Overview

Citrix Application Firewall offers easy to configure options to meet a wide range of application security requirements. Application firewall profiles, which consist of sets of security checks, can be used to protect both the requests and the responses by providing deep packet-level inspections. Each profile includes an option to select basic protections or advanced protections. Some protections might require use of other files. For example, xml validation checks might require WSDL or schema files. The profiles can also use other files, such as signatures or error objects. These files can be added locally, or they can be imported ahead of time and saved on the appliance for future use. They can be shared by multiple profiles.
Profiles work in conjunction with the application firewall policies. Each policy identifies a type of traffic, and that traffic is inspected for the security check violations specified in the profile that is associated with the policy. The policies can have different bind points, which determine the scope of the policy. For example, a policy that is bound to a specific virtual server is invoked and evaluated for only the traffic flowing through that virtual server. The policies are evaluated in the order of their designated priorities, and the first one that matches the request or response is applied.

How to

Use the following procedure for quick deployment of application firewall security:

1. Add an appfw profile and select the appropriate type (html, xml, web2.0) for the security requirements of the application.
2. Select the required level of security (basic or advanced).
3. Add or import the required files, such as signatures or WSDL.
4. Configure the profile to use the files, and make any other necessary changes to the default settings.
5. Add an appfw policy for this profile.
6. Bind the policy to the target bind point and specify the priority.

Application firewall entities

Following are brief overviews of the application firewall entities. For details, see the Application Firewall Guide.

Profile
An application firewall profile specifies what to look for and what to do. It inspects both the request and the response to determine which potential security violations should be checked and what actions should be taken when processing a transaction. A profile can protect an HTML, XML or HTML and XML payload. Depending on the security requirements of the application, create either a basic or an advanced profile. A basic profile can protect against known attacks. If higher security is required, deploy an advanced profile to allow controlled access to the application resources, blocking zero day attacks. However, a basic profile can be modified to offer advanced protections, and vice versa. Multiple action choices (for example, block, log, learn, and transform) are available. Advanced security checks might use session cookies and hidden form tags for controlling and monitoring the client connections. Application firewall profiles can learn the triggered violations and suggest the relaxation rules. 

Basic Protections
A basic profile includes pre-configured set of Start URL and Deny URL relaxation rules. These relaxation rules determine which requests should be allowed and which should be denied. Incoming requests are matched against these lists and the configured actions are applied. This allows the user to be able to secure applications with minimal configuration for relaxation rules. The Start URL rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-site scripting can also be easily detected.

Advanced Protections
As the name indicates, advanced protections are used for applications that have higher security requirements. Relaxation rules are configured to allow access to only specific data and block the rest. This positive security model mitigates unknown attacks, which might not be detected by basic security checks. In addition to all the basic protections, an advanced profile keeps track of a user session by controlling the browsing, checking for cookies, specifying input requirements for various form fields, and protecting against tampering of forms or cross-site request forgery attacks. Learning, which observes the traffic and deploys the appropriate relaxations, is enabled by default for many security checks. Although easy to use, advanced protections require due consideration, because they offer tighter security but also require more processing and do not allow use of caching, which can affect performance.

Import
Import functionality is useful when application firewall profiles need to use external files, that is, files hosted on an external or internal web server, or that have to be copied from a local machine. Importing a file and storing it on the appliance is very useful, especially in situations where you have to control access to external websites, or where compilation takes a long time, large files have to be synced across HA deployments, or you can reuse a file by copying it across multiple devices. Following are a few examples: 

• WSDLs hosted on external web servers can be imported locally before blocking access to external websites.

• Large signature files generated by an external scan tool such as Cenzic can be imported and precompiled using schema on the Citrix appliance.

• A customized HTML or XML error page can be imported from an external web server or copied from a local file.

Signatures
Signatures are very powerful because they use pattern matching to detect malicious attacks and can be configured to check both the request and the response of a transaction. They are a preferred option when a customizable security solution is needed. Multiple choices (for example, block, log, learn, and transform) are available when a signature match is detected. The application firewall has a built-in default signature object consisting of more than 1,300 signature rules, with an option to get the latest rules by using the auto-update feature. Rules created by other scan tools can also be imported. The signature object can be customized by adding new rules, which can work in conjunction with the other security checks specified in the application firewall profile. A signature rule can have multiple patterns and can flag a violation only when all the patterns are matched, thereby avoiding false positives. Careful selection of a literal fastmatch pattern for a rule can significantly optimize processing time.

Policies
Application Firewall Policies are used to filter and separate the traffic into different types. This provides the flexibility to implement different levels of security protections for the application data. Access to highly sensitive data can be directed to advanced security-check inspections, whereas less sensitive data can be protected by basic-level security inspections. Policies can also be configured to bypass security-check inspection for harmless traffic. Higher security requires more processing, so careful design of the policies can provide desired security along with optimized performance. The priority of the policy determines the order in which it is evaluated, and its bind point determines the scope of its application. 

Following are some highlights of Citrix Application firewall:

1. Ability to secure a wide range of applications by protecting different types of data, implementing the right level of security for different resources and still getting maximized performance.

2. Flexibility to add or modify a security configuration. You can tighten or relax security checks by enabling or disabling basic and advanced protections.

3. Option to convert HTML profile to XML or Web2.0 (HTML+XML) profile and vice-versa, providing the flexibility to add security for different types of payload.

4. Easily deployed actions to block attacks, monitor them in logs, collect statistics, or even transform some attack strings to render them harmless.

5. Ability to detect attacks by inspecting incoming requests, and to prevent leakage of sensitive data by inspecting the responses sent by the servers.

6. Capability to learn from the traffic pattern to get recommendations for easily editable relaxation rules which can be deployed to allow exceptions.

7. Hybrid security model that applies the power of customizable signatures to block attacks that match specified patterns, and provides the flexibility to use the positive-security-model checks for basic or advanced security protections.

8. Availability of comprehensive configuration reports, including information about PCI-DSS compliance. 

This article provides an introduction to Citrix Application Firewall.

Netscaler 12.0 : http://docs.citrix.com/en-us/netscaler/12/application-firewall.html
Netscaler 11.1: http://docs.citrix.com/en-us/netscaler/11-1/application-firewall.html