Symptoms or Error
Adaptive Features - Citrix NetScaler Application Firewall
Most Application Firewall security checks do not require user input to function properly. Following are descriptions of a few security checks that use adaptive features without requiring user intervention:
Field Consistency: The Form Field Consistency check parses the details of each web form in a protected application each time that the application sends the form to a user. When a user submits a web form, the Application Firewall verifies that the form has not been altered. When a new web form is added to the application or changes are made to a web form, the Application Firewall detects the changes the first time that the application sends the altered web form to a user, which ensures that the Application Firewall uses the most current information to verify web forms returned by users.
Cross Site Request Forgery (CSRF): The CSRF check, like the Form Field Consistency check, parses the details of each web form each time that it is sent to a user. New and changed web forms are detected automatically, ensuring that the Application Firewall uses the most current information when examining web forms returned by users.
SQL Injection/Cross-Site Scripting: The SQL Injection and Cross-Site Scripting checks parse the details of each web form before examining those forms for injected SQL or unsafe HTML. No check ever relies on stale data.
Cookie Consistency: The Cookie Consistency check detects new and changed cookies the first time that a protected application sets that cookie in a response, ensuring that the Application Firewall uses the most current information when examining cookies returned by users.
URL Closure: The URL Closure feature of the Start URL security check parses the URLs from all responses sent by a protected application and adds those URLs to the Start URL check's list of allowed URLs. Requests to any of these URLs are exempted from the Start URL check. Any changes made to the protected application, such as the addition of new pages, are automatically detected and added to the URL list the first time that they are “seen” on a page that a user requests.
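The record-then-verify behaviour described above for the Form Field Consistency check, modelled as an added example; this is not Citrix code and not how the Application Firewall is implemented. The names `FormRecorder` and `check_submission`, the properties tracked (hidden and read-only values, `maxlength`, select options) and the sample form are assumptions made for illustration.

```python
from html.parser import HTMLParser

class FormRecorder(HTMLParser):
    """Per form action, maps field name -> (fixed value, max length, options)."""
    def __init__(self):
        super().__init__()
        self.forms, self._fields, self._options = {}, None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        named = self._fields is not None and a.get("name")
        if tag == "form":  # a form sent again replaces what was recorded before
            self._fields = self.forms[a.get("action") or ""] = {}
        elif tag == "option" and self._options is not None:
            self._options.add(a.get("value") or "")
        elif tag == "input" and named:
            locked = (a.get("type") or "text").lower() == "hidden" or "readonly" in a
            limit = a.get("maxlength") or ""
            self._fields[named] = ((a.get("value") or "") if locked else None,
                                   int(limit) if limit.isdigit() else None, None)
        elif tag == "select" and named:
            self._options = set()
            self._fields[named] = (None, None, self._options)

    def handle_endtag(self, tag):
        if tag in ("form", "select"):
            self._options = None
            self._fields = None if tag == "form" else self._fields

def check_submission(forms, action, submitted):
    """Return the violations in a submitted form (dict of name -> value)."""
    known = forms.get(action, {})  # a form never sent has no known fields
    problems = []
    for name, value in submitted.items():
        fixed, limit, options = known.get(name, (None, None, None))
        if name not in known:
            problems.append(f"unexpected field {name}")
        elif fixed is not None and value != fixed:
            problems.append(f"{name} was altered")
        elif limit is not None and len(value) > limit:
            problems.append(f"{name} exceeds maxlength")
        elif options is not None and value not in options:
            problems.append(f"{name} is not an offered option")
    return problems
# Constructed sample response from a protected application (not real traffic).
SAMPLE = ('<form action="/order"><input type="hidden" name="price" value="19.99">'
          '<input name="qty" maxlength="2"><select name="size"><option value="S">'
          '<option value="M"></select></form>')
recorder = FormRecorder()
recorder.feed(SAMPLE)
```

Feeding a later response that contains a changed version of the same form replaces the recorded fields, which is the "most current information" property the check description relies on.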
Following are examples of security checks that use adaptive features, but require some user intervention before they can be used:
Field Format: The Field Format check requires configuration before it is used. The Application Firewall’s adaptive learning feature (described below) can generate the recommended settings, but the user must review and approve them.
Buffer Overflow: The Buffer Overflow check requires the user to review the limits and enable the check, although the default settings are appropriate for most applications. This is also true of similar checks in other web application firewalls.
Signatures: The user must review and configure the Application Firewall’s response to violations of the attack signatures. This is also true of similar features in other web application firewalls.
The adaptive learning engine (part of the Application Firewall since its first release over a decade ago) observes protected applications and generates appropriate configuration options for each application. The learning engine helps users configure those security checks that require configuration before they are used.
In addition, the learning engine keeps the security checks that can be used immediately from blocking legitimate traffic. Without exceptions, those checks might block legitimate traffic to applications that use web form interfaces to SQL servers, complex JavaScript, and types of code that the Application Firewall cannot parse. Like the security checks, the learning engine observes traffic to your applications, but it detects appropriate traffic that violates a security check instead of anomalous traffic that should be blocked, and generates exceptions to the security checks that are tailored to the specific application.
Finally, for those who choose to build a completely adaptive configuration, all learned data (heuristics) on the Application Firewall is available via XML and the Nitro APIs. A script can use that data to generate and deploy rules automatically. If sufficient demand exists, a future Application Firewall release will include an enhancement that provides a native API to this data.