Citrix NetScaler 1000V Application Security Guide, Release 10 - Cisco


Citrix NetScaler 1000V Application Security Guide
Citrix NetScaler 10.1
October 3, 2013

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If the equipment causes interference to radio or television reception, which can be determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Citrix and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.

2013 Cisco Systems, Inc. All rights reserved.

Contents

1  AAA Application Traffic  15
  How AAA Works  16
  Enabling AAA  18
    To enable AAA by using the command line interface  18
    To enable AAA by using the configuration utility  19
  Setting up AAA Virtual Servers and DNS  19
    Configuring the Authentication Virtual Server  20
      To configure an authentication virtual server by using the command line interface  20
      To configure an authentication virtual server by using the configuration utility  21
    Configuring a Traffic Management Virtual Server  22
      To configure a TM virtual server for AAA by using the command line interface  22
      To configure a TM virtual server for AAA by using the configuration utility  23
    Configuring DNS  23
    Verifying Your Setup for AAA  23
      To verify authentication virtual server setup by using the command line interface  23
      To verify your AAA virtual server setup by using the configuration utility  24
  Configuring Users and Groups  24
    To create a local AAA user account by using the command line interface  25
    To change the password for an existing AAA local user account by using the command line interface  25
    To configure AAA local users by using the configuration utility  25
    To create AAA local groups and add users to them by using the command line interface  26
    To remove users from an AAA group by using the command line interface  26
    To remove an AAA group by using the command line interface  27
    To configure AAA local groups and add users to them by using the configuration utility  27
  Configuring AAA Policies  28
    Authentication Policies  28
      To add an authentication action by using the command line interface  29
      To configure an authentication action by using the command line interface  30
      To remove an authentication action by using the command line interface  30
      To configure an authentication server by using the configuration utility  30
      To create and bind an authentication policy by using the command line interface  31
      To modify an existing authentication policy by using the command line interface  32
      To remove an authentication policy by using the command line interface  32
      To configure and bind authentication policies by using the configuration utility  32
      LDAP Authentication Policies  33
      RADIUS Authentication Policies  35
      SAML Authentication Policies  37
    Authorization Policies  40
      To create an authorization policy  40
      To modify an authorization policy  40
      To bind an authorization policy to a user account or group  41
      To unbind an authorization policy from a user account or group  41
      To remove an authorization policy  42
      To configure and bind authorization policies by using the configuration utility  42
    Auditing Policies  43
      To create an auditing policy by using the command line interface  43
      To modify an auditing policy by using the command line interface  43
      To globally bind an auditing policy by using the command line interface  44
      To bind an auditing policy to an authentication virtual server by using the command line interface  44
      To bind an auditing policy to a user account or a group by using the command line interface  45
      To unbind a globally bound auditing policy by using the command line interface  45
      To unbind an auditing policy from an authentication virtual server by using the command line interface  45
      To unbind an auditing policy from a user account or a group by using the command line interface  46
      To remove an auditing policy by using the command line interface  46
      To configure and bind auditing policies by using the configuration utility  46
  Session Settings  47
    Session Profiles  48
      To create a session profile by using the command line interface  48
      To modify a session profile by using the command line interface  49
      To remove a session profile by using the command line interface  49
      To configure session profiles by using the configuration utility  49
    Session Policies  50
      To create a session policy by using the command line interface  50
      To modify a session policy by using the command line interface  50
      To globally bind a session policy by using the command line interface  51
      To bind a session policy to an authentication virtual server by using the command line interface  51
      To unbind a session policy from an authentication virtual server by using the command line interface  52
      To unbind a globally bound session policy by using the command line interface  52
      To remove a session policy by using the command line interface  52
      To configure and bind session policies by using the configuration utility  52
    Global Session Settings  53
      To configure the session settings by using the command line interface  54
      To configure the session settings by using the configuration utility  54
  Traffic Settings  55
    Traffic Profiles  55
      To create a traffic profile by using the command line interface  55
      To modify a session profile by using the command line interface  55
      To remove a session profile by using the command line interface  56
      To configure traffic profiles by using the configuration utility  56
    Traffic Policies  57
      To create a traffic policy by using the command line interface  57
      To modify a traffic policy by using the command line interface  57
      To globally bind a traffic policy by using the command line interface  57
      To bind a traffic policy to an authentication virtual server by using the command line interface  57
      To unbind a globally bound traffic policy by using the command line interface  58
      To unbind a traffic policy from an authentication virtual server by using the command line interface  58
      To remove a traffic policy by using the command line interface  58
      To configure and bind traffic policies by using the configuration utility  59
    Form SSO Profiles  59
      To create a form SSO profile by using the command line interface  60
      To modify a form SSO by using the command line interface  60
      To remove a form SSO profile by using the command line interface  60
      To configure form SSO profiles by using the configuration utility  61
    SAML SSO Profiles  61
      To create a SAML SSO profile by using the command line interface  61
      To modify a SAML SSO by using the command line interface  62
      To remove a SAML SSO profile by using the command line interface  62
      To configure a SAML SSO profile by using the configuration utility  62
  Authenticating with Client Certificates  63
    To configure the AAA client certificate parameters by using the command line interface  64
    To configure the AAA client certificate parameters by using the configuration utility  64
  Configuring AAA with Commonly Used Protocols  65
    Handling Authentication, Authorization and Auditing with Kerberos/NTLM  65
      How NetScaler Implements Kerberos Authentication  67
      Kerberos Authentication - Configuration on the NetScaler Appliance  69
      Configuration of Kerberos Authentication on a Client  77
      Offloading Kerberos Authentication from Physical Servers  77
      Kerberos Protocol Transition and Constrained Delegation  80

2  Application Firewall  89
  Introduction  91
    Web Application Security  91
      Known Web Attacks  92
      Unknown Web Attacks  94
    How The Application Firewall Works  95
    Application Firewall Features  97
    The Application Firewall User Interfaces  97
  Configuring the Application Firewall  98
    The Application Firewall Wizard  99
    The Citrix Web Interface AppExpert Template  100
    The Citrix NetScaler Configuration Utility  101
    The Citrix NetScaler Command Line Interface  101
  Enabling the Application Firewall  102
    To enable the application firewall by using the command line interface  102
    To enable the application firewall by using the configuration utility  102
  The Application Firewall Wizard  103
    Opening the Wizard  103
    The Wizard Screens  103
    To configure the Application Firewall: Initial Configuration  107
    To configure the Application Firewall: Enabling Blocking for Signatures  108
    To configure the Application Firewall: Enabling and Configuring advanced protection  108
    To configure the Application Firewall: Creating A Policy  109
  Manual Configuration  110
    Manual Configuration By Using the Configuration Utility  110
    Manual Configuration By Using the Command Line Interface  121
  Signatures  123
    Manually Configuring the Signatures Feature  125
    Adding a New Signatures Object  125
      To create a signatures object from a template  126
      To create a signatures object by importing a file  126
    Configuring or Modifying a Signatures Object  126
      To configure or modify a signatures object  127
    Updating a Signatures Object  129
      To update a signatures object from a Citrix format file by using the configuration utility  130
      To import and update signatures from a vulnerability scanning tool  130
      Updating a Signatures Object from a Citrix Format File  131
      Updating a Signatures Object from a Supported Vulnerability Scanning Tool  132
    Exporting a Signatures Object to a File  133
      To export a signatures object to a file  133
    The Signatures Editor  134
      To add or modify a local signature rule by using the Signatures Editor  134
      To add a signature rule category  136
      Signature Rule Patterns  136
  Advanced Protections  141
    Top-Level Advanced Protections  143
      HTML Cross-Site Scripting Check  143
      HTML SQL Injection Check  146
      Buffer Overflow Check  150
      Cookie Consistency Check  150
    Data Leak Prevention Checks  153
      Credit Card Check  153
      Safe Object Check  154
    Advanced Form Protection Checks  156
      Field Formats Check  157
      Form Field Consistency Check  158
      CSRF Form Tagging Check  161
      Deny URL Check  163
    URL Protection Checks  164
      Start URL Check  164
      Deny URL Check  167
    XML Protection Checks  168
      XML Format Check  168
      XML Denial-of-Service Check  169
      XML Cross-Site Scripting Check  171
      XML SQL Injection Check  173
      XML Attachment Check  175
      Web Services Interoperability Check  176
      XML Message Validation Check  177
      XML SOAP Fault Filtering Check  178
  Profiles  178
    Creating Application Firewall Profiles
