    PoC Guide: Protecting Gateway Virtual Servers with WAF, Bot, and Advanced Authentication Policies

    May 27, 2021

    Author:  Jacob Rutski

    Special thanks: Dileep Reddem, Michael Shuster, Matt Brooks, Martin Zugec, Anthony Raymer

    Overview

    Many NetScaler ADC appliances host VPN and NetScaler Gateway deployments that also provide security protections to other web applications. This PoC guide is designed to help protect VPN and Gateway virtual servers using tools already available on the NetScaler ADC appliance. This guide covers protecting the portal login page with Bot security and protecting the credential form submission with WAF capabilities. Also, advanced authentication policies add context to user logons and enable multifactor authentication.

    The flow of this configuration diagrammed as follows:

    (Figure: flow of the configuration described in this guide)

    Configuration Options

    This guide doesn’t provide an exhaustive list of protections, nor is it the only way to configure them. For example, deploying both IP Reputation and rate limiting using a responder policy on a Gateway virtual server is common. That configuration is also a supported deployment method; its outcome differs in that connections are dropped or reset before the Gateway login page is rendered.

    Also, the WAF profile doesn’t have every protection enabled to prevent complex configuration, custom tuning, and potential issues. Further configuration to the WAF profile is possible, see the links in the references section for guidance.

    Note:

    CAPTCHA isn’t the most secure option for an extra factor; it’s used here only for simplicity of explanation. Other MFA options such as TOTP or PUSH are preferable - see the references section for links to help in deploying these options.

    Prerequisites

    This guide assumes a working knowledge of NetScaler WAF deployment, Bot Security deployment, and Advanced Authentication Policies (nFactor). It makes assumptions that a gateway or authentication virtual server is already installed and configured. The following are requirements for the configuration:

    • Advanced Authentication Policies require release 12.1 build 57.18 or later
    • Web Application Firewall protections require release 12.1 build 57.18 or later
    • Bot Security protections require release 13.0 build 71.40 or later
    • Most of the features in this guide require a premium license
    • An existing server or service listening on port 80
    • An existing Gateway or authentication virtual server, with an existing advanced authentication configuration (advanced authentication or nFactor flow)
    • Enable the following features: NetScaler Web App Firewall, NetScaler Bot Management, and Reputation

    Bot Protection

    Bot Signatures

    From Security > Citrix Bot Management > Signatures, select the Default Bot Signatures and click the Clone button. Apply a descriptive name, then click create.


    Create a Bot Management Profile and Policy

    From Security > Citrix Bot Management > Profiles, select Add to create a new Bot Management Profile. Give the profile a descriptive name and select the previously created signature set.


    Select the profile to edit the advanced settings.

    Add IP Reputation from the right column and check the box to enable it.


    Next, choose ‘Add’ under categories, select IP for the Type, check the box for Enabled and set the action to Drop. Last, check the box for ‘Log’ and set the log message to something descriptive.


    Select Device Fingerprint from the right column, ensure that the ‘Enabled’ check box is NOT checked and click Update.


    The last setting for the Bot Profile is to enable rate limiting. Select Rate Limit from the right column and check the box for Enabled. Click ‘Add’ under Configure Resources, and add three URL type rate limit bindings for the following URLs:

    • /logon/LogonPoint/index.html
    • /logon/LogonPoint/tmindex.html
    • /vpn/index.html

    Configure each rate limit binding as follows:

    • Enabled
    • Rate of 5
    • Period of 1000
    • Action of Drop
    • Log set to enabled
    • Log Message with a descriptive message title

    The Bot Profile is now configured as follows:

    (Figure: the completed Bot Profile settings)

    Create a Bot Management Policy by going to Security > Citrix Bot Management > Bot Policies and choosing Add. Select the previously created Bot Profile, with an expression as follows:

    HTTP.REQ.URL.CONTAINS("/vpn")||HTTP.REQ.URL.CONTAINS("/logon")

    Finally, the bot policy is bound by selecting ‘Policy Manager’. Select a Bind Point of ‘Default Global’, select ‘Click to select’ to select the policy. Highlight the previously created policy, and choose ‘Select’. Select ‘Bind’ then ‘Done’.


    WAF Protection

    It isn’t possible to bind a WAF policy directly to a Gateway or authentication virtual server. Also, binding a WAF policy globally with an expression that targets Gateway or authentication virtual servers won’t function as expected. The policy processing order causes this malfunction - WAF policies are processed after Gateway and authentication policies. See the image below for a traffic flow clarification.

    (Figure: traffic flow showing that WAF policies are processed after Gateway and authentication policies)

    The WAF protection policy uses an HTTP Callout to protect the logon page and invalidate the authentication flow if a WAF exception is caught. This configuration requires a pattern set (Patset) that includes the login URLs, a dummy service and load balancing virtual server, an HTTP callout, and the WAF policy and configuration.

    Pattern Set

    Navigate to AppExpert > Pattern Sets and select ‘Add’. Give the new Pattern Set a name, then select ‘Insert’ and add the following patterns:

    • /cgi/login (index 1)
    • /nf/auth/doAuthentication.do (index 2)

    Alternatively, create the pattern set from the CLI:

    add policy patset GW_VPN_Patset
    bind policy patset GW_VPN_Patset "/cgi/login" -index 1
    bind policy patset GW_VPN_Patset "/nf/auth/doAuthentication.do" -index 2

    Dummy Virtual Server and Service

    The HTTP Callout uses a dummy virtual server. This virtual server doesn’t need to be publicly available, so it can be non-addressable. The virtual server DOES need to be up, so the back end server needs to be up and responding on port 80. A new service and virtual server are created in this guide, but a pre-existing virtual server can be used.

    Go to Traffic Management > Load Balancing > Services and select ‘Add’. Give the service a descriptive name, set the protocol to HTTP and port to 80. Enter the IP address of the server and choose OK. Alternatively, create the service with an existing server. Use all default settings, including monitors bound to the service.


    Next create the load balancing virtual server by going to Traffic Management > Load Balancing > Virtual Servers and select ‘Add’. Give the server a descriptive name, set the protocol to HTTP, and set the IP address type to Non Addressable. Bind the previously created service to this virtual server by selecting ‘No Load Balancing Virtual Server Service Binding’ then ‘Click to select’ and selecting the service. There is now 1 service bound to the virtual server and the state is ‘UP’.


    HTTP Callout

    Navigate to AppExpert > HTTP Callouts and select ‘Add’. Give the HTTP Callout a descriptive name, select ‘Virtual Server’ to receive the callout request, and select the dummy virtual server. In the Request to send to the server, select the type as Expression-Based, set the scheme to ‘HTTP’ and set the Full Expression to the following:

    HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048)

    Note:

    The name of the header here is ‘GW_VPN-WAF_Callout’ - the application firewall filtering expression uses it later. If the name is changed here, change the WAF header expression as well.

    In the Server Response section, set the return type to BOOL and set the expression to ‘true’.


    Alternatively, create the HTTP Callout from the CLI:

    add policy httpCallout GW_VPN_WAF_Callout -vServer dummy-vserver-here -returnType BOOL -fullReqExpr HTTP.REQ.FULL_HEADER.BEFORE_STR("\r\n\r\n")+"\r\nGW_VPN-WAF_Callout:abc\r\n\r\n"+HTTP.REQ.BODY(2048) -scheme http -resultExpr true
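    The following Python snippet is an added example, not code from the guide or from NetScaler: it mirrors what the callout's Full Expression does to a captured logon POST (keeps the original header block, appends the GW_VPN-WAF_Callout header, caps the body at 2048 bytes) and then evaluates the WAF policy expression against the result. The sample request and the value "abc" are constructed here.

```python
# Added example: simulate the HTTP Callout request rewrite and the WAF
# policy predicate used by this guide. Not NetScaler code; offline only.

CALLOUT_HEADER = "GW_VPN-WAF_Callout"   # header name used by the guide
CALLOUT_VALUE = "abc"                    # value used in the guide's expression
BODY_LIMIT = 2048                        # HTTP.REQ.BODY(2048) cap


def build_callout_request(raw_request: bytes) -> bytes:
    """Mirror HTTP.REQ.FULL_HEADER.BEFORE_STR("\\r\\n\\r\\n")
    + "\\r\\nGW_VPN-WAF_Callout:abc\\r\\n\\r\\n" + HTTP.REQ.BODY(2048)."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header/body separator")
    marker = f"\r\n{CALLOUT_HEADER}:{CALLOUT_VALUE}\r\n\r\n".encode()
    # Original headers (Content-Length included) are carried over unchanged;
    # only the first BODY_LIMIT bytes of the body reach the WAF.
    return head + marker + body[:BODY_LIMIT]


def parse_headers(raw: bytes) -> dict:
    """Return the header block as a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def waf_policy_matches(raw: bytes) -> bool:
    """Equivalent of HTTP.REQ.HEADER("GW_VPN-WAF_Callout").EXISTS."""
    return CALLOUT_HEADER.lower() in parse_headers(raw)


def body_of(raw: bytes) -> bytes:
    return raw.split(b"\r\n\r\n", 1)[1]


# Constructed sample: a Gateway logon form POST as a browser would send it.
SAMPLE_LOGON = (
    b"POST /cgi/login HTTP/1.1\r\n"
    b"Host: gateway.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"login=jdoe&passwd=secret"
)

if __name__ == "__main__":
    callout = build_callout_request(SAMPLE_LOGON)
    print("WAF policy hits original request:", waf_policy_matches(SAMPLE_LOGON))
    print("WAF policy hits callout request: ", waf_policy_matches(callout))
```

    Because the body is capped at 2048 bytes, a logon POST larger than that is only partially inspected by the WAF profile; the expression carries the original Content-Length over unchanged.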

    Authentication Policy

    Modify an existing LDAP authentication policy to use the HTTP Callout. Open the existing authentication policy by going to Security > AAA Application Traffic > Policies > Authentication > Advanced Policies > Policy, select the existing policy and choose ‘Edit’. Modify the existing expression to the following:

    HTTP.REQ.URL.CONTAINS_ANY("GW_VPN_Patset") && SYS.HTTP_CALLOUT(GW_VPN_WAF_Callout)


    Note:

    Use this expression with any authentication policy where you want to protect the form fields on the logon page.

    WAF Profile and Policy

    To build the WAF profile go to Security > Citrix Web Application Firewall > Profiles and choose ‘Add’. Give the profile a descriptive name and select Web Application (HTML) and Basic Defaults. Open the newly created profile by choosing ‘Edit’ then select ‘Security Checks’ from the right hand column.

    Enable the following security checks (disable all other settings):

    • Buffer Overflow - Log, Stats
    • Post Body Limit - Block, Log, Stats
    • HTML Cross-Site Scripting - Block, Log, Stats
    • HTML SQL Injection - Block, Log, Stats

    Next select ‘Profile Settings’ from the right hand column and set the Default Response to:

    application/octet-stream

    Then check the box for Log Every Policy Hit.


    Next, configure the WAF policy by going to Security > Citrix Web Application Firewall > Policies > Firewall and choose ‘Add’. Give the policy a descriptive name and select the profile created in the previous step. For the expression, enter the following:

    HTTP.REQ.HEADER("GW_VPN-WAF_Callout").EXISTS

    Note:

    The name of the header here must match the header in the HTTP Callout created earlier.

    Last, bind the WAF policy to the dummy load balancing virtual server created earlier by going to Traffic Management > Load Balancing > Virtual Servers. Select the virtual server then choose ‘Edit’.

    From the right hand column, select ‘Policies’ then click the ‘+’ plus to add a policy. Select policy App Firewall and type Request. Select the policy created previously then select ‘Bind’ and ‘Done’.


    Alternatively, create the WAF configuration using the CLI as follows:

    add appfw profile demo_appfw_profile -startURLAction none -denyURLAction none -fieldFormatAction none -bufferOverflowAction log stats -responseContentType "application/octet-stream" -logEveryPolicyHit ON -fileUploadTypesAction none
    add appfw policy demo_appfw_policy "HTTP.REQ.HEADER(\"GW_VPN-WAF_Callout\").EXISTS" demo_appfw_profile
    bind lb vserver dummy-vserver-here -policyName demo_appfw_policy -priority 100 -gotoPriorityExpression END -type REQUEST

    Advanced Authentication Settings

    There are two configurations related to authentication - encrypting user credentials from the client to the ADC within nFactor and IP reputation based MFA.

    Encrypting User Credentials

    The following setting makes the ADC encrypt the credential set, using ECDHE algorithms, when the user submits the form data. To enable this setting, navigate to NetScaler Gateway > Global Settings > Authentication Settings > Change Authentication AAA settings and set Login Encryption to ENABLED.


    Alternatively, change this setting from the CLI as follows:

    set aaa parameter -loginEncryption ENABLED

    IP Reputation Based MFA

    Use IP Reputation with advanced authentication to prompt the user for an extra factor if the IP Reputation database includes the source address. A manually maintained data set of addresses is checked as well.

    Important:

    The following configuration example uses CAPTCHA as a means to provide another factor of authentication, but any other MFA tool can be used. As with all nFactor configurations, the policies, schemas, and policy labels shown here are simple examples - add further configuration to meet any specific login use case.

    See the references section for additional details on configuring TOTP or PUSH as a factor and for additional CAPTCHA configurations.

    Create a data set by going to AppExpert > Data Sets and selecting ‘Add’. Create a data set with a descriptive name, a type of ‘ipv4’ and click ‘Create’.


    Next, two advanced authentication policies need to be created by going to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy and select ‘Add’.

    Create the first policy with a descriptive name, an action type of NO_AUTHN, and the expression set to ‘true’.


    Create the second policy with a descriptive name, action type of NO_AUTHN, and an expression as follows:

    CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("suspicious_ips")

    Note:

    Use the name of the previously created data set here.
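    As an added example (not code from the guide or from NetScaler), the Python below models the decision the two NO_AUTHN policies make inside the policy label: the second policy's expression decides whether the CAPTCHA factor is required, otherwise the ‘true’ policy lets the logon complete. The IP Reputation feed, the contents of the "suspicious_ips" data set, the sample addresses and the policy label names are constructed stand-ins, and the binding order is an assumption not stated in the guide.

```python
# Added example: model the IP-reputation-based next-factor decision.
# Not NetScaler code; the feed and data set contents are constructed here.
import ipaddress

# Stand-in for the IP Reputation database behind CLIENT.IP.SRC.IPREP_IS_MALICIOUS
IPREP_MALICIOUS = {"203.0.113.7"}

# Stand-in for the ipv4 data set named "suspicious_ips" (AppExpert > Data Sets)
SUSPICIOUS_IPS = {"198.51.100.23", "198.51.100.24"}

# Assumed policy label names (placeholders, not from the guide)
CAPTCHA_LABEL = "PL_captcha_ldap"   # CAPTCHA schema + LDAP action (guide's first PL)
DONE = "done"                       # no next factor: logon completes


def iprep_is_malicious(src: str) -> bool:
    """CLIENT.IP.SRC.IPREP_IS_MALICIOUS"""
    return src in IPREP_MALICIOUS


def in_dataset(src: str, dataset: set) -> bool:
    """CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("suspicious_ips")"""
    return src in dataset


def needs_extra_factor(src: str) -> bool:
    """Expression of the guide's second NO_AUTHN policy."""
    ipaddress.IPv4Address(src)      # reject malformed input (raises ValueError)
    return iprep_is_malicious(src) or in_dataset(src, SUSPICIOUS_IPS)


# Policy label evaluation: policies are tried in priority order and the first
# whose expression matches selects the next factor. Assumption: the IP check is
# bound at a higher priority than the 'true' policy; reversed, every logon
# would match 'true' first and the CAPTCHA factor would never be reached.
POLICIES = [
    ("chk_suspicious_source", needs_extra_factor, CAPTCHA_LABEL),  # second policy
    ("chk_always_true",       lambda _src: True,  DONE),           # first policy, 'true'
]


def next_factor(src: str) -> str:
    for _name, rule, factor in POLICIES:
        if rule(src):
            return factor
    return DONE


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.24"):
        print(ip, "->", next_factor(ip))
```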

    Next, a CAPTCHA login schema profile is created by going to Security > AAA - Application Traffic > Login Schema > Profiles Tab and selecting ‘Add’. Give the profile a descriptive name then edit the Authentication Schema by selecting the ‘pencil’ edit icon. Browse to the LoginSchema directory, highlight SingleAuthCaptcha.xml, and choose Select.


    Next, create an authentication policy label for the Captcha schema by going to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy Label and selecting ‘Add’. Give the PL a descriptive name and select the previously created captcha login schema. Bind the required LDAP action policy.

    Note:

    This example is reusing a previously created LDAP authentication action.


    Create another policy label by selecting ‘Add’. Give this PL a descriptive name, and set the login schema to LSCHEMA_INT. Next, bind the two previously created NO_AUTHN authentication policies.


    Last, set this IP Reputation check policy label as the next factor of the existing authentication policy, the one already bound to the authentication or Gateway virtual server. Highlight the authentication policy, select ‘edit binding’, then set the new policy label in the ‘Select Next Factor’ field.


    Summary

    NetScaler ADC provides many built-in security protections that protect Gateway or Authentication virtual servers running on the same appliance. These protections have no impact on typical users as they try to log in to NetScaler Gateway.

    References

    For additional information and configuration options, see the following articles:

    Introduction to Citrix Web Application Firewall - Citrix Product Docs: Introduction to Citrix Web Application Firewall

    Citrix Web Application Firewall PoC Guide - proof of concept deployment guide for Citrix Web Application Firewall

    Citrix Training for Application Delivery and Security - Citrix Education Training for Application Delivery and Security

    Getting started with NetScaler ADC - Citrix Product Docs: Getting started with NetScaler ADC - Packet Flow

    IP Reputation - Citrix Product Docs: IP Reputation

    Bot Management - Citrix Product Docs: Bot Management

    Bot Detection - Citrix Product Docs: Bot Detection

    nFactor Authentication - Citrix Product Docs: nFactor Authentication

    NetScaler ADC - nFactor Basics Cheat Sheet - Citrix Tech Zone: Diagrams and Posters NetScaler ADC - nFactor Basics Cheat Sheet

    CTX216091 - supporting re-Captcha with nFactor

    nFactor for NetScaler Gateway with Push Token - proof of concept deployment guide for TOTP push tokens for NetScaler Gateway
