How NetScaler App Firewall Works

Citrix NetScaler App Firewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications. Deployed in the application data path, directly in front of web servers, the solution analyzes all bi-directional traffic between the application and user, including SSL-encrypted traffic, without requiring any modification to applications.

Hybrid Security Model

NetScaler App Firewall enforces both positive and negative security models to provide the most complete and comprehensive security against all modes of attack. Its powerful positive security policy engine understands what user-to-application actions are considered permissible, and automatically blocks application requests that fall outside the bounds of this model. The positive security model is the only proven approach to detect and defeat new, unpublished exploits (i.e. zero-day attacks).

NetScaler App Firewall also integrates signature-based attack detection to efficiently thwart known attacks using documented attack signatures. This negative security model provides the perfect complement to the positive security engine, enabling security administrators to deploy application security out-of-the-box for any HTML or XML-based application.

Ensured Compliance

NetScaler App Firewall provides an important tool for meeting data security mandates and governmental compliance requirements. It provides intelligent analysis of all application response data to prevent the leakage of sensitive user information such as credit card and social security numbers. When unauthorized information is present in an application response, the solution can automatically block the entire transmission or mask the data object individually.

Detailed PCI reporting facilities satisfy specific PCI DSS criteria by explicitly documenting enabled security protections, and provide recommendations on how to enhance the security policy to improve the overall compliance posture.

Advanced Security Protections

The App Firewall includes multiple session-aware protections to secure dynamic application elements such as cookies, form fields and session-specific URLs. Attacks that target the trust between the client and server, including cross-site request forgery, are stopped; requests are fully validated before they are sent to the application server by first checking for a unique ID inserted by the App Firewall. Such protection is imperative for any application that processes user-specific content, such as an e-commerce site.

Tailored Security Policies for Each Application

NetScaler App Firewall incorporates an advanced and proven adaptive learning engine that discovers aspects of application behavior that might be blocked by the positive security model even if the behavior is intended by the web application. This would include, for example, client-side application scripting that legitimately modifies HTML form fields. Once application behavior is learned, the application firewall generates human-readable policy recommendations, which give security managers a clearer understanding of actual application behavior. Tailored security policies may then be applied to each application.
