One of the first things you do if you need to secure a web appication using Citrix NetScaler ADC WAF (Web paalication Firewall), is setting the correct profile type. Even though the profile type may bet changed later on, it is a serious decision you have to do.
- The Profile Type
Defauls is about scans being enabled by default. There is no hidden secret about this. Everything may get changed later on, a default profile may become an advanced one and vice versa. Therefore I will not go into this
While setting defaults is not an important decision, the profile type is. But let’s first get into, what a profile type is good for.
There are three types of scans:
- common scans, for both, HTML and XML
- Scans, specific to HTNL
- Scans, specific to XML
1) HTML Profile
HTML applications are straight forward, simple HTML. Most of these classic web applications are HTML. HTML profiles are simple to understand as everything is visible. Most of the classes about NetScaler WAF focus on HTML as HTML applications are totally visible. All attacks can be demonstrated easily.
URLs a user may connect too. Every URL a user connects too has to be allowed explicitly. You should do this using RegEx. Citrix NetScaler ADC uses PCRE, Pearl compatible Regular Expressions.You may use a tool like Regex101 to simulate your RegEx, or the one built into Citrix NetScaler ADC WAF policy engine. There are two built in relaxations allowing almost everything. You should disable these!
There is also a feature called URL closure. You don’t need to allow start URLs, except of the initial one, if you enable this feature. This feature is designed for protected parts of the application. Your start URL would be the logon confirmation page, containing all links into protected area of your application. All links will be dynamically whitelisted. This means some overhead in terms of CPU and memory to your Citrix NetScaler ADC.
You should not use this feature in areas your users should be able to connect freely. Crawlers of search engines will start with the root directory and crawl all your web page, it will therefore be able to put all pages into their index, however users following links of search engines will not be white listed and hit the application firewall. They’ll see the error page specified. I mainly use this feature for sensitive parts like order tracking, invoices, user profile ans so on.