This post shows how to configure location-based access and the IP Reputation feature for web apps delivered through NetScaler.
Key takeaways
Increase the security level of business applications by using location-based access and/or IP Reputation.
Security – limit exposure of business apps to a geographic location and block known anonymous VPN proxies, botnets, malware sources etc.
Low cost – both a free GeoIP database and a subscription-based GeoIP database are available.
Flexibility – control access to resources based on country and/or city.
Note that the IP Reputation feature requires a Platinum license, whereas location-based access via GeoIP uses the AppExpert Responder engine, which is available in Standard edition.
Use Case
Typically, clients that operate from within one or more countries and/or cities and wish to reduce the exposure of business applications by defining access based on location criteria.
This use case can be combined with the IP Reputation feature on NetScaler to block access from known "bad IPs", to prevent Denial of Service, scanners, malware attacks etc.
A GeoIP database can be downloaded from e.g. MaxMind or several other public services at no cost.
A subscription-based license from MaxMind can be purchased to receive dynamic updates as GeoIP assignments change.
Configuration Guideline – Location Based Access via GeoIP
Note: in Part 2, an HTTP callout will be used to update the GeoIP DB dynamically.
Pre-req:
Download GeoIP DB CSV and Upload CSV to /var/geoip/ via SFTP
https://dev.maxmind.com/geoip/legacy/geolite/#Downloads
Location-based access can be configured with the following NS CLI commands:
Add the downloaded GeoIP database as a location file
add locationFile "/var/geoip/GeoIPCountryWhois.csv" -format geoip-country
Add a message action to log every block (the string literals inside the expression must be escaped with \" on the CLI):
add audit messageaction audit_act_location_access WARNING "\"Access from ClientIP has been blocked by location based access policy: \"+CLIENT.IP.SRC+\" This client IP issued a \"+HTTP.REQ.METHOD+\" request for \"+HTTP.REQ.HEADER(\"Host\")+HTTP.REQ.URL.HTTP_URL_SAFE+\" User-agent was registered as: \"+HTTP.REQ.HEADER(\"User-Agent\")" -logtoNewnslog YES -bypassSafetyCheck YES
Add the responder action and policy, attach the message action, and bind the policy to the vserver (the HTML page html_location_deny must have been imported as a responder HTML page beforehand; the policy blocks any client that is not located in DK and not in one of the listed private subnets, which also means clients whose IP is absent from the GeoIP database are blocked):
add responder action resp_act_location_deny respondwithhtmlpage html_location_deny -responseStatusCode 200
add responder policy resp_pol_drop_none_allowed_countries "CLIENT.IP.SRC.MATCHES_LOCATION(\"_.DK._._._.*\").NOT && CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/24).NOT && CLIENT.IP.SRC.IN_SUBNET(172.16.0.0/12).NOT && CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT" resp_act_location_deny -logAction audit_act_location_access
bind vpn vserver "<LB-vip or NSG-vip>" -policy resp_pol_drop_none_allowed_countries -priority 100 -gotoPriorityExpression END -type REQUEST
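To check what the responder policy above will do before it goes live, the following added example (not from the post and not NetScaler code) models the same decision offline: it parses the legacy GeoIPCountryWhois.csv layout and reproduces the rule "block unless the client is in DK or in one of the three private subnets". The CSV rows are constructed sample data, not real MaxMind records.

```python
import bisect
import csv
import io
import ipaddress

# Constructed rows in the legacy GeoIPCountryWhois.csv layout:
# "startIP","endIP",startInt,endInt,"CC","Country name"  (values are made up)
SAMPLE_CSV = '''"2.0.0.0","2.15.255.255",33554432,34603007,"DK","Denmark"
"5.0.0.0","5.0.255.255",83886080,83951615,"DE","Germany"
"8.8.8.0","8.8.8.255",134744064,134744319,"US","United States"
'''

# Exactly the subnets excluded by resp_pol_drop_none_allowed_countries
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8")]


def load_ranges(csv_text):
    """Return a sorted list of (start_int, end_int, country_code) from the CSV."""
    ranges = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6:
            continue  # skip blank or malformed lines
        start = int(ipaddress.IPv4Address(row[0]))  # same value as column 3
        end = int(ipaddress.IPv4Address(row[1]))    # same value as column 4
        ranges.append((start, end, row[4]))
    ranges.sort()
    return ranges


def lookup_country(ranges, ip):
    """Country code for ip, or None when no range covers it (no MATCHES_LOCATION hit)."""
    n = int(ipaddress.IPv4Address(ip))
    starts = [r[0] for r in ranges]
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and ranges[i][0] <= n <= ranges[i][1]:
        return ranges[i][2]
    return None


def policy_blocks(ranges, ip, allowed_cc="DK"):
    """Mirror of the responder rule: MATCHES_LOCATION(DK).NOT && not in any private subnet."""
    if any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS):
        return False
    # An IP missing from the database yields None, which is != allowed_cc -> blocked,
    # just as MATCHES_LOCATION(...).NOT is true for an unlocatable client on NetScaler.
    return lookup_country(ranges, ip) != allowed_cc
```

Running policy_blocks over a list of real client addresses from a web log is a quick way to spot collateral blocks, e.g. 192.168.1.x clients fall outside the 192.168.0.0/24 exclusion used in the post.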
Configuration Guideline – IP Reputation
Low-hanging fruit for tightening security.
IP Reputation can be used from either the Responder or the Application Firewall engine; Responder has the lower CPU footprint.
Citrix integrates with the Webroot public cloud service as the source for IP reputation data. To troubleshoot IP Reputation, analyze this log file:
cat /var/log/iprep.log
NS CLI (enable the feature, add a responder policy that drops requests from IPs flagged as malicious, and bind it to the content switching vserver):
enable ns feature Reputation
add responder policy resp-pol-drop-maliciosIPs-ipreputation CLIENT.IP.SRC.IPREP_IS_MALICIOUS DROP
bind cs vserver cs-vs-443-default-ext -policyName resp-pol-drop-maliciosIPs-ipreputation -priority 100 -gotoPriorityExpression END -type REQUEST