Application Templates are widely popular in the NetScaler customer base because they ease deployment and provide a single view of the end-to-end application configuration on NetScaler. With the explosion of apps and the growth in usage of Application Templates, we need to effectively secure the app deployment as well. With the NetScaler 9.3 release, Application Template deployment is enhanced to use Application Firewall profiles and policies, like the rest of the features.
Not only is the Application Firewall feature incorporated into the whole Application Template story, it is also made smart enough to use signature-based protection at the endpoint and deep positive protections at the AppUnit layer. Signature-based protection provides the ability to block all known attacks at the vserver layer. Every AppUnit deployment has different characteristics, such as static pages versus dynamic scripts, images versus text, or documents versus PDFs. The deep positive protection configuration therefore varies across these AppUnit deployments, based on what kind of content needs to be protected and against which attack vector. This is a much smarter way to enable only what is needed at every point, and it ensures that the performance of the application does not degrade because of unnecessary checks everywhere. For example, doing SQL Injection protection for servers/services that only handle plaintext does not add any value, while it increases the load on NetScaler to parse through the whole text.
Here is a quick look at how you can enable Application Firewall configuration on existing or new Application Template deployments.
On the endpoint, right-click and select the “Configure Application Firewall” option. This takes you through a simple wizard that lets you select the signatures you want to protect with. You can select the signature actions for every group and also go deeper into the individual rule configuration within every group.
Once you have finished configuring signature-based protection on the endpoint, move on to configuring positive protection on every AppUnit. Clicking the “+” sign in the Application Firewall column for any AppUnit brings up a wizard for configuring positive security.
With this wizard you can configure positive/deep protection against various attacks, such as:
- Cross Site Scripting
- SQL Injection
- Buffer Overflow
- Cookie Consistency
- Credit Card
- Form based
- URL based
- XML Format
- XML DoS
- XML XSS/SQL
- XML Attachment
- XML Message Validation
- SOAP Faults
Once you select the attack protections relevant to a given AppUnit, you will be able to configure the appropriate actions and advanced settings for those attack protection parameters. Thus, from a single Application Template screen, you can now configure end-to-end application protection using the smart AppFw wizards on the endpoint and the AppUnits.