NetScaler 培訓教學內(nèi)容.ppt (NetScaler training material, text extracted from the slides)
Citrix NetScaler Application Firewall Training

Agenda
- Citrix WAF overview
- Shunwang (順網(wǎng)) network topology and NetScaler architecture overview
- Business go-live process
- Application Firewall technology overview

Web application firewall: where it sits
A network firewall and IDS/IPS sit in front of the web tier and inspect HTTP/HTTPS traffic by signature. Behind them are the web applications (custom web programs, customised packaged applications, in-house or third-party code), and behind those the database servers holding the private data: customer information, business data, transaction information. A signature device that cannot interpret what it sees lets it pass ("I don't understand it, so I let it through"). A WAF understands the web application's content and refuses what it cannot validate ("I can read the document; if I don't understand it, you don't get through"), while normal access passes.

Protection logic: WAF vs IPS vs network firewall
                    Positive protection (whitelist)                 Negative protection (blacklist)
Basis               legitimate rules derived from the web           known attack signatures
                    application's content and logic, applied to
                    inbound and outbound connection content
Default behaviour   block                                           allow
On a match          allow                                           block
Benefit             defends against known and unknown attacks       defends against known attacks
Products            WAF, others                                     antivirus software, AV gateways, IDS, IPS, others
Weakness            needs time to learn and configure; false        prone to false positives; easy to bypass
                    positives only when misconfigured

WAF operating mechanism: bidirectional protection
Internet -> WAF -> Intranet (protected application)
- User request: request inspection (input validity checks), then safe forwarding to the protected application.
- Server response: response content protection processing, then safe forwarding back to the user.

Hybrid security model
The NetScaler web application firewall uses a hybrid security model: a positive model (a self-learned whitelist of the application's legitimate behaviour) combined with a negative model (signature detection). The hybrid model protects against both known and unknown security threats.

Citrix NetScaler integrates multiple application security functions
NetScaler MPX (hardware) and VPX (virtual) appliances combine DDoS protection, SSL VPN, SSL, WAF, XML firewall, AAA, SSO and reporting on one platform. For web application users coming from the Internet this provides:
- legitimate traffic allowed through, with response content inspection
- application attack blocking, including zero-day attacks, through bidirectional inspection
- advanced attack defence with support for SSL-encrypted connections
- ICSA and Common Criteria certification

Current network topology
(diagram only)

NetScaler Architecture Overview

NetScaler-owned IP addresses
The NetScaler system uses different types of IP addresses for management and for proxying connections to the server:
- NetScaler IP (NSIP) addresses
- Subnet IP (SNIP) addresses
- Virtual IP (VIP) addresses

NetScaler IP address
The NSIP is the primary address for management and general system access. The default address and netmask are 192.168.100.1/16 (255.255.0.0). Changing the NSIP requires a reboot of the appliance.

Subnet IP address
The SNIP is used in connection management and server monitoring. A SNIP gives the NetScaler an Address Resolution Protocol (ARP) presence in subnets on which the system would not otherwise be addressable (that is, subnets other than the NSIP's own). A NetScaler should have a SNIP configured for every directly connected subnet.

Virtual IP address
VIP addresses are used for client-to-NetScaler communication. When the VIP is a public IP address it usually corresponds to the DNS entry for a domain. A VIP is created automatically when a virtual server is added.
Entity management and high availability functionality
(diagrams only)

Network-wide configuration changes after go-live
- The NetScaler (NS) publishes one external VIP.
- The F5's VIP becomes the Service behind the NS virtual server (VS).
- On the firewall, the existing mapping to the F5 VS is changed to a mapping to the NS VS.
- The backend servers need to see the real client IP address. In the current architecture the F5 inserts an HTTP X-Forwarded-For header carrying the client IP, and the servers parse that header to obtain the real client IP. After the NS is deployed, the NS adds this header instead: the feature configured on the F5 is removed, the same feature is configured on the NS, and the header name configured on the NS is kept unchanged, so the backend servers need no modification.

Hardware components
Hardware components of the NetScaler system include:
- network interfaces
- LCD
- serial interface
- file system: RAM drive, flash memory (/flash), hard disk (/var)

Operating procedure
- Log in through the GUI to configure the device; the client needs a JRE. Both the NSIP and a SNIP can be used to configure and manage the device.
- Log in through SSH to view the configuration and perform other operations on the command line.

Go-live procedure
1. Create a Service pointing at the F5 VS address.
2. Create the externally published VS address and bind the corresponding Service to it.
3. Create a WAF policy.
4. Bind the WAF policy to the corresponding VS.

WAF technology introduction

Data flow process
EXTERNAL (client) -> NetScaler -> INTERNAL (web applications -> database)
1. Client request
2. Request inspections
3. Client request forwarded to the web application
4. Server response
5. Response inspections
6. Server response returned to the client
Checks applied: Start URLs, XSS, SQL injection, field consistency, buffer overflow, credit cards, Safe Object.

Full ADC integration
- Profiles: enable Basic or Advanced defaults; a profile consists of the security settings (checks).
- Policies: direct traffic to profiles; they match on request or response parameters. Once a policy is created it can be bound globally, so that all traffic is checked against it, or bound to a single VS so that it takes effect only there.
Customisable profiles and policies give complete web application protection with learning (positive security).

Application Firewall: Advanced profile
When configuring the Application Firewall (appfw), the first thing to do is create a profile. There are Basic and Advanced profiles; the difference is that the Advanced profile enables sessionization (session tracking). The security checks that require sessionization are URL Closure, Cookie Consistency and Form Field Consistency.
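The go-live change above moves X-Forwarded-For insertion from the F5 to the NetScaler and leaves the backend parsing the header. The practitioner's caveat is that the header is client-controlled unless the backend only honours it from the proxy that inserted it. The following is an added example of that backend logic, not code from the training deck or from Citrix; the proxy addresses 10.0.0.5 and 10.0.0.6, the sample requests and the assumption that the proxy appends (rather than replaces) the header are constructed for the example.

```python
"""Recovering the real client IP from X-Forwarded-For at the backend.

Added example (not part of the training deck or Citrix's code). Assumptions:
the only hops allowed to reach the backend are the NetScaler SNIPs listed in
TRUSTED_PROXIES, and the proxy appends the client address to any existing
header instead of replacing it.
"""
import ipaddress
from dataclasses import dataclass, field

XFF = "X-Forwarded-For"
# Assumed: addresses of the proxies that are allowed to speak to the backend.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}


@dataclass
class Request:
    peer_ip: str                          # TCP source address seen by the backend
    headers: dict = field(default_factory=dict)


def proxy_insert_xff(client_ip: str, headers: dict) -> dict:
    """What the proxy does: append the client address to any existing header.
    Appending keeps the chain intact when several proxies are in the path; the
    backend then trusts only the entry its own trusted hop added."""
    out = dict(headers)
    out[XFF] = f"{out[XFF]}, {client_ip}" if XFF in out else client_ip
    return out


def real_client_ip(req: Request) -> str:
    """Return the client address the backend should log and authorise on.

    The header is honoured only when the immediate peer is a trusted proxy;
    otherwise the peer itself is the client and anything in X-Forwarded-For is
    attacker-controlled. Within the header, walk from the right and skip
    trusted proxies: the first untrusted hop is the address the trusted proxy
    actually saw. A malformed entry in that position falls back to the peer.
    """
    peer = ipaddress.ip_address(req.peer_ip)
    if peer not in TRUSTED_PROXIES or XFF not in req.headers:
        return str(peer)
    hops = [h.strip() for h in req.headers[XFF].split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def demo() -> dict:
    """Three constructed cases: a direct spoof, a spoof through the NetScaler,
    and a two-proxy chain."""
    spoof_direct = Request("203.0.113.7", {XFF: "1.2.3.4"})
    via_ns = Request("10.0.0.5", proxy_insert_xff("198.51.100.23", {XFF: "1.2.3.4"}))
    chained = Request("10.0.0.5", {XFF: "198.51.100.23, 10.0.0.6"})
    return {
        "direct spoof ignored": real_client_ip(spoof_direct),   # 203.0.113.7
        "spoof through proxy ignored": real_client_ip(via_ns),  # 198.51.100.23
        "two proxies": real_client_ip(chained),                 # 198.51.100.23
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```

Whichever device inserts the header, the backend rule stays the same: trust the header only from the peer that inserted it, and read the entry that peer added.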
Application Firewall: sessionization
What is sessionization? The appfw tracks all requests and responses from a client for as long as the browser remains open within the session timeout period; that is, it tracks each session. The session is marked by a session cookie. The default cookie name is citrix_ns_id and the default session timeout is 900 seconds (15 minutes).

Why sessionization is needed, example 1: buffer overflow protection
Assume the appfw is configured with a buffer overflow check such that the maximum allowed URL length is 10 characters. The appfw does not need to care who sends the request: as long as the URL is longer than 10 characters it will block it. No per-session state is needed.

Why sessionization is needed, example 2: URL Closure
Assume the appfw is configured with Start URL and URL Closure protection, and the only allowed start URL is home1.htm. When user A requests home1.htm, the appfw records the links in the page that is returned, and a later request from user A is allowed only if it is for a start URL or for a link that user has been shown. A feature like URL Closure therefore requires the appfw to record some sort of activity for each user session in order to decide whether to allow or block a request. In other words, the session's history is a factor in the allow/block decision.

Sessionization: the price is memory
Since information has to be stored for each session, more memory is required. Besides the number of users, other factors affect how much memory is needed.

URL Closure example: web page 1 (few links) versus web page 2 (many links). Which page consumes more memory when a user accesses it as a start URL? Web page 2, because it has many more hyperlinks: when the appfw stores information on which links the user may follow, it has to store more entries.
- URL Closure: more hyperlinks, more memory.
- Form Field Consistency: more forms, or larger forms, more memory.
Usually URL Closure is the biggest memory consumer, because web pages with many links are common while web pages with many forms are less so.

Easy deployment mode (Basic defaults)
Protects against SQL injection, cross-site scripting, cross-site request forgery (Referer header check), forceful browsing (Start/Deny URLs), buffer overflow and form field formatting. No sessionization required. Learning-aided deployment.
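The two examples above (a stateless URL-length limit versus URL Closure, which needs per-session history) and the memory point that follows them can be made concrete with a small model. This is an added example, not code from the training deck or from Citrix; the cookie name citrix_ns_id, the 900 s timeout, the 10-character limit and the home1.htm start URL come from the slides, while the pages, links and request sequence are constructed.

```python
"""Stateless versus session-based checks, modelled in Python.

Added example, not code from the training deck or from Citrix. It shows why
the URL-length (buffer overflow) check needs no state while URL Closure needs
a per-session record of the links each user has been shown, and why that
record grows with the number of links on the page. The pages, links and
request sequence are constructed for the example.
"""
import re
import time
from urllib.parse import urljoin

MAX_URL_LEN = 10                 # the slide's example limit
SESSION_COOKIE = "citrix_ns_id"  # default appfw session cookie name
SESSION_TIMEOUT = 900            # default session timeout in seconds
START_URLS = {"/home1.htm"}      # the slide's only allowed start URL

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

# Constructed origin-server pages. /cart.htm carries 200 links, so a session
# that reaches it stores 200 more allowed URLs than one that only saw /home1.htm.
PAGES = {
    "/home1.htm": '<a href="/about.htm">About</a> <a href="/cart.htm">Cart</a>',
    "/about.htm": "<p>no links here</p>",
    "/cart.htm": "".join(f'<a href="/item/{i}.htm">item {i}</a>' for i in range(200)),
}


def buffer_overflow_check(url: str) -> bool:
    """Stateless: the verdict depends on this request alone, whoever sent it."""
    return len(url) <= MAX_URL_LEN


class UrlClosure:
    """Session-based: a URL is allowed if it is a start URL or a link that the
    same session was shown in an earlier response. The clock is injectable so
    the timeout can be exercised without waiting."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._sessions = {}      # session id -> {"allowed": set of URLs, "last": time}

    def _session(self, sid: str) -> dict:
        s = self._sessions.get(sid)
        if s is None or self._now() - s["last"] > SESSION_TIMEOUT:
            s = {"allowed": set(), "last": self._now()}   # new or expired: history reset
            self._sessions[sid] = s
        s["last"] = self._now()
        return s

    def check_request(self, sid: str, url: str) -> bool:
        s = self._session(sid)
        return url in START_URLS or url in s["allowed"]

    def learn_response(self, sid: str, url: str, body: str) -> int:
        """Record every link in the response as allowed for this session and
        return how many URLs the session now holds (its memory footprint)."""
        s = self._session(sid)
        for href in HREF_RE.findall(body):
            s["allowed"].add(urljoin(url, href))
        return len(s["allowed"])


def browse(closure: UrlClosure, cookies: dict, url: str) -> bool:
    """One request/response cycle: verdict first, then (if allowed) learn the
    links on the page that comes back from the origin."""
    sid = cookies[SESSION_COOKIE]
    if not closure.check_request(sid, url):
        return False
    closure.learn_response(sid, url, PAGES.get(url, ""))
    return True


def simulate() -> list:
    """User A walks home1 -> cart -> item; user B jumps straight to the cart."""
    closure = UrlClosure()
    a, b = {SESSION_COOKIE: "sessionA"}, {SESSION_COOKIE: "sessionB"}
    return [
        ("A", "/home1.htm", browse(closure, a, "/home1.htm")),    # start URL: allowed
        ("A", "/cart.htm", browse(closure, a, "/cart.htm")),      # linked from home1: allowed
        ("A", "/item/5.htm", browse(closure, a, "/item/5.htm")),  # linked from cart: allowed
        ("A", "/admin.htm", browse(closure, a, "/admin.htm")),    # never offered: blocked
        ("B", "/cart.htm", browse(closure, b, "/cart.htm")),      # no history: blocked
    ]


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The same request (/cart.htm) is allowed for user A and blocked for user B purely because of each session's history, which is the point of the slide; and the size of each session's allowed set is exactly the link count of the pages it has seen, which is the memory cost discussed above.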
Basic defaults: positive security model

SQL injection attacks
How this might be done: the user enters data into a form on a web page, and the application sends this as part of an SQL query to the backend database. The slide's example is an item lookup form ("Enter desired item number", SUBMIT) where the attacker submits
    1234 or 1=1
instead of an item number, so the WHERE clause becomes true for every row.

Cross-site scripting (XSS) attacks: attacking trust relationships (the browser's trust in the site).

Cross-site request forgery (CSRF) attacks: attacking trust relationships (the site's trust in the browser). Protection actions:
- verify Referer headers (Referer header protection)
- tag each form with a unique token and verify it on form submission

Forceful browsing
A forceful browsing attack manipulates request URLs to gain access to content you are not entitled to see, or brute-forces its way into the infrastructure. The slide's illustration: Paris Hilton's Sidekick was hacked. Hacker Nicolas Jacobsen pled guilty to a single charge of intentionally accessing a protected computer and recklessly causing damage. Jacobsen was arrested by US authorities last October but had had access to T-Mobile's servers for more than a year. He reportedly amused himself by accessing US Secret Service e-mail and raiding other Sidekick users' accounts. ("I got hacked.")

Buffer overflow protection
A buffer overflow attack lets the hacker climb from the application to the platform and OS: gain application privileges, then platform privileges, then root access on the server. To prevent hackers from gaining unauthorised system privileges, the Application Firewall limits the input parameter sizes for URLs, headers and cookies before they reach the application server.

Advanced defaults: session-based protection
Session-based checks enable additional protections on top of all the Basic protections: Cookie Consistency, Form Field Consistency, URL Closure protection and tag-based cross-site request forgery protection.

Cookie poisoning defence
Prevents identity theft and session hijacking. The web server sends the client a cookie; the client returns the cookie to the server; the Application Firewall verifies that cookies have not been modified by the client.

Cookie attack protection
- Encrypt cookies: encrypt only session cookies (non-persistent) or all application cookies, using AES-192 encryption.
- Proxy cookies: replace all server cookies with a single Application Firewall session cookie.
- Flag cookies: HttpOnly (makes the cookie unavailable to JavaScript), Secure (the cookie is submitted only for HTTPS URLs), or All (both attributes are added to the Set-Cookie header).
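The item-lookup injection above can be reproduced end to end. The following is an added example, not code from the training deck or from Citrix: an in-memory SQLite table stands in for the backend database, the two lookup functions show the string-built query the slide describes beside its parameterised form, and waf_decision is a constructed hybrid check (a positive field-format rule plus a few negative signatures) of the kind a profile would apply to the form field before the application sees it.

```python
"""The slide's item-lookup injection, run against SQLite.

Added example, not from the training deck or Citrix. The items table, both
queries and the WAF-style checks are constructed to reproduce the slide's
scenario: the input "1234 or 1=1" makes string-built SQL return every row,
the parameterised query treats it as a non-matching item number, and the
field-format (positive) and signature (negative) checks catch it in front of
the application.
"""
import re
import sqlite3

SAMPLE_ITEMS = [(1234, "widget", 9.99), (2345, "gadget", 19.99), (9999, "internal-only", 0.0)]


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the backend database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (num INTEGER, name TEXT, price REAL)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return con


def lookup_vulnerable(con, item_number: str) -> list:
    """What the slide describes: the form value is pasted into the query text,
    so 'or 1=1' becomes part of the WHERE clause."""
    sql = f"SELECT num, name FROM items WHERE num = {item_number}"
    return con.execute(sql).fetchall()


def lookup_parameterised(con, item_number: str) -> list:
    """Bound parameter: the value is data, never SQL. SQLite applies the
    column's numeric affinity, so '1234' matches and '1234 or 1=1' stays a
    non-numeric string that matches nothing."""
    return con.execute("SELECT num, name FROM items WHERE num = ?", (item_number,)).fetchall()


# Positive rule: what a learned profile would accept for this field (assumed).
ITEM_NUMBER_FORMAT = re.compile(r"^\d{1,6}$")
# Negative rules: a few classic injection signatures, used to name the attack.
SQLI_SIGNATURES = (
    ("tautology", re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("comment or statement break", re.compile(r"(--|/\*|;)")),
    ("sql keyword", re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I)),
)


def waf_decision(field_value: str) -> tuple:
    """Hybrid check on the raw form field, before it reaches the application.
    Returns (blocked, reason): the positive rule catches anything unexpected,
    and the signatures give the block a name for the log."""
    if ITEM_NUMBER_FORMAT.match(field_value):
        return False, "allowed"
    for name, rx in SQLI_SIGNATURES:
        if rx.search(field_value):
            return True, f"SQL injection ({name})"
    return True, "field format violation"


if __name__ == "__main__":
    con = make_db()
    for value in ("1234", "1234 or 1=1"):
        print(value, "->", waf_decision(value))
        print("  vulnerable:", lookup_vulnerable(con, value))
        print("  parameterised:", lookup_parameterised(con, value))
```

Note the order in waf_decision: the positive rule decides, the signatures only label. A value that fails the format but matches no signature is still blocked, which is how the whitelist model covers attacks the signature list has never seen.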
CSRF form tagging protection

HTML form field protection
The application sends a form to the client; the client completes and returns the form. Applications are protected by blocking malicious and illegal input parameters. For each user session, the Application Firewall ensures that:
- each field is returned
- no fields were added by the client
- read-only and hidden fields are unaltered
- data in drop-down list or radio button fields conforms to the offered values
- the maximum length of form fields is adhered to

Additional security measures

Click-to-Rule Application Firewall
Application Firewall relaxation rules can now be deployed directly from the logs, a convenient option for relaxing a rule that is blocking a legitimate request. The logs must be in CEF log format.

Common Event Format (CEF) logging support
Example CEF-based log line from the slide (spacing, URL punctuation and the separator inside cs3 reconstructed from the extracted text):

Mar 15 16:48:14 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.90.33.39 spt=52737 method=GET request=http://10.90.196.152/ msg=Disallow Illegal URL cn1=69 cn2=3999 cs1=Application_Firewall_Profile cs2=PPE2 cs3=edw9DRH+XRTNya64AIYNZM1sgfUA020 cs4=ALERT cs5=2012 act=blocked

CEF allows easy integration with the numerous vendors that support the format.

Business object protection modules: financial theft prevention
Prevent the inadvertent disclosure of customer or corporate data in responses. Configurable protections: credit card numbers, and customer-defined data objects (Safe Object).

Slide demo, before: a server response containing sample card numbers (from the slide)
Mastercard: 5168701720999598 5487106695039822 5374247346295037 5229226821960783 5120772245608565 5418244166026814 5214846392378060 5593219822414122 5302495774841718 5141463445796112
VISA: 4532804852500010 4328380488186126 4532740912246923 4716318594729561 4916022347049263 4929693453925879 4916392627322353 4485495924283904 4532203936162055 4916164014266109
Slide demo, after: every number in the response is rendered as XXXXXXXXXXXXXXXX.

Slide demo of information leakage in an error page (the text is cut off on the slide):
Server: Msg 547, Level 16, State 1, Procedure error_demo_sp, Line 2
UPDATE statement conflicted with COLUMN FOREIGN KEY constraint 'fk7_acc_cur'. The conflict occurred in database 'bos_sommar', table 'currencies', column 'curcode'. The
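The session-based checks described above (cookie consistency, form tagging for CSRF, and the five form field consistency rules) share one mechanism: remember what the server sent in this session and compare it with what the client returns. The following is an added example of that mechanism, not code from the training deck or from Citrix; the checkout form, its field names, the hidden tag field name and the cookie values are assumptions constructed for the example.

```python
"""Session-based form and cookie checks, modelled in Python.

Added example, not code from the training deck or from Citrix. It implements
the checks listed above on a constructed checkout form: a per-session form
tag that the client must echo (tag-based CSRF protection), form field
consistency (every field returned, none added, hidden and read-only values
unaltered, select values within the offered options, maxlength respected)
and cookie consistency (server-set cookies come back unmodified). The form
layout, field names and tag field name are assumptions for the example.
"""
import secrets
from dataclasses import dataclass

TAG_FIELD = "_appfw_tag"         # hidden field carrying the form tag (assumed name)


@dataclass(frozen=True)
class Field:
    name: str
    kind: str                    # "text", "hidden", "readonly" or "select"
    value: str = ""              # server-supplied value for hidden/readonly
    maxlength: int = 256
    options: tuple = ()          # permitted values for "select"


# Constructed checkout form: the price is read-only and the item id hidden,
# both classic targets for client-side tampering.
CHECKOUT_FORM = (
    Field("item", "hidden", "1234"),
    Field("price", "readonly", "9.99"),
    Field("qty", "text", maxlength=3),
    Field("ship", "select", options=("standard", "express")),
)


class SessionGuard:
    def __init__(self):
        self._forms = {}         # (session id, tag) -> field layout that was sent
        self._cookies = {}       # session id -> {cookie name: value the server set}

    # response side: remember what was sent to the client
    def tag_form(self, sid: str, fields: tuple) -> dict:
        """Render the form for the client with a unique tag bound to this
        session and field layout; the tag is what a forged request lacks."""
        tag = secrets.token_hex(16)
        self._forms[(sid, tag)] = fields
        rendered = {f.name: f.value for f in fields}
        rendered[TAG_FIELD] = tag
        return rendered

    def record_set_cookie(self, sid: str, name: str, value: str) -> None:
        self._cookies.setdefault(sid, {})[name] = value

    # request side: compare what comes back with what was sent
    def check_cookies(self, sid: str, cookies: dict) -> list:
        """Names of cookies the client changed since the server set them."""
        expected = self._cookies.get(sid, {})
        return [n for n, v in cookies.items() if n in expected and expected[n] != v]

    def check_submission(self, sid: str, submitted: dict) -> list:
        """Violations in a form post; an empty list means it is consistent."""
        fields = self._forms.get((sid, submitted.get(TAG_FIELD)))
        if fields is None:
            return ["csrf: missing or unknown form tag for this session"]
        errors = []
        expected = {f.name: f for f in fields}
        for extra in sorted(set(submitted) - set(expected) - {TAG_FIELD}):
            errors.append(f"added field: {extra}")
        for name, f in expected.items():
            if name not in submitted:
                errors.append(f"missing field: {name}")
                continue
            v = submitted[name]
            if f.kind in ("hidden", "readonly") and v != f.value:
                errors.append(f"{f.kind} field altered: {name}")
            elif f.kind == "select" and v not in f.options:
                errors.append(f"value not offered: {name}={v}")
            if len(v) > f.maxlength:
                errors.append(f"maxlength exceeded: {name}")
        return errors


if __name__ == "__main__":
    g = SessionGuard()
    form = g.tag_form("sessionA", CHECKOUT_FORM)
    tampered = dict(form, price="0.01", qty="2", ship="free", admin="1")
    print(g.check_submission("sessionA", tampered))
```

A forged cross-site request cannot carry a valid tag because the tag was only ever delivered inside a form served to this session; the same stored layout is what lets the guard notice a price rewritten in the browser's developer tools. The cost is the per-session storage discussed under sessionization: one layout per form served.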
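Click-to-Rule works because every field needed for a relaxation is already in the CEF line: the profile (cs1), the check (the CEF signature ID) and the offending URL (request=). The following is an added example of parsing that line and deriving the relaxation from it, not code from the training deck or from Citrix. The first line is the one shown on the slide; the two further lines are constructed, and the shape of the resulting `bind appfw profile ... -startURL` command is my assumption about what the GUI generates and should be checked against the appliance's own help before use.

```python
"""Parsing the CEF log line above and deriving a relaxation rule from it.

Added example, not from the training deck or Citrix. SLIDE_LINE is the line
shown on the slide; CONSTRUCTED_LINES are made up for the example. The
relaxation command is rendered in NetScaler CLI shape as an assumption; the
fields it uses (profile in cs1, check in the signature ID, URL in request=)
come from the log.
"""
import re
from collections import Counter

SLIDE_LINE = ("Mar 15 16:48:14 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|"
              "src=10.90.33.39 spt=52737 method=GET request=http://10.90.196.152/ msg=Disallow Illegal URL "
              "cn1=69 cn2=3999 cs1=Application_Firewall_Profile cs2=PPE2 cs3=edw9DRH+XRTNya64AIYNZM1sgfUA020 "
              "cs4=ALERT cs5=2012 act=blocked")
CONSTRUCTED_LINES = [
    # CEF escapes '=' inside a value as '\='; the parser has to undo that.
    "Mar 15 16:49:02 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SQL|6|src=10.90.33.40 spt=52801 "
    "method=POST request=http://10.90.196.152/lookup.asp msg=SQL Keyword check failed for field item\\=\"1234 or 1\\=1\" "
    "cn1=70 cn2=4000 cs1=Application_Firewall_Profile cs2=PPE2 cs3=abc cs4=ALERT cs5=2012 act=blocked",
    "Mar 15 16:49:30 10.90.196.150 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.90.33.41 spt=52990 "
    "method=GET request=http://10.90.196.152/css/site.css msg=Disallow Illegal URL cn1=71 cn2=4001 "
    "cs1=Application_Firewall_Profile cs2=PPE2 cs3=def cs4=ALERT cs5=2012 act=not blocked",
]

HEADER_RE = re.compile(r"^(?P<prefix>.*?)CEF:(?P<version>\d+)\|")
HEADER_FIELDS = ("vendor", "product", "product_version", "signature_id", "name", "severity")
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")   # an unescaped 'key=' starts a new extension field


def _split_header(rest: str):
    """Split the pipe-separated header, honouring the CEF '\\|' escape, and
    return (header fields, remaining extension text)."""
    parts, cur, i = [], [], 0
    while i < len(rest) and len(parts) < len(HEADER_FIELDS):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            cur.append(rest[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return parts, rest[i:]


def parse_cef(line: str) -> dict:
    """Syslog prefix + CEF header + extension into one flat dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[m.end():])
    if len(header) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, header))
    event["syslog_prefix"] = m.group("prefix").strip()
    event["cef_version"] = m.group("version")
    # Extension: a value runs until the next unescaped ' key='.
    keys = list(EXT_KEY_RE.finditer(ext))
    for k, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[k.end(): nxt.start() if nxt else len(ext)]
        event[k.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\").strip()
    return event


def relaxation_command(event: dict) -> str:
    """Click-to-Rule equivalent for a Start URL block: relax exactly the URL
    that was blocked, in the profile named by cs1. Command shape is assumed."""
    if event["signature_id"] != "APPFW_STARTURL":
        raise ValueError("only Start URL events are handled here")
    url_regex = "^" + re.escape(event["request"]) + "$"
    return f'bind appfw profile {event["cs1"]} -startURL "{url_regex}"'


def summarize(lines) -> Counter:
    """Count events by (check, action): what a profile is blocking, at a glance,
    before anything is relaxed."""
    return Counter((e["signature_id"], e["act"]) for e in map(parse_cef, lines))


if __name__ == "__main__":
    ev = parse_cef(SLIDE_LINE)
    print(ev["signature_id"], ev["src"], "->", ev["request"], ev["act"])
    print(relaxation_command(ev))
    print(summarize([SLIDE_LINE] + CONSTRUCTED_LINES))
```

Anchoring the relaxation on the exact URL (escaped, anchored at both ends) is the conservative choice: a relaxation written as a broad pattern reopens the very hole the Start URL check closes.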
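The credit card protection in the slide demo rewrites card numbers in the server response to X characters. The following is an added example of that response check, not code from the training deck or from Citrix. It finds digit runs of card length (allowing spaces or dashes), keeps only candidates that pass the Luhn check and carry a VISA or Mastercard prefix, and masks them; the response body is constructed, and its two card numbers are the first of the Mastercard and VISA lists shown above.

```python
"""Credit-card masking of a server response, the check described above.

Added example, not from the training deck or Citrix. SAMPLE_RESPONSE is a
constructed body containing the first Mastercard and VISA numbers from the
slide, an order number, a 13-digit reference and a tracking number that
looks like a card but fails the Luhn check. keep_last=0 reproduces the
slide's rendering (every digit replaced by X).
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
ISSUER_PREFIX = {
    "VISA": re.compile(r"^4"),
    "Mastercard": re.compile(r"^(5[1-5]|2[2-7])"),
}

SAMPLE_RESPONSE = (
    "<p>Order 20120315 confirmed for card 5168701720999598 "
    "(backup 4532 8048 5250 0010). Ref 1234567890123. "
    "Tracking 4111111111111112</p>"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Issuer name for a digit string, or None if no known prefix matches."""
    for name, rx in ISSUER_PREFIX.items():
        if rx.match(digits):
            return name
    return None


def mask_response(body: str, keep_last: int = 4):
    """Return (masked body, findings). Each finding is (issuer, last four).
    Candidates that fail the prefix or Luhn test are left untouched, which
    keeps order numbers, timestamps and tracking codes readable."""
    findings = []

    def _repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        name = issuer(digits)
        if name is None or not luhn_ok(digits):
            return raw
        findings.append((name, digits[-4:]))
        cut = len(digits) - keep_last
        return "X" * cut + digits[cut:]

    return CANDIDATE_RE.sub(_repl, body), findings


if __name__ == "__main__":
    masked, found = mask_response(SAMPLE_RESPONSE)
    print(masked)
    print(found)
    print(mask_response(SAMPLE_RESPONSE, keep_last=0)[0])
```

The prefix and Luhn filters are what keep the check from false positives on any 16-digit order number; the findings list is what you would log (issuer and last four only, never the full number) so the log itself does not become a second disclosure.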
