
Instant Protection for Shellshock – NetScaler App Firewall

October 8, 2014

I’ve been getting hammered with clients asking about Shellshock. Are the various products they have implemented vulnerable? Is there a fix yet? How can we implement the fix? What is the work effort?

While every external-facing Linux server should definitely be patched, the NetScaler can protect your Linux servers right now. Even if no fix is available yet for your Linux-hosted web application, the NetScaler Application Firewall feature can recognize attempts to exploit the vulnerability and block them before they reach the web server.

The NetScaler Application Firewall has been around a long time (Citrix acquired Teros in 2005 for this functionality). Until a few years ago, the app firewall relied primarily on a positive security model: the AppFw learned normal behavior, allowed it, and automatically blocked anything outside it. This has been a great way to block zero-day exploits, because exploit requests typically look abnormal compared to regular traffic.

Citrix has since added signature-based attack detection as well. It allows standard attack signatures (e.g., from Qualys) to be imported and used to protect web services. A day after Shellshock first made waves in the media, a signature was available for download.

To protect a Linux web server, you would need to:

1) Create a server, service/service group, and virtual server for the web application (if it isn’t already hosted through the NetScaler)

2) Ensure the signatures are updated (can update through the GUI)

3) Use the AppFw wizard to set up a policy and enable the web-shell-shock signature

4) Click Finish in the wizard to bind the policy globally

You’re done! With a global policy, all VIPs going through the NetScaler will be protected from Shellshock.
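To make concrete what a signature like this is looking for, here is an added illustration that is not Citrix's signature and not from this post: a simplified check over constructed HTTP requests. The regex is an assumed stand-in for the real rule, the function names are hypothetical, and the sample requests are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Stand-in for the signature pattern (an assumption, not the NetScaler rule):
# a value that begins with "() {" is a bash exported-function definition,
# which is the trigger for CVE-2014-6271. Values are percent-decoded first,
# because a CGI server decodes them before they land in environment variables.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request head into the request line plus lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    fields = {"request-line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def matching_fields(req: Dict[str, str]) -> List[str]:
    """Return the names of all fields whose decoded value matches the signature.

    The query string is checked as well: a CGI server exports it as
    QUERY_STRING, so it is another path by which request text reaches bash.
    """
    hits = []
    for name, value in req.items():
        candidates = [unquote(value)]
        if name == "request-line" and "?" in value:
            candidates.append(unquote(value.split("?", 1)[1].split(" ", 1)[0]))
        if any(SHELLSHOCK_RE.search(c) for c in candidates):
            hits.append(name)
    return hits


def inspect(raw: str) -> str:
    """Verdict a signature-based WAF would give: BLOCK on any match, else ALLOW."""
    return "BLOCK" if matching_fields(parse_request(raw)) else "ALLOW"


# Constructed sample traffic, not captured from any real system.
BENIGN = ("GET /cgi-bin/status?host=web01 HTTP/1.1\r\nHost: example.test\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
         "User-Agent: () { :; }; echo constructed-sample\r\n\r\n")
```

Running `inspect(BENIGN)` returns ALLOW and `inspect(PROBE)` returns BLOCK, with `matching_fields` naming the User-Agent header as the offending field; a real signature engine applies many such patterns across all request parts, which is why keeping the signature file updated (step 2) matters.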

Keep in mind the NetScaler Application Firewall requires NetScaler Platinum licensing.

Enjoy!
