
607: NetScaler, the enterprise security Swiss army knife

Source: docs.citrixvirtualclassroom.com/events/SYNLA2014/Syn2014_607.pdf

Hands-on Lab Exercise Guide

This session is offered as both an instructor-led training and a self-paced online lab.

Make money selling Field Services: stop by the Education and Consulting booths in the Solutions Expo to find out how! We're here to help.


Contents

Overview (p. 2)
Scenario (p. 4)
Exercise 1: Configure Application Firewall protection using the wizard + signatures (p. 5)
Exercise 2: Application Firewall Setting and Error Pages (p. 14)
Exercise 3: SQL Injection (p. 22)
Exercise 4: Stored Cross-Site Scripting (p. 27)
Exercise 5: Form Field Consistency (p. 32)
Exercise 6: Credit Cards and Safe Objects (p. 35)
Exercise 7: Buffer Overflow (p. 44)
Exercise 8: Limit Client Bandwidth Consumption (p. 46)
Exercise 9: Prevent Account Brute Force Attacks with NetScaler Gateway Virtual Server (p. 50)
Exercise 10: Secure the web applications with SSL/TLS (p. 57)
Exercise 11: Remove Web Server Header Information (p. 61)
Bonus Exercise (p. 63)


Overview

Hands-on Training Module Objective

Citrix NetScaler boasts an impressive set of networking and traffic management features that bring flexibility and security to any network. NetScaler offers a veritable Swiss army knife of tools, including but not limited to rate limiting, responder, DoS protection, analytics and the leading Layer 7 application firewall. In this lab attendees will delve into NetScaler security and protection features to assist in securing the enterprise network from a growing number of threats.

Prerequisites

• Familiarity with the NetScaler user and command line interfaces.

• Familiarity with web servers (e.g. Apache HTTPD server) and the HTTP protocol.

• Familiarity with HTML headers, cookies and page source.

Audience

Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support

Lab Environment Details

The system diagram of the lab is shown below:

[System diagram of the lab environment]


The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed from the Student Desktop.

Lab Guide Conventions

• Attention symbol: particular attention must be paid to this step.

• Note symbol: special note offering advice or background information.

• reboot: text the student enters, or an item they select, is printed like this.

• VMDemo: a filename mentioned in text, or lines added to files during editing.

• Start: bold text indicates a reference to a button or object.

• Pink highlight (R:255 G:20 B:147): focuses attention on a particular part of the screen.

• Orange marker (R:255 G:102 B:0): shows where to click or select an item on a screenshot.

List of Virtual Machines Used

VM Name                 IP Address       Description / OS
Command Center          192.168.10.90    Command Center Server
NSVPX                   192.168.10.50    NetScaler
Site1-Ad.training.lab   192.168.10.11    Domain Controller for Training domain/DNS
Splunk                  192.168.10.80    Splunk Logging Server
WAMP                    192.168.10.20    Windows Apache MySQL PHP Server
WebGoat                 192.168.10.20    Vulnerable Web Application
Win7Client              192.168.10.201   Windows 7 Client

Required Lab Credentials

The credentials required to connect to the environment and complete the lab exercises.

VM Name                 IP Address       Username/Password
CommandCenter           192.168.10.90    administrator/Citrix123
CommandCenter app       192.168.10.90    root/Citrix123
MySQL                   192.168.10.20    root/Citrix123
NSVPX                   192.168.10.50    nsroot/nsroot
Site1-Ad.training.lab   192.168.10.11    administrator/Citrix123
Splunk Application      192.168.10.80    admin/Citrix123
Splunk Server           192.168.10.80    administrator/Citrix123
WAMP                    192.168.10.20    administrator/Citrix123
WebGoat                 192.168.10.20    administrator/Citrix123
Win7Client              192.168.10.201   administrator/Citrix123


Scenario

You are the NetScaler administrator in an enterprise environment and you have been tasked by the Security team to improve the security of the web applications being serviced by the NetScaler. You have a NetScaler already in place; however, application security has not been a concern until now.

The areas you have been tasked to look at are:

1. Web Application Firewall for a variety of different Layer 7 attacks

2. Limiting Bandwidth

3. Adding an authentication layer

4. Preventing brute force authentication attacks

You would like to not affect production so have taken a copy of the NetScaler configuration and deployed it on a NetScaler VPX. You will evaluate some of the NetScaler security and protection features using two web application servers.

Being security conscious you have already configured your NetScaler as follows:

• Your NetScaler is fully licensed

• Access to the NetScaler UI is via hostname netscaler.training.lab

• DNS entry resolves to the Subnet IP (SNIP) of the NetScaler

• Secure access to the UI only

• 2048-bit Certificate issued by Certificate Services on the Windows Active Directory Domain Controller

• The password protected private key is on the NetScaler

• A content switched (CS) virtual server (Vserver) already exists for your web applications. There are two web applications: 1. the WebGoat vulnerable webapp, and 2. a WAMP (Windows Apache MySQL PHP) server. Each has an associated load balanced (LB) Vserver.

• A NetScaler Gateway virtual server with dual-factor (LDAP/RADIUS) authentication enabled.

• A DNS nameserver and suffix already configured

• The following NetScaler features are already enabled: LB, SSL, Rewrite, Responder

For efficiency during testing you will use the Firefox browser for testing the vulnerable web application and Internet Explorer for configuring the protections on the NetScaler.

Exercises 1 and 2 are mandatory. All other exercises are optional and can be completed in any order.

The goal is to test as many features as possible in the allotted time!


Exercise 1

Configure Application Firewall protection using the wizard + signatures

Overview

In this exercise, you will use the Application Firewall wizard to demonstrate how easily and quickly you can protect your web application from known attacks.

Step by step guidance

Estimated time to complete this lab: 15 minutes.

1. Click the Win7Client VM and choose the Console tab. Log on with the following credentials:

Username: TRAINING\Administrator
Password: Citrix123

For better performance, switch to a Remote Desktop connection, if it is not already set.


2. Open Internet Explorer on the Win7Client VM and navigate to the NetScaler Administration UI at:

https://netscaler.training.lab

Username: nsroot Password: nsroot

3. Navigate in the NetScaler Configuration Utility to Security > Application Firewall, right-click the yellow circle, and choose Enable Feature.

4. Ensuring that you have selected the Application Firewall node on the left-hand side, you should be able to see the Application Firewall Wizard in the right-hand window pane as shown below. Start the wizard.

5. Read through the Intro text and click Next.


6. Give your configuration a name, SynWeb_AF_prof, and select Web 2.0 Application (HTML, XML, REST) in the Type field. Click Next.

7. Delete the word true and click the Add button to create an expression. This expression will determine the interesting traffic that flows through the Application Firewall module in order to apply the correct rules.

8. In the Construct Expression field, select CLIENT, select IP, select DST, select EQ(ip_address_at), and then type 192.168.10.100 in the IP Address field to signify the existing SynWeb_CS Virtual server IP as the destination IP.

Click OK and click Next.


9. Now you need to choose which technologies you are running on your web server. In our example, we will select Microsoft IIS and PHP and click Next.

In a real-life scenario, this is where you need some basic knowledge of the application you are protecting and of the web architecture hosting it.


10. You will notice that there are 190 PHP signatures pre-loaded on the appliance, and 150 Microsoft IIS signatures. These are imported from Snort (a network intrusion detection system for UNIX and Windows) and loaded onto the appliance by default. At this point, we could choose to block all attacks, block a subset of the signatures, or select only the ones we are interested in. In this example, we will specify granular control of the attacks and policies to block. Click More for the PHP signatures.

11. If you click the >> at the end of any signature, you will see links to the BugTraq and CVE entries which describe the vulnerability.

Click Close to return to the Vulnerability List window.

12. To commit the protection selected, click OK at the bottom of the Configure Actions for Signatures window and click Next.


13. We will configure deep protections later in a more granular fashion. However, if you want a one-stop shop for multi-level protection, this is where you can configure it. Once you complete this configuration, you can use the wizard to return and amend it later if you wish. Select Next to continue.

14. Review the summary. Click Finish to finalize the wizard.


15. Once all the rules are committed, click Exit to leave the wizard.

NOTE: We will configure error objects and other options later on.


16. At the completion of the Application Firewall wizard the profile is in a vanilla state. We need to make some changes to the Security Checks in the profile. Go to Security > Application Firewall > Profiles and open SynWeb_AF_prof. Click the Security Checks tab and check all of the Log, Stat and Learn checkboxes. Important: Do not check the Block checkboxes.

Click OK to commit the changes.

End of exercise

Exercise Summary


Key Takeaways

The key takeaways for this exercise are:

• Use the wizard to select signatures to protect your web application.

• Attacks that are identified by signatures can be blocked in seconds.

• More in-depth blocks can be configured too – we will look at those next.

• Create Application Firewall Profiles. Note the different ‘actions’ in the profile: Block, Log, Stat, & Learn.

• The profile does nothing unless it is used in an Application Firewall Policy. The policy must be bound somewhere (either on the Virtual Server or globally), otherwise traffic will not flow through the Application Firewall module and it will not be protected.

NOTES

Click Security > Application Firewall > Profiles. You will see the profile created by the wizard. You can modify it through the wizard, or directly from here.

Click Security > Application Firewall > Policies. You will see the policies created by the wizard. You can modify them through the wizard, or directly from here.

The wizard binds policies globally, which means all traffic is evaluated against the expression you configured. It is important to use an expression that isolates only the traffic you want to protect. There are many different expressions that can be used to invoke the Application Firewall policy. We used a destination IP address expression. Can you think of any other ways of segregating the traffic you need to protect from other HTTP traffic?

There are 3 different ways to bind a policy:

1. Bind the policy using the Policy Manager, as shown in this exercise.

2. Open the virtual server; it has a policy tab. Click the >> symbol and choose Application Firewall. A policy can be inserted here.

3. Use the Command Line Interface.


Exercise 2

Application Firewall Setting and Error Pages

Overview

We are going to run a vulnerable web application designed to demonstrate different flaws that can occur in web design and implementation.

In this exercise, we will look at creating a meaningful error page which can be used during user acceptance testing (UAT) to give the application user information about what feature caused their request to be blocked. This is not something you would put on your production profile!!

Exercise Details

In this exercise, you will perform the following tasks:

• Change the Application Firewall logging settings

• Launch the WebGoat Vulnerable Web Application

• Create an Error Page in Application Firewall to be displayed when an attack is blocked

Step by step guidance

Estimated time to complete this lab: 15 minutes.

1. In the Security > Application Firewall node in the NetScaler Configuration utility, click Change Engine settings in the right-hand pane of the window:


2. Scroll down to CEF logging and select Enabled.

Click OK.

3. We will now turn on our vulnerable web application. If you are using full screen on your Win7Client VM, press Ctrl + Enter to exit full screen.

4. Select the WebGoat VM in XenCenter and choose the Console tab. Log on with the following credentials: Training\administrator – Citrix123

5. Launch WebGoat (our vulnerable web-application) by double-clicking the StartWebGoat shortcut located on the Desktop.

This will take a couple of seconds to complete.


6. Switch back to the Win7Client VM. Open Firefox and click the SynergyWebGoat shortcut in the Bookmarks bar.

7. You should be prompted to enter credentials. Use webgoat/webgoat (all lowercase) as the username and password to access the application.

Note you can use the Remember Password feature of Firefox to save the password if you wish. This would go against most Network Security policies though!


8. The Application should look like this when you log in. Click Start WebGoat to reach the main menu.

9. Return to the NetScaler Configuration utility running in Internet Explorer. Navigate to the Security > Application Firewall node, expand it, and select Profiles. Select SynWeb_AF_prof and click Open.

10. Select the Settings tab, select the HTML Error Object and then click the Import button.


11. Click Add at the bottom of the page.

12. Click Load in the Import a new HTML Error Page dialog.

13. Select Import from Local File and then click Browse.


14. In the Select a file for import dialog box, select the C:\citrix\AppFWCustomErrorPage.html file and click Open.

Click OK to commit to opening this file.


15. Enter the name as AppFWCustomErrorPage. Click Create and click Close to return to the previous window.

16. You should now be back at the Settings tab. Choose the AppFWCustomErrorPage page you have just created from the HTML Error Object dropdown. Click OK.


17. Save your configuration by clicking the Save icon on the top right. Click Yes to confirm.

End of exercise

Exercise Summary

Key Takeaways

The key takeaways for this exercise are:


Exercise 3

SQL Injection

Overview

In this exercise, we will execute a SQL Injection attack against the WebGoat application. The attack will succeed until we turn on blocking on the Application Firewall profile.

Exercise Details

In this exercise, you will perform the following tasks:

• Perform a SQL Injection attack against a vulnerable web application

• Configure the Application Firewall to block a SQL Injection attack

Step by step guidance

Estimated time to complete this lab: 10 minutes.

1. Open Firefox and navigate to the WebGoat menu page at http://synergyweb.training.lab/WebGoat/attack. Click Injection Flaws and select Numeric SQL Injection.

2. In Firefox, press the Alt key to reveal the hidden Firefox toolbar. Select Tools > Tamper Data and then click Start Tamper.


3. Switch back to the browser window containing WebGoat and click Go. The Tamper Data window should appear: Click Tamper.

4. In the station field, change the text to: 101 OR 1=1

Click OK.

5. Congratulations. You have successfully used a SQL Injection attack to see all the records from the database table!

Do you understand the logic of the SQL query and how this attack works? Refer back to the following article for additional information: http://en.wikipedia.org/wiki/SQL_injection


6. In the NetScaler Configuration utility in Internet Explorer, open the SynWeb_AF_prof profile from Security > Application Firewall > Profiles, click Security Checks, and enable the Block checkbox for HTML SQL Injection.

Click the >> to drill down into the SQL Injection protection settings.

7. De-select the option to Restrict checks to fields containing SQL special characters.

Click OK, and OK again to save the changes to the profile.


8. Return to the WebGoat application in Firefox and click Restart this Lesson.

If Tamper Data is still active, it will display the following prompt after you click Restart this Lesson.

Click Submit, as we do not want to tamper with this request. This could happen multiple times.

9. Attempt the same SQL Injection attack once more by repeating Steps 2, 3, and 4 in this procedure. Note that you now receive the error page stating that this type of attack is blocked:

10. Switch back to Tamper Data and select Stop Tamper.

End of exercise

Exercise Summary


Key Takeaways

The key takeaways for this exercise are:

• Perform a basic numeric SQL Injection.

• View the log files and turn on protection against this type of injection.

NOTES

The string injection can be achieved by using the following: 101 or 1=1
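The logic behind the injection in steps 4 and 5, as an added example that is not part of the lab guide: a query built by string concatenation (the WebGoat flaw) beside a parameterized one, plus a simplified version of the HTML SQL Injection check showing why step 7 turns off the option to restrict checks to fields containing SQL special characters. The weather_data table and its rows, the special-character list and the keyword list are constructed for illustration; they are not WebGoat's schema or NetScaler's actual rules.

```python
import re
import sqlite3

# Illustrative list of "SQL special characters": quotes, statement terminator,
# escape and comment sequences. Note that "101 OR 1=1" contains none of them.
SQL_SPECIAL = ("'", '"', ";", "\\", "--", "/*", "#")
# Keywords the check looks for once a field is inspected (illustrative subset).
SQL_KEYWORDS = re.compile(r"\b(or|and|select|union|insert|update|delete|drop)\b", re.I)


def make_db():
    """Constructed stand-in for the WebGoat weather station table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE weather_data (station INTEGER, name TEXT, temp INTEGER)")
    db.executemany("INSERT INTO weather_data VALUES (?, ?, ?)",
                   [(101, "Columbia", 65), (102, "Seattle", 50), (103, "New York", 70)])
    return db


def query_vulnerable(db, station):
    """The field value is concatenated straight into the statement, so
    "101 OR 1=1" becomes WHERE station = 101 OR 1=1 and every row is returned."""
    sql = "SELECT name FROM weather_data WHERE station = " + station
    return [row[0] for row in db.execute(sql)]


def query_parameterized(db, station):
    """Hardened form: the value is validated as a number and bound as a
    parameter, so it is never parsed as SQL."""
    if not station.isdigit():
        raise ValueError("station must be numeric")
    rows = db.execute("SELECT name FROM weather_data WHERE station = ?", (int(station),))
    return [row[0] for row in rows]


def sql_injection_check(value, restrict_to_special_chars):
    """Simplified profile check. Returns True when the field would be blocked."""
    if restrict_to_special_chars and not any(s in value for s in SQL_SPECIAL):
        # The field is never inspected at all: with this option on, the
        # WebGoat payload passes because it has no quote, semicolon or comment.
        return False
    return SQL_KEYWORDS.search(value) is not None
```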


Exercise 4

Stored Cross-Site Scripting

Overview

In this exercise, we will perform a cross-site scripting attack, then enable XSS protection on the Application Firewall and confirm that the appliance will block this attack.

Exercise Details

In this exercise you will perform the following tasks:

• Perform a Cross-Site Scripting attack against a vulnerable web application

• Configure the Application Firewall to block a Cross-Site Scripting attack

• Configure the Application Firewall to transform the HTML used in a Cross-Site Scripting attack to mitigate against it

Step by step guidance

Estimated time to complete this lab: 10 minutes.


1. Return to Firefox and click SynergyWebGoat to reload the WebGoat page. In the left-hand menu, browse to Cross-Site Scripting (XSS) and click Stored XSS Attacks.

For this vulnerability, WebGoat uses a text field input that attackers can leverage to submit and store malicious scripts on a known site.

2. Type Win an iPad as the title.

3. To simulate a JavaScript XSS attack, enter the following line in the Message body:

<script type="text/javascript">alert ("Script Executed")</script>

Click Submit.


4. You will now see your message with a link to the title.

Click the Win an iPad link. You should see the following alert message indicating that the script has executed. Click OK to close the message.

Fortunately, this script does nothing other than sending an alert; however, other scripts might not be so friendly!

5. Back in Internet Explorer, return to the NetScaler Configuration utility. Open the Security > Application Firewall > Profiles > SynWeb_AF_prof profile. Click Security Checks and turn on blocking for HTML Cross-Site Scripting. Click OK.

6. Return to WebGoat, and repeat Steps 1, 2, and 3 from above.

7. Confirm that you are blocked by the Application Firewall.

Rather than blocking the request, you may want to transform the script into safe HTML code. To achieve this, we can use some of the Transformation options under the HTML Cross-Site Scripting check.


8. Return to Internet Explorer. Select Security > Application Firewall > Profiles and open the SynWeb_AF_prof profile. Remove the checkmark from HTML Cross-Site Scripting.

Now click the >> on the right of the HTML Cross-Site Scripting security check. Select Transform cross-site scripts and Check complete URLs for cross-site scripting.

Click OK and OK.

9. Return to Firefox and the WebGoat tab to perform the same attack again. You will need to log on again to the application. Note that you are now allowed to submit the form without receiving the pop-up.

However, when you click Win an iPad, no script is executed, as the < and > characters are transformed into HTML-safe characters: “&lt;” and “&gt;” (Hint: inspect the source to verify). This means the browser displays the symbol but does not interpret it as the beginning of a script.

End of Exercise


Exercise Summary

Key Takeaways

The key takeaways for this exercise are:

• Turn on Cross-Site Scripting protection.

• Transform dangerous characters.

NOTES

For more information, see How Citrix Application Firewall Modifies Application Data Traffic: http://support.citrix.com/article/CTX131488
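The two behaviours this exercise configures for the HTML Cross-Site Scripting check, block (steps 5 to 7) and transform (steps 8 and 9), as an added example that is not part of the lab guide or of NetScaler itself. The detection patterns are a simplified illustration, and the reading of the Check complete URLs option (inspect the URL path as well as query values) and the choice to always block URL hits are assumptions made here.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The exact message body the lab submits in step 3.
WEBGOAT_PAYLOAD = '<script type="text/javascript">alert ("Script Executed")</script>'

# Illustrative subset of what the check treats as a cross-site script.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),             # <script ...>
    re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),  # any tag carrying an on* handler
    re.compile(r"javascript\s*:", re.I),           # javascript: URLs
]


def looks_like_xss(value):
    return any(p.search(value) for p in XSS_PATTERNS)


def transform_unsafe_html(value):
    """Transform action: only '<' and '>' become entities, as the lab notes,
    so the browser renders the text of the script instead of executing it."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def inspect_request(url, form, action, check_complete_urls=False):
    """Apply the check to one request. action is "block" or "transform".
    Returns (allowed, form_as_forwarded); a blocked request would receive the
    custom error page from Exercise 2 instead of reaching WebGoat."""
    parsed = urlsplit(url)
    # Query parameter values are always inspected; the URL path only when
    # 'Check complete URLs for cross-site scripting' is on (assumed reading of
    # the option enabled in step 8). URL hits are blocked in both modes here.
    url_parts = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    if check_complete_urls:
        url_parts.append(unquote(parsed.path))
    if any(looks_like_xss(part) for part in url_parts):
        return False, None
    forwarded = {}
    for name, value in form.items():
        if looks_like_xss(value):
            if action == "block":
                return False, None
            value = transform_unsafe_html(value)
        forwarded[name] = value
    return True, forwarded
```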


Exercise 5

Form Field Consistency

Overview

In this exercise, we will use Tamper Data to intercept and manipulate our browser's requests in an attempt to bypass limited validation on the server side. To do this, we will configure the Firefox browser to send the requests through a plug-in called Tamper Data. This allows us to trap the request and modify any parameters before they are sent back to the server. Please follow the instructions closely.

Exercise Details

In this exercise you will perform the following tasks:

• Perform a Cross-Site Scripting attack against a vulnerable web application

• Configure the Application Firewall to block Form Field based exploits

Step by step guidance

Estimated time to complete this lab: 10 minutes.

1. In Firefox, open the WebGoat tab. Click Parameter Tampering and select Exploit Hidden Fields.

2. You should see a form called Shopping Cart with a HDTV product. Do not input anything yet.


3. In Firefox, press the Alt key, select Tools > Tamper Data and then click Start Tamper. Leave the window open.

4. Return to the web form and click Purchase.

5. Click Tamper in the ‘Tamper with request?’ window.

6. Enter the quantity you want and the price you want to pay! 10 TVs for 1 buck a piece? Click OK.

7. You should have successfully completed this attack. Congratulations, you just bought 10 HDTVs for 10 bucks.


8. To prevent this type of attack, we can enable the Form Field Consistency check. Return to the NetScaler Configuration utility in Internet Explorer. Click Security > Application Firewall > Profiles and then open the SynWeb_AF_prof profile. Click the Security Checks tab and select Block next to the Form Field Consistency Check option. Click OK to save the changes.

9. In WebGoat, click Restart this Lesson and repeat the attack again. Check that this time the exploit is blocked!

10. Switch to the Tamper Data window and click Stop Tamper.

End of exercise

Application Firewall for a large number of connections can be memory intensive on the NetScaler appliance. To save memory resources with protections like Form Field Consistency, you can change the behaviour of the protection to be “sessionless”. Sessionless protection for Form Fields will add a new field as_ffc_field including an encrypted version of the fields in the page. See https://support.citrix.com/article/CTX131488 for more details.
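The sessionless idea described above, as an added Python example (not Citrix code and not how the appliance implements it): the server renders a shopping-cart form whose server-set values (product, price) are covered by an as_ffc_field token, and the submission is verified without any server-side session. The example uses an HMAC over the protected values and the expected field names in place of the encrypted field the note mentions; the secret key, the field names and the cart values are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed demo secret; a real deployment keeps this key on the appliance/server only.
SECRET_KEY = b"constructed-demo-key-not-for-production"
# Fields whose values the server sets and the client must not change (assumed for this example).
PROTECTED = ("product", "price")


def _token(protected_values: dict, field_names: list) -> str:
    # The token binds the protected values and the full set of field names of the form.
    payload = json.dumps({"protected": protected_values, "names": sorted(field_names)},
                         sort_keys=True).encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def sign_form(fields: dict) -> dict:
    """Return the form fields plus an as_ffc_field token covering the protected values and field names."""
    signed = dict(fields)
    signed["as_ffc_field"] = _token({k: fields[k] for k in PROTECTED}, list(fields))
    return signed


def verify_submission(body: str) -> tuple:
    """Check a URL-encoded POST body. Returns (accepted, reason)."""
    submitted = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    token = submitted.pop("as_ffc_field", None)
    if token is None:
        return False, "missing as_ffc_field"
    if any(k not in submitted for k in PROTECTED):
        return False, "protected field missing"
    expected = _token({k: submitted[k] for k in PROTECTED}, list(submitted))
    if not hmac.compare_digest(expected, token):
        return False, "form field consistency violation"
    return True, "ok"


def demo() -> dict:
    # Constructed shopping-cart form, as the server would render it.
    form = sign_form({"product": "HDTV", "price": "2999.99", "quantity": "1"})
    honest = dict(form, quantity="10")                # the user may change the quantity
    tampered = dict(form, quantity="10", price="1")   # price edited in transit
    extra = dict(form, discount="100")                # unexpected field added
    no_token = {k: v for k, v in form.items() if k != "as_ffc_field"}
    return {
        "honest": verify_submission(urlencode(honest)),
        "tampered_price": verify_submission(urlencode(tampered)),
        "extra_field": verify_submission(urlencode(extra)),
        "no_token": verify_submission(urlencode(no_token)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the token is recomputed from the submitted values, the server keeps no per-client state, which is what makes the protection cheap in memory; the price edit from the lab's Tamper Data step fails verification while a changed quantity is still accepted.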

Exercise Summary

Key Takeaways

The key takeaways for this exercise are:

• Use Tamper Data to test whether server-side validation is missing.

• Use the Form Field Consistency protection to prevent attacks of this nature.


Exercise 6 Credit Cards and Safe Objects

Scenario

The Security team review has flagged that there are occurrences of Credit Card, Social Security and Phone numbers present in some of the web application pages. You have been tasked with investigating what options are in the Application Firewall to mitigate these potential sensitive data leaks.

Overview

In this exercise you will review removing, crossing-out and blocking pages containing Credit Cards, Social Security and Phone numbers.

Exercise Details In this exercise you will perform the following tasks:

• Perform a Cross-Site Scripting attack against a vulnerable web application

• Configure the Application Firewall to cross-out any credit cards in a web page

• Configure the Application Firewall to recognize US Social Security numbers and Phone numbers

• Configure the Application Firewall to remove Social Security numbers and to cross-out any Phone numbers

• Configure the Application Firewall to block any pages with Social Security numbers

Step by step guidance Estimated time to complete this lab: 15 minutes.

Step Action

1. Open up a new tab in Firefox and navigate to synergyweb.training.lab/web/ or click the SynergyWeb shortcut on the Bookmarks bar:

2. Click the Credit Card Demo link and view the full credit card numbers. This is a big security leak!


3. Switch back to Internet Explorer and the NetScaler Configuration utility at https://netscaler.training.lab/.

Browse to Security > Application Firewall > Profiles. Select SynWeb_AF_prof and click Open.

Click the Security Checks tab, highlight Credit Card and click Open.


4. Select Visa and click Protect.

5. Click the General tab and select the following settings:

Actions: Log, X-Out and Statistics

Parameters: Max = 0

Click OK for the Credit Card Check and OK on the Application Firewall profile to commit the changes.

6. Switch tabs to Firefox and press Ctrl+F5 to refresh the Credit Card Demo page. The valid credit card numbers should now be crossed-out!


Now we will move onto the next attack and protection. Credit Cards are not the only type of numbers we would like to protect in our web application. We can leverage Safe Objects to define our own numbering schemes to protect in our web applications.

7. Return to Firefox and click the SynergyWeb button below the address field to return to the index page of SynergyWeb. Click the Safe Object Demo link and view data that could be considered sensitive – social security and phone numbers.

8. We will now create definitions for these numbers so Application Firewall can recognize them.

Switch back to the NetScaler Configuration utility in Internet Explorer and navigate to Security > Application Firewall > Profiles. Select SynWeb_AF_prof and click Open. Click the Security Checks tab, highlight Safe Object and click Open.

Click Add.


9. Create a new Safe Object to define United States Social Security Numbers. Use the following settings:

Enabled: Checked

Name: US Social Security Numbers

Actions: Log, Statistics, Remove

Regular Expression: \d{3}-\d{2}-\d{4}

Maximum Match Length: 11

Click Create.

Regular Expressions, often called “Regex”, are a pattern-matching shorthand notation based on the PCRE (Perl Compatible Regular Expressions) standard. The expression “\d{3}-\d{2}-\d{4}” denotes a US Social Security Number of the format 123-45-6789. The “\d” expression denotes a “digit”.


10. Repeat the same steps with slightly different settings for Phone Numbers. Click Add and enter the following settings:

Enabled: Checked

Name: US Phone Numbers

Actions: Log, X-Out, Statistics

Regular Expression: \d{3}-\d{3}-\d{4}

Maximum Match Length: 12

Click Create and Close and then click OK on the SynWeb_AF_prof profile.

11. Switch to the SynergyWeb tab in Firefox. Press Ctrl+F5 to refresh the Safe Object Demo page. See that the US Social Security Numbers have been removed and the Phone Numbers have been crossed-out:


12. Right-click on the page and select View Page Source. Note in the HTML source that the Social Security Numbers are no longer present and the Phone Numbers have been crossed-out.


13. The next definitive step is to completely block the page instead of removing the numbers!

Back to Internet Explorer and the NetScaler Configuration utility. Click Security > Application Firewall > Profiles. Select SynWeb_AF_prof and click Open. Select the Security Settings tab, highlight Safe Object and then click Open.

Select the US Social Security Numbers Safe Object and click Open. Uncheck Remove and then check Block.

Click OK, Close and OK to commit this change.

14. Switch to Firefox. Press Ctrl+F5 to refresh the Safe Object Demo page and note that nothing gets displayed – it’s a blank page! The TCP connection was reset!


15. Let’s look into this further. Return to the NetScaler Configuration utility in Internet Explorer and click System > Auditing. Click Syslog messages on the right.

In the Module drop-down list, select APPFW. Observe the logs, the last transaction should have been blocked by the NetScaler Application Firewall.

Click Close.

End of exercise
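The credit card check and the two Safe Objects configured in this exercise, as an added Python example of how such response-body checks behave (this is not Citrix code and not the appliance's implementation). It applies the lab's regular expressions, maximum match lengths and actions (Remove, X-Out, Block) to a constructed page, validates card candidates with the Luhn checksum so random digit runs are not masked, and raises an exception where the appliance would reset the connection. Keeping the last four digits of a crossed-out card is a design choice of this example, and the log lines are constructed.

```python
import re

# Constructed Safe Object definitions mirroring the two created in the lab.
SAFE_OBJECTS = [
    {"name": "US Social Security Numbers", "regex": r"\d{3}-\d{2}-\d{4}",
     "max_match_length": 11, "actions": {"log", "stats", "remove"}},
    {"name": "US Phone Numbers", "regex": r"\d{3}-\d{3}-\d{4}",
     "max_match_length": 12, "actions": {"log", "stats", "xout"}},
]
# 16-digit card candidates with optional space or dash separators (this example's own pattern).
CARD_PATTERN = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


class PageBlocked(Exception):
    """Raised when a check with the Block action fires; the caller drops the response."""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only plausible card numbers are treated as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def credit_card_check(body: str, actions=("log", "xout", "stats"), max_allowed=0, log=None) -> str:
    """Visa-only check as in the lab: Luhn-valid numbers starting with 4 are masked except the last four digits."""
    hits = 0

    def mask(m):
        nonlocal hits
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not digits.startswith("4") or not luhn_ok(digits):
            return raw
        hits += 1
        if log is not None:
            log.append(f"APPFW CC Visa card number found, action {'block' if 'block' in actions else 'xout'}")
        return re.sub(r"\d", "x", raw[:-4]) + raw[-4:]

    masked = CARD_PATTERN.sub(mask, body)
    if "block" in actions and hits > max_allowed:
        raise PageBlocked("credit card check")
    return masked if "xout" in actions else body


def safe_object_check(body: str, objects=SAFE_OBJECTS, log=None) -> str:
    """Apply each Safe Object in order; matches longer than the maximum match length are ignored."""
    for obj in objects:
        def act(m, obj=obj):
            match = m.group(0)
            if len(match) > obj["max_match_length"]:
                return match
            if log is not None:
                log.append(f"APPFW SAFEOBJECT {obj['name']} matched")
            if "block" in obj["actions"]:
                raise PageBlocked(obj["name"])
            if "remove" in obj["actions"]:
                return ""
            if "xout" in obj["actions"]:
                return "X" * len(match)
            return match
        body = re.compile(obj["regex"]).sub(act, body)
    return body


def demo() -> dict:
    log = []
    # Constructed page resembling the Credit Card and Safe Object demo pages.
    page = ("<p>Card: 4111 1111 1111 1111 (valid Visa), 4111 1111 1111 1112 (fails Luhn)</p>"
            "<p>SSN: 123-45-6789 Phone: 555-123-4567</p>")
    masked = credit_card_check(page, log=log)
    cleaned = safe_object_check(masked, log=log)
    # Step 13 of the lab: switch the SSN object from Remove to Block.
    blocking = [dict(SAFE_OBJECTS[0], actions={"log", "stats", "block"}), SAFE_OBJECTS[1]]
    try:
        safe_object_check(masked, objects=blocking)
        blocked = False
    except PageBlocked:
        blocked = True
    return {"masked": masked, "cleaned": cleaned, "blocked": blocked, "log": log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The Luhn filter is the part worth copying: without it, any 16-digit run in a page (an order id, a tracking number) would be crossed out, which is the false-positive class a practitioner hits first when enabling this kind of check.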

Exercise Summary

Credit Cards and Social Security numbers are two examples of customer data whose exposure represents a serious data leak. In this exercise, checks for these data types were configured, and removing, crossing-out and blocking pages containing Credit Cards, Social Security and Phone numbers was demonstrated.


Exercise 7 Buffer Overflow

Overview

In this exercise you will see a demonstration of a Buffer Overflow exploit and the appropriate protection using the Application Firewall.

Exercise Details In this exercise you will perform the following tasks:

• Perform a Buffer Overflow exploit against a vulnerable web application

• Configure the Application Firewall to block the Buffer Overflow exploit

Step by step guidance Estimated time to complete this lab: 5 minutes.

Step Action

1. Open up Firefox and navigate to the SynergyWeb Index page at http://synergyweb.training.lab/web/.

2. Click the Buffer Overflow Demo link. You should see the text “You have successfully configured buffer overflows to allow access to this long URL” in your browser.

3. Switch back to the NetScaler Configuration utility in Internet Explorer.

4. Navigate to Security > Application Firewall > Profiles. Select SynWeb_AF_prof and click Open. Click the Security Checks tab and highlight the Buffer Overflow option. Check Block, Log and Stat.


5. Click Open. Click Yes to save the change and then verify that the Maximum URL Length is set to 1024.

Click OK and OK.

6. Switch to Firefox and press Ctrl+F5 to refresh the Buffer Overflow Demo page again. This time you should be blocked.

7. Congratulations! You have successfully blocked Buffer Overflow attacks.

End of exercise
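The Buffer Overflow check, as an added Python example (not Citrix code): it parses the request line and headers of a raw HTTP request and rejects any whose URL, header or Cookie value exceeds a configured length. The URL limit of 1024 is the value verified in the lab; the header and cookie limits of 4096 are assumed for this example, and the sample requests are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class BufferOverflowCheck:
    """Request-size limits in the spirit of the Application Firewall Buffer Overflow check."""
    max_url_length: int = 1024      # the value verified in the lab profile
    max_header_length: int = 4096   # assumed limit for this example
    max_cookie_length: int = 4096   # assumed limit for this example
    block: bool = True
    log: list = field(default_factory=list)

    def inspect(self, raw_request: bytes) -> dict:
        """Parse the request line and headers of a raw HTTP/1.1 request and report any limit exceeded."""
        head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        method, url, _version = request_line.split(" ", 2)
        violations = []
        if len(url) > self.max_url_length:
            violations.append(f"URL length {len(url)} exceeds {self.max_url_length}")
        for line in header_lines:
            name, _, value = line.partition(":")
            value = value.strip()
            limit = self.max_cookie_length if name.lower() == "cookie" else self.max_header_length
            if len(value) > limit:
                violations.append(f"{name} header length {len(value)} exceeds {limit}")
        blocked = self.block and bool(violations)
        for v in violations:  # constructed log format, not the appliance's
            self.log.append(f"APPFW BUFFEROVERFLOW {method} {url[:40]} {v} <{'blocked' if blocked else 'not blocked'}>")
        return {"blocked": blocked, "violations": violations}


def build_request(path: str, cookie: str = "") -> bytes:
    """Constructed GET request for the lab host, with an optional Cookie header."""
    lines = [f"GET {path} HTTP/1.1", "Host: synergyweb.training.lab", "User-Agent: constructed-demo/1.0"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def demo() -> dict:
    check = BufferOverflowCheck()
    normal = check.inspect(build_request("/web/"))
    long_url = check.inspect(build_request("/web/" + "A" * 1500))
    big_cookie = check.inspect(build_request("/web/", cookie="session=" + "B" * 5000))
    return {"normal": normal, "long_url": long_url, "big_cookie": big_cookie, "log": check.log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Each limit is checked independently, so the result lists every violated limit rather than stopping at the first, which is what you want in the log when tuning the thresholds against legitimate traffic.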

Exercise Summary In this exercise a Buffer Overflow exploit was demonstrated. The appropriate protection using the Application Firewall was also tested.


Exercise 8 Limit Client Bandwidth Consumption

Overview

In this exercise students will perform configurations to rate limit client bandwidth consumption dynamically with various NetScaler features.

Exercise Details In this exercise you will perform the following tasks:

• Create an Analytics Stream Identifier

• Create a Rewrite policy and action to insert a HTTP Header with a bandwidth value

• Create Responder actions and policies to respond dynamically if the client exceeds the bandwidth limit

• Configure a service to insert a HTTP Header with the Client IP address

• Test the configuration by trying to exceed the bandwidth limit for a webpage

Step by step guidance Estimated time to complete this lab: 15 minutes.

Step Action

1. Double-click the PuTTY shortcut on the Win7Client VM Desktop. Select the saved session netscaler.training.lab and click Open.


2. Log on with the default credentials nsroot/nsroot.

3. Enter the following command to create an Analytics Stream Identifier. This will work with the default Top_CLIENTS Selector.

add stream identifier top_bandwidth Top_CLIENTS

4. Enter the following command to create a rewrite action that will insert an HTTP Request Header called ActionAnalyticsBW indicating the bandwidth for the current client. This will be output later on by the PHP webpage.

add rewrite action actionanalytics_bandwidth_act insert_http_header ActionAnalyticsBW "ANALYTICS.STREAM(\"top_bandwidth\").BANDWIDTH"

5. Enter the following command to create a policy that will tie our Rewrite action together.

add rewrite policy actionanalytics_bandwidth_pol "HTTP.REQ.URL.ENDSWITH(\"actionanalytics2.php\")" actionanalytics_bandwidth_act

6. Enter the following command to bind the Rewrite policy to the LB Vserver.

bind lb vserver SynWeb_WAMP_LB -policyName actionanalytics_bandwidth_pol -priority 100 -type REQUEST

7. Enter the following command to create the Responder policies needed for this exercise.

add responder policy top_bandwidth_group_collect_pol "ANALYTICS.STREAM(\"top_bandwidth\").COLLECT_STATS" NOOP

8. Enter the following commands to create the Responder action for when the bandwidth limit has been exceeded. The first command will import an existing web page onto the NetScaler. The second command will create the Responder action.

import responder htmlpage "http://synergyweb.training.lab/web/countdown_color.html" Countdown

add responder action bandwidth_exceeded_javascript respondwithhtmlpage Countdown

9. Enter the following command to create the Responder policy that will fire on any URL ending in actionanalytics2.php where the bandwidth used is greater than 50 KB.

add responder policy top_bandwidth_group_1_pol "HTTP.REQ.URL.ENDSWITH(\"actionanalytics2.php\") && ANALYTICS.STREAM(\"top_bandwidth\").BANDWIDTH.GT(50)" bandwidth_exceeded_javascript


10. Enter the following commands to bind the Responder policies to the WAMP LB Vserver.

bind lb vserver SynWeb_WAMP_LB -policyName top_bandwidth_group_collect_pol -priority 100 -gotoPriorityExpression NEXT -type REQUEST

bind lb vserver SynWeb_WAMP_LB -policyName top_bandwidth_group_1_pol -priority 110 -gotoPriorityExpression END -type REQUEST

11. Enter the following command to configure the WAMP service to add the ClientIP Header.

set service SynWeb_WAMP_svc -cip ENABLED ClientIP

12. Enter the following command to save the NetScaler configuration.

save config

The Client IP header will be used in the action analytics PHP web page. Using normal PHP syntax like:

<?php echo $_SERVER['REMOTE_ADDR']; ?>

It will output the NetScaler Subnet IP address. This is because the NetScaler will be accessing the webpage and would be considered the ‘client’. To work around this we can insert the Client IP into a header and that will be seen by the WAMP Web Server in the HTTP Request to show the real client IP.

13. Now, go to http://synergyweb.training.lab/analytics/actionanalytics2.php in your Firefox web browser. Press Ctrl+F5 to refresh the page. The number of kilobytes being used should increase.

14. Continue to refresh the browser and after 50 KBytes the action should take effect. You should see the following message in your browser.

15. Wait for 30 seconds and try refreshing. The bandwidth value should have reset appropriately. Go back to the NetScaler Configuration utility in Internet Explorer, click Configuration and then click the Save icon on the top right corner to save the configuration. Click Yes to confirm.


End of exercise
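The policy chain built in this exercise, as an added Python example (not Citrix code and not the appliance's stream analytics implementation): a per-client byte counter stands in for the top_bandwidth stream identifier, and one function applies the rewrite policy, the collect-stats responder policy and the 50 KB responder policy in their binding order. The 30-second reset window, the 12 KB page size, the countdown page text and the accounting of each page's size at request time are assumptions of this example.

```python
import time
from collections import defaultdict

LIMIT_KB = 50   # BANDWIDTH.GT(50) in the lab's responder policy
# Stands in for the Countdown HTML page imported onto the NetScaler in the lab.
COUNTDOWN_PAGE = "<html><body>Bandwidth limit exceeded; please wait and try again.</body></html>"


class StreamIdentifier:
    """Per-client byte counter in the role of the lab's top_bandwidth stream identifier
    (Top_CLIENTS selector keyed on client IP). Counters reset once interval_s has passed
    since the window opened; 30 s is an assumed value chosen to match what the lab observes."""

    def __init__(self, interval_s: float = 30.0, clock=time.monotonic):
        self.interval_s = interval_s
        self.clock = clock
        self._bytes = defaultdict(int)
        self._window_start = {}

    def _refresh(self, client_ip: str) -> None:
        now = self.clock()
        start = self._window_start.get(client_ip)
        if start is None or now - start >= self.interval_s:
            self._window_start[client_ip] = now
            self._bytes[client_ip] = 0

    def collect_stats(self, client_ip: str, nbytes: int) -> None:
        """COLLECT_STATS: account nbytes to this client's current window."""
        self._refresh(client_ip)
        self._bytes[client_ip] += nbytes

    def bandwidth_kb(self, client_ip: str) -> int:
        """BANDWIDTH: kilobytes accounted to the client in the current window."""
        self._refresh(client_ip)
        return self._bytes[client_ip] // 1024


def handle_request(stream: StreamIdentifier, client_ip: str, url: str, page_bytes: int) -> dict:
    """Apply the lab's policies in binding order for one request.
    Simplification: the size of the page about to be served is accounted at request time."""
    # Rewrite policy: insert the bandwidth seen so far so the PHP page can display it,
    # plus the ClientIP header the service inserts (-cip ENABLED ClientIP).
    backend_headers = {"ActionAnalyticsBW": str(stream.bandwidth_kb(client_ip)),
                       "ClientIP": client_ip}
    # Responder policy top_bandwidth_group_collect_pol (NOOP, goto NEXT): collect, then continue.
    stream.collect_stats(client_ip, page_bytes)
    # Responder policy top_bandwidth_group_1_pol (goto END): serve the countdown page above the limit.
    if url.endswith("actionanalytics2.php") and stream.bandwidth_kb(client_ip) > LIMIT_KB:
        return {"served_by": "responder", "body": COUNTDOWN_PAGE, "headers": backend_headers}
    return {"served_by": "web server", "body": f"<page of {page_bytes} bytes>", "headers": backend_headers}


def demo() -> dict:
    now = [0.0]
    stream = StreamIdentifier(clock=lambda: now[0])
    url = "http://synergyweb.training.lab/analytics/actionanalytics2.php"
    client = "192.168.10.201"   # the lab's Windows 7 client
    sequence = [handle_request(stream, client, url, 12 * 1024)["served_by"] for _ in range(6)]
    other_page = handle_request(stream, client, "http://synergyweb.training.lab/web/", 12 * 1024)["served_by"]
    now[0] = 31.0   # wait out the window, as step 15 of the lab does
    after_reset = handle_request(stream, client, url, 12 * 1024)["served_by"]
    return {"sequence": sequence, "other_page": other_page, "after_reset": after_reset}


if __name__ == "__main__":
    print(demo())
```

With 12 KB pages the fifth refresh pushes the client past 50 KB and the responder takes over; a request for a different URL is still served by the web server even above the limit, because the responder policy's expression also tests the URL, and the counter starts again once the window expires.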

Exercise Summary

In this exercise, we saw how to use Action Analytics together with the Rewrite and Responder features to rate-limit a client that is requesting too much traffic from the web server.


Exercise 9 Prevent Account Brute Force Attacks with NetScaler Gateway Virtual Server

Overview

In this exercise, we will configure the new AAA parameters to slow down any brute-force password attack. This exercise requires the configuration of an existing NetScaler Gateway virtual server and policies/profiles.

Exercise Details In this exercise you will perform the following tasks:

• Re-configure the dual-factor authentication order of an existing NetScaler Gateway virtual server

• Test logons to the NetScaler Gateway portal web page

• Configure the NetScaler Gateway to restrict the number of logons to three in one minute

• Simulate more than three logons to the NetScaler Gateway portal web page in one minute

Step by step guidance Estimated time to complete this lab: 15 minutes.

Step Action

1. Open Firefox and enter the URL https://gateway.training.lab/ to access the NetScaler Gateway portal page or click the Citrix NetScaler Gateway shortcut in the Bookmarks bar.


2. Log on with the following credentials:

Username: user1 Password 1: Citrix123 Password 2: Citrix123

Click Log On to validate the credentials. As the focus is on authentication no tasks are needed when logged onto NetScaler Gateway! Click Log Off.

3. Open up a new tab in Internet Explorer and enter https://netscaler.training.lab/ to view the NetScaler Configuration utility.


4. Navigate to NetScaler Gateway > Virtual Servers and open up the virtual server gateway.training.lab. Click the Authentication tab and review the Primary authentication method.

Click auth_LDAP_prof and review the LDAP settings. Click Close.

5. Repeat the same steps to review the RADIUS settings by selecting the Secondary tab and clicking the auth_RADIUS_pol policy. Click Close.

6. Let’s switch the order of the dual-factor authentication. While in the Secondary tab, click the drop-down triangle beside auth_RADIUS_pol and select auth_LDAP_pol instead.


7. Go to the Primary tab and select the drop-down triangle beside auth_LDAP_pol and select auth_RADIUS_pol instead. Click OK to commit the change.

The reason for setting the RADIUS policy as primary and the LDAP policy as secondary is to prevent account lockout attacks. Since RADIUS is usually used for one-time password (OTP) authentication mechanisms, this protects the Active Directory account from any account lockouts that might occur from repeated authentication attempts.

8. In Firefox, navigate to the URL https://gateway.training.lab/. Enter the following user credentials at the log on page:

Username: user1 Password 1: Citrix123 Password 2: Citrix123

Click Log On. You have successfully logged on. Now select Log Off.

9. One of the AAA features in NetScaler 10.1 is the ability to define the maximum number of login attempts as well as a lockout timeout.

Return to Internet Explorer. Click NetScaler Gateway > Virtual Servers and open gateway.training.lab. In the Failed Login Timeout field, type 1. In the Max Login Attempts field, type 3.

Click OK to commit the changes.


This will prevent more than three authentication requests from the same user within the next 60 seconds of the last failed attempt.

10. Switch back to Firefox, navigate to https://gateway.training.lab/ and enter the wrong credentials 3 times in a row in a period of less than 60 seconds.

Username: user1 Password1: 123 Password2: 123

Click Log On.

11. At this point, the account has been flagged as temporarily locked out. Now, enter the user credentials once more. You should receive a message stating that you have exceeded the maximum number of attempts. Verify that this is the case.


12. Close Firefox and reopen it. Browse to https://gateway.training.lab/.

Attempt to log on as user2.

Username: user2 Password1: Citrix123 Password2: Citrix123

You should be able to log on. Click Log Off.

13. Close Firefox. After 30 seconds have elapsed, reopen it and browse to: https://gateway.training.lab/

Log on with user1 credentials:

Username: user1 Password1: Citrix123 Password2: Citrix123

14. Since the Failed Login Timeout already expired, you should be able to log on with user1 credentials. Verify that this is the case and then close Firefox.


15. Congratulations! You have configured a simple account lockout mechanism using NetScaler.

Save your configuration by clicking on the Save icon on the top right of the NetScaler Configuration utility in Internet Explorer. Click Yes to confirm.

The same configuration is possible with an AAA-Traffic Management Virtual server. This is possible because AAA-TM and NetScaler Gateway share the same NetScaler architecture for authentication.

The AAA-TM virtual server could be placed in front of your web applications and configured with dual-factor and your authentication mechanism of choice – RADIUS, LDAP, SAML, Kerberos and more.
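The two protections from this exercise, as an added Python example (not Citrix code and not how NetScaler Gateway implements them): a per-user failed-login counter with the lab's Max Login Attempts of 3 and Failed Login Timeout of 1 minute, and a dual-factor logon that consults the RADIUS factor first so that a bad one-time password never reaches the LDAP directory. The credential stores, the users and the clock are constructed for the demonstration.

```python
import time

# Constructed credential stores standing in for the lab's RADIUS (one-time password) and LDAP servers.
RADIUS_OTP = {"user1": "Citrix123", "user2": "Citrix123"}
LDAP_PASSWORDS = {"user1": "Citrix123", "user2": "Citrix123"}


class LoginThrottle:
    """Per-user lockout: after max_attempts failures, further attempts are refused until
    failed_login_timeout_s seconds have passed since the last failure."""

    def __init__(self, max_attempts=3, failed_login_timeout_s=60.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.timeout = failed_login_timeout_s
        self.clock = clock
        self._failures = {}   # user -> [count, time of last failure]

    def is_locked(self, user: str) -> bool:
        entry = self._failures.get(user)
        if entry is None or entry[0] < self.max_attempts:
            return False
        if self.clock() - entry[1] >= self.timeout:
            del self._failures[user]     # timeout expired: the counter starts fresh
            return False
        return True

    def record_failure(self, user: str) -> None:
        entry = self._failures.setdefault(user, [0, 0.0])
        entry[0] += 1
        entry[1] = self.clock()

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def authenticate(throttle: LoginThrottle, user: str, password1: str, password2: str, ldap_calls: list) -> str:
    """Dual-factor logon in the lab's final order: RADIUS primary, LDAP secondary.
    ldap_calls records every time the directory is consulted."""
    if throttle.is_locked(user):
        return "max attempts exceeded"
    if RADIUS_OTP.get(user) != password1:      # primary factor fails: the directory is never contacted
        throttle.record_failure(user)
        return "failed"
    ldap_calls.append(user)
    if LDAP_PASSWORDS.get(user) != password2:
        throttle.record_failure(user)
        return "failed"
    throttle.record_success(user)
    return "ok"


def demo() -> dict:
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    ldap_calls = []
    results = {}
    # Step 10: three wrong logons for user1 inside one minute.
    results["bad_attempts"] = [authenticate(throttle, "user1", "123", "123", ldap_calls) for _ in range(3)]
    results["ldap_calls_during_bad_attempts"] = list(ldap_calls)
    # Step 11: correct credentials are refused while the lockout is active.
    results["locked_with_good_creds"] = authenticate(throttle, "user1", "Citrix123", "Citrix123", ldap_calls)
    # Step 12: another user is unaffected.
    results["other_user"] = authenticate(throttle, "user2", "Citrix123", "Citrix123", ldap_calls)
    # Steps 13-14: after the timeout user1 can log on again.
    now[0] = 61.0
    results["after_timeout"] = authenticate(throttle, "user1", "Citrix123", "Citrix123", ldap_calls)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The empty list of LDAP calls during the failed attempts is the point of the factor order: an attacker guessing passwords is stopped by the OTP factor and by the throttle, and the Active Directory account's own lockout counter is never advanced.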

Exercise Summary We have learned how to improve NetScaler Gateway security by placing RADIUS as the first factor in dual-factor authentication. We also configured the account protection features and lockout timeouts for a NetScaler Gateway virtual server.


Exercise 10 Secure the web applications with SSL/TLS

Scenario

The Security Team review has flagged that the web application layer is not protected with SSL/TLS security. They would like to investigate methods to convert the existing content switching Virtual server over to SSL. You must also meet these criteria:

• Minimal downtime in the switchover from HTTP to SSL based virtual server

• If traffic is redirected from HTTP to HTTPS, then the URL and queries must be preserved.

Overview In this exercise, we will perform the following tasks:

• Add a new SSL based Content Switching Virtual Server

• Create a new Responder action and policy

• Bind the responder policy to the existing HTTP based CS Vserver

Step by step guidance Estimated time to complete this lab: 10 minutes.

Step Action


1. Double-click the PuTTY shortcut on the Win7Client VM Desktop. Select the saved session netscaler.training.lab and click Open.

2. Log on with the default credentials of nsroot/nsroot.

3. Enter the following command to add the Responder action.

add responder action SynWeb_resp_act respondwith q{"HTTP/1.1 301 MOVED PERMANENTLY\r\n" + "Location: https://synergyweb.training.lab" + HTTP.REQ.URL.path_and_query.HTTP_URL_SAFE + "\r\n" + "Connection: close\r\n" + "\r\n"}

The responder action is more efficient than other redirect methods because the URL path and queries are retained in the redirect. For example http://synergyweb.training.lab/WebGoat/attack will be redirected to https://synergyweb.training.lab/WebGoat/attack

4. Enter the following command to add the Responder policy.

add responder policy SynWeb_resp_pol "CLIENT.IP.DST.EQ(192.168.10.100) && CLIENT.TCP.DSTPORT.EQ(80)" SynWeb_resp_act

The Responder policy will match against client connections destined for IP 192.168.10.100 and on TCP port 80.


5. Enter the following command to bind the Responder policy to the existing CS Vserver.

bind cs vserver SynWeb_CS -policyName SynWeb_resp_pol -priority 100

6. Enter the following command to create a new SSL based CS Vserver.

add cs vserver SynWeb_CS_SSL SSL 192.168.10.100 443

7. Enter the following commands to bind the CS policies to the CS Vserver.

bind cs vserver SynWeb_CS_SSL -policyName CS_WebGoat_pol -priority 100

bind cs vserver SynWeb_CS_SSL -policyName CS_WAMP_pol -priority 110

8. Enter the following command to make the WAMP server the default LB Vserver bound to the CS Vserver for any requests that do not match the policy expression.

bind cs vserver SynWeb_CS_SSL -lbvserver SynWeb_WAMP_LB

9. Enter the following command to bind the SSL certificate to the CS Vserver.

bind ssl vserver SynWeb_CS_SSL -certkeyName synergyweb.training.lab

10. Enter the following command to bind the AppFW policy to the new CS Vserver to complete the configuration.

bind cs vserver SynWeb_CS_SSL -policyName SynWeb_AF_prof -priority 100

11. Enter the following command to improve the SSL security level by removing the default SSL ciphers

unbind ssl vserver SynWeb_CS_SSL -cipherName DEFAULT

You will receive a warning during the removal/addition of new ciphers; however, this is safe to ignore:

Warning: No usable ciphers configured on the SSL

12. Enter the following command to add a cipher that replaces the cipher removed in the previous step.

bind ssl vserver SynWeb_CS_SSL -cipherName HIGH

13. Enter the following command to save the configuration.

save config


14. Switch to Firefox and click the first SynergyWeb link from the Bookmarks bar.

Notice that the web pages are now secured with SSL/TLS (https).

End of exercise
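The Responder action and policy from steps 3 to 5, as an added Python example (not Citrix code): the policy expression matches only connections to the HTTP content switching address on port 80, and the action builds the 301 response with the original path and query preserved in the Location header. The http_url_safe function is this example's approximation of the HTTP_URL_SAFE operator using urllib.parse.quote, and the sample paths are constructed.

```python
from urllib.parse import quote

REDIRECT_BASE = "https://synergyweb.training.lab"
CS_VIP = "192.168.10.100"   # HTTP CS vserver address from the lab
CS_PORT = 80


def http_url_safe(path_and_query: str) -> str:
    """Percent-encode characters that are not safe in a URL while keeping path and query delimiters.
    This is the example's own approximation of HTTP_URL_SAFE, not the NetScaler operator."""
    return quote(path_and_query, safe="/?=&%;:@+,$!*'()-._~")


def responder_policy_matches(dst_ip: str, dst_port: int) -> bool:
    """CLIENT.IP.DST.EQ(192.168.10.100) && CLIENT.TCP.DSTPORT.EQ(80)"""
    return dst_ip == CS_VIP and dst_port == CS_PORT


def responder_action(path_and_query: str) -> str:
    """Build the raw 301 response that the lab's responder action sends."""
    return ("HTTP/1.1 301 MOVED PERMANENTLY\r\n"
            + "Location: " + REDIRECT_BASE + http_url_safe(path_and_query) + "\r\n"
            + "Connection: close\r\n"
            + "\r\n")


def handle_request(dst_ip: str, dst_port: int, path_and_query: str):
    """Return the redirect response when the policy matches, otherwise None
    (the request continues to the content switching vserver)."""
    if responder_policy_matches(dst_ip, dst_port):
        return responder_action(path_and_query)
    return None


def location_of(response: str):
    """Extract the Location header from a raw response, as a browser would."""
    for line in response.split("\r\n"):
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip()
    return None


def demo() -> dict:
    plain = handle_request("192.168.10.100", 80, "/WebGoat/attack?Screen=1&menu=200")
    spaced = handle_request("192.168.10.100", 80, "/web/report.php?name=a b&q=<x>")
    already_tls = handle_request("192.168.10.100", 443, "/WebGoat/attack")
    return {"plain": location_of(plain), "spaced": location_of(spaced), "already_tls": already_tls}


if __name__ == "__main__":
    print(demo())
```

The second case shows why the path and query are passed through a URL-safe encoding before being echoed into the Location header: a space or an angle bracket from the original request must not appear raw in a header the responder constructs.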

Exercise Summary The security of web applications was improved by placing an SSL/TLS layer in front. The NetScaler provides many SSL/TLS related options, which could be investigated. Some examples are the ability to turn on versions of SSL/TLS such as SSLv2, SSLv3, TLSv1 and TLSv1.1/TLSv1.2 on the NetScaler MPX hardware appliances.


Exercise 11 Remove Web Server Header Information

Overview

In this exercise HTTP headers are examined, and the NetScaler Rewrite feature is used to mitigate revealing too much information in these headers to potential attackers.

Step by step guidance Estimated time to complete this lab: 15 minutes.

Step Action

1. In the Win7Client VM open up Firefox. Click ALT to reveal the menu bar and select Tools > Web Developer > HttpFox > Toggle HttpFox.

2. In HttpFox click Start.

3. In the Bookmarks bar click the link for SynergyWeb.

4. In the HttpFox window take a look at the first HTTP request for the URL http://synergyweb.training.lab/web/


Here we can see in the Response Header column on the right-hand side that there is a Header called ‘Server’ with the value ‘Apache’. This could be leveraged by an attacker during reconnaissance to gain more insight into the customer’s back end environment and any potential weaknesses.

To remove this header the Rewrite feature of the NetScaler will be used.

5. Minimize the browser window and open up the PuTTY shortcut from the Windows 7 desktop. Select netscaler.training.lab from Saved Sessions and click Open.

6. Enter the default credentials nsroot/nsroot

7. Add the Rewrite action to target the HTTP Header ‘Server’.

add rewrite action SynWeb_rwr_hdr_act replace "HTTP.RES.HEADER(\"Server\")" "\"Unspecified\""

8. Add the Rewrite policy to trigger the Rewrite action based on the criteria that the HTTP Response is a valid one.

add rewrite policy SynWeb_rwr_hdr_pol HTTP.RES.IS_VALID SynWeb_rwr_hdr_act

9. Bind the Rewrite policy as a Global Binding. This will affect the ‘Server’ HTTP Header for every response received to the NetScaler.

bind rewrite global SynWeb_rwr_hdr_pol 100

10. Save the NetScaler configuration.

save config

The Rewrite configuration just created will replace the value of the HTTP Header ‘Server’ with the string ‘Unspecified’ and perform this action on all valid HTTP Responses seen by the NetScaler from back-end web servers.

11. Switch back to Firefox and click CTRL+F5 to refresh the page. Inspect the Server header in the Response pane as per Step 4. What value do you get now?
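The header rewrite from steps 7 to 9, as an added Python example (not Citrix code): the function replaces the value of one response header on any valid HTTP response and passes anything else through unchanged, which mirrors the HTTP.RES.IS_VALID condition of the policy. It is written for any header name so the same routine serves other disclosure headers; the sample response is constructed, with the Server value taken from what HttpFox showed in step 4.

```python
def rewrite_header(raw_response: bytes, name: str = "Server", value: str = "Unspecified") -> bytes:
    """Replace the value of one response header, as the lab's rewrite action does for Server.
    Responses that are not valid HTTP (HTTP.RES.IS_VALID false) are returned unchanged."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return raw_response
    target = name.lower().encode()
    out = [lines[0]]
    for line in lines[1:]:
        hdr_name, colon, _ = line.partition(b":")
        if colon and hdr_name.strip().lower() == target:
            out.append(name.encode() + b": " + value.encode())
        else:
            out.append(line)
    return b"\r\n".join(out) + sep + body


def header_value(raw_response: bytes, name: str):
    """Return the value of a header as a client like HttpFox would display it, or None if absent."""
    head = raw_response.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        hdr_name, colon, value = line.partition(b":")
        if colon and hdr_name.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None


# Constructed response resembling what the lab's Apache back end returns.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 05 May 2014 10:00:00 GMT\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 12\r\n"
                   b"\r\n"
                   b"<p>hello</p>")


def demo() -> dict:
    rewritten = rewrite_header(SAMPLE_RESPONSE)
    return {"before": header_value(SAMPLE_RESPONSE, "Server"),
            "after": header_value(rewritten, "Server"),
            "body_intact": rewritten.endswith(b"<p>hello</p>"),
            "garbage_untouched": rewrite_header(b"not http at all") == b"not http at all"}


if __name__ == "__main__":
    print(demo())
```

Only the header value changes; the status line, the other headers and the body are left byte-for-byte as the back end sent them, which is the behaviour to verify after binding any rewrite policy globally.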

Exercise Summary HTTP Headers such as ‘Server’ could be leveraged by an attacker during reconnaissance to gain more insight into the customer’s back end environment and any potential vulnerabilities in a version of a web server.

Removing this header using the NetScaler Rewrite feature is simple.


Bonus Exercise Auditing and Logging

Overview

Congratulations on getting this far!

No lab about security could be complete without a discussion around auditing and logging. As a bonus we have hidden a pre-configured Command Center installation on a Windows VM, to which the NetScaler has been sending logs as you worked through the exercises.

Step by step guidance Estimated time to complete this lab: 10 minutes.

Step Action

In XenCenter, select View > Hidden Objects.

Notice there is a hidden Command Center VM.

1. Let’s get logged on!

In Internet Explorer on the Student Desktop, navigate to https://commandcenter.training.lab or click the Citrix Command Center 5.1 shortcut in the Favorites bar.

2. Log on with the root/Citrix123 credentials.


3. Click Reporting and under AppFirewall, click Dashboard.

4. After all of your hard work getting this far, there should be plenty of data populated for the Application Firewall.

5. Click AppFirewall > Reports. Select Top violations by client and click View Graph.

Click OK.


6. There should be lots of hits for our Windows 7 client at 192.168.10.201! Close the View Graph window.

7. Click AppFirewall > Recent Logs to view the latest Syslogs.

8. Congratulations. You have completed this exercise.

Exercise Summary

In this exercise a brief demonstration was given of logging functionality using Syslogs reported to a Citrix Command Center installation.



Revision history

Revision 1.0: Original version, updated by Andrew Sandford, May 2014

About Citrix Citrix (NASDAQ:CTXS) is a cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, securely accessing apps and data on any of the latest devices, as easily as they would in their own office. Citrix solutions help IT and service providers build clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective cloud services. With market-leading cloud solutions for mobility, desktop virtualization, networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 330,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.