




Citrix NetScaler Application Firewall Training

Agenda
- Citrix WAF overview
- Shunwang network topology and architecture introduction
- Service go-live process
- Application Firewall technology overview

Web application firewall (slide diagram)
Traffic from the Internet passes a network firewall and IDS/IPS before reaching the application tier (custom web applications, customized packaged applications, in-house or third-party programs) and the database servers that hold private data (customer information, business data, transaction information). Signature-based inspection of HTTP/HTTPS traffic lets through what it does not recognize ("I don't understand it, let it pass"); the WAF understands the application's documents ("I can read it") and refuses what it does not understand ("I don't understand it, you don't get through"), while normal access passes.

Protection logic: WAF vs IPS vs Network Firewall
Based on the web application's content logic, define rules for legitimate traffic and inspect the content of inbound and outbound connections.

Positive protection (whitelist)
- Default behaviour: block
- Traffic matching a rule: pass
- Benefit: defends against known and unknown attacks
- Products: network firewall, web application firewall, others
- Not prone to false positives unless misconfigured; needs time to learn and configure

Negative protection (blacklist)
- Default behaviour: pass
- Traffic matching a signature: block
- Benefit: defends against known attacks
- Products: antivirus software, antivirus gateway, intrusion detection system (IDS), IPS, others
- Prone to false positives; easy to bypass

WAF operating mechanism: bidirectional protection
- User request (Internet side): the WAF inspects the request and validates its input, then forwards it securely to the protected application.
- Server response (Intranet side): the WAF applies response-content protection before forwarding the response securely back to the user.

The NetScaler web application firewall uses a hybrid security model: a positive list, learned automatically from the application, plus a negative list of detection signatures. The hybrid (Negative + Positive) model protects against both known and unknown security threats.

Citrix NetScaler (MPX and VPX) integrates multiple application security functions: DDoS protection, SSL VPN, SSL, WAF, XML firewall, AAA, SSO and reporting. Between the Internet and web application users it allows legitimate traffic through, inspects response content, blocks application attacks, defends against zero-day attacks with bidirectional inspection, provides advanced attack defense, supports SSL-encrypted connections, and holds ICSA and Common Criteria certification.

Agenda
- Citrix WAF overview
- Shunwang network topology and architecture, and NetScaler architecture overview
- Service go-live process
- Application Firewall technology overview

Current network topology (slide diagram)

NetScaler Architecture Overview

NetScaler-owned IP addresses
The NetScaler system uses different types of IP addresses for management and for proxying connections to the server. These IP addresses are:
- NetScaler IP (NSIP) addresses
- Subnet IP (SNIP) addresses
- Virtual IP (VIP) addresses

NetScaler IP address
The NetScaler IP address (NSIP) is the primary address for management and general system access. The default IP address and netmask is 192.168.100.1/16 (255.255.0.0). Changing this IP address requires a reboot of the appliance.

Subnet IP address
The subnet IP (SNIP)
address is used in connection management and server monitoring. A SNIP address provides the NetScaler system with an Address Resolution Protocol (ARP) presence in subnets to which the system may not be directly connected. A NetScaler system should have a SNIP address configured for every directly connected subnet.

Virtual IP address
VIP addresses are used for client-to-NetScaler communication. When the VIP address is a public IP address, it usually corresponds to the DNS entry for a domain. A VIP address is automatically created when a virtual server is added.

Entity Management (slide)

High Availability Functionality (slide)

Network-wide configuration changes after go-live
- The NS publishes one VIP externally.
- The F5's VIP becomes the Service behind the NS VIP.
- The firewall mapping that previously pointed to the F5 VS is changed to point to the NS VS.
- Because the servers need to see the client's real IP address, the current design has the F5 insert an HTTP X-Forwarded-For header carrying the client IP, which the servers parse to obtain the real client IP.
- After the NS is deployed, the NS inserts this header instead: the feature is removed from the F5 and configured on the NS with the same header name, so the backend servers need no changes.

Hardware Components
Hardware components of the NetScaler system include:
- Network interfaces
- LCD
- Serial interface
- File system: RAM drive, flash memory (/flash), hard disk (/var)

Operating procedure
- Log in to the appliance through the GUI to configure it (the client needs a JRE).
- Either the NSIP or a SNIP can be used for configuration and management.
- Log in through SSH to view the configuration and perform other operations from the command line.

Go-live process
1. Create the Service (the F5 VS address).
2. Create the externally published VS address and bind the corresponding Service.
3. Create the WAF Policy.
4. Bind the WAF Policy to the corresponding VS.

WAF technology introduction

Data Flow Process
The NetScaler sits between EXTERNAL clients and the INTERNAL web applications and database:
1. Client request
2. Request inspections
3. Client request forwarded to the web application
4. Server response
5. Response inspections
6. Server response returned to the client
Checks: Start URLs, XSS, SQL Injection, Field Consistency, Buffer Overflow, Credit Cards, Safe Object. Full ADC integration.
Profiles and policies
- Profiles: enable Basic or Advanced defaults; consist of the security settings.
- Policies: direct traffic to profiles; match on request or response parameters.
- After a policy is created it can be bound globally, so that all traffic is inspected by that policy, or bound to a single VS so that it takes effect only there.
Customizable profiles and policy. Complete web application protection with learning (positive security).

Application Firewall: Advanced profile
When configuring the application firewall (appfw), the first thing to do is create a profile. There are Basic and Advanced profiles; what is the difference? With an Advanced profile, sessionization (session tracking) is enabled. The security checks that require sessionization are URL Closure, Cookie Consistency and Form Field Consistency.

Application Firewall sessionization
What is sessionization? It means the appfw has to track all requests and responses from a client as long as the browser remains open within the session timeout period, i.e. it tracks each session. The session is marked by a session cookie; the default cookie name is citrix_ns_id. The default session timeout is 900 seconds (15 minutes).

AppFw: why sessionization is needed. Example 1: buffer overflow protection
Assume the appfw is configured with a buffer overflow check such that the maximum allowed URL length is 10 characters. The appfw does not need to care who sends the request: as long as the URL is longer than 10 characters, it blocks it.

AppFw: why sessionization is needed. Example 2: URL Closure
Assume the appfw is configured with Start URL and URL Closure protection, and the only allowed start URL is home1.htm. (Slide diagram: requests from User A.) In this example we can observe that a feature like URL Closure requires the appfw to record some sort of activity for each user session in order to decide whether to allow or block the request. In other words, the session's history is a factor in the allow/block decision.

AppFw sessionization: the price
We have to pay the price for sessionization, and that price is memory. Since information must be stored for each session, more memory is required. There is something interesting here: apart from the number of users, other factors affect how much memory is required.

AppFw URL Closure example
(Slide: Web page 1 and Web page 2.) For URL Closure, which of the two pages will consume more memory when a user accesses it as the start URL?

AppFw memory usage
Of course,
web page 2 will take more memory because it has many more hyperlinks: when the appfw stores information on which links the user may access, it needs to store more information.
- URL Closure: more hyperlinks, more memory required.
- Form Field Consistency: more forms and larger forms, more memory required.
Usually URL Closure is the most memory-consuming check, because web pages with a lot of links are common but web pages with a lot of forms are less common.

Easy Deployment Mode (Basic defaults, positive security model)
Protects against SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery (Referrer header), Forceful Browsing (Start/Deny URLs), Buffer Overflow and Form Field Formatting. No sessionization required; learning-aided deployment.

SQL Injection attacks
How this might be done: the user enters data into a form on a web page, and the application sends this as part of an SQL query to the backend database. (Slide: an "Item Lookup" form with the field "Enter Desired Item Number" and a SUBMIT button, into which 1234' or 1=1 is typed instead of an item number.)

Cross-Site Scripting (XSS) attacks: attacking trust relationships.

Cross-Site Request Forgery attacks: attacking trust relationships. Protection actions: verify Referrer headers; tag each form with a unique token and verify it on form submission. (Slide: CSRF Referrer Header Protection.)

Forceful Browsing
Forceful browsing attack: manipulating request URLs to gain access to content you are not entitled to see; brute-force penetration of the infrastructure. Example from the news: Paris Hilton's Sidekick hacked. Hacker Nicolas Jacobsen pled guilty to a single charge of intentionally accessing a protected computer and recklessly causing damage. Jacobsen was arrested by US authorities last October, but had had access to T-Mobile's servers for more than a year. He reportedly amused himself by accessing US Secret Service email and raiding other Sidekick users' accounts. ("I got hacked.")

Buffer Overflow Protection
A buffer overflow attack escalates from the application to the platform to the OS: gain application privileges, gain platform privileges, gain root server access. To prevent attackers from gaining unauthorized system privileges, the Application Firewall limits input parameter sizes for URLs, headers and cookies (between the Internet and the application server).
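To make Example 1 and Example 2 above concrete, here is an added Python simulation (not Citrix code) that places the stateless buffer-overflow URL-length check beside the sessionized Start URL and URL Closure check, keyed by the value of the session cookie (citrix_ns_id). The page HTML, paths and cookie values are constructed for the example, and the per-session link set makes the memory cost discussed above visible.

```python
import re
from urllib.parse import urljoin, urlparse

MAX_URL_LEN = 10             # Example 1 above: URLs longer than 10 characters are blocked
START_URLS = {"/home1.htm"}  # Example 2 above: the only allowed start URL
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def buffer_overflow_check(url):
    """Stateless check: the verdict depends only on the URL, not on who sent it."""
    return "ALLOW" if len(url) <= MAX_URL_LEN else "BLOCK:URL too long"

class ClosureSession:
    """Per-session state the appfw must keep for URL Closure (this is the memory cost)."""
    def __init__(self):
        self.allowed = set(START_URLS)

    def learn_links(self, page_path, html):
        """Record every link on a page the server returned; grows with the link count."""
        for href in HREF_RE.findall(html):
            self.allowed.add(urlparse(urljoin(page_path, href)).path)
        return len(self.allowed)

    def check(self, path):
        """Stateful check: allowed only if it is a start URL or was linked earlier."""
        return "ALLOW" if path in self.allowed else "BLOCK:APPFW_STARTURL"

# Session table keyed by the session cookie value (constructed values below).
SESSIONS = {}

def on_request(cookie, path):
    session = SESSIONS.setdefault(cookie, ClosureSession())
    return session.check(path)

def on_response(cookie, page_path, html):
    session = SESSIONS.setdefault(cookie, ClosureSession())
    return session.learn_links(page_path, html)

if __name__ == "__main__":
    # Constructed pages: page 2 has more links, so it costs more session memory.
    PAGE1 = '<a href="page2.htm">next</a>'
    PAGE2 = '<a href="a.htm">a</a><a href="b.htm">b</a><a href="c.htm">c</a>'
    print(buffer_overflow_check("/home1.htm"), buffer_overflow_check("/home1234.htm"))
    print(on_request("userA", "/home1.htm"), on_request("userA", "/page2.htm"))
    on_response("userA", "/home1.htm", PAGE1)
    print(on_request("userA", "/page2.htm"), on_request("userB", "/page2.htm"))
    print(on_response("userA", "/page2.htm", PAGE2))
```

Note that user B is blocked on /page2.htm even after user A has been shown a link to it: the decision depends on that session's own history.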
Advanced Defaults: session-based protection
Session-based, enables additional protections: Cookie Consistency, Form Field Consistency, URL Closure protection and tag-based Cross-Site Request Forgery protection. Includes all basic protections.

Cookie poisoning defense
Prevents identity theft and session hijacking. The web server sends the client a cookie; the client returns the cookie to the server; the Application Firewall verifies that cookies have not been modified by the client.

Cookie attack protection
- Encrypt cookies: encrypt only session cookies (non-persistent) or all application cookies; AES-192 encryption.
- Proxy cookies: replace all server cookies with a single App Firewall session cookie.
- Flag cookies: HTTPOnly (make the cookie unavailable to JavaScript), Secure (cookie submitted only for HTTPS URLs), or All (both attributes are added to the Set-Cookie header).

CSRF form tagging protection (slide). (Slide footer: Citrix Confidential, Do Not Distribute.)

HTML form field protection
The application sends the form to the client; the client completes and returns the form. Protect applications by blocking malicious and illegal input parameters. For each user session the AppFw ensures that:
- each field is returned;
- no fields were added by the client;
- read-only and hidden fields are unaltered;
- data in drop-down list or radio button fields conforms;
- the maximum length of form fields is adhered to.

Additional security measures: Click-to-Rule Application Firewall
Application Firewall relaxation rules can now be deployed from the logs. The logs must be in CEF log format. This is a convenient option to relax a rule that is blocking a legitimate request. Example log entry in CEF format:

Mar 15 16:48:14 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.90.33.39 spt=52737 method=GET request=http://10.90.196.152/ msg=Disallow Illegal URL. cn1=69 cn2=3999 cs1=Application_Firewall_Profile cs2=PPE2 cs3=edw9DRH/XRTNya64AIYNZM1sgfUA020 cs4=ALERT cs5=2012 act=blocked

Common Event Format logging support: easy integration with numerous vendors that support the CEF format.

Business object protection modules: financial theft prevention
Prevent the inadvertent disclosure of customer or corporate data. Configurable protections: credit card numbers; customer-defined data objects.
(Slide example: a server response containing Mastercard and VISA card numbers is shown in clear, then again with every digit replaced by X after the credit card check masks it.)

(Slide example: a database error message returned in a response.)

Server: Msg 547, Level 16, State 1, Procedure error_demo_sp, Line 2
UPDATE statement conflicted with COLUMN FOREIGN KEY constraint 'fk7_acc_cur'. The conflict occurred in database 'bos_sommar', table 'currencies', column 'curcode'. The