The Open Web Application Security Project (OWASP) recently released the OWASP Top 10 for 2010 for web application security. This list documents the most common web application vulnerabilities and is a great starting point for evaluating web security. Here we detail how to configure the NetScaler Application Firewall to mitigate these flaws. The Application Firewall is available as an integrated module in the NetScaler Application Delivery Controller, in addition to its high-performance load balancing functions. It is also available as a full range of firewall appliances on the same NetScaler MPX hardware, delivering the fastest Web Application Firewall in the market today.
The full OWASP Top 10 document is available at OWASP Top 10 for 2010.
I assume some familiarity with the NetScaler Application Firewall configuration and features. Some of the OWASP Top 10 items refer to the broader security environment (such as insecure configuration and SSL), but the relevant NetScaler-specific configuration is noted for each. The OWASP Top 10 is best used as a starting point to gauge your web application security; NetScaler offers a much richer set of functionality beyond what this list covers.
| OWASP Top 10 – 2010 | NetScaler feature |
|---|---|
| A1 – Injection | Injection attack prevention (SQL / custom) |
| A2 – Cross Site Scripting (XSS) | XSS attack prevention |
| A3 – Broken Authentication and Session Management | AAA, Cookie Tampering protection, CSRF tagging. Use SSL |
| A4 – Insecure Direct Object References | Form field consistency, field format, AAA |
| A5 – Cross Site Request Forgery (CSRF) | CSRF form tagging, Referer header validation |
| A6 – Security Misconfiguration | PCI reports |
| A7 – Failure to Restrict URL Access | Start URL protection with URL closure |
| A8 – Unvalidated Redirects and Forwards | Policy control, field format protection configuration, Referer header scrubbing |
| A9 – Insecure Cryptographic Storage | Applicable to backend server infrastructure. FIPS-compliant model available for securing keys on the Firewall device itself |
| A10 – Insufficient Transport Layer Protection | Use SSL with strong keys and ciphers |
The full document is available as a whitepaper for download (NetScaler Application Firewall and the OWASP Top 10 2010).
Twitter: @netscaler or me @vkorr
- Download and try the Application Firewall in NetScaler VPX virtual appliance with a free 90-day Platinum edition evaluation license today.
- NetScaler Product documentation can be found at http://support.citrix.com/product/nsad/v9.2/#tab-doc.