Next-generation application security

Over 70 percent of successful Internet attacks now exploit vulnerabilities in the application or the application platform. NetScaler protects against a wide variety of threats with integrated security capabilities that protect application resources, augmenting existing network-layer security protections.

AppFirewall Security

The NetScaler AppFirewall secures web applications, prevents inadvertent or intentional disclosure of confidential information and aids in compliance with information security regulations such as PCI-DSS. The AppFirewall is available as a standalone security appliance or as a fully integrated module of the NetScaler application delivery solution and is included with Citrix NetScaler, Platinum Edition.

Key features include:

  • Rapid deployment: Includes a hybrid security model that combines attack signature detection with an advanced learning engine. Leveraging a comprehensive database of attack signatures allows AppFirewall to be deployed rapidly into any environment and begin protecting the application infrastructure immediately. Thousands of signatures can be automatically updated through cloud service support.
  • Proactive security measure: A positive security model complements the negative security model with a learning engine that automatically learns the legal and expected application behaviors for each app or service. It then generates human-readable recommendations to further customize and strengthen security policies.
  • Proven protection against attacks: Block all known and zero-day application-layer attacks, as well as web application behavior deviating from normal application use.
  • PCI-DSS compliance and simplified security audits: Help ensure Payment Card Industry Data Security Standards (PCI-DSS) compliance through the PCI-DSS compliance reporting tool, which shows AppFirewall settings relevant to PCI-DSS, how they should be configured and if they are being met.

Denial of Service (DoS) protection

NetScaler stops damaging denial of service attacks, such as SYN Flood, HTTP DoS, and Ping of Death, while still allowing legitimate users to maintain access to critical application resources. It implements an enhanced SYN cookie mechanism that operates at wire-speed to provide superior attack protection, even against broadly distributed clients causing traffic floods.

Key protection methods:

  • Resource allocation: NetScaler only allocates its own system resources to manage a connection once a client has fully completed the three-way TCP handshake, ensuring that the server is only handling fully completed and legitimate clients.
  • Non-forgeable connections: An enhanced SYN cookie protection scheme renders common forged connection techniques obsolete, yet remains fully compatible with the TCP protocol.
  • Rate limiting: NetScaler policies throttle back users or connections that exceed administrator-defined thresholds for maximum consumed bandwidth or request rates, thus preserving finite resources for users accessing applications within more normal parameter boundaries.
  • High-speed packet engine: NetScaler serves as a proxy for back-end server resources and processes TCP connections and traffic at wire speed. Even multi-gigabit rates of traffic do not overload NetScaler platforms, enabling the system to protect the entire environment from traffic floods.

Strong SSL application protection

NetScaler MPX and SDX appliances are performance optimized for the strongest SSL encryption levels, including 2048-bit and longer keys. NetScaler appliances integrate state-of-the-art cryptographic acceleration technology, and optimize these capabilities to deliver the fastest SSL performance in the industry.

  • Intelligent load balancing: NetScaler ADC architecture includes SSL offload and acceleration ASICs, and provides intelligent load balancing of these resources to provide the best processing performance and lowest latency.
  • Improved SSL transaction rate performance: NetScaler establishes multiple queues per integrated SSL chip to eliminate idle processing cycles and achieve maximum SSL transaction rate performance.
  • Prevent performance degradation: NetScaler SDX multi-tenant platforms provide full SSL resource isolation, preventing one ADC instance from consuming disproportionate processing capacity and thus degrading the performance of other tenants.

Support for XenMobile MDM

NetScaler provides three capabilities for XenMobile Device Manager Servers:

  • Front-end optimization to ensure scalability, security and resiliency for mobile clients. Users can now experience the same level of availability and performance as with traditional consumer-based mobile services and news portals. NetScaler and XenMobile support over 100,000 concurrent users.
  • Enforcement point for granting and denying access to corporate mail services based on the mobile device state. NetScaler helps maximize the security of the application infrastructure by filtering Microsoft Exchange communications on a per transaction and per device basis with real-time policy updates provided by XenMobile. The XenMobile NetScaler Connector uses ActiveSync to control mail service access based on mobile device state.
  • Secure tunneling and policy driven access. NetScaler creates a secure tunnel via NetScaler Gateway and works with Citrix Cloud Gateway to ensure controlled, policy driven access to enterprise network resources. Control SSL VPN tunneling for mobile clients with application-level policies.

Secure Remote Access with NetScaler Gateway

Citrix NetScaler Gateway is a proven SSL VPN solution that delivers secure remote access for applications, and is the best SSL VPN solution to deliver secure virtual desktops. Citrix NetScaler Gateway protects data and empowers the user to work in any location by:

  • Enabling access from any device while reducing support overhead
  • Encrypting network and application traffic
  • Scanning remote devices to ensure a proper security configuration and prevent malware
  • Ensuring that users prove their identity before connecting to the organization's network
  • Providing access to the correct set of resources required by the user
  • Enforcing access control and corporate security policies
  • Logging and reporting user activity

FIPS Compliance

Citrix offers NetScaler ADC solutions that are compliant with Federal Information Processing Standards (FIPS), and support more than 4.5 Gbps of SSL throughput.

Key PCI-DSS mandates met by AppFirewall

Section 1.2: Deny traffic from untrusted networks and hosts

AppFirewall, in conjunction with Citrix Access Gateway Enterprise Edition, restricts access to applications and data by allowing only the use of approved protocols and methods, only connections from trusted networks and only access to users who are authenticated and authorized. AppFirewall has obtained ICSA Labs Web AppFirewall Certification for additional assurance.

Section 3.3: Mask account numbers when displayed

AppFirewall is easily configured to mask or block PANs and otherwise prevent the leakage of sensitive cardholder data, regardless of programmer oversight, logic flaws or targeted attacks. Complete server responses with PAN data can be blocked from being transmitted to the requesting client.

Section 3.5: Protect encryption keys against disclosure and misuse

FIPS is a consideration within PCI DSS compliance. Four NetScaler appliances, including the integrated AppFirewall module, are FIPS 140-2 Level 2 compliant. These appliances securely maintain the certificates and encryption keys used for SSL/TLS and are available as the FIPS versions of MPX 9700, MPX 10500, MPX 12500 and MPX 15500.

Section 4.1: Use strong cryptography and security protocols

AppFirewall can be used to SSL-enable applications that were not designed to use secure communication protocols and support strong SSL cryptography with key lengths up to 4096-bit. AppFirewall inspects the contents of SSL/TLS encrypted sessions, ensures session validity and blocks attacks.

Section 6.6: Audit and correct application code vulnerabilities or institute an application firewall

AppFirewall provides continuous protection against attacks with instantaneous attack blockage, dynamically adjusts to code changes and supports multiple applications simultaneously.
