PoC Guide: Web Application Firewall Deployment

Overview

This proof of concept (PoC) guide is designed to help you quickly deploy Citrix Web App Firewall (WAF) either standalone or as a part of an existing ADC deployment to protect web applications and services. This guide covers some of the basics of Citrix WAF, deployment best practices, and next steps for your WAF projects. This guide will NOT cover every protection available nor will it cover all web technologies available today.

These instructions cover cloning an application or server that is already being proxied by an ADC appliance allowing administrators to build policies and rules without disrupting existing traffic. This is not the only way to deploy a PoC for Web Application Firewall, but it is easier than other methods.

Conceptual Architecture

A Web Application Firewall operates at Layer 7, the application layer, unlike traditional network firewalls that operate at Layer 3 or Layer 4. It understands web and application protocols like HTTP, XML, SQL, and HTML.

The Citrix WAF provides both positive and negative security models for the widest protection possible. Thenegative security modelemploys vulnerability signatures to prevent known attacks. It also allows for rapid initial deployment and provides a mechanism for “Virtual Patching” of applications by importing the results from third party assessment tools.

Thepositive security modeldefines the traffic patterns and user behaviors that are allowed and blocks everything else. Dynamic profiling is used by the WAF engine to build rule sets for the behavior that is acceptable.

Prerequisites

This guide assumes the following is already configured on your Citrix ADC or standalone Citrix WAF:

1. A basic understanding of networking concepts and managing the Citrix ADC
2. The ADC appliance is already deployed and accessible on the network
3. A suitable license has been applied - either standalone WAF or for ADC, aPremiumlicense is required
4. An NSIP has been assigned, and is accessible for management
5. A SNIP has been assigned and can communicate with one or more services that are protected

6. Aninternal onlyIP address and DNS entry for another VIP (the service may already be load balanced by the ADC, ensure that a separate IP and DNS are available)

   Note:

   Using a different DNS name and URL to access an application MAY require adding configuration to the application to make it aware of the new name

7. A Basic understanding of the architecture and structure of the application or service that you are protecting.For example, if the site processes credit card information determines if credit card protections are enabled, or if the application uses an SQL database for storage determines if SQLi protections are used
8. A basic understanding of web protocols and technologies such as HTTP, HTML, regular expressions, JavaScript and more, depending on the application that is being protected
9. 第四层的基本理解load balancing and configuration on the Citrix ADC
10. A dedicated syslog server - while local syslogs are available, having a dedicated syslog server configured is recommended. Alternatively, Citrix ADM with Security Insight provides detailed analytics into the WAF engine and application security

WAF Proof of Concept Considerations

More than likely, the web service or application that we want to protect is already being proxied by the ADC for load balancing or other traffic management. During the WAF PoC deployment we do NOT want to disrupt the application functionality or availability for existing users. To accomplish this, a duplicate virtual server is made with the only difference being that the duplicate virtual server has WAF policies bound to it.

This method also gives users the ability to test the application to ensure that it is functioning correctly and to build WAF rules for acceptable traffic.

Sizing the ADC deployment needs to be considered before enabling Web Application Firewall as it can introduce significant resource consumption. The best way to estimate sizing is to use the web server to analyze and estimate the request sizes, response sizes, and number of forms. Citrix ADC can be used to gather basic web sizing metrics, but only if the application is already being proxied:

show httpband-typeRESPONSE show httpband-typeREQUEST <!--NeedCopy-->

Certain protections requiresignificantlymore resources than others, thus referred to asAdvancedprotections. Advanced protections consume more resources because they are remembering Form Fields, URLs, Cookies, and other data in the web transaction. The WAF engine validates that the data does not change between transactions to ensure that requests and responses are not tampered with and as such consume more appliance memory. Some advanced protections supportSessionlesschecking as noted in the configuration - sessionless protection requires more CPU resources rather than memory.

As an example, an appliance withAdvancedpolicies is able to process approximately one tenth as much traffic as an identical appliance with onlyBasicprotections. Refer to the Citrix ADC data sheets for the supported WAF throughput capabilities for each different appliance.

Recommended Protections

These security checks can usually be enabled in the WAF profile. Most of these checksrequire learned rulesto be applied before enabling blocking; do NOT enableBLOCKby default, without deploying learned rules first.

Note:

This list is NOT exhaustive. Some protections are not compatible with some applications and some protections do not add any benefit to other applications.

• Cookie Consistency
  • Allows session cookies from the application to be encrypted or proxied by the WAF engine
  • Cookie Consistency prevents a malicious actor from tampering with cookies

  • Cookie Consistency is anAdvancedprotection

    Note:

    Do NOT enable this setting when users are actively using the application, as any non-encrypted session cookies sent will not be allowed

  • More information in Citrix Prod Docs
• Buffer Overflow
  • Prevents attacks against insecure OS or web server software that can behave unpredictably when receiving data that is larger than it can handle
  • Buffer Overflow detects if the URL, cookies, or headers are longer than the specified maximum size
  • More information in Citrix Prod Docs
• Form Field Consistency Check
  • Validates that web forms returned by users have not been modified before being sent to the server
  • Form Field Consistency is anAdvancedprotection with sessionless support
  • More information in Citrix Prod Docs
• SQL Injection
  • 块或转换SQL特别keywords and characters from the POST body, header, and cookies
  • Only applicable if the web application uses an SQL database
  • More information in Citrix Prod Docs
• Cross-Site Scripting Check (XSS)
  • Checks the headers and POST bodies of requests for cross-site script attacks
  • WAF can either block the request completely or transform the offending scripts to prevent them from running
  • More information in Citrix Prod Docs
• Deny URL
  • Blocks connections to URLs that are commonly accessed by hackers and malicious code or scripts
  • Custom Deny URL Rules can be added in theRelaxation Rules > Deny URLUI, by clickingEditthenAdd
  • More information in Citrix Prod Docs
• Start URL (URL Closure)
  • Prevents direct access to random URLs on a site (forceful browsing) through bookmarks, external links, page jumping, or manually entering URLs
  • Start URL is anAdvancedprotection with sessionless support; learned rulesMUSTbe deployed before blocking based on Start URL
  • More information in Citrix Prod Docs

Initial WAF Configuration

There are two options when configuring WAF protection:

• Option 1:Use the Web App Firewall configuration Wizard to create a WAF profile and WAF policy
  • The wizard guides you through building an initial signature set and other security checks and settings as follows:
    • In the web UI, navigate to:Security > Citrix Web App Firewall

    

    • Choose a name for the WAF profile and the profile type (Web, XML, or JSON depending on the type of application you are protecting)

    

    • Specify the expression that determines which traffic is processed by the WAF engine

    

    • Select the signatures that apply protections for known vulnerabilities - there are options to use an existing signature set or create a new set. To choose which signatures to apply to this protection profile, there are two editor options offering basic or advanced capabilities.

    • There are navigation options on both editors to select the signatures then enable, block, log, or stats. Watch out for multiple pages of signatures and ensure that all are selected. The Basic editor is easier to get started with, while the advanced editor offers more capabilities

    Note:

    Ensure that the signatures are marked as ENABLED prior to moving on to the next step

    

    

    • Choose the Deep Protections that are applicable to the application. It is recommended to start by enabling logging, stats, and learning; do NOT enable blocking initially as many protections require some number of learned rules

    

    IMPORTANT:

    If the WAF wizard is used to create a profile and policy, it does become bound GLOBALLY! If the filtering expression is left as default (true) then ALL traffic is processed by the WAF engine, likely leading to applications misbehaving. The recommended action is to unbind the policy from theDefault Globalbind point and instead bind to the LB virtual server that is created later. To unbind a WAF policy from the Global bind point, do the following:

    • Navigate toSecurity > Citrix Web App Firewall > Policies > Firewall
    • ChoosePolicy Manager, then chooseDefault Global
    • Highlight the WAF policy listed, and chooseUnbind

  

• Option 2:Alternatively, WAF protection can be applied to an application or site by manually creating a WAF profile, WAF policy, and applying a signature set
  1. Create a signature set for the application
     1. Navigate toSecurity > Citrix Web App Firewall > Signatures
     2. Highlight theDefault Signaturesthen pressAddto create a copy of the default signature set
     3. Select the appropriate signatures depending on the application or site being protected and ensure that the signatures are set toENABLED
  2. Create a Web App Firewall Profile
     1. Navigate toSecurity > Citrix Web App Firewall > Profiles
     2. Give the profile a descriptive name then select Web, XML, or JSON depending on the type of application you are protecting
     3. SelectBasicto apply the basic default settings
     4. Once created, highlight the new Profile, and pressEdit
     5. OpenSecurity Checksand deselectBLOCKon all items
     6. Open配置文件设置
        • Select the previously created Signature Set in theBound Signaturessetting
        • If the back-end application server supportschunked requests, enableStreamingto improve performance
        • Modify any additional settings based on the application or website being protected
  3. Create a Web App Firewall Policy
     1. Navigate toSecurity > Citrix Web App Firewall > Policies > Firewall
     2. PressAddto create a new policy
     3. Give the policy a descriptive name and select the WAF Profile created earlier
     4. Create a traffic expression that determines which traffic is processed by the WAF engine

Regardless of the method used, a basic Web App Firewall configuration is now available to be bound. The final step is to update the signature file.

• 导航到Security > Citrix Web应用防火墙>年代ignatures
• Highlight the newly created signature set and pressSelect Action > Auto Update Settings

• EnableSignatures Auto Updateand ensure that the update URL is populated

  Note:

  Signature update requires that the ADC can resolve DNS names and access the public internet from the NSIP

• Once auto-update is configured, ADC checks for updates once per hour. The signatures can be updated manually as well and a manual update needs to be run once after the WAF profile and policy are created

To verify if the ADC appliance is able to reach the signature updates, the following command is run from theCLI(exit to shell):

shell curl-Ihttps://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml <!--NeedCopy-->

The system should return anHTTP/1.1 200 OK

The most recent signature update documentation is available onCitrix Prod Docs- updates via RSS are also available.

默认情况下,公共事件格式(CEF)日志是not enabled, with the WAF using native logging format. Additionally, the WAF enginge can include GeoLocation information for requests. For ease of troubleshooting, it is recommended to enable CEF logging and GeoLocation by navigating toSecurity > Citrix Web App Firewall > Change Engine Settings. Check the boxes forCEF LoggingandGeo-Location Logging. Alternatively, these settings can be enabled in via the CLI as follows:

setappfw settings GeoLocationLogging ON CEFLogging ON <!--NeedCopy-->

Clone Virtual Server Configuration

Once the Web App Firewall Profile and Policy have been created, it needs to be bound to the load balancing virtual server. If the application or service is not already configured on the ADC, it needs to be configured from scratch. If the application is already configured, it needs to be cloned.

To quickly clone an existing virtual server, do the following:

• Navigate toTraffic Management > Load Balancing > Virtual Servers

• Highlight the existing virtual server and pressAddto create a new virtual server with similar settings
  • Give the new virtual server a new name and different IP address
  • Ensure that the port and protocol are correct then pressOK
  • Bind services or service groups then pressContinue
  • Modify the load balancing method, persistence, and any other Traffic settings needed to match the existing virtual server
  • If this virtual server is an HTTPS virtual server, ensure that an appropriate certificate is bound and a secure Cipher Suite is bound

Next, the WAF policy needs to be bound to this new virtual server:

• Navigate toTraffic Management > Load Balancing > Virtual Servers
• Highlight the newly created virtual server and pressEdit
• In the rightAdvanced Settingscolumn, choosePolicies
• Press the+ (plus)icon to add a policy
  • Choose anApp Firewallpolicy with a type ofRequest
  • The default binding details can be left alone

User Acceptance Testing and Initial Troubleshooting

At this point, users can begin testing the application using the new URL, accessing the web application with WAF policies bound. Depending on the complexity of the application, multiple users across different business units need to use the application to generate an acceptable amount of traffic. This traffic is used by the learning engine to see all parts of the application and to ensure there are no false positive blocks that prevent application functionality.

During initial testing, information pertaining to the offending request can be difficult to find, but there a few settings that assist with this. The first is to set a custom HTML Error Object that presents diagnostic information whenever a request is blocked. If an error object is not set, a user is often be presented with a blank page that does not provide any information.

Note:

这是重新commended to be removed or changed once the WAF protected application is exposed to a non-testing audience.

• Set theHTML Error Objectto present diagnostic information
  • Go to theWAF Profile, then expand配置文件设置
  • Select the HTML Error Object and click the add button (or plus) to create a new object
  • In the ‘Import HTML Error Page’ chooseText
  • Give the error object a name and paste the following code:

Your request has been blocked by a security policy
Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following:
NS事务ID: $ {NS_TRANSACTION_ID}
AppFW Session ID: ${NS_APPFW_SESSION_ID}
Violation Category: ${NS_APPFW_VIOLATION_CATEGORY}
Violation Details: ${NS_APPFW_VIOLATION_LOG}

nsconmsg-dstats |grepappfw <!--NeedCopy-->

setappfw settings-malformedReqActionlog stats <!--NeedCopy-->

/var/nslog/asl/appfwprofile.db <!--NeedCopy-->

/var/log/ns.log <!--NeedCopy-->