PoC Guide: Protecting Gateway Virtual Servers with WAF, Bot, and Advanced Authentication Policies
Overview
Many Citrix ADC appliances host VPN and Citrix Gateway deployments that also provide security protections to other web applications. This PoC guide is designed to help protect VPN and Gateway virtual servers using tools already available on the Citrix ADC appliance. This guide covers protecting the portal login page with Bot security and protecting the credential form submission with WAF capabilities. Also, advanced authentication policies add context to user logons and enable multifactor authentication.
The flow of this configuration diagrammed as follows:
Configuration Options
本指南不提供独家的公关列表otections, nor is it the only way to configure them. For example, deploying both IP Reputation and rate limiting using a responder policy on a Gateway virtual server is common. This configuration is a supported method of deployment. It has a different outcome of dropping or resetting connections before the gateway login page is rendered.
Also, the WAF profile doesn’t have every protection enabled to prevent complex configuration, custom tuning, and potential issues. Further configuration to the WAF profile is possible, see the links in the references section for guidance.
Note:
CAPTCHA isn’t the most secure option for an extra factor, it’s only used for simplicity in explanation. Other MFA options such as TOTP or PUSH are better options - see the references section for links to help in deploying these options.
Prerequisites
This guide assumes a working knowledge of Citrix WAF deployment, Bot Security deployment, and Advanced Authentication Policies (nFactor). It makes assumptions that a gateway or authentication virtual server is already installed and configured. The following are requirements for the configuration:
- Advanced Authentication Policies require release 12.1 build 57.18 or later
- Web Application Firewall protections require release 12.1 build 57.18 or later
- Bot Security protections require release 13.0 build 71.40 or later
- Most of the features in this guide require apremium license
- An existing server or service listening on port 80
- An existing Gateway or authentication virtual server, with an existing advanced authentication configuration (advanced authentication or nFactor flow)
- Enable the following features:Citrix Web App Firewall, Citrix Bot Management, and Reputation
Bot Protection
Bot Signatures
FromSecurity > Citrix Bot Management > Signatures, select the Default Bot Signatures and click theClonebutton. Apply a descriptive name, then click create.
Create a Bot Management Profile and Policy
FromSecurity > Citrix Bot Management > Profiles, select Add to create a new Bot Management Profile. Give the profile a descriptive name and select the previously created signature set.
Select the profile to edit the advanced settings.
AddIP Reputationfrom the right column and check the box to enable it.
Next, choose ‘Add’ under categories, selectIPfor the Type, check the box for Enabled and set the action to Drop. Last, check the box for ‘Log’ and set the log message to something descriptive.
SelectDevice Fingerprintfrom the right column, ensure that the ‘Enabled’ check box isNOTchecked and click Update.
The last setting for the Bot Profile is to enable rate limiting, selectRate Limitfrom the right column and check the box for enabled. Click ‘Add’ underConfigure Resources, and add three URL type rate limit bindings for the following URLs:
- /logon/LogonPoint/index.html
- /logon/LogonPoint/tmindex.html
- /vpn/index.html
Configure the rate limits as follows:
- Enabled
- Rate of 5
- Period of 1000
- Action of Drop
- Log set toenabled
- Log Message with a descriptive message title.
The Bot Profile is now configured as follows:
Create a BotManagement Policyby going toSecurity > Citrix Bot Management > Bot Policiesand choosing Add. Select the previously created Bot Profile, with an expression as follows:
HTTP.REQ.URL.CONTAINS("/vpn")||HTTP.REQ.URL.CONTAINS("/logon")<!--NeedCopy-->Finally, the bot policy is bound by selecting ‘Policy Manager’. Select a Bind Point of ‘Default Global’, select ‘Click to select’ to select the policy. Highlight the previously created policy, and choose ‘Select’. Select ‘Bind’ then ‘Done’.
WAF Protection
It isn’t possible to bind a WAF policy directly to a Gateway or authentication virtual server. Also, binding a WAF policy globally with an expression that targets Gateway or authentication virtual servers won’t function as expected. The policy processing order causes this malfunction - WAF policies are processed after Gateway and authentication policies. See the image below for a traffic flow clarification.
The WAF protection policy uses an HTTP Callout to protect the logon page and invalidate the authentication flow if a WAF exception is caught. This configuration requires a pattern set (Patset) that includes the login URLs, a dummy service and load balancing virtual server, an HTTP callout, and the WAF policy and configuration.
Pattern Set
Navigate toAppExpert > Pattern Setsand select ‘Add’. Give the new Pattern Set a name, then select ‘Insert’ and add the following patterns:
- /cgi/login (index 1)
- /nf/auth/doAuthentication.do (index 2)
Alternatively, create the pattern set from the CLI:
add policy patset GW_VPN_Patsetbindpolicy patset GW_VPN_Patset"/cgi/login"-index1bindpolicy patset GW_VPN_Patset"/nf/auth/doAuthentication.do"-index2 <!--NeedCopy-->Dummy Virtual Server and Service
The HTTP Callout uses a dummy virtual server. This virtual server doesn’t need to be publicly available, so it can be non-addressable. The virtual server DOES need to be up, so the back end server needs to be up and responding on port 80. A new service and virtual server are created in this guide, but a pre-existing virtual server can be used.
Go toTraffic Management > Load Balancing > Servicesand select ‘Add’. Give the service a descriptive name, set the protocol to HTTP and port to 80. Enter the IP address of the server and chooseOK. Alternatively, create the service with an existing server. Use all default settings, including monitors bound to the service.
Next create the load balancing virtual server by going toTraffic Management > Load Balancing > Virtual Serversand select ‘Add’. Give the server a descriptive name, set the protocol to HTTP, and set the IP address type toNon Addressable. Bind the previously created service to this virtual server by selecting ‘No Load Balancing Virtual Server Service Binding’ then ‘Click to select’ and selecting the service. There is now 1 service bound to the virtual server and the state is ‘UP’.
HTTP Callout
Navigate toAppExpert > HTTP Calloutsand select ‘Add’. Give the HTTP Callout a descriptive name, select ‘Virtual Server’ to receive the callout request, and select the dummy virtual server. In the Request to send to the server, select the type as Expression-Based, set the scheme to ‘HTTP’ and set the Full Expression to the following:
HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048)<!--NeedCopy-->Note:
The name of the header here is ‘GW_VPN-WAF_Callout’ - the application firewall filtering expression uses it later. If the name is changed here, change the WAF header expression as well.
In the Server Response section, set the return type toBOOLand set the expression to ‘true’.
Alternatively, create the HTTP Callout from the CLI:
add policy httpCallout GW_VPN_WAF_Callout-vServerdummy-vserver-here-returnTypeBOOL-fullReqExprHTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048)-schemehttp-resultExprtrue<!--NeedCopy-->Authentication Policy
Modify an existing LDAP authentication policy to use the HTTP Callout. Open the existing authentication policy by going toSecurity > AAA Application Traffic > Policies > Authentication > Advanced Policies > Policy, select the existing policy and choose ‘Edit’. Modify the existing expression to the following:
HTTP.REQ.URL.CONTAINS_ANY("GW_VPN_Patset")&&SYS.HTTP_CALLOUT(GW_VPN_WAF_Callout)<!--NeedCopy-->
Note:
Use this expression with any authentication policy where you want to protect the form fields on the logon page.
WAF Profile and Policy
To build the WAF profile go toSecurity > Citrix Web Application Firewall > Profilesand choose ‘Add’. Give the profile a descriptive name and select Web Application (HTML) and Basic Defaults. Open the newly created profile by choosing ‘Edit’ then select ‘Security Checks’ from the right hand column.
Enable the following security checks (disable all other settings):
- Buffer Overflow - Log, Stats
- Post Body Limit - Block, Log, Stats
- HTML跨站点脚本块,日志,统计数据
- HTML SQL Injection - Block, Log, Stats
Next select ‘Profile Settings’ from the right hand column and set the Default Response to:
application/octet-stream <!--NeedCopy-->Then check the box forLog Every Policy Hit.
Next, configure the WAF policy by going toSecurity > Citrix Web Application Firewall > Policies > Firewalland choose ‘Add’. Give the policy a descriptive name and select the profile created in the previous step. For the expression, enter the following:
HTTP.REQ.HEADER("GW_VPN-WAF_Callout").EXISTS <!--NeedCopy-->Note:
The name of the header here must match the header in the HTTP Callout created earlier.
Last, bind the WAF policy to the dummy load balancing virtual server created earlier by going toTraffic Management > Load Balancing > Virtual Servers. Select the virtual server then choose ‘Edit’.
From the right hand column, select ‘Policies’ then click the ‘+’ plus to add a policy. Select policy App Firewall and type Request. Select the policy created previously then select ‘Bind’ and ‘Done’.
Alternatively, create the WAF configuration using the CLI as follows:
add appfw profile demo_appfw_profile-startURLActionnone-denyURLActionnone-fieldFormatActionnone-bufferOverflowActionlog stats-responseContentType"application/octet-stream"-logEveryPolicyHitON-fileUploadTypesActionnone add appfw policy demo_appfw_policy"HTTP.REQ.HEADER(\"GW_VPN-WAF_Callout\").EXISTS"demo_appfw_profilebindlb vserver dummy-vserver-here-policyNamegw_appfw_policy-priority100-gotoPriorityExpressionEND-typeREQUEST <!--NeedCopy-->Advanced Authentication Settings
There are two configurations related to authentication - encrypting user credentials from the client to the ADC within nFactor and IP reputation based MFA.
Encrypting User Credentials
下ing setting enables the ADC to encrypt the credential set when the user submits the form data using ECDHE algorithms. To enable this setting, navigate toCitrix Gateway > Global Settings > Authentication Settings > Change Authentication AAA settingsand setLogin EncryptiontoENABLED.
Alternatively, change this setting from the CLI as follows:
setaaa parameter-loginEncryptionENABLED <!--NeedCopy-->IP Reputation Based MFA
Use IP Reputation with advanced authentication to prompt the user for an extra factor if the database includes the source address. Also, creatte a manually maintained dataset of addresses.
Important:
下ing configuration example uses CAPTCHA as a means to provide another factor of authentication, but any other MFA tool can be used. As with all nFactor configurations, the policies, schemas, and policy labels shown here are simple examples - add an extra configuration to meet any specific login use case.
See the references section for additional details on configuring TOTP PUSH as a factor and additional CAPTCHA configurations.
Create a data set by going toAppExpert > Data Setsand selecting ‘Add’. Create a data set with a descriptive name, a type of ‘ipv4’ and click ‘Create’.
Next, two advanced authentication policies need to be created by going toSecurity > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policyand select ‘Add’.
Create the first policy with a descriptive name, an action type ofNO_AUTHN, and the expression set to ‘true’.
Create the second policy with a descriptive name, action type ofNO_AUTHN, and an expression as follows:
CLIENT.IP.SRC.IPREP_IS_MALICIOUS||CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("suspicious_ips")<!--NeedCopy-->Note:
Use the name of the previously created data set here.
Next, a CAPTCHA login schema profile is created by going toSecurity > AAA - Application Traffic > Login Schema > Profiles Taband selecting ‘Add’. Give the profile a descriptive name then edit the Authentication Schema by selecting the ‘pencil’ edit icon. Browse to the LoginSchema directory, highlightSingleAuthCaptcha.xml, and chooseSelect.
Next, create an authentication policy label for the Captcha schema by going toSecurity > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy Labeland selecting ‘Add’. Give the PL a descriptive name and select the previously created captcha login schema. Bind the required LDAP action policy.
Note:
This example is reusing a previously created LDAP authentication action.
Create another policy label by selecting ‘Add’. Give this PL a descriptive name, and set the login schema to LSCHEMA_INT. Next, bind the two previously created NO_AUTHN authentication policies.
Last, set the next factor of the previously created authentication policy as this IP Reputation check policy label. It’s already bound to an authentication or Gateway virtual server. Highlight the authentication policy, select ‘edit binding’ then set the new policy label as the ‘Select Next Factor’ field.
Summary
Citrix ADC provides many built-in security protections that protect Gateway or Authentication virtual servers running on the same appliance. These protections have no impact on typical users as they try to log in to Citrix Gateway.
References
For additional information and configuration options, see the following articles:
Introduction to Citrix Web Application Firewall- Citrix Product Docs: Introduction to Citrix Web Application Firewall
Citrix Web Application Firewall PoC Guide- proof of concept deployment guide for Citrix Web Application Firewall
Citrix Training for Application Delivery and Security- Citrix Education Training for Application Delivery and Security
Getting started with Citrix ADC- Citrix Product Docs: Getting started with Citrix ADC - Packet Flow
IP Reputation- Citrix Product Docs: IP Reputation
Bot Management- Citrix Product Docs: Bot Management
Bot Detection- Citrix Product Docs: Bot Detection
nFactor Authentication- Citrix Product Docs: nFactor Authentication
Citrix ADC - nFactor Basics Cheat Sheet- Citrix Tech Zone: Diagrams and Posters Citrix ADC - nFactor Basics Cheat Sheet
CTX216091- supporting re-Captcha with nFactor
nFactor for Citrix Gateway with Push Token- proof of concept deployment guide for TOTP push tokens for Citrix Gateway