Use case - Binding Web App Firewall policy to a VPN virtual server
NetScaler provides a solution to protect multiple applications that the VPN virtual server manages. By binding application security policies to the VPN virtual server, you can protect all the applications behind it.
The following are the ways to deploy application security at a VPN virtual server:
- Protect all the applications behind the VPN virtual server with a single Web App Firewall profile
- Protect each application behind the VPN virtual server with a different Web App Firewall profile
Protect all the applications behind the VPN virtual server with a single Web App Firewall profile
To protect all your applications that are behind the VPN virtual server with a single Web App Firewall policy, you must create a Web App Firewall policy and bind it to a VPN virtual server.
Example:
A company hosts three critical applications - SAP, Workday, and Tally - on a VPN virtual server. As a network administrator, you decide to protect these applications against the OWASP Top 10 security risks.
To achieve this use case, perform the following operations:
- Create the Web App Firewall profile with appropriate checks for OWASP Top 10 security risks.
add appfw profile pr-basic -crossSiteScriptingAction block -SQLInjectionAction block
For more information on configuring OWASP Top 10 security risks, see Add security protection.
- Add the Web App Firewall policy and associate it with the profile pr-basic.
add appfw policy owasp_policy true pr-basic
- Bind the Web App Firewall policy to the VPN virtual server.
bind appfw vpn vserver vserver10 -policy owasp_policy -priority 10
Protect each application behind the VPN virtual server with a different Web App Firewall profile
To perform specific security checks based on the Web App Firewall architecture (server, OS, JavaScript library, and so on), individual security checks might be required for each web application. In such scenarios, multiple Web App Firewall policies can be configured.
Example:
A company hosts three critical applications (SAP, Workday, and Tally) behind a VPN virtual server. As a network administrator, you decide to create a unique Web App Firewall policy for optimal protection for each application.
To achieve this use case, perform the following operations:
- Create a profile for each application. Configure each profile with the security checks that the application needs.
add appfw profile pr-basic1 -crossSiteScriptingAction block -SQLInjectionAction block
add appfw profile pr-basic2 -crossSiteScriptingAction block -SQLInjectionAction block
add appfw profile pr-basic3 -crossSiteScriptingAction block -SQLInjectionAction block
- Add the Web App Firewall policy that applies to each application and associate each policy with its profile.
add appfw policy sap_policy "HTTP.REQ.URL.CONTAINS(\"sap.com\")" pr-basic1
add appfw policy workday_policy "HTTP.REQ.URL.CONTAINS(\"workday.com\")" pr-basic2
add appfw policy tally_policy "HTTP.REQ.URL.CONTAINS(\"tally.com\")" pr-basic3
- Bind the created policies to the VPN virtual server vserver1.
bind appfw vpn vserver vserver1 -policy sap_policy -priority 10
bind appfw vpn vserver vserver1 -policy workday_policy -priority 20
bind appfw vpn vserver vserver1 -policy tally_policy -priority 30
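With one profile, one policy, and one binding per application, a single mistyped name leaves an application without its intended checks. The following pre-deployment check is an added example, not NetScaler tooling or code from the original page. It parses only the command forms shown on this page; the function name, the finding labels, and the sample configuration are constructed for illustration.

```python
import shlex

# Constructed sample: the per-application commands from this page, with a
# "pr-basic 3" spacing slip kept in and the tally_policy binding left out.
SAMPLE_CONFIG = r'''
add appfw profile pr-basic1 -crossSiteScriptingAction block -SQLInjectionAction block
add appfw profile pr-basic2 -crossSiteScriptingAction block -SQLInjectionAction block
add appfw profile pr-basic 3 -crossSiteScriptingAction block -SQLInjectionAction block
add appfw policy sap_policy "HTTP.REQ.URL.CONTAINS(\"sap.com\")" pr-basic1
add appfw policy workday_policy "HTTP.REQ.URL.CONTAINS(\"workday.com\")" pr-basic2
add appfw policy tally_policy "HTTP.REQ.URL.CONTAINS(\"tally.com\")" pr-basic3
bind appfw vpn vserver vserver1 -policy sap_policy -priority 10
bind appfw vpn vserver vserver1 -policy workday_policy -priority 20
'''

def lint_appfw_config(text):
    """Return (kind, name) findings for profile/policy/binding mismatches."""
    profiles, policies, bound, used, findings = set(), {}, set(), set(), []
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # also unescapes the \"-quoted rule expression
        if tok[:3] == ["add", "appfw", "profile"]:
            profiles.add(tok[3])
            # Anything between the name and the first -option is a stray token.
            if len(tok) > 4 and not tok[4].startswith("-"):
                findings.append(("stray-token-after-profile-name", tok[3]))
        elif tok[:3] == ["add", "appfw", "policy"]:
            policies[tok[3]] = tok[-1]  # last token is the profile name
        elif tok[:1] == ["bind"] and "-policy" in tok:
            vserver = tok[tok.index("vserver") + 1]
            policy = tok[tok.index("-policy") + 1]
            priority = tok[tok.index("-priority") + 1]
            bound.add(policy)
            if policy not in policies:
                findings.append(("bound-policy-undefined", policy))
            if (vserver, priority) in used:
                findings.append(("priority-reused", f"{vserver}:{priority}"))
            used.add((vserver, priority))
    # Cross-checks that need the whole configuration.
    for policy, profile in policies.items():
        if profile not in profiles:
            findings.append(("profile-undefined", policy))
        if policy not in bound:
            findings.append(("policy-unbound", policy))
    return findings

if __name__ == "__main__":
    for kind, name in lint_appfw_config(SAMPLE_CONFIG):
        print(f"{kind}: {name}")
```

An empty result means every policy points at a defined profile and is bound to a virtual server.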
For more information on the following topics:
- Configuring the Web App Firewall policy, see Creating and configuring Web App Firewall policies.
- Binding the Web App Firewall policy, see Binding Web App Firewall policies.
- Configuring VPN virtual servers, see Create virtual servers.