Barracuda Web Site Firewall Configuration Guide

NetContinuum Device Manager
Application Configuration Guide
NetContinuum OS 6.1
449-000018-00-6.1-A
Notice
The information contained in this document is subject to change without notice.
UNLESS EXPRESSLY SET FORTH IN A WRITTEN AGREEMENT SIGNED BY AN AUTHORIZED REPRESENTATIVE OF BARRACUDA NETWORKS, INC., BARRACUDA NETWORKS MAKES NO WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO THE INFORMATION CONTAINED HEREIN, INCLUDING WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PURPOSE. Barracuda Networks assumes no responsibility or obligation of any kind for any errors contained herein or in connection with the furnishing, performance, or use of this document.
This document contains information that is the property of Barracuda Networks, Inc. This document may not be copied, reproduced, reduced to any electronic medium or machine readable form, or otherwise duplicated, and the information herein may not be used, disseminated or otherwise disclosed, except with the prior written consent of Barracuda Networks.
NETCONTINUUM is a registered trademark of Barracuda Networks, Inc.
Linux is a registered trademark of Linus Torvalds in the United States and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Netscape is a registered trademark of AOL Time Warner, Inc. and Netscape Communications Corp. in the United States and other countries.
All other trademarks and registered trademarks are the property of their respective holders.
Manual Name: NetContinuum Device Manager Application Configuration Guide
Part Number: 449-000018-00 Revision Number: 6.1-A Release Number: 6.1
Publication Date: December 2007
Barracuda Networks, Inc. 3175 S. Winchester Blvd. Campbell, CA 95008
Copyright © 2007 Barracuda Networks, Inc. All Rights Reserved.

Contents

Preface  xv
  Revision Information  xv
  Audience  xvi
  Notation Conventions  xvi
  Product Documentation  xviii
  Customer Support  xix
1. Introduction  1–1
  Overview  1–1
  Configuration Areas  1–2
  Application Configuration Features  1–3
  Application Objects  1–4
2. Creating a Vsite  2–1
  Creating a Vsite  2–1
  Creating a Bridged Vsite  2–3
  Creating a Private Interface  2–4
  Creating a Server Group  2–5
  Configuring a Web Server  2–6
    Defining a Web Server  2–6
    Creating Back-Up Web Server  2–11
    Configuring Server-side SSL  2–11
    Configuring Redirection Policy  2–13
    Configuring In-Band Health Check  2–14
    Configuring Out-Of-Band Health Check  2–16
      Configure Out-of-Band Monitoring  2–16
      Add HTTP Monitoring  2–17
  Configuring a Bridged Web Server  2–18
  Configuring Response Pages  2–19
  Configuring Trusted Hosts  2–20
  Configuring Session Identifiers  2–21
  Configuring Custom Parameter Classes  2–23
  Configuring CRLs  2–28
    Configuring Update Schedule  2–29
3. Creating a Web Application  3–1
  Overview  3–1
  Creating a Web Application  3–2
    Creating a Special Web Application  3–5
      OWA Web Application  3–5
      Sharepoint Web Application  3–7
      OWA HTTPS Web Application  3–8
      Oracle Applications Web Application  3–8
  Creating a Bridged Web Application  3–8
  Confirming Connection  3–8
  Creating a Default Route  3–9
4. Encrypting Application Traffic  4–1
  Overview  4–1
    SSL Features  4–1
    SSL Components  4–2
    SSL Configuration Types  4–2
    Prerequisites  4–3
      Creating Certificates  4–3
      Modifying a Web Application  4–3
  Client-side SSL  4–4
    Configuring Client-side SSL  4–4
    Client Authentication  4–6
      Configuring Client Authentication  4–7
      Configuring Allow List  4–9
      Configuring a Deny List  4–12
  Server-side SSL  4–12
  Instant SSL  4–12
    Configuring Instant SSL  4–13
5. Web Firewall Policies  5–1
  Overview  5–1
  Configuring Web Firewall Policy  5–2
    Configuring Global URL ACLs  5–3
    Configuring Request Limits  5–8
    Configuring URL Normalization  5–10
    Configuring Cookie Security  5–14
    Configuring Default URL Protection  5–16
    Configuring Default Parameter Protection  5–19
    Configuring Website Cloaking  5–23
    Configuring Data Theft Protection  5–25
    Default Policies  5–28
    Modifying Attack Action  5–32
  Configuring Web Firewall  5–34
    Configuring Web Firewall General Parameters  5–34
    Session Tracking  5–36
    URL ACL  5–37
      Configuring URL ACL General Parameters  5–40
6. URL Policies  6–1
  Overview  6–1
  URL Policies  6–2
    Configuring General Parameters  6–2
    Configuring Bruteforce Prevention  6–6
    Configuring Entry Control  6–7
    Configuring Data Theft Protection  6–11
    Configuring Anti Crawl Trigger  6–12
    Listing Locked-Out Clients  6–13
    Configuring Access Control  6–13
    Configuring SOAP Security  6–19
  Header ACLs  6–20
    Configuring a Header ACL  6–20
  Configuring Rate Control  6–23
    Creating Preferred Clients  6–25
    Setting Rate Control Pool  6–26
7. Web Address Translation  7–1
  Overview  7–1
  Configuring URL Translation  7–2
  Configuring Request Rewrite  7–4
  Configuring Response Rewrite  7–9
  Configuring Response Body Rewrite  7–12
8. User Access Control  8–1
  Overview  8–1
  Authenticating users  8–3
    Internal Authentication Database  8–3
    LDAP Authentication Database  8–4
    RADIUS Authentication Database  8–6
    SiteMinder Authentication Database  8–8
    RSA AM Authentication Database  8–10
  Authenticating Users  8–12
    Create a Login Page  8–13
    Configure Authentication  8–14
    SiteMinder SSO  8–17
    RSA AM SSO  8–19
  Configuring Access Control  8–20
  Multiple Application Authentication  8–20
  Troubleshooting  8–21
9. Load Balancing  9–1
  Overview  9–1
  Configuring Load Balancing  9–2
  Configuring Redirection  9–4
  Configuring Persistence  9–5
    Configure Cookie Persistence  9–6
    Configure Source IP/Netmask Persistence  9–9
  Using Multiple Load Balancers  9–9
    Configure the NC-Gateway  9–10
    Configure the Load Balancer  9–10
  Configuring Backup Servers  9–11
10. Caching  10–1
  Overview  10–1
  Configuring Caching  10–1
  Purging Cache  10–3
  Caching Considerations  10–4
    Rule Groups and Dynamic Pages  10–4
    Object Freshness  10–5
11. Rules  11–1
  Overview  11–1
  Creating a Rule Group  11–3
  Configuring Bridged Rule Group  11–6
  Adding Rules  11–7
  Configuring Policies  11–7
12. Creating an FTP Application  12–1
  Overview  12–1
  Creating an FTP Application  12–2
  Configuring PASV Mode  12–3
  Configuring SSL  12–4
  Configuring FTP Attack Prevention  12–5
    Configuring Command Blocking  12–6
    Configuring FTP ACLs  12–7
  Configuring Load Balancing  12–9
13. Creating a Mail Application  13–1
  Overview  13–1
  Creating Mail Application  13–2
  Creating Bridged Mail Applications  13–4
  Configuring SSL  13–4
  Configuring Authentication (SMTP Only)  13–5
  Configuring Load Balancing  13–6
  Configuring Persistence  13–7
14. Creating a Custom Application  14–1
  Overview  14–1
  Creating a Custom Application  14–1
  Configuring SSL  14–3
  Configuring Load Balancing  14–4
  Creating Bridged Custom Application  14–5
15. Dynamic Application Profiling  15–1
  Overview  15–1
  Configuring Learning  15–2
    Configuring Learn Rules  15–3
  Configuring Application Profile  15–5
    Configuring URL Profile  15–7
    Configuring Parameter Profile  15–13
    Configuring Extended Validation  15–18
      Configuring Validation Expressions  15–19
  Enforcing the Application Profile  15–19
16. Compression  16–1
  Overview  16–1
  Configuring Compression  16–2
  Compression Support  16–3
    Encoding types  16–3
    Content-types  16–3
    Caching  16–4
    Server communication  16–4
    Granularity of configuration  16–4
    Browser variations  16–4
    Response size  16–5
    Compression quality  16–5
17. Templates  17–1
  Overview  17–1
  Creation of Template  17–2
    Configuring Custom Template  17–2
    Using Configured Add Template  17–2
    Using Configured Patch Template  17–3
18. Policy Wizard  18–1
  Overview  18–1
  Creating a Rule  18–1
  View the Web Firewall Logs  18–2
Appendix A. Configuration Containers  A–1
Appendix B. Syntax Rules  B–1
  Logical Expressions  B–1
    Success Condition  B–3
    Request Rewrite Condition  B–4
    Response Rewrite Condition  B–6
  Regular Expression Notation  B–7
    Regular Expressions of Web Application Firewall  B–11
Appendix C. Usage Guidelines  C–1
  Passive versus Active Mode  C–1
    Passive Mode  C–1
      Web Firewall Passive Mode  C–1
      URL ACLs and Passive Mode  C–2
      Profile Passive mode  C–2
      URL Policy Passive Mode  C–2
  Request Limit Considerations  C–2
  Cookie Security Considerations  C–3
  TCP/IP Connection Pooling  C–4
  No Name Parameters  C–5
  Domain Names  C–6
  Macro Definitions  C–6
  Error Responses  C–8
  robots.txt Access  C–8
Appendix D. Evaluation Policy and Flow  D–1
  Evaluation Policies  D–1
    Request Policy Order  D–1
    Response Policy Order  D–4
  Execution Flow  D–5
    HTTP Request  D–5
    HTTP Response  D–7
  URL ACL Policies  D–8
  Rule Matching  D–8
    Rule Match Algorithm  D–8
      Hierarchical Match  D–9
      Sequential Match  D–11
    Priority Rules  D–13
Appendix E. Metacharacters and Keywords  E–1
  Blocked Metacharacters  E–1
  Misused Metacharacters  E–1
  Misused Keywords  E–2
Appendix F. Data Types  F–1
  Overview  F–1
  Identity Theft Data Types  F–1
  Attack Data Types  F–3
  Input Data Types  F–6
  Modifying Default Data Types  F–7
  Creating Additional Data Type  F–8
  Data Type Patterns  F–10
    Input and Attack Patterns  F–10
    Identity Theft Patterns  F–11
Appendix G. Application Wizard  G–1
  Web Application with proxy network configuration  G–1
  Web Application with bridged network configuration  G–6
Glossary  Glossary–1
Figures

Figure 1-1. Simple Data Center Configuration  1–2
Figure 4-1. Instant SSL Diagram  4–13
Figure 5-1. Web Application Attacks  5–2
Figure 5-2. Normalizing Traffic  5–11
Figure 8-1. Authentication Process Diagram  8–2
Figure 9-1. Load Balancer Configuration  9–10
Figure 4-1. Request Policy Order Flowchart  D–4
Figure 4-2. Response Policy Order Flowchart  D–5
Tables

Table 2-1. Vsite Parameters  2–2
Table 2-2. Private Interface Parameters  2–4
Table 2-3. Web Server Parameters  2–8
Table 2-4. Server Redirection Parameters  2–13
Table 2-5. Server In-Band Health Check Parameters  2–15
Table 2-6. Server Out-of-Band Health Check Parameters  2–17
Table 2-7. Out-of-Band HTTP Monitor Parameters  2–18
Table 2-8. Response Page Parameters  2–20
Table 2-9. Trusted Hosts Container Parameters  2–21
Table 2-10. Session Identifier Container Parameters  2–23
Table 2-11. Custom Parameter Classes Parameters  2–24
Table 2-12. CRLs Parameters  2–28
Table 2-13. Update Schedule Parameters  2–30
Table 3-1. Web Applications Parameters  3–4
Table 3-2. Default Route Parameters  3–10
Table 4-1. SSL Parameters  4–5
Table 4-2. Client Auth Parameters  4–9
Table 4-3. Allow or Deny Client Parameters  4–11
Table 4-4. Instant SSL Parameters  4–14
Table 5-1. Global URL ACLs General Parameters  5–3
Table 5-2. Global URL ACLs container Parameters  5–5
Table 5-3. Request Limits Parameters  5–9
Table 5-4. Double-Encoding variation of the \ character  5–12
Table 5-5. URL Normalization Parameters  5–13
Table 5-6. Cookie Security Parameters  5–15
Table 5-7. Default URL Protection Parameters  5–17
Table 5-8. Default Parameter Protection Parameters  5–20
Table 5-9. Website Cloaking Parameters  5–24
Table 5-10. Data Theft Protection Parameters  5–27
Table 0-1. Attack Action Parameters  5–32
Table 5-11. General Parameters  5–35
Table 5-12. Session Tracking Parameters  5–37
Table 5-13. Sample URL ACL Configuration  5–39
Table 5-14. URL ACLs Parameters  5–42
Table 6-1. URL Policy General Parameters  6–4
Table 6-2. Bruteforce Prevention Parameters  6–7
Table 6-3. Entry Control Parameters  6–9
Table 6-4. Anti Crawl Trigger Parameters  6–12
Table 6-5. Access Control Parameters  6–15
Table 6-6. SOAP Security Parameters  6–20
Table 6-7. Header ACLs Parameters  6–21
Table 6-8. Rate Control Parameters  6–24
Table 6-9. Preferred Clients Parameters  6–25
Table 6-10. Rate Control Pool Parameters  6–26
Table 7-1. URL Translation Parameters  7–3
Table 7-2. Request Rewrite Parameters  7–6
Table 7-3. Response Rewrite Parameters  7–10
Table 7-4. Response Body Rewrite Parameters  7–13
Table 8-1. LDAP Authentication Database Parameters  8–5
Table 8-2. Radius Authentication Database Parameters  8–7
Table 8-3. SiteMinder Authentication Database Parameters  8–9
Table 8-4. RSA AM Authentication Database Parameters  8–11
Table 8-5. Authentication Parameters  8–16
Table 8-6. SiteMinder SSO tab Parameters  8–18
Table 8-7. RSA AM SSO tab Parameters  8–20
Table 9-1. Load Balancing General Parameters  9–3
Table 9-2. Load Balancing Redirect Parameters  9–5
Table 9-3. Load Balancing Persistence Parameters  9–7
Table 10-1. Caching Parameters  10–2
Table 10-2. Object Freshness Calculations  10–5
Table 11-1. Sample Rule Configuration  11–2
Table 11-2. Rule Group Parameters  11–4
Table 12-1. FTP Applications Parameters  12–2
Table 12-2. FTP PASV Mode Parameters  12–4
Table 12-3. FTP Attack Prevention Parameters  12–5
Table 12-4. FTP Command Blocking Parameters  12–6
Table 12-5. FTP ACLs Parameters  12–8
Table 13-1. E-mail Application Parameters  13–3
Table 13-2. SMTP Authentication Parameters  13–6
Table 13-3. Load Balancing General Parameters  13–7
Table 13-4. Load Balancing Persistence Parameters  13–8
Table 14-1. Custom Application Parameters  14–2
Table 15-1. Learning Container Parameters  15–3
Table 15-2. Learn Rules Container Parameters  15–4
Table 15-3. Application Profile Parameters  15–6
Table 15-4. URL Profile Parameters  15–9
Table 15-5. Parameter Profiles Parameters  15–15
Table 15-6. Extended Validation Parameters  15–18
Table 15-7. Validation Expressions Parameters  15–19
Table 16-1. Compression Parameters  16–2
Table 16-2. Compression Quality  16–5
Table 18-1. Web firewall Logs Parameters  18–4
Table A-1. Vsite and Application Containers  A–1
Table B-1. Regular Expression Values  B–7
Table B-2. Operators to support regex in header rules  B–11
Table C-1. Macro Definitions  C–6
Table D-1. Sample Hierarchical Rule Match  D–10
Table D-2. Sample Sequential Rule Match  D–11
Table E-1. Blocked Metacharacters  E–1
Table E-2. Misused Metacharacters and Keywords  E–2
Table E-3. Misused Keywords  E–3
Table F-1. Pattern Parameters  F–9
Preface

This guide describes how to create, configure, and protect Web sites and applications through the NetContinuum Application Security Gateway (NC-Gateway).
NOTE
Unless otherwise noted, the information in this guide applies to all models of the NC-Gateway.

Revision Information

This is the eleventh edition of the NetContinuum Application Security Gateway Application Configuration Guide (449-000018-00). This document (for NetContinuum OS release 6.1.0) incorporates the following changes:
Chapter 1: Server group updated with other application-specific server group details. Configuration tree image moved to Appendix A.
Chapter 2: Added the procedure to configure the Response Page, Trusted Host, CRLs and Custom Parameter Classes sections.

Chapter 3: Added Special Web Applications section.
Chapter 5: Many parameter names modified. Added Web Firewall Policies section.
Chapter 6: Added URL Policies, Session Tracking, Learning and Application Profile sections.
Chapter 8: Added SiteMinder authentication database section.
Chapter 15: Added Learning section.
Chapter 17: Describes how to create Templates, and the use of saved Add and Patch templates for further custom configuration.
Appendix A: Configuration tree image added.
Appendix B: Describes logical and regular expression syntax rules.
Appendix C: Describes usage guidelines.
Appendix D: Describes evaluation rules and process flow.
Appendix E: Lists susceptible metacharacters and keywords.
Appendix F: Describes the new data types.
Appendix G: Describes the Web Application wizard.
Appendix H: Describes the default web firewall policies, attack groups, and associated attack actions.
Audience
This document is intended for administrators and developers who create or manage Web applications and security. Users should have a background in the following:
TCP/IP protocol
Application protocols (HTTP, FTP, SMTP, POP3, IMAP)
Secure Socket Layer (SSL)
Certificate management
Network management

Notation Conventions

This document uses the following conventions and symbols:
Screen text (not in a menu) is presented in a display:
This is display text
Displays do not include any system prompts (for example, a $ sign) as part of the text unless explicitly noted in the accompanying general text.
The following font conventions apply both to general text and to text in displays:
Courier represents display text:
Broadcast Message from ...
Courier bold represents user input and Courier italic represents variables:
show command
Palatino represents all window titles, fields, and menu names, and menu items in the GUI system:
Select Contents from the Help menu.
Bold emphasizes words in text:
…does not support…
Italic introduces or defines new terms and is used in book titles:
A rule group is …
The notation [Ctrl]–[char] indicates a control–character sequence. For example, [Ctrl]–[c] means hold down the [Ctrl] key while pressing the [c] key; the letter c does not appear on the screen.
Document citations include the document name followed by the document part number in parentheses:
NetContinuum Application Security Gateway Application Configuration Guide (449-000018-00)
Note, Caution, Warning, and Danger notices call attention to essential information.
NOTE
Notes call special attention to essential information, such as important tips or advice on using a program, device, or system.
CAUTION
Cautions alert you to conditions that could damage a program, device, system, or data.
WARNING
Warning notices alert the reader to conditions that are potentially hazardous to people. These hazards can cause personal injury if the warnings are ignored.
DANGER
Danger notices alert the reader to conditions that are potentially lethal or extremely hazardous to people.
Product Documentation
An NC-2000 comes with a documentation CD-ROM, online help, and selected printed documents. To order documentation (or provide comments about the documentation), contact customer support (see ‘‘Customer Support”). The CD-ROM includes the following documents:
Licenses
Notices and License Agreement (449-000037-00)
Quick Start Guide
Quick Start Guide (449-000038-00)
Overview and Installation
NetContinuum Application Security Gateway Overview (449-000019-00)
NetContinuum Application Security Gateway Installation Guide (449-000035-00)
Administration and Configuration
NetContinuum Application Security Gateway System Administration Guide (449-000016-00)
NetContinuum Application Security Gateway PKI Administration Guide (449-000017-00)
NetContinuum Application Security Gateway Application Configuration Guide (449-000018-00)
NetContinuum Application Security Gateway Web Services Configuration Guide (449-000029-00)
NetContinuum Application Security Gateway Logging Guide (449-000028-00)
NetContinuum Application Security Gateway Command Line Interface (CLI) Reference Manual (449-000006-00)
NetContinuum Application Security Gateway Command Line Interface (CLI) Procedures Guide (449-000036-00)

Customer Support

Contact customer support to request assistance or when you need to report a problem. You can contact customer support in any of the following ways:
Phone: 1-800-831-2050
E-mail: support@netcontinuum.com
Web: http://www.barracuda.com/netcontinuum (click on Support to access the technical support page)
To expedite a support request, have the following information available:
Serial number: This is located on both the back of the NC-2000 and the packing slip.
Customer identification (ID): This is located on the packing slip.
NOTE
Keep the packing slip. It has the NC-2000’s serial number and customer ID number.
Chapter 1
Introduction
This chapter provides an introduction to configuring Web applications. It includes the following topics:
Overview
Configuration Areas
Application Configuration Features
Application Objects

Overview

The NC-Gateway is a network security solution intended to secure Web applications and accelerate communication among devices on a network. The NC-Gateway can be configured within the heart of a data center to provide communication and security between front-end clients and back-end resources (Figure 1-1). The NC-Gateway is designed so that it can be seamlessly positioned in a network.
The NC-Gateway acts as a proxy server: each TCP/IP connection is fully terminated, inspected, and then forwarded, dropped, or redirected as determined by the inspection. The NC-Gateway processes and analyzes the application-specific protocols that run over TCP/IP. Supported protocols include HTTP, HTTPS, FTP, POP3, SMTP, and IMAP. NC-Gateway applications support these protocols with custom policies used to protect and expedite user traffic. For example, an application for transmitting POP3 e-mail traffic can be created to include policies for encrypting and load balancing the traffic.

Figure 1-1. Simple Data Center Configuration (diagram, not reproduced here; it shows the Internet, a router, a firewall, switches, the NC-Gateway, front-end users, and the server farm of back-end applications)

Configuration Areas

After system initialization (see the NetContinuum Application Security Gateway Installation Guide (449-000035-00)), the NC-Gateway is ready to be configured.
Configuration falls into three areas:
Application Configuration: This relates to the application protocols that are included in an IP packet, including Hypertext Transfer Protocol (HTTP and HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Post Office Protocol (POP). This guide describes how to configure applications.
PKI Configuration: This is performed on the Public Key Infrastructure (PKI) objects, which are used for SSL encryption. Objects such as digital certificates and key pairs are created in a separate PKI administration mode and then exported to the general administration side for use in encrypting transmission between clients and Web servers. See the NetContinuum Application Security Gateway PKI Administration Guide (449-000017-00) for information about creating certificates and other PKI objects.
System Configuration: This relates to general processing that is global to the NC-Gateway or a virtual site (vsite). Procedures include setting TCP/IP and other system parameters, configuring NTP and SNMP, configuring network firewalls and features (ACLs, NATs, Routes, ARPs, and VLAN Ports), performing system maintenance, and initiating redundancy between two NC-Gateways. See the NetContinuum Application Security Gateway System Administration Guide (449-000016-00) for information about configuring and maintaining the system. See the NetContinuum Application Security Gateway Logging Guide (449-000028-00) for information about logging.

Application Configuration Features

You can customize and protect an application in a number of areas. The following features are specific to application configuration:
Web Firewall Protection: The NC-Gateway provides a variety of Web firewall protections that you can customize for each Web application:
URL Normalization and Request Limits: The Web firewall provides various format controls, including normalizing URL strings and enforcing size limits on request header fields.
Cookie Security: The Web firewall can apply security features to cookies sent from back-end servers.
Data Theft Protection: The Web firewall can protect (by blocking or masking) outgoing sensitive data such as credit card and social security numbers.
Rate Control: The Web firewall supports a rate control pool that limits client requests.
Web Address Translation (WAT): The Web firewall can translate internal codes, headers, and cookies in responses so that the actual message is concealed from external users. WAT is an extension of the Network Address Translation (NAT) implementation (RFC 1631).
URL Policies: The Web firewall supports two types of Web access control lists: URL and header. URL Policies provide numerous controls (entry, format, failure response, data theft) based on the access location (URL). In addition, URL Policies can activate Access Control. Header ACLs provide strict limitations for parameters (such as form fields) and headers to prevent SQL or operating system command injection, cross-site scripting, and other types of attacks.
Web Services: The Web firewall supports various parameters that decide how SOAP requests will be validated.
SSL and Instant SSL: The NC-Gateway can be used to create and then incorporate a complete set of digital certificates and key pairs to provide Secure Socket Layer (SSL) encryption. In addition, the Instant SSL feature provides a mechanism to convert existing HTTP (port 80) applications into HTTPS (port 443) applications without having to change back-end resources. See the NetContinuum Application Security Gateway PKI Administration Guide (449-000017-00) for information on digital certificates and other SSL objects.
Authentication: The NC-Gateway can enforce access controls with associated authentication databases as specified for each application.
Load Balancing, Caching and Compression: Traffic management settings for load balancing, caching and compression can be specified for each application.
Web Logging: Events and errors that occur on a Web site can be collected and sent to a Web application logging server. (The NC-Gateway also supports system, network firewall, and Web firewall logging.) See the NetContinuum Application Security Gateway Logging Guide (449-000028-00) for information about logging.
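The block-or-mask choice that Data Theft Protection offers for outgoing credit card and social security numbers can be illustrated with a small response filter. The following is an added example written for this page; it is not NetContinuum code and the patterns are not the NC-Gateway's own data-type definitions (those are in Appendix F). It scans a constructed response body for card-like digit runs, validates them with the Luhn checksum so that an ordinary 16-digit tracking number is not mis-flagged, matches dashed US social security numbers, and then either masks all but the last four digits or withholds the whole response. The names `inspect_response`, `luhn_ok`, `mask_number` and the sample text are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Candidate card numbers: 13-16 digits, optionally separated by single spaces or hyphens.
# (Illustrative pattern for this example, not the product's data-type definition.)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US social security number in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample response body; none of these are real accounts.
SAMPLE_BODY = (
    "Order confirmation for account 4111 1111 1111 1111.\n"
    "Backup card on file: 4111-1111-1111-1112 (mistyped, fails Luhn).\n"
    "Tracking number 1234567890123456 is not a card.\n"
    "SSN on file: 123-45-6789.\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a plausible card number, which keeps random digit runs out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_number(text: str, keep_last: int = 4) -> str:
    """Replace all digits except the last `keep_last` with X; separators are kept as-is."""
    n_digits = sum(ch.isdigit() for ch in text)
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def inspect_response(body: str, action: str = "mask") -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Scan an outgoing body for card numbers and SSNs.

    action="mask"  -> return the body with matches masked, plus a findings list
    action="block" -> return (None, findings) if anything matched, so the caller
                      can substitute an error page instead of the real response.
    Findings record the masked form only, so the log itself does not leak the data.
    """
    findings: List[Tuple[str, str]] = []

    def card_sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw                      # digit run, but not a card: leave it alone
        masked = mask_number(raw)
        findings.append(("credit_card", masked))
        return masked

    def ssn_sub(m: "re.Match[str]") -> str:
        masked = mask_number(m.group(0))
        findings.append(("ssn", masked))
        return masked

    out = CARD_RE.sub(card_sub, body)
    out = SSN_RE.sub(ssn_sub, out)
    if action == "block" and findings:
        return None, findings
    return out, findings


if __name__ == "__main__":
    masked_body, hits = inspect_response(SAMPLE_BODY)
    print(masked_body)
    print(hits)
```

Running the module masks the valid card and the SSN, leaves the mistyped card and the tracking number untouched, and reports two findings; with `action="block"` the same body yields no response at all, which is the behaviour a "block" attack action would produce. A real deployment would run this over the decompressed response body before compression and caching, and would keep the findings in the Web firewall log rather than printing them.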

Application Objects

Each application is built around several objects that you configure. The following are objects that you must create to enable an application.
Vsite
A virtual site (vsite) is created as a portal to a data center that processes all application-specific traffic sent over a TCP/IP connection. You can create multiple applications within the vsite to handle various protocols and security requirements. It is designed to function as an administrative domain that controls access and content to and from back-end servers.
Private Interface
A private interface is created to define the back-end connection point between the NC-Gateway and the Web servers. This access point is defined by assigning an IP address, mask, and back-end port. This interface is a logical exit point that allows traffic to safely and securely travel between the NC-Gateway and the Web servers.
Server Group
A Web server group is created to associate a set of Web servers (one or more) accessed through the NC-Gateway. These servers provide the content and other resources for your applications. Servers that load balance the same content for a Web site should be members of the same server group, and a vsite can contain multiple server groups for varying purposes.
Other server groups are application-specific. The following types are available:
FTP Server Group: An FTP server group is created to associate a set of FTP servers (one or more) accessed through the NC-Gateway.
SMTP Server Group: An SMTP server group is created to associate a set of SMTP servers (one or more) accessed through the NC-Gateway.
POP3 Server Group: A POP3 server group is created to associate a set of POP3 servers (one or more) accessed through the NC-Gateway.
IMAP Server Group: An IMAP server group is created to associate a set of IMAP servers (one or more) accessed through the NC-Gateway.
Custom Server Group: A custom server group is created to associate a set of custom servers (one or more) accessed through the NC-Gateway.
Web Server
A Web server entry is created for each server in the server group that specifies addressing, flow management, health, and security settings for traffic between that Web server and the NC-Gateway.
Web Application
Controls a Web application (Web site or Web-based program), including Web firewall, SSL encryption, load balancing, Web logging, authentication, access control, and caching options.
Other Application
An application is created to define the front-end connection point for clients attempting to access the back-end servers for a Web or other application. This access point is defined by assigning a virtual IP (VIP) address, port, server group, front-end port, and other connection-related parameters. The following applications can be created:
FTP Application: Controls an FTP application, including PASV mode, attack prevention (command blocking), SSL encryption, and load balancing options.
SMTP Application: Controls an SMTP application, including SSL encryption, authentication, and load balancing options.
POP3 Application: Controls a POP3 application, including SSL encryption and load balancing options.
IMAP Application: Controls an IMAP application, including SSL encryption and load balancing options.
Custom Application: Controls an unspecified TCP/IP application. This type of application simply forwards data from a client to the back-end server; the NC-Gateway does no parsing. However, you can configure SSL encryption and load balancing options.
Virtual Site (vsite): Holds both application-specific configuration information and some system configuration such as network firewall settings. No vsites exist by default; you must create them.
A vsite (virtual site) is an admin defined portal to a data center. It is similar in concept to setting up a database view, where users can access only that part of the database built into the view. In the case of a vsite, you define the resources that control traffic to and from the data center through the vsite. You can create multiple vsites to address different conditions, applications, and users. You can configure a vsite to manage any number of applications and server groups.
Some containers, such as Network Firewall, appear automatically when you create a vsite. Others, such as a server group or application, must be created explicitly.
The following resources can be configured under a vsite:
Vsite level containers: Network Firewall, Private Interface, Server Group, Application, and Authentication Database.
Web Application level containers: Web Firewall, Instant SSL, SSL, Load Balancing, Web Logging, Authentication, Access Control, Caching and Rule Group.
After creating the vsite, the admin creates a private interface to provide a virtual path to the back-end resources. Then the admin creates a server group to define the actual Web servers that will be used to support the created vsite. The next step is to create a Web application and provide the front-end connection for clients attempting to access the Web site. The Network Firewall is configured to protect against network-layer attacks by creating ACL, ARP, static route entries and so on. The Web Firewall is configured to prevent Web attacks. The SSL protocol is configured to provide data encryption and server/client authentication for transmitting private information over the Internet. A syslog server is configured to allow the user to centrally store and view logs sent from the NC-Gateway.
Applications are created and configured under a vsite. No applications exist by default; you must create each application within the appropriate vsite.
NOTE
Containers under the root node are accessible by the admin user (and optionally other created administrative users) only; containers under the SSL root node are accessible by the pkiadmin user only.
Bridged Vsite: In bridge mode, the NC-Gateway uses the same IP address for the VIP (application) and the back-end server, so it can be deployed without restructuring the network. Bridge mode supports all the application firewall features and all application types except FTP.
The bridged vsite has limitations in comparison to the proxy vsite. The following features are not available in bridge-mode:
PIFs
Network Firewall (No ACLs, No NATs, No Routes, No ARPs)
TCP Pooling
OOB Monitoring
Server Groups
active-active failover support
Backup Rule Group
Failover and failback of bridged vsites are delayed by the time the surrounding network devices take to relearn the topology. Active-Active configuration is not supported for bridged vsites; all bridged vsites must therefore be active on the same NC-Gateway so that they fail over together.
The failback policy can be manual or automatic. Setting failback to manual is recommended, especially for an active/passive pair: otherwise the L2 switches in front of and behind the NC-Gateway must relearn their forwarding tables before they can forward requests again, a delay of 15 seconds or more.
Rule groups under bridged-vsite allow you to route your requests to different servers. By using rule groups, you can also change the behavior of the application with respect to the following:
a. Caching: For example, disable caching for /dynamic/*
b. Web Logging: For example, disable logging for /*.gif
c. Compression: For example, do not compress /zips/*
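A path-based override such as the three above is only as good as the path it is matched against, so both the evaluation order of rule groups and the form of the path (raw or canonicalised) decide which settings a request actually gets. The following Python is an added example, not NetContinuum code: it evaluates the guide's three example rule groups against request paths with first-match semantics and canonicalises the path before matching. The pattern syntax ('*' matches any run of characters, including '/'), the first-match rule, the setting names and the canonicalisation step are assumptions for illustration; the guide does not specify how the NC-Gateway itself evaluates rule-group patterns.

```python
"""Rule-group path matching for an application (added example, not NetContinuum code).

Assumptions for illustration, not taken from the guide: a rule group is keyed by a
URL pattern in which '*' matches any run of characters (including '/'), rule groups
are evaluated in order and the first match wins, and an unmatched request keeps the
application's own settings.
"""
import posixpath
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample mirroring the three examples in the guide; each rule group
# lists only the settings it overrides.
RULE_GROUPS: List[Tuple[str, Dict[str, bool]]] = [
    ("/dynamic/*", {"caching": False}),
    ("/*.gif", {"logging": False}),
    ("/zips/*", {"compression": False}),
]
APP_DEFAULTS: Dict[str, bool] = {"caching": True, "logging": True, "compression": True}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Anchored regex for a rule-group pattern; '*' is the only metacharacter."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def normalize_path(raw: str) -> str:
    """Canonical form of the request path: query dropped, percent-decoded,
    '.' and '..' segments collapsed. Matching the raw path instead lets
    '/dynamic/%2e%2e/zips/a.zip' take the /dynamic/* overrides although the
    server resolves it under /zips/."""
    path = unquote(raw.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def resolve(raw_path: str, normalize: bool = True) -> Dict[str, object]:
    """Effective caching/logging/compression for one request, plus the
    rule group that supplied the overrides (None if none matched)."""
    path = normalize_path(raw_path) if normalize else raw_path.split("?", 1)[0]
    settings: Dict[str, object] = dict(APP_DEFAULTS)
    settings["matched"] = None
    for pattern, overrides in RULE_GROUPS:
        if pattern_to_regex(pattern).match(path):
            settings.update(overrides)
            settings["matched"] = pattern
            break  # first match wins; later rule groups are not consulted
    return settings


if __name__ == "__main__":
    for p in ("/dynamic/search?q=1", "/img/logo.gif", "/zips/a.zip",
              "/dynamic/a.gif", "/dynamic/%2e%2e/zips/a.zip", "/index.html"):
        print(f"{p:32} raw={resolve(p, normalize=False)['matched']!s:12} "
              f"normalized={resolve(p)['matched']}")
```

Two of the sample paths carry the point. "/dynamic/a.gif" takes only the /dynamic/* overrides, so logging stays on for that GIF because the first match wins. "/dynamic/%2e%2e/zips/a.zip" takes the /dynamic/* overrides when matched raw but the /zips/* overrides once canonicalised. Whatever the appliance's own matching rules are, confirm them with probes like these rather than assuming them; note also that posixpath.normpath drops a trailing slash, so "/zips/" would not match "/zips/*" in this model.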
In bridged mode, a wildcard application can be created. Its VIP is 0.0.0.0, which represents every back-end application listening on the port specified in the application. Wildcard applications are subject to the following conditions:
1. A router is required in front of the NC-Gateway so that packets destined for other parts of the network are not bridged.
2. The cluster parameter ‘bridge-all’ must be set to ‘yes’.
3. All wildcard applications must be configured in the same bridged vsite.
4. No two wildcard applications can use the same port.
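The bridge-mode restrictions above, together with the earlier requirement that all bridged vsites be active on the same NC-Gateway, are the kind of checks worth running over a configuration before it is deployed rather than discovering them at failover time. The following Python is an added example, not NetContinuum code; the dataclass model, the container names, the protocol field and the sample cluster are constructed for illustration, since the guide does not define a machine-readable configuration format.

```python
"""Pre-deployment lint for bridged vsites and wildcard applications.
Added example, not NetContinuum code; the data model below is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WILDCARD_VIP = "0.0.0.0"
# Containers the guide lists as unavailable in bridge mode (names are assumed).
PROXY_ONLY_CONTAINERS = {
    "private_interface", "network_firewall", "server_group",
    "tcp_pooling", "oob_monitoring", "backup_rule_group",
}


@dataclass
class Application:
    name: str
    vip: str
    port: int
    protocol: str = "http"


@dataclass
class Vsite:
    name: str
    primary_gateway: str
    bridged: bool = False
    containers: Set[str] = field(default_factory=set)
    applications: List[Application] = field(default_factory=list)


@dataclass
class Cluster:
    bridge_all: bool  # the cluster-level 'bridge-all' parameter
    vsites: List[Vsite] = field(default_factory=list)


def lint(cluster: Cluster) -> List[str]:
    """Return one message per violated bridge-mode or wildcard rule."""
    problems: List[str] = []
    bridged = [v for v in cluster.vsites if v.bridged]

    # No active-active for bridged vsites: they must fail over as a unit.
    gateways = sorted({v.primary_gateway for v in bridged})
    if len(gateways) > 1:
        problems.append(f"bridged vsites span several primary gateways: {gateways}")

    wildcards: List[Tuple[Vsite, Application]] = []
    for v in cluster.vsites:
        if v.bridged:
            for c in sorted(v.containers & PROXY_ONLY_CONTAINERS):
                problems.append(f"{v.name}: container '{c}' is not available in bridge mode")
            for a in v.applications:
                if a.protocol == "ftp":
                    problems.append(f"{v.name}/{a.name}: FTP is not supported in bridge mode")
        for a in v.applications:
            if a.vip == WILDCARD_VIP:
                if not v.bridged:
                    problems.append(f"{v.name}/{a.name}: wildcard VIP requires a bridged vsite")
                wildcards.append((v, a))

    if wildcards:
        if not cluster.bridge_all:
            problems.append("cluster 'bridge-all' must be 'yes' when wildcard applications exist")
        owners = sorted({v.name for v, _ in wildcards})
        if len(owners) > 1:
            problems.append(f"wildcard applications must share one bridged vsite, found: {owners}")
        by_port: Dict[int, str] = {}
        for v, a in wildcards:
            if a.port in by_port:
                problems.append(f"{v.name}/{a.name}: wildcard port {a.port} already used by {by_port[a.port]}")
            else:
                by_port[a.port] = f"{v.name}/{a.name}"
    return problems


def sample_cluster(valid: bool) -> Cluster:
    """Constructed sample: a clean layout, or one that violates five rules."""
    if valid:
        return Cluster(bridge_all=True, vsites=[
            Vsite("bridge1", "gw1", bridged=True, applications=[
                Application("any_http", WILDCARD_VIP, 80),
                Application("any_https", WILDCARD_VIP, 443),
            ]),
            Vsite("proxy1", "gw2", containers={"server_group", "network_firewall"},
                  applications=[Application("shop", "10.0.0.10", 443)]),
        ])
    return Cluster(bridge_all=False, vsites=[
        Vsite("bridge1", "gw1", bridged=True, containers={"server_group"}, applications=[
            Application("any_http", WILDCARD_VIP, 80),
            Application("dup_http", WILDCARD_VIP, 80),
        ]),
        Vsite("bridge2", "gw2", bridged=True, applications=[
            Application("any_https", WILDCARD_VIP, 443),
        ]),
    ])


if __name__ == "__main__":
    for msg in lint(sample_cluster(valid=False)):
        print("-", msg)
```

The invalid sample trips every rule at once: split primary gateways, a server group inside a bridged vsite, bridge-all off, wildcard applications spread over two vsites, and two wildcard applications on port 80. A proxy vsite may keep its server group and network firewall, which is why the valid sample passes.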
Chapter 2

Creating a Vsite

A virtual site (vsite) represents a Web traffic control center that includes private interface, server group, server, and application definitions. This chapter provides instructions for creating a vsite. It includes the following topics:
Creating a Vsite
Creating a Bridged Vsite
Creating a Private Interface
Creating a Server Group
Configuring a Web Server
Configuring a Bridged Web Server
Configuring Response Pages
Configuring Trusted Hosts
Configuring Session Identifiers
Configuring Custom Parameter Classes
Configuring CRLs
Procedures for creating applications within a vsite are discussed in subsequent chapters.

Creating a Vsite

A vsite is an administrator-defined portal to a data center. You define the resources and rules that control traffic to and from the data center through the vsite. You can create multiple vsites to address differing conditions, applications, and user populations. The vsite processes all application-specific traffic that is sent over the TCP/IP connection. You can create separate applications within a vsite to handle HTTP, HTTPS, FTP, SMTP, IMAP, and POP3 traffic.
To create a vsite, do the following:
1. From the Configuration Home page, select Vsite from the Add drop-down list located in the Vsites table. The Create page opens. In this page, do the following (in the specified parameter fields):
a. Name: Enter a name for the new vsite.
b. Primary Gateway: Keep the default setting of the current NC-Gateway. This parameter can be changed only if there is a peer NC-Gateway configured in a redundant environment (see Chapter 7, “Redundancy Configuration,” in the NetContinuum Application Security Gateway System Administration Guide (449-000016-00)).
c. Redundancy Enabled: Keep the default setting of On. This parameter has no effect on a standalone system.
2. Click Add to save and activate the new settings.
3. Repeat step 1 to add additional vsites.
4. To make a change, select one of the vsites from the Vsites table and click the Edit... button. The Edit page opens. In this page, enter the desired value (or select the alternate value from the drop-down list) for that parameter and then click Update to save and activate the new setting(s).
The following table lists the vsite container parameters. These parameters can be changed after a vsite is created.
Table 2-1. Vsite Parameters

Name
  Description: Sets the name for the vsite. (Names cannot contain spaces, slashes, punctuation, or special characters.)
  Options: User defined (default is vsite)

Primary Gateway
  Description: Sets the NC-Gateway where this vsite will be active, that is, the NC-Gateway where the application-specific traffic will be processed. By default, this is the NC-Gateway on which the vsite was created. If there is a peer NC-Gateway in a redundant environment, this parameter can be set to the peer.
  Options: Any NC-Gateway in the cluster

Redundancy Enabled
  Description: Enables redundancy for this vsite. It has no effect on a standalone system. In a redundant configuration it has the following effect:
    On: Services are normally active on the gateway specified by Primary Gateway. If that gateway fails, the other gateway takes over the services.
    Off: Services are active only on the gateway specified by Primary Gateway. If that gateway fails, the other gateway does NOT take over, and the services remain unavailable until the first gateway is rebooted.
  Options: On (default), Off