While network-based attacks rely on vulnerabilities in transport layer protocols such as TCP or even lower level protocols, Web application attacks target vulnerabilities that are specific to the application, such as the input it accepts. Because standard network firewalls lack this application-level visibility, they cannot offer sufficiently fine-grained protection. This is where Web application firewalls come in.
Application Firewall, commonly referred to as AppFirewall, is available as a standalone product, as an option with NetScaler Enterprise Edition, or included when purchasing NetScaler Platinum Edition. We will use the term AppFirewall throughout the chapter for easier reading.
The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard aimed at certifying whether your e-commerce infrastructure is secure enough for your customers to use for transactions. Web application firewalls appear in Requirement 6.6 of the PCI-DSS standard, which mandates either proactive code reviews (non-trivial because of the personnel they require) or a properly configured AppFirewall.
While this book is about troubleshooting, application attacks are a new subject for many, so knowing some of this background and how it applies to NetScaler is crucial for troubleshooting.
To cover this background and help you make the most of this chapter, we will take the topics in the following order:
While you can stand up a basic AppFirewall deployment quickly, it is far from plug and play, and you shouldn't move to production without adequate testing. This topic discusses some of the considerations you should think about during your planning phase.
Deploying AppFirewall involves the following steps:
Creating a suitable profile and policy requires a thorough understanding of the application you are protecting and the service it is required to provide. Working with the developers of your applications is key to getting this configuration right. Questions you should ask are:
So if you require these four protections, start with an advanced profile.
Using signatures, on the other hand, is the negative security model. This model lets you benefit from widely applied knowledge of past and current vulnerabilities, and getting the latest protection is as simple as clicking the update version button in the GUI:
The source of these signatures is Snort, a leading and trusted open source intrusion prevention system. The recommended practice is a hybrid model: apply the specific rules you have learned about the application and complement them by turning on the signatures suitable for that Web application.
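The difference between the positive model (learned rules built from what the developers tell you about the application), the negative model (signatures), and the hybrid of the two is easier to see on concrete traffic. The following is an added example written for this chapter, not NetScaler code: a toy inspector with a hand-written allowlist for a hypothetical login and search application, a constructed stand-in for a signature set, a hypothetical "relaxation" that exempts one field from one signature, and a few constructed requests run through each model.

```python
import re
from dataclasses import dataclass, field

# Positive model: an allowlist of URLs, their form fields and the value format
# each field accepts. A real AppFirewall learns this from traffic and from the
# developers' answers; here it is hand-written for a hypothetical application.
LEARNED_FIELDS = {
    "/login": {
        "username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
        "password": re.compile(r"^[^\r\n]{1,128}$"),
    },
    "/search": {"q": re.compile(r"^[\w \-]{1,64}$")},
}

# Negative model: constructed stand-ins for a downloaded signature set.
SIGNATURES = [
    ("html-tag-in-input", re.compile(r"<[a-z!/]", re.IGNORECASE)),
    ("sql-comment-sequence", re.compile(r"--|/\*|#")),
    ("path-traversal", re.compile(r"\.\./")),
]

# Hypothetical relaxation: signatures that are not applied to a given
# (URL, field) because they are known to misfire on legitimate values there.
RELAXATIONS = {("/login", "password"): {"sql-comment-sequence"}}

@dataclass
class Request:
    path: str
    params: dict

@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)

def positive_check(req):
    """Flag anything the allowlist does not describe: URL, field or format."""
    allowed = LEARNED_FIELDS.get(req.path)
    if allowed is None:
        return [f"unknown URL {req.path}"]
    reasons = []
    for name, value in req.params.items():
        pattern = allowed.get(name)
        if pattern is None:
            reasons.append(f"unknown field {name}")
        elif not pattern.fullmatch(value):
            reasons.append(f"field {name} violates learned format")
    return reasons

def negative_check(req, relaxations):
    """Flag only values that match a signature not relaxed for that field."""
    reasons = []
    for name, value in req.params.items():
        skipped = relaxations.get((req.path, name), set())
        for sig_name, pattern in SIGNATURES:
            if sig_name not in skipped and pattern.search(value):
                reasons.append(f"signature {sig_name} matched field {name}")
    return reasons

def inspect_request(req, mode, relaxations=RELAXATIONS):
    """mode is 'positive', 'negative' or 'hybrid'; returns a Verdict."""
    reasons = []
    if mode in ("positive", "hybrid"):
        reasons += positive_check(req)
    if mode in ("negative", "hybrid"):
        reasons += negative_check(req, relaxations)
    return Verdict(blocked=bool(reasons), reasons=reasons)

# Constructed sample traffic for the hypothetical application.
SAMPLE_REQUESTS = {
    "benign-login": Request("/login", {"username": "alice", "password": "hunter2"}),
    "unlearned-url": Request("/admin", {"action": "list"}),
    "extra-field": Request("/login", {"username": "alice", "password": "x", "debug": "1"}),
    "tag-in-search": Request("/search", {"q": "<b>shoes"}),
    "hash-in-password": Request("/login", {"username": "bob", "password": "p#ss"}),
}

MODES = ("positive", "negative", "hybrid")

def run_all(relaxations=RELAXATIONS):
    """Return {sample name: {mode: blocked?}} for every sample and model."""
    return {name: {m: inspect_request(req, m, relaxations).blocked for m in MODES}
            for name, req in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for label, relax in (("with relaxations", RELAXATIONS), ("without relaxations", {})):
        print(f"--- {label} ---")
        for name, verdicts in run_all(relax).items():
            cells = "  ".join(f"{m}={'BLOCK' if b else 'allow'}" for m, b in verdicts.items())
            print(f"{name:18s} {cells}")
```

Two rows are the ones worth studying when troubleshooting. The unlearned URL and the extra field pass the signatures untouched, because nothing in them looks like a known attack; only the positive model notices that the application was never described as accepting them. The password containing "#" is the opposite case: it is perfectly legitimate for the application, the positive model accepts it, and only the generic signature complains, which is why the hybrid model needs signatures tuned to the application (modelled here by the relaxation) rather than the whole set switched on blindly.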