Citrix NetScaler Security

Johnny Dau

Recently, I had an opportunity to learn and work with one of Citrix’s flagship products called NetScaler. In this two-part article, I am writing a broad overview on the NetScaler’s functionalities. There are two NetScaler product lines: NetScaler Gateway and NetScaler ADC (Application Delivery Controller). NetScaler Gateway is a scaled down version of the NetScaler ADC that provides users with secure remote access. NetScaler ADC, on the other hand, is a full suite application delivery controller that also includes the NetScaler Gateway functionalities. This article only focuses on the overview of NetScaler ADC.

Citrix NetScaler ADC is an all-in-one networking appliance that improves performance, security, and resiliency of applications delivered over the Web. It has many functions to optimize, secure, and control the delivery of all enterprise and cloud services while maximizing end users’ experiences. A discussion on every function that the NetScaler ADC has to offer is beyond the scope of this paper. However, I will broadly categorize its many functions into two separate areas: security and traffic optimization and management. Part one of this paper will examine the core security features that NetScaler ADC has. The remaining functions will be discussed in part two of this series.

Security is one of the core features of the Citrix NetScaler ADC appliance. Its primary security function is the Web application firewall that operates from L4 to L7. The appliance sits between the clients on the Internet and the internal Web server farms. It protects the Web servers against known and unknown threats by employing a hybrid security model that encompasses both positive and negative models. A positive security model blocks all traffic by default and only allows good traffic identified by a set of rules to pass. It protects Web applications from buffer overflow, CGI-BIN parameter manipulation, form/hidden field manipulation, forceful browsing, cookie or session poisoning, broken ACLs, cross-site scripting, command injection, SQL injection, error triggering sensitive information leak, insecure use of cryptography, server misconfiguration, back doors and debug options, rate-based policy enforcement, well-known platform vulnerabilities, zero-day exploits, cross site request forgery, and leakage of credit card and other sensitive data.

A negative security model, on the other hand, allows all traffic to pass and only blocks traffic that is explicitly defined by a set of rules. It uses a rich set of signatures to protect against L7 and HTTP application vulnerabilities.

When an incoming client request is received on the NetScaler, the request is checked against the internal database of IP reputation-based signatures to prevent zero-day attacks and provide protection against malicious sources associated with Web attacks, phishing activity, and Web scanning. If the request passes signature inspections, then the application firewall applies the request security checks that have been enabled based on the positive security model. If the request passes the security checks, then they are forwarded to the destination Web servers. Similarly, responses from the Web servers are also checked to examine for leakage of sensitive private information, signs of website defacement, or other contents that should not be present before they are forwarded to the clients.

Other security functions of the NetScaler ADC include DNS security for protection against DNS cache poisoning, DNS DDoS, and random subdomain attacks; AAA for user authentication, authorization, and auditing; and NetScaler Gateway for secure remote access via ICA proxy and full-tunnel SSL VPN.

Related: Citrix Synergy — The Future of Work

In today’s market, there are many different network devices—such as network firewalls, network intrusion and prevention systems, and next-generation firewalls—that are used to protect, detect, and defend an organization’s network infrastructures against outside attacks. However, these devices have limitations and, deployed alone, fail to provide an adequate level of protection against the upper layers of network communications. The breadth and depth of coverage that these devices provide are simply not sufficient enough to protect most Web properties—especially custom ones—from the increasingly sophisticated and targeted attacks that now constitute a significant portion of the threat landscape. This is where the Web application firewall stands out. It picks up where other security technologies leave off, providing protection from threats that operate at the highest layers of the computing stack. Citrix NetScaler is certified by both ICSA Labs and NSS Labs.

Johnny Dau is a Senior System Engineer at Connection with over 15 years of experience in Cisco Unified Communications, Cisco routing and switching, and Cisco security. His certifications include Cisco CCIE Collaboration, Cisco CCNP Design, and Cisco CCNP Security.