# this is the text which will end up within readme.pdf, when processed
# by readme.php.
#
# the syntax being used is fairly obvious:
#
# a line starting with '#' is a comment or a directive
# 1<title>  is a first level heading (text is 'title')
# 2<heading> is a second level heading (text is 'heading')
#
# the table of contents is automatically generated from the titles and headings.
#
# "#NP" starts a new page
# "#C" starts a code section (put this on a line by itself)
# "#c" end the code section
# "#X" and "#x" surround a block which will be executed as php code.
#
# <b></b> <i></i> can be used within the text with gleeful abandon
#
# a link can be added within the text using <c:alink:url_here>label</c:alink>


1<<b>Description</b>>

	This report summarises the NetScaler AppFW-related security measures, to aid an auditor in assessing PCI-DSS 4.0 compliance. It indicates which security measures are enabled in this context and offers further suggestions wherever relevant.


1<<b>Firewall License and Feature status</b>>

#X
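// Report whether the Application Firewall module is licensed and enabled.
// $_SESSION['licenseMap']['appfw'] is the license flag collected by the report
// script; $appfw_feature_enabled, $pdf and $fontSize also come from the
// enclosing script.  Findings that need action are printed bold and in red.
$noLicenseTxt="Firewall module is not licensed. Firewall rules, protection for credit cards, and masking of PIN/PAN numbers cannot be enforced.";
$noEnabledTxt="Firewall module is not enabled. Firewall rules, protection for credit cards, and masking of PIN/PAN numbers cannot be enforced.";
$noProblemTxt="Firewall module is licensed and enabled. Firewall rules, protection for credit cards, and masking of PIN/PAN numbers can be enforced.";
// isset() on the nested key avoids an undefined-index notice when the license
// map is present but carries no 'appfw' entry; that case is reported as
// "not licensed", which is what the original fall-through produced as well.
if (isset($_SESSION['licenseMap']['appfw']) && $_SESSION['licenseMap']['appfw'])
{
    if (isset($appfw_feature_enabled) && $appfw_feature_enabled)
    {
        $pdf->ezText($noProblemTxt, $fontSize, array('left'=>20));
    }
    else
    {
        $pdf->ezText("<b><c:colorit:\$r=1;>".$noEnabledTxt."</c:colorit></b>", $fontSize, array('left'=>20));
    }
}
else
{
    $pdf->ezText("<b><c:colorit:\$r=1;>".$noLicenseTxt."</c:colorit></b>", $fontSize, array('left'=>20));
}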

#x

1<<b>NetScaler</b>>

#X
  // Appliance identification: print each attribute the report script
  // collected; attributes that are not set (or are null) are omitted.
  $identity = array(
      'IP'             => isset($ipaddress) ? $ipaddress : null,
      'Host ID'        => isset($hostid) ? $hostid : null,
      'Netscaler UUID' => isset($netscaleruuid) ? $netscaleruuid : null,
  );
  foreach ($identity as $label => $value) {
      if ($value !== null) {
          $pdf->ezText("<b>".$label.": </b>".$value, $fontSize, array('left'=>20));
      }
  }
#x


1<<b>Executive Summary</b>>


#X
	// Executive summary table, rendered by the report script's displayEntity helper.
	$executiveSummaryName = "appfwProfileExecutiveSummary";
	displayEntity($appfwProfileExecutiveSummary, $executiveSummaryName);
#x


1<<b>Requirement 2: Apply Secure Configurations to All System Components</b>>

#X
// Requirement 2.1: default nsroot password.  Names reflect what each heading
// reports: NO = the factory password is still in use.
$passwordNotChangedHead = "<b>2.1 Have you changed the password for the nsroot account? NO </b>";
$passwordChangedHead    = "<b>2.1 Have you changed the password for the nsroot account? YES </b>";
$passwordAdvice         = "To bring this appliance into compliance, change the password for the nsroot account.";

// $nsdefaultpasschanged is "0" while the default password is still in use.
// NOTE(review): when the variable is absent the report falls into the YES
// branch, i.e. an unknown state is reported as compliant — confirm the
// collector always sets it.
$defaultPasswordInUse = isset($nsdefaultpasschanged) && $nsdefaultpasschanged == "0";
if ($defaultPasswordInUse) {
    $pdf->ezText($passwordNotChangedHead, $fontSize, array('left'=>20));
    $pdf->ezText("<b><c:colorit:\$r=1;>".$passwordAdvice."</c:colorit></b>", $fontSize, array('left'=>20));
} else {
    $pdf->ezText($passwordChangedHead, $fontSize, array('left'=>20));
}
#x

	<b>2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. </b>

		<b>CLI configuration. YES </b>
#X
        // CLI transport findings: SSH is acceptable; Telnet is a plaintext
        // finding and is printed in red with the remediation.
        $sshEnabled    = isset($sshAccess) && $sshAccess == "ENABLED";
        $telnetEnabled = isset($telnetAccess) && $telnetAccess == "ENABLED";
        if ($sshEnabled) {
            $pdf->ezText("CLI accessed via SSH.", $fontSize, array('left'=>40));
        }
        if ($telnetEnabled) {
            $pdf->ezText("CLI accessed via Telnet", $fontSize, array('left'=>40));
            $pdf->ezText("<b><c:colorit:\$r=1;>Disable Telnet access, enable access only through SSH.</c:colorit></b>", $fontSize, array('left'=>40));
        }
#x
#X
// GUI (web) management access.  $guiAccess, as read here, is "SECUREONLY" for
// HTTPS-only access, "ENABLED" for HTTP and HTTPS, and anything else means the
// GUI is not reachable.
$guiBothModes   = "The GUI configuration tool can be accessed via both HTTP and via HTTPS (SSL).";
$guiHttpsOnly   = "The GUI configuration tool can be accessed only via HTTPS (SSL).";
$guiHttpsAdvice = "To bring this appliance into compliance, enable GUI access only through secure mode.";

$guiState = isset($guiAccess) ? $guiAccess : null;
if ($guiState == "SECUREONLY") {
    $pdf->ezText("<b>GUI configuration. YES</b>", $fontSize, array('left'=>40));
    $pdf->ezText($guiHttpsOnly, $fontSize, array('left'=>40));
} elseif ($guiState == "ENABLED") {
    $pdf->ezText("<b>GUI configuration. YES</b>", $fontSize, array('left'=>40));
    $pdf->ezText($guiBothModes, $fontSize, array('left'=>40));
    $pdf->ezText("<b><c:colorit:\$r=1;>".$guiHttpsAdvice."</c:colorit></b>", $fontSize, array('left'=>40));
} else {
    // NOTE(review): this heading is indented at 20 while the YES heading uses
    // 40 — looks unintended, kept as-is to preserve the report layout.
    $pdf->ezText("<b>GUI configuration. NO</b>", $fontSize, array('left'=>20));
}
#x

1<<b>Requirement 3: Protect Stored Account Data</b>>

	<b>3.2 Storage of account data is kept to a minimum.</b> 
	<b>3.2.1 Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:</b> 
		Coverage for all locations of stored account data. 
		Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization.
		Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. 
		Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. 
		Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. 
		A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.
		
		NetScaler does not store any sensitive cardholder data.

	<b>3.2.2 Does the Application Switch or any protected application store credit card verification codes after authorization? </b>
		To bring your Application Switch and protected web applications into compliance with this security measure, configure a rule that uses the Confidential Fields Logging feature for any form field in any web form on a protected application that accepts verification codes.

	<b>3.2.3 Does the Application Switch or any protected application store Personal Identification Numbers (PINs) or PIN block after authorization? </b>
		To bring your Application Switch and protected web applications into compliance with this security measure, configure a rule that uses the Confidential Fields Logging feature for any form field in any web form on a protected application that accepts PINs or PIN block.

	<b>3.3 Sensitive authentication data (SAD) is not stored after authorization. </b>
	<b>3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. </b> 
		NetScaler does not store sensitive authentication data. To bring your Application Switch and protected web applications into compliance with this security measure, configure a rule using the Confidential Fields Logging feature for any form field in any web form on a protected application. The information typed into a web-form field designated as confidential is not logged.

	<b>3.4 Access to displays of full PAN and ability to copy PAN is restricted. </b>
	<b>3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need. </b>
		The Application Switch will mask display of any credit card numbers that you have configured as "protected". See the Credit Card Protection Status table below to determine which credit card types are protected on your Application Switch. To mask display of any credit card type not included in the list, configure a Safe Object rule that uses the x-out feature for each form field that accepts the PAN for that type of credit card.

	<b>3.5 Primary account number (PAN) is secured wherever it is stored. </b>
		NetScaler does not store sensitive authentication data. To bring your Application Switch and protected web applications into compliance with this security measure, configure a rule using the Confidential Fields Logging feature for any form field in any web form on a protected application. The information typed into a web-form field designated as confidential is not logged.

#X

    // Credit Card Protection Status table, followed by the confidential-fields table.
    displayEntity($creditcard, "creditcard");
    // A blank line is emitted only when no confidential-field rules were
    // collected — presumably to keep the spacing before the empty table.
    $hasConfidFields = isset($appfwconfidfield);
    if (!$hasConfidFields) {
        $pdf->ezText("\n");
    }
    displayEntity($appfwconfidfield, "appfwconfidfield");

#x


1<<b>Requirement 6: Develop and Maintain Secure Systems and Software</b>>

	<b>6.2 Bespoke and custom software are developed securely. </b>
	<b>6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following: </b>

		<b>Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. </b>
		Injection flaws can be prevented by enabling HTML SQL Injection, Cookie Consistency, XML SQL Injection, XML Path Injection, and XML Message Validation. Custom injection-prevention patterns can also be added in the SQL Injection section of the Signatures to cover other kinds of injection.

		<b>Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. </b>
		Maximum URL/Cookie/Header length can be configured as Buffer overflow parameters.
		
		<b>Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF). </b>
		Cross-site scripting can be prevented by enabling HTML Cross-site scripting and XML Cross-site scripting. Cross-site Request Forgery can be prevented by enabling CSRF Form Tagging.
		
		<b>Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms. </b>
		Improper Access Control can be prevented by adding Start URLs which make sure only those URLs specified are allowed. A negative list can also be specified in the Deny URLs. 
		
		<b>Attacks via any "high-risk" vulnerabilities identified in the vulnerability identification process. </b>
		Defense against vulnerabilities can be attained by NetScaler WAF Signature updates.

	<b>6.4 Public-facing web applications are protected against attacks. </b>
	<b>6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: </b>
		Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks. 
		Actively running and up to date as applicable. 
		Generating audit logs. 
		Configured to either block web-based attacks or generate an alert that is immediately investigated.

		NetScaler WAF provides a suite of protection checks that can be used to protect public-facing web applications from attacks. The WAF Recommendation scanner available on ADM can scan your web apps and suggest protection checks as well. See the following link for more information.
		https://docs.netscaler.com/en-us/citrix-application-delivery-management-software/current-release/analytics/security/unified-security-dashboard.html#waf-recommendation-scanner
		NetScaler WAF can help block both known attacks (using Signatures) and unknown attacks (using the positive security model). The latest Signatures can be downloaded from the NetScaler website and applied to the Application Firewall. Enabling auto-update ensures that updates are applied as soon as they are made available.

	<b>6.4.3 All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: </b>
		A method is implemented to confirm that each script is authorized. 
		A method is implemented to assure the integrity of each script. 
		An inventory of all scripts is maintained with written justification as to why each is necessary.

		Rewrite configuration can be added to configure a Content-Security policy.

#X
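    // Link from the main report to the detailed Application Firewall
    // configuration report.  Emitted only when credit-card data was collected
    // and this is the "main" report ($g_pargs comes from the report script).
    $appfwConfigurationLinkTxt = "Please review the section on details of Application Firewall Configuration.";
    if (isset($creditcard))
    {
        // HTTP_HOST is taken from the incoming request, so it is client-supplied.
        // The allow-list below strips anything that could break out of the link
        // markup; it does not check that the value names this appliance.
        $host = getenv("HTTP_HOST");
        $host = preg_replace("/[^a-zA-Z0-9 _.:\\-]/", "", $host);
        // isset() guard: an absent 'which_report' entry is treated as "not the
        // main report" instead of raising an undefined-index notice.
        if (isset($g_pargs['which_report']) && $g_pargs['which_report'] == "main")
        {
            $pdf->ezText($g_pargs['tabChars'] ."<c:alink:http://$host/pcidss/launch_report?type=fwconfig>".$appfwConfigurationLinkTxt."</c:alink>");
        }
    }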
#x


1<<b>Requirement 8: Identify Users and Authenticate Access to System Components</b>>
	
	<b>8.2 Are users required to use unique usernames and passwords to access the Application Switch? </b>
		Create user accounts and passwords for each system administrator or other person who accesses the Application Switch.

	<b>8.4 Does the Application Switch require users to authenticate using either a password or passphrase or a two-factor authentication? YES </b>
		The Application Switch requires all users to use a password for authentication.


1<<b>Requirement 10: Log and Monitor All Access to System Components and Cardholder Data </b>>

	<b>10.4 Audit logs are reviewed to identify anomalies or suspicious activity. </b>
	<b>10.4.1.1 Automated mechanisms are used to perform audit log reviews. </b>
		Customers can use ADM and an external SIEM to manage all system logs and alerting.
	
	<b>10.6 Are system clocks and times synchronized? </b>
#X
// Requirement 10.6: clock synchronisation.  $ntpServers is used as a numeric
// count of configured NTP servers; $ntpsync is the synchronisation state
// reported by the appliance.  Missing configuration or disabled sync is a
// finding and is printed in red with the remediation.
$ntpNoConfig="Please configure a known, stable NTP server to synchronize the system clock with the rest of your network.";
$ntpConfiguredAndEnabled="NTP configuration is present and synchronization is enabled.";
$ntpSyncDisabled="NTP configuration is present and synchronization is disabled.";

$ntpServerCount = isset($ntpServers) ? intval($ntpServers) : 0;
$ntpSyncEnabled = isset($ntpsync) && $ntpsync == "ENABLED";
if ($ntpServerCount <= 0) {
    $pdf->ezText("NTP configuration is not present", $fontSize, array('left'=>40));
    $pdf->ezText("<b><c:colorit:\$r=1;>".$ntpNoConfig."</c:colorit></b>", $fontSize, array('left'=>40));
} elseif ($ntpSyncEnabled) {
    $pdf->ezText($ntpConfiguredAndEnabled, $fontSize, array('left'=>40));
} else {
    $pdf->ezText($ntpSyncDisabled, $fontSize, array('left'=>40));
    $pdf->ezText("<b><c:colorit:\$r=1;>Enable NTP Synchronization</c:colorit></b>", $fontSize, array('left'=>40));
}
#x

1<<b>Requirement 11: Test Security of Systems and Networks Regularly </b>>

	<b>11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed. </b>
	<b>11.3.1.1 All other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: </b>
		Addressed based on the risk defined in the entity's targeted risk analysis. 
		Rescans are conducted as needed. 

		NetScaler WAF can help block both known attacks (using Signatures) and unknown attacks (using the positive security model). The latest Signatures can be downloaded from the NetScaler website and applied to the Application Firewall. Enabling auto-update ensures that updates addressing external and internal vulnerabilities are applied as soon as they are made available. 
		Customers can also add custom signatures/3rd party scan reports to protect against bespoke components.


	<b>11.6 Unauthorized changes on payment pages are detected and responded to. </b>
	<b>11.6.1 A change- and tamper-detection mechanism is deployed as follows: </b>
		To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. 
		The mechanism is configured to evaluate the received HTTP header and payment page. 
		The mechanism functions are performed as follows: 
			- At least once every seven days 
				OR
			- Periodically

		Using rewrite signed verification, cookie consistency checks and form-field consistency checks may help prevent unauthorized modifications.


