subnets, see VPCs and Subnets.

To Create Security Groups

Create a security group to control inbound and outbound traffic in the Citrix ADC VPX instance. A security group acts as a virtual firewall for a user instance. Create security groups at the instance level, and not at the subnet level. It is possible to assign each instance in a subnet in the user VPC to a different set of security groups. Add rules for each security group to control the inbound traffic that is passing through the client subnet to instances. Users can also add a separate set of rules that control the outbound traffic that passes through the server subnet to the application servers. Although users can use the default security group for their instances, they might want to create their own groups. Create three security groups - one for each subnet. Create rules for both incoming and outgoing traffic that users want to control. Users can add as many rules as they want.

For more information on security groups, see:Security Groups for your VPC。

To Create an IAM Role and Define a Policy

Create an IAM role so that customers can establish a trust relationship between their users and the Citrix trusted AWS account and create a policy with Citrix permissions.

1. In AWS, clickServices。在left side navigation pane, selectIAM>Roles, and clickCreate role。

2. 用户are connecting their AWS account with the AWS account in Citrix ADM. So, selectAnother AWS accountto allow Citrix ADM to perform actions in the AWS account.

Type in the 12-digit Citrix ADM AWS account ID. The Citrix ID is 835822366011. Users can also find the Citrix ID in Citrix ADM when they create the cloud access profile.

1. EnableRequire external IDto connect to a third-party account. Users can increase the security of their roles by requiring an optional external identifier. Type an ID that can be a combination of any characters.

2. ClickPermissions。

3. InAttach permissions policies巴勒斯坦权力机构ge, clickCreate policy。

4. 用户can create and edit a policy in the visual editor or by using JSON.

The list of permissions from Citrix is provided in the following box:

{“版本”:“2012-10-17”,“声明”:[{“代用t": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeImageAttribute", "ec2:DescribeInstanceAttribute", "ec2:DescribeRegions", "ec2:DescribeDhcpOptions", "ec2:DescribeSecurityGroups", "ec2:DescribeHosts", "ec2:DescribeImages", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeAddresses", "ec2:DescribeKeyPairs", "ec2:DescribeTags", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute", "ec2:CreateTags", "ec2:DeleteTags", "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:ResetInstanceAttribute", "ec2:RunScheduledInstances", "ec2:ReportInstanceStatus", "ec2:StartInstances", "ec2:RunInstances", "ec2:StopInstances", "ec2:UnmonitorInstances", "ec2:MonitorInstances", "ec2:RebootInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses", "ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ResetNetworkInterfaceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:AssociateAddress", "ec2:AllocateAddress", "ec2:ReleaseAddress", "ec2:DisassociateAddress", "ec2:GetConsoleOutput" ], "Resource": "*" } ] } 

1. Copy and paste the list of permissions in the JSON tab and clickReview policy。

2. 在Review policy巴勒斯坦权力机构ge, type a name for the policy, enter a description, and clickCreate policy。

To Create a Site in Citrix ADM

Create a site in Citrix ADM and add the details of the VPC associated with the AWS role.

1. In Citrix ADM, navigate toNetworks>如果tes。

2. ClickAdd。

3. Select the service type as AWS and enableUse existing VPC as a site。

4. Select the cloud access profile.

5. If the cloud access profile does not exist in the field, clickAddto create a profile.

   • 在创建云访问配置文件巴勒斯坦权力机构ge, type the name of the profile with which users want to access AWS.

   • Type the ARN associated with the role that users have created in AWS.

   • Type the external ID that users provided while creating an Identity and Access Management (IAM) role in AWS. See step 4 in “To create an IAM role and define a policy” task. Ensure that the IAM role name specified in AWS starts withCitrix-ADM-and it correctly appears in the Role ARN.

The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with your IAM role in AWS are imported in Citrix ADM.

1. Type a name for the site.

2. ClickCreate。

To Provision Citrix ADC VPX on AWS

Use the site that users created earlier to provision the Citrix ADC VPX instances on AWS. Provide Citrix ADM service agent details to provision those instances that are bound to that agent.

1. In Citrix ADM, navigate toNetworks>Instances>Citrix ADC。

2. 在VPXtab, clickProvision。

This option displays theProvision Citrix ADC VPX on Cloud巴勒斯坦权力机构ge.

1. SelectAmazon Web Services (AWS)and clickNext。

2. InBasic Parameters,

   • Select theType of Instancefrom the list.

     • Standalone: This option provisions a standalone Citrix ADC VPX instance on AWS.

     • HA: This option provisions the high availability Citrix ADC VPX instances on AWS.

     To provision the Citrix ADC VPX instances in the same zone, select the如果ngle Zoneoption underZone Type。

     To provision the Citrix ADC VPX instances across multiple zones, select theMulti Zoneoption underZone type。在云参数tab, make sure to specify the network details for each zone that is created on AWS.

   • Specify the name of the Citrix ADC VPX instance.

   • In如果te, select the site that you created earlier.

   • InAgent,选择创建的代理来管理Citrix ADC VPX instance.

   • InCloud Access Profile, select the cloud access profile created during site creation.

   • InDevice Profile, select the profile to provide authentication.

   Citrix ADM uses the device profile when it requires to log on to the Citrix ADC VPX instance.

   • ClickNext。

3. In云参数,

   • Select theCitrix IAM Rolecreated in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

   • 在Productfield, select the Citrix ADC product version that users want to provision.

   • Select the EC2 instance type from theInstance Typelist.

   • Select theVersionof Citrix ADC that users want to provision. Select bothMajorandMinorversion of Citrix ADC.

   • InSecurity Groups, select the Management, Client, and Server security groups that users created in their virtual network.

   • InIPs in server Subnet per Node, select the number of IP addresses in server subnet per node for the security group.

   • InSubnets, select the Management, Client, and Server subnets for each zone that are created in AWS. Users can also select the region from theAvailability Zonelist.

   • ClickFinish。

The Citrix ADC VPX instance is now provisioned on AWS.

Note:

Citrix ADM doesn’t support deprovisioning of Citrix ADC instances from AWS.

To View the Citrix ADC VPX Provisioned in AWS

1. From the AWS home page, navigate toServicesand clickEC2。

2. On theResources巴勒斯坦权力机构ge, clickRunning Instances。

3. 用户can view the Citrix ADC VPX provisioned in AWS.

The name of the Citrix ADC VPX instance is the same name users provided while provisioning the instance in Citrix ADM.

To View the Citrix ADC VPX Provisioned in Citrix ADM

1. In Citrix ADM, navigate toNetworks>Instances>Citrix ADC。

2. SelectCitrix ADC VPXtab.

3. The Citrix ADC VPX instance provisioned in AWS is listed here.

Citrix ADC WAF and OWASP Top 10 – 2017

The Open Web Application Security Project:OWASPreleased the OWASP Top 10 for 2017 for web application security. This list documents the most common web application vulnerabilities and is a great starting point to evaluate web security. Here we detail how to configure the Citrix ADC Web Application Firewall (WAF) to mitigate these flaws. WAF is available as an integrated module in the Citrix ADC (Premium Edition) as well as a complete range of appliances.

The full OWASP Top 10 document is available atOWASP Top Ten。

A1:2017- Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into running unintended commands or accessing data without proper authorization.

ADC WAF Protections

• SQL Injection prevention feature protects against common injection attacks. Custom injection patterns can be uploaded to protect against any type of injection attack including XPath and LDAP. This is applicable for both HTML and XML payloads.

• The auto update signature feature keeps the injection signatures up to date.

• Field format protection feature allows the administrator to restrict any user parameter to a regular expression. For instance, you can enforce that a zip-code field contains integers only or even 5-digit integers.

• Form field consistency: Validate each submitted user form against the user session form signature to ensure the validity of all form elements.

• Buffer overflow checks ensure that the URL, headers, and cookies are in the right limits blocking any attempts to inject large scripts or code.

A2:2017 – Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

ADC WAF Protections

• Citrix ADC AAA module performs user authentication and provides Single Sign-On functionality to back end applications. This is integrated into the Citrix ADC AppExpert policy engine to allow custom policies based on user and group information.

• Using SSL offloading and URL transformation capabilities, the firewall can also help sites to use secure transport layer protocols to prevent stealing of session tokens by network sniffing.

• Cookie Proxying and Cookie Encryption can be employed to completely mitigate cookie stealing.

A3:2017 - Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such poorly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

ADC WAF Protections

• Application Firewall protects applications from leaking sensitive data like credit card details.

• Sensitive data can be configured as Safe objects in Safe Commerce protection to avoid exposure.

• Any sensitive data in cookies can be protected by Cookie Proxying and Cookie Encryption.

A4:2017 XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

ADC WAF Protections

• In addition to detecting and blocking common application threats that can be adapted for attacking XML-based applications (that is, cross-site scripting, command injection, and so forth).

• ADC Application Firewall includes a rich set of XML-specific security protections. These include schema validation to thoroughly verify SOAP messages and XML payloads, and a powerful XML attachment check to block attachments containing malicious executables or viruses.

• Automatic traffic inspection methods block XPath injection attacks on URLs and forms aimed at gaining access.

• ADC Application Firewall also thwarts various DoS attacks, including external entity references, recursive expansion, excessive nesting, and malicious messages containing either long or a large number of attributes and elements.

A5:2017 Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, and so on.

ADC WAF Protections

• Citrix ADC AAA feature that supports authentication, authorization, and auditing for all application traffic allows a site administrator to manage access controls with the ADC appliance.

• The Authorization security feature within the Citrix ADC AAA module of the ADC appliance enables the appliance to verify, which content on a protected server it should allow each user to access.

• Form field consistency: If object references are stored as hidden fields in forms, then using form field consistency you can validate that these fields are not tampered on subsequent requests.

• Cookie Proxying and Cookie consistency: Object references that are stored in cookie values can be validated with these protections.

• Start URL check with URL closure: Allows user access to a predefined allow list of URLs. URL closure builds a list of all URLs seen in valid responses during the user session and automatically allows access to them during that session.

A6:2017 - Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or improvised configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

ADC WAF Protections

• The PCI-DSS report generated by the Application Firewall, documents the security settings on the Firewall device.

• Reports from the scanning tools are converted to ADC WAF Signatures to handle security misconfigurations.

• ADC WAF supports Cenzic, IBM AppScan (Enterprise and Standard), Qualys, TrendMicro, WhiteHat, and custom vulnerability scan reports.

A7:2017 - Cross Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing webpage with user-supplied data using a browser API that can create HTML or JavaScript. Cross-site scripting allows attackers to run scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.

ADC WAF Protections

• Cross-site scripting protection protects against common XSS attacks. Custom XSS patterns can be uploaded to modify the default list of allowed tags and attributes. The ADC WAF uses an allow list of allowed HTML attributes and tags to detect XSS attacks. This is applicable for both HTML and XML payloads.

• ADC WAF blocks all the attacks listed in the OWASP XSS Filter Evaluation Cheat Sheet.

• Field format check prevents an attacker from sending inappropriate web form data which can be a potential XSS attack.

• Form field consistency.

A8:2017 - Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

ADC WAF Protections

• JSON载荷检验与自定义签名。

• XML security: protects against XML denial of service (xDoS), XML SQL and Xpath injection and cross site scripting, format checks, WS-I basic profile compliance, XML attachments check.

• Field Format checks in addition to Cookie Consistency and Field Consistency can be used.

A9:2017 - Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

ADC WAF Protections

• Citrix recommends having the third-party components up to date.

• Vulnerability scan reports that are converted to ADC Signatures can be used to virtually patch these components.

• Application Firewall templates that are available for these vulnerable components can be used.

• Custom Signatures can be bound with the firewall to protect these components.

A10:2017 - Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

ADC WAF Protections

• When the log action is enabled for security checks or signatures, the resulting log messages provide information about the requests and responses that the application firewall has observed while protecting your websites and applications.

• The application firewall offers the convenience of using the built-in ADC database for identifying the locations corresponding to the IP addresses from which malicious requests are originating.

• Default format (PI) expressions give the flexibility to customize the information included in the logs with the option to add the specific data to capture in the application firewall generated log messages.

• The application firewall supports CEF logs.

Application Security Protection

Citrix ADM

Citrix Application Delivery Management Service (Citrix ADM) provides a scalable solution to manage Citrix ADC deployments that include Citrix ADC MPX, Citrix ADC VPX, Citrix Gateway, Citrix Secure Web Gateway, Citrix ADC SDX, Citrix ADC CPX, and Citrix SD-WAN appliances that are deployed on-premises or on the cloud.

Citrix ADM Application Analytics and Management Features

The following features are key to the ADM role in App Security.

Application Analytics and Management

The Application Analytics and Management feature of Citrix ADM strengthens the application-centric approach to help users address various application delivery challenges. This approach gives users visibility into the health scores of applications, helps users determine the security risks, and helps users detect anomalies in the application traffic flows and take corrective actions. The most important among these roles for App Security is Application Security Analytics:

• Application security analytics:Application Security Analytics。The App Security Dashboard provides a holistic view of the security status of user applications. For example, it shows key security metrics such as security violations, signature violations, threat indexes. The App Security dashboard also displays attack related information such as SYN attacks, small window attacks, and DNS flood attacks for the discovered Citrix ADC instances.

StyleBooks

StyleBooks simplify the task of managing complex Citrix ADC configurations for user applications. A StyleBook is a template that users can use to create and manage Citrix ADC configurations. Here users are primarily concerned with the StyleBook used to deploy the Web Application Firewall. For more information on StyleBooks, see:StyleBooks。

Analytics

Provides an easy and scalable way to look into the various insights of the Citrix ADC instances’ data to describe, predict, and improve application performance. Users can use one or more analytics features simultaneously. Most important among these roles for App Security are:

• Security Insight:Security Insight。Provides a single-pane solution to help users assess user application security status and take corrective actions to secure user applications.

• Bot Insight

• For more information on analytics, see Analytics:Analytics。

Other features that are important to ADM functionality are:

Event Management

Events represent occurrences of events or errors on a managed Citrix ADC instance. For example, when there is a system failure or change in configuration, an event is generated and recorded on Citrix ADM. Following are the related features that users can configure or view by using Citrix ADM:

• Creating event rules:Create Event Rules

• View and export syslog messages:View and Export Syslog Messages

For more information on event management, see:Events。

Instance Management

Enables users to manage the Citrix ADC, Citrix Gateway, Citrix Secure Web Gateway, and Citrix SD-WAN instances. For more information on instance management, see:Adding Instances。

License Management

Allows users to manage Citrix ADC licenses by configuring Citrix ADM as a license manager.

• Citrix ADC pooled capacity:Pooled Capacity。A common license pool from which a user Citrix ADC instance can check out one instance license and only as much bandwidth as it needs. When the instance no longer requires these resources, it checks them back in to the common pool, making the resources available to other instances that need them.

• Citrix ADC VPX check-in and check-out licensing:Citrix ADC VPX Check-in and Check-out Licensing。Citrix ADM allocates licenses to Citrix ADC VPX instances on demand. A Citrix ADC VPX instance can check out the license from the Citrix ADM when a Citrix ADC VPX instance is provisioned, or check back in its license to Citrix ADM when an instance is removed or destroyed.

• For more information on license management, see:Pooled Capacity。

Configuration Management

Citrix ADM允许用户创建配置乔bs that help them perform configuration tasks, such as creating entities, configuring features, replication of configuration changes, system upgrades, and other maintenance activities with ease on multiple instances. Configuration jobs and templates simplify the most repetitive administrative tasks to a single task on Citrix ADM. For more information on configuration management, see Configuration jobs:Configuration Jobs。

Configuration Audit

Enables users to monitor and identify anomalies in the configurations across user instances.

• Configuration advice:Get Configuration Advice on Network Configuration。Allows users to identify any configuration anomaly.

• Audit template:Create Audit Templates。Allows users to monitor the changes across a specific configuration.

• For more information on configuration audit, see:Configuration Audit。

如果gnatures provide the following deployment options to help users to optimize the protection of user applications:

• Negative Security Model: With the negative security model, users employ a rich set of preconfigured signature rules to apply the power of pattern matching to detect attacks and protect against application vulnerabilities. Users block only what they don’t want and allow the rest. Users can add their own signature rules, based on the specific security needs of user applications, to design their own customized security solutions.

• Hybrid security Model: In addition to using signatures, users can use positive security checks to create a configuration ideally suited for user applications. Use signatures to block what users don’t want, and use positive security checks to enforce what is allowed.

保护用户应用程序通过使用签名,users must configure one or more profiles to use their signatures object. In a hybrid security configuration, the SQL injection and cross-site scripting patterns, and the SQL transformation rules, in the user signatures object are used not only by the signature rules, but also by the positive security checks configured in the Web Application Firewall profile that is using the signatures object.

Web应用程序防火墙检查流量to user protected websites and web services to detect traffic that matches a signature. A match is triggered only when every pattern in the rule matches the traffic. When a match occurs, the specified actions for the rule are invoked. Users can display an error page or error object when a request is blocked. Log messages can help users to identify attacks being launched against user applications. If users enable statistics, the Web Application Firewall maintains data about requests that match a Web Application Firewall signature or security check.

If the traffic matches both a signature and a positive security check, the more restrictive of the two actions are enforced. For example, if a request matches a signature rule for which the block action is disabled, but the request also matches an SQL Injection positive security check for which the action is block, the request is blocked. In this case, the signature violation might be logged as [not blocked], although the request is blocked by the SQL injection check.

Customization: If necessary, users can add their own rules to a signatures object. Users can also customize the SQL/XSS patterns. The option to add their own signature rules, based on the specific security needs of user applications, gives users the flexibility to design their own customized security solutions. Users block only what they don’t want and allow the rest. A specific fast-match pattern in a specified location can significantly reduce processing overhead to optimize performance. Users can add, modify, or remove SQL injection and cross-site scripting patterns. Built-in RegEx and expression editors help users configure user patterns and verify their accuracy.

Use Cases

Compared to alternative solutions that require each service to be deployed as a separate virtual appliance, Citrix ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, flexible licensing, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises Citrix ADC deployments. The net result is that Citrix ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers.

Citrix Web Application Firewall (WAF)

Citrix Web Application Firewall (WAF) is an enterprise grade solution offering state of the art protections for modern applications. Citrix WAF mitigates threats against public-facing assets, including websites, web applications, and APIs. Citrix WAF includes IP reputation-based filtering, Bot mitigation, OWASP Top 10 application threats protections, Layer 7 DDoS protection and more. Also included are options to enforce authentication, strong SSL/TLS ciphers, TLS 1.3, rate limiting and rewrite policies. Using both basic and advanced WAF protections, Citrix WAF provides comprehensive protection for your applications with unparalleled ease of use. Getting up and running is a matter of minutes. Further, using an automated learning model, called dynamic profiling, Citrix WAF saves users precious time. By automatically learning how a protected application works, Citrix WAF adapts to the application even as developers deploy and alter the applications. Citrix WAF helps with compliance for all major regulatory standards and bodies, including PCI-DSS, HIPAA, and more. With our CloudFormation templates, it has never been easier to get up and running quickly. With auto scaling, users can rest assured that their applications remain protected even as their traffic scales up.

Web Application Firewall Deployment Strategy

The first step to deploying the web application firewall is to evaluate which applications or specific data need maximum security protection, which ones are less vulnerable, and the ones for which security inspection can safely be bypassed. This helps users in coming up with an optimal configuration, and in designing appropriate policies and bind points to segregate the traffic. For example, users might want to configure a policy to bypass security inspection of requests for static web content, such as images, MP3 files, and movies, and configure another policy to apply advanced security checks to requests for dynamic content. Users can use multiple policies and profiles to protect different contents of the same application.

The next step is to baseline the deployment. Start by creating a virtual server and run test traffic through it to get an idea of the rate and amount of traffic flowing through the user system.

Then, deploy the Web Application Firewall. Use Citrix ADM and the Web Application Firewall StyleBook to configure the Web Application Firewall. See the StyleBook section below in this guide for details.

After the Web Application Firewall is deployed and configured with the Web Application Firewall StyleBook, a useful next step would be to implement the Citrix ADC WAF and OWASP Top 10.

Finally, three of the Web Application Firewall protections are especially effective against common types of Web attacks, and are therefore more commonly used than any of the others. Thus, they should be implemented in the initial deployment. They are:

• HTML Cross-Site Scripting。Examines requests and responses for scripts that attempt to access or modify content on a different website than the one on which the script is located. When this check finds such a script, it either renders the script harmless before forwarding the request or response to its destination, or it blocks the connection.

• HTML SQL Injection。Examines requests that contain form field data for attempts to inject SQL commands into a SQL database. When this check detects injected SQL code, it either blocks the request or renders the injected SQL code harmless before forwarding the request to the Web server.

Note:

If both of the following conditions apply to the user configuration, users should make certain that your Web Application Firewall is correctly configured:

• If users enable the HTML Cross-Site Scripting check or the HTML SQL Injection check (or both), and

• User protected websites accept file uploads or contain Web forms that can contain large POST body data.

For more information about configuring the Web Application Firewall to handle this case, see Configuring the Application Firewall:Configuring the Web App Firewall。

• Buffer Overflow。Examines requests to detect attempts to cause a buffer overflow on the Web server.

Configuring the Web Application Firewall (WAF)

The following steps assume that the WAF is already enabled and functioning correctly.

Citrix recommends that users configure WAF using the Web Application Firewall StyleBook. Most users find it the easiest method to configure the Web Application Firewall, and it is designed to prevent mistakes. Both the GUI and the command line interface are intended for experienced users, primarily to modify an existing configuration or use advanced options.

SQL Injection

The Application Firewall HTML SQL Injection check provides special defenses against the injection of unauthorized SQL code that might break user Application security.Citrix Web Application Firewall examines the request payload for injected SQL code in three locations: 1) POST body, 2) headers, and 3) cookies.

A default set of keywords and special characters provides known keywords and special characters that are commonly used to launch SQL attacks. Users can also add new patterns, and they can edit the default set to customize the SQL check inspection.

There are several parameters that can be configured for SQL injection processing. Users can check forSQL wildcard characters。用户can change theSQL Injection typeand select one of the 4 options (SQLKeyword, SQLSplChar, SQLSplCharANDKeyword, SQLSplCharORKeyword) to indicate how to evaluate the SQL keywords and SQL special characters when processing the payload. TheSQL Comments Handling parametergives users an option to specify the type of comments that need to be inspected or exempted during SQL Injection detection.

用户can deploy relaxations to avoid false positives. The learning engine can provide recommendations for configuring relaxation rules.

The following options are available for configuring an optimized SQL Injection protection for the user application:

Block— If users enableblock, the block action is triggered only if the input matches the SQL injection type specification. For example, ifSQLSplCharANDKeywordis configured as the SQL injection type, a request is not blocked if it contains no key words, even if SQL special characters are detected in the input. Such a request is blocked if the SQL injection type is set to eitherSQLSplChar, orSQLSplCharORKeyword。

Log— If users enable the log feature, the SQL Injection check generates log messages indicating the actions that it takes. Ifblockis disabled, a separate log message is generated for each input field in which the SQL violation was detected. However, only one message is generated when the request is blocked. Similarly, 1 log message per request is generated for the transform operation, even when SQL special characters are transformed in multiple fields. Users can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.

Stats— If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that the user application is under attack. If legitimate requests are getting blocked, users might have to revisit the configuration to see if they need to configure new relaxation rules or modify the existing ones.

Learn— If users are not sure which SQL relaxation rules might be ideally suited for their applications, they can use the learn feature to generate recommendations based on the learned data. The Web Application Firewall learning engine monitors the traffic and provides SQL learning recommendations based on the observed values. To get optimal benefit without compromising performance, users might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning.

Transform SQL special characters—The Web Application Firewall considers three characters, Single straight quote (‘), Backslash (), and Semicolon (;) as special characters for SQL security check processing. The SQL Transformation feature modifies the SQL Injection code in an HTML request to ensure that the request is rendered harmless. The modified HTML request is then sent to the server. All default transformation rules are specified in the /netscaler/default_custom_settings.xml file.

• The transform operation renders the SQL code inactive by making the following changes to the request:

• 如果ngle straight quote (‘) to double straight quote (“).

• Backslash () to double backslash ().

• Semicolon (;) is dropped completely.

These three characters (special strings) are necessary to issue commands to a SQL server. Unless a SQL command is prefaced with a special string, most SQL servers ignore that command. Therefore, the changes that the Web Application Firewall performs when transformation is enabled prevent an attacker from injecting active SQL. After these changes are made, the request can safely be forwarded to the user protected website. When web forms on the user protected website can legitimately contain SQL special strings, but the web forms do not rely on the special strings to operate correctly, users can disable blocking and enable transformation to prevent blocking of legitimate web form data without reducing the protection that the Web Application Firewall provides to the user protected websites.

The transform operation works independently of the SQL Injection Type setting. If transform is enabled and the SQL Injection type is specified as a SQL keyword, SQL special characters are transformed even if the request does not contain any keywords.

Tip:

用户通常使转换或车辆cking, but not both. If the block action is enabled, it takes precedence over the transform action. If users have blocking enabled, enabling transformation is redundant.

Check for SQL Wildcard Characters—Wild card characters can be used to broaden the selections of a SQL (SQL-SELECT) statement. These wild card operators can be used withLIKEandNOT LIKEoperators to compare a value to similar values. The percent (%), and underscore (_) characters are frequently used as wild cards. The percent sign is analogous to the asterisk (*) wildcard character used with MS-DOS and to match zero, one, or multiple characters in a field. The underscore is similar to the MS-DOS question mark (?) wildcard character. It matches a single number or character in an expression.

For example, users can use the following query to do a string search to find all customers whose names contain the D character.

SELECT * from customer WHERE name like “%D%”:

The following example combines the operators to find any salary values that have 0 in the second and third place.

SELECT * from customer WHERE salary like ‘_00%’:

Different DBMS vendors have extended the wildcard characters by adding extra operators. The Citrix Web Application Firewall can protect against attacks that are launched by injecting these wildcard characters. The 5 default Wildcard characters are percent (%), underscore (_), caret (^), opening bracket ([), and closing bracket (]). This protection applies to both HTML and XML profiles.

The default wildcard chars are a list of literals specified in the*Default Signatures:

• %

• _

• ^

• [

• ]

Wildcard characters in an attack can be PCRE, like [^A-F]. The Web Application Firewall also supports PCRE wildcards, but the literal wildcard chars shown here are sufficient to block most attacks.

Note:

The SQL wildcard character check is different from the SQL special character check. This option must be used with caution to avoid false positives.

Check Request Containing SQL Injection Type—The Web Application Firewall provides 4 options to implement the desired level of strictness for SQL Injection inspection, based on the individual need of the application. The request is checked against the injection type specification for detecting SQL violations. The 4 SQL injection type options are:

• SQL Special Character and Keyword—Both a SQL keyword and a SQL special character must be present in the input to trigger a SQL violation. This least restrictive setting is also the default setting.

• SQL Special Character—At least one of the special characters must be present in the input to trigger a SQL violation.

• SQL关键字指定SQL的一个关键words must be present in the input to trigger a SQL violation. Do not select this option without due consideration. To avoid false positives, make sure that none of the keywords are expected in the inputs.

• SQL Special Character or Keyword—Either the key word or the special character string must be present in the input to trigger the security check violation.

Tip:

If users configure the Web Application Firewall to check for inputs that contain a SQL special character, the Web Application Firewall skips web form fields that do not contain any special characters. Since most SQL servers do not process SQL commands that are not preceded by a special character, enabling this option can significantly reduce the load on the Web Application Firewall and speed up processing without placing the user protected websites at risk.

SQL comments handling— By default, the Web Application Firewall checks all SQL comments for injected SQL commands. Many SQL servers ignore anything in a comment, however, even if preceded by an SQL special character. For faster processing, if your SQL server ignores comments, you can configure the Web Application Firewall to skip comments when examining requests for injected SQL. The SQL comments handling options are:

• ANSI— Skip ANSI-format SQL comments, which are normally used by UNIX-based SQL databases. For example:

  • /– (Two Hyphens) - This is a comment that begins with two hyphens and ends with end of line.

  • {} - Braces (Braces enclose the comment. The { precedes the comment, and the } follows it. Braces can delimit single- or multiple-line comments, but comments cannot be nested)

  • /*/: C style comments (Does not allow nested comments). Please note /! */

  • MySQL Server supports some variants of C-style comments. These enable users to write code that includes MySQL extensions, but is still portable, by using comments of the following form: [/*! MySQL-specific code */]

  • 。#: Mysql comments : This is a comment that begins with the # character and ends with an end of the line

• Nested— Skip nested SQL comments, which are normally used by Microsoft SQL Server. For example; – (Two Hyphens), and /**/ (Allows nested comments)

• ANSI/Nested— Skip comments that adhere to both the ANSI and nested SQL comment standards. Comments that match only the ANSI standard, or only the nested standard, are still checked for injected SQL.

• Check all Comments— Check the entire request for injected SQL without skipping anything. This is the default setting.

Tip:

In most cases, users should not choose the Nested or the ANSI/Nested option unless their back-end database runs on Microsoft SQL Server. Most other types of SQL server software do not recognize nested comments. If nested comments appear in a request directed to another type of SQL server, they might indicate an attempt to breach security on that server.

Check Request headers— Enable this option if, in addition to examining the input in the form fields, users want to examine the request headers for HTML SQL Injection attacks. If users use the GUI, they can enable this parameter in theAdvanced Settings->Profile Settings巴勒斯坦权力机构ne of the Web Application Firewall profile.

Note:

If users enable the Check Request header flag, they might have to configure a relaxation rule for theUser-Agentheader. Presence of the SQL keywordlikeand a SQL special character semi-colon (;) might trigger false positive and block requests that contain this header.Warning:If users enable both request header checking and transformation, any SQL special characters found in headers are also transformed. The Accept, Accept-Charset, Accept-Encoding, Accept-Language, Expect, and User-Agent headers normally contain semicolons (;). Enabling both Request header checking and transformation simultaneously might cause errors.

InspectQueryContentTypes— Configure this option if users want to examine the request query portion for SQL Injection attacks for the specific content-types. If users use the GUI, they can configure this parameter in theAdvanced Settings->Profile Settings巴勒斯坦权力机构ne of the Application Firewall profile.

Cross-Site Scripting

The HTML Cross-Site Scripting (cross-site scripting) check examines both the headers and the POST bodies of user requests for possible cross-site scripting attacks. If it finds a cross-site script, it either modifies (transforms) the request to render the attack harmless, or blocks the request.

Note:

The HTML Cross-Site Scripting (cross-site scripting) check works only for content type, content length, and so forth. It does not work for cookie. Also ensure to have the ‘checkRequestHeaders’ option enabled in the user Web Application Firewall profile.

To prevent misuse of the scripts on user protected websites to breach security on user websites, the HTML Cross-Site Scripting check blocks scripts that violate the same origin rule, which states that scripts should not access or modify content on any server but the server on which they are located. Any script that violates the same origin rule is called a cross-site script, and the practice of using scripts to access or modify content on another server is called cross-site scripting. The reason cross-site scripting is a security issue is that a web server that allows cross-site scripting can be attacked with a script that is not on that web server, but on a different web server, such as one owned and controlled by the attacker.

Unfortunately, many companies have a large installed base of JavaScript-enhanced web content that violates the same origin rule. If users enable the HTML Cross-Site Scripting check on such a site, they have to generate the appropriate exceptions so that the check does not block legitimate activity.

The Web Application Firewall offers various action options for implementing HTML Cross-Site Scripting protection. In addition to theBlock,Log,StatsandLearnactions, users also have the option toTransform cross-site scriptsto render an attack harmless by entity encoding the script tags in the submitted request. Users can configure Check complete URLs for the cross-site scripting parameter to specify if they want to inspect not just the query parameters but the entire URL to detect a cross-site scripting attack. Users can configure theInspectQueryContentTypes巴勒斯坦权力机构rameter to inspect the request query portion for a cross-site scripting attack for the specific content-types.

用户can deploy relaxations to avoid false positives. The Web Application Firewall learning engine can provide recommendations for configuring relaxation rules.

The following options are available for configuring an optimized HTML Cross-Site Scripting protection for the user application:

• Block— If users enableblock, the block action is triggered if the cross-site scripting tags are detected in the request.

• Log— If users enable the log feature, the HTML Cross-Site Scripting check generates log messages indicating the actions that it takes. Ifblockis disabled, a separate log message is generated for each header or form field in which the cross-site scripting violation was detected. However, only one message is generated when the request is blocked. Similarly, 1 log message per request is generated for the transform operation, even when cross-site scripting tags are transformed in multiple fields. Users can monitor the logs to determine whether responses to legitimate requests are getting blocked. A large increase in the number of log messages can indicate attempts to launch an attack.

• Stats— If enabled, the stats feature gathers statistics about violations and logs. An unexpected surge in the stats counter might indicate that the user application is under attack. If legitimate requests are getting blocked, users might have to revisit the configuration to see if they must configure new relaxation rules or modify the existing ones.

• Learn——如果用户不确定米格放松规则ht be ideally suited for their application, they can use the learn feature to generate HTML Cross-Site Scripting rule recommendations based on the learned data. The Web Application Firewall learning engine monitors the traffic and provides learning recommendations based on the observed values. To get optimal benefit without compromising performance, users might want to enable the learn option for a short time to get a representative sample of the rules, and then deploy the rules and disable learning.

• Transform cross-site scripts— If enabled, the Web Application Firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:

  • Left angle bracket (<) to HTML character entity equivalent (<)

  • Right angle bracket (>) to HTML character entity equivalent (>)

This ensures that browsers do not interpret unsafe html tags, such as