Over 70 percent of successful Internet attacks now exploit vulnerabilities in the application or the application platform. NetScaler protects against a wide variety of threats with integrated security capabilities that protect applications resources, augmenting existing network-layer security protections.
Application Firewall Security
The NetScaler App Firewall secures web applications, prevents inadvertent or intentional disclosure of confidential information and aids in compliance with information security regulations such as PCI-DSS. The App Firewall is available as a standalone security appliance or as a fully integrated module of the NetScaler application delivery solution and is included with Citrix NetScaler, Platinum Edition.
Key features include:
Rapid deployment: Includes a hybrid security model that combines attack signature detection with an advanced learning engine. Leveraging a comprehensive database of attack signatures allows the App Firewall to be deployed rapidly into any environment and begin protecting the application infrastructure immediately. This negative security model is complemented by a learning engine that automatically learns the legal and expected application behaviors for each app or service. It then generates human-readable recommendations to further customize and strengthen security policies.
High performance web application security: Protect web servers without degrading throughput or application response times, and block attacks at multiple gigabytes per second rates.
Proven protection against attacks: Block all known and day-zero application-layer attacks, as well as web application behavior deviating from normal application use.
PCI-DSS compliance and simplified security audits: Help ensure Payment Card Industry Data Security Standards (PCI-DSS) compliance through the PCI-DSS compliance reporting tool, which shows Application Firewall settings relevant to PCI-DSS, how they should be configured and if they are being met.
A cross-site scripting attack (XSS), sends a web application an unvalidated script that activates when it is read by the browser or application to steal user identities, hijack user sessions, poison cookies, redirect users to malicious web sites, access restricted sites and even launch false advertisements. Application Firewall has dynamic context sensitive XSS attack protections that looks for anything that looks like an HTML tag and checks against allowed HTML attributes and tags to detect XSS attacks. Custom XSS patterns can be stored to modify this default list of tags and attributes. Both HTML and XML payloads are inspected. Field format protection and form field consistency is included. A cross-site scripting attack (XSS), sends a web application an unvalidated script that activates when it is read by the browser or application to steal user identities, hijack user sessions, poison cookies, redirect users to malicious web sites, access restricted sites and even launch false advertisements. Application Firewall has dynamic context sensitive XSS attack protections that looks for anything that looks like an HTML tag and checks against allowed HTML attributes and tags to detect XSS attacks. Custom XSS patterns can be stored to modify this default list of tags and attributes. Both HTML and XML payloads are inspected. Field format protection and form field consistency is included.
Cross-site request forgery (CSRF) attacks post an executable script that will run on a browser. An unsuspecting user will download the page and the script sends a forged HTTP request, including the victim's session cookie and any other authentication information, to a vulnerable web application. To block such attacks, Application Firewall provides CSRF form tagging where a unique token is added to each form sent to the client and requests are checked to see if it contains the unique tag ID provided by NetScaler. In addition, referrer header protection is included whereby CSRF attacks are blocked by checking if the referrer header is coming from an authorized site.
Web applications have database access privileges and are used to get to the SQL database. Fragments of SQL commands are sent to the web applications which in turn are passed to databases for execution. Application Firewall protects against SQL injection by monitoring for a combination of SQL key words and punctuation. Custom injection patterns can be stored to protect against any type of injection attack including XPath and LDAP. Field format protection features allow the administrator to restrict any user parameter to a regular expression. Form fields are checked for consistency to validate user forms against the user session form signatures to ensure validity of all form elements.
Application Firewall includes a rich set of XML-specific security protections and secures all flavors of XML. These include schema validation to thoroughly verify SOAP messages and XML payloads, and a powerful XML attachment check to block attachments containing malicious executables or viruses. Application Firewall also thwarts a variety of DoS attacks, including external entity references, recursive expansion, excessive nesting and malicious messages containing either long or a large number of attributes and elements. Advanced XML Protections include WSDL Scanning prevention and blocking of XPath injection attacks.
Buffer overflow attacks, among the most common application-layer exploits (Code Red and Nimda are well-known examples), attempt to overflow an input buffer with excessive data, enabling it to run a remote shell on the machine and gain the same system privileges granted to the application being attacked. Application Firewall performs a deep stream inspection on all HTTP traffic to block buffer overflows anywhere in a client request and limits input parameter sizes for URLs, headers and cookies.
Application Firewall business object protection prevents the unauthorized and inadvertent leakage of sensitive customer or corporate information. If a sensitive data object is detected in a server response, Application Firewall can block the page, strip or mask the object. Application Firewall ensures that no information is sent from the web server that would compromise customer data and result in potential identity theft. Citrix Business Object Protection modules are ideal for achieving regulatory compliance with Gramm-Leach-Bliley, the California Database Breach Act and other privacy mandates.
Denial of Service (DoS) protection
NetScaler stops damaging denial of service attacks, such as SYN Flood, HTTP DoS, and Ping of Death, while still allowing legitimate users to maintain access to critical application resources. It implements an enhanced SYN cookie mechanism that operates at wire-speed to provide superior attack protection, even against broadly distributed clients causing traffic floods.
Key protection methods:
Resource allocation: NetScaler only allocates its own system resources to manage a connection once a client has fully completed the three-way TCP handshake, ensuring that the server is only handling fully completed and legitimate clients.
Non-forgeable connections: An enhanced SYN cookie protection scheme renders common forged connection techniques obsolete, yet remains fully compatible with the TCP protocol.
Rate limiting: NetScaler policies throttle back users or connections that exceed administrator-defined thresholds for maximum consumed bandwidth or request rates, thus preserving finite resources for users accessing applications within more normal parameter boundaries.
High-speed packet engine: NetScaler serves as a proxy for back-end server resources and processes TCP connections and traffic at wire speed. Even multi-gigabit rates of traffic do not overload NetScaler platforms, enabling the system to protect the entire environment from traffic floods.
Secure Remote Access with Access Gateway
Citrix Access Gateway is a proven SSL VPN solution that delivers secure remote access for applications, and is the best SSL VPN solution to deliver secure virtual desktops. Citrix Access Gateway protects data and empowers the user to work in any location by:
Enabling access from any device while reducing support overhead
Encrypting network and application traffic
Scanning remote devices to ensure a proper security configuration and prevent malware
Ensuring that users prove their identity before connecting to the organization's network
Providing access to the correct set of resources required by user
Enforcing access control and corporate security policies
Logging and reporting user activity
Strong SSL application protection
NetScaler MPX and SDX appliances are performance optimized for the strongest SSL encryption levels, including 2048-bit and longer keys. NetScaler appliances integrate state-of-the-art cryptographic acceleration technology, and optimize these capabilities to deliver the fastest SSL performance in the industry.
NetScaler ADC architecture includes SSL offload and acceleration ASICs, and provides intelligent load balancing of these resources to provide the best processing performance and lowest latency.
NetScaler establishes multiple queues per integrated SSL chip to eliminate idle processing cycles and achieve maximum SSL transaction rate performance.
NetScaler SDX multi-tenant platforms provide full SSL resource isolation, preventing one ADC instance from consuming disproportionate processing capacity and thus degrading the performance of other tenants.
FIPS Compliance
Citrix offers NetScaler ADC solutions that are fully compliant with Federal Information Processing Standards (FIPS), and support more than 4.5 Gbps of SSL throughput.
Application Firewall, in conjunction with Citrix Access Gateway, Enterprise Edition, restricts access to applications and data by allowing only the use of approved protocols and methods, only connections from trusted networks and only access to users who are authenticated and authorized. Application Firewall has obtained ICSA Labs Web Application Firewall Certification for additional assurance.
Application Firewall is easily configured to mask or block PANs and otherwise prevent the leakage of sensitive cardholder data, regardless of programmer oversight, logic flaws or targeted attacks. Complete server responses with PAN data can be blocked from being transmitted to the requesting client.
FIPS is a consideration within PCI DSS compliance. Four NetScaler appliances including the integrated Application Firewall module are FIPS 140-2 Level 2 compliant. These appliances securely maintain the certificates and encryption keys used for SSL/TLS and are all available in the FIPS versions of MPX 9700, MPX 10500, MPX 12500 and MPX 15500.
Application Firewall can be used to SSL-enable applications that were not designed to use secure communication protocols and support strong SSL cryptography with key lengths up to 4096-bit. Application Firewall inspects the contents of SSL/TLS encrypted sessions, ensures session validity and blocks attacks.
Cross-site scripting (XSS) attacks
