Citrix offers a broad line of FIPS compliant NetScaler appliances. Each model is software upgradable via Citrix’s “Pay as You Grow” plan to higher performance models for SSL throughput needs exceeding 4.5 Gbps. But what may not be obvious beyond the typical feeds and speeds and FIPS compliance is the list of extensive feature support provided.
Sure, the models are FIPS 140-2 Level 2 compliant. They protect against unauthorized physical access as per NIST specifications (see http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.) This includes tamper-evident coatings and seals placed on the cryptographic module (HSM) so that these coatings and seals must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the HSM. CSPs, mainly the server’s private-key, are thus securely stored and generated inside this module. Any operation using the CSP is done by giving the appropriate payload to the module and the reference to the CSP (key handle) and the CSP is never accessed outside the module boundary.
These models include mandated security Level 2 compliance for role-based authentication (RBA); here the HSM authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services. On NetScaler, only administrators with “superuser” (nsroot) privileges can provide RBA with the capability to access and modify keys stored inside the HSM. RBA can be used to restrict the execution rights for many sets of commands including: set fips-initHSM, create fipskey, rmfipskey, show fipskey, and create wrapkey, export sslfipskey and dozens of others.
The NetScaler models expand upon this to add FIPS 140-3 Level 3 hardware security by providing a host of extra capabilities. A bezel opening for a USB key prevents intruders from gaining access to CSPs held within the cryptographic module. The USB key is important since Level 3 requires the entry or output of plaintext CSPs (including the entry or output of plaintext CSPs using split knowledge procedures) be performed using ports such as USB that are physically separated from other ports, or interfaces that are logically separated using a trusted path from other interfaces. The FIPS appliances go further and support tamper detection and response circuitry that zeros all plaintext CSPs when the removable covers/doors of the cryptographic module are opened. Identity-based authentication techniques are included to enhance the security provided by the role-based authentication mechanisms. A cryptographic module authenticates the identity of an operator and verifies that the identified operator is authorized to assume a specific role and perform a corresponding set of services.
But enough with the hardware FIPS support, what about the secret sauce hidden in the software. Where is the “edge” an IT administrator gains by using NetScaler MPX FIPS boxes? Well, there are quite a few security related functions that address real needs for industry best practices.
DNSSEC is supported in software. I don’t need to tell you how valuable that is. The FIPS appliances support Secure DNS to accept certificate-based resolutions and exchanges as dictated by the edict: http://www.whitehouse.gov/OMB/memoranda/fy2008/m08-23.pdf.
Some administrators would like to rewrite the ICA file directly via the NetScaler rather than using Citrix Smart Access. This option allows them to control ICA features from the NetScaler without having to create policies on the Citrix XenApp servers for each application. Such rewrite is supported in NetScaler.
Customizable VPN Pages
To comply with mandatory requirementsin some environments, administrators must display, prior to authentication, a “message of the day” or “warning/legal” banner. Previously the NetScaler vServer, with its integrated Citrix Access Gateway, Enterprise Edition (CAG-EE) SSL VPN function, could not exhibit these personalized pages or provide a user acknowledgement action that could be logged. Well, that limitation has been resolved.
VPN Portal Customization
There are scenarios where the NetScaler CAG-EE function requires multiple CAG VPN vServers, and the administrator would like to customize the look-and-feel of the portal and resource pages independently. This means the ability to host multiple portals and have a different look for each. Previously, CAG-EE VPN portal pages were too static and fragile to allow customization; a single view needed to be applied to all VPN vServers. NetScaler now provides a method whereby the administrator can customize pages via the GUI; that is flexible and independent of other existing CAG-EE VPN vServers. User-friendly methods now allow one to customize every page for the CAG-EE VPN vServer portals using SAC, ActiveX, and Java/embedded.
LDAP and Radius Discovery/Browse
Previously when using Authentication on NetScaler for LDAP or RADIUS, there was a significant amount of manual configuration required. The administrator had to know all the containers in LDAP and where the users are located. For RADIUS, there was no tool to discover the groups and other elements. Now NetScaler provides the ability to use the GUI to browse the Active Directory (AD) once the user enters the IP, username and password. By reading the AD, the administrator can select what containers, groups, or machines to use for authentication. In the case of RADIUS, once the IP and shared secret is entered and validated on NetScaler, the administrator is able to search groups and select from a list.
NetScaler MPX FIPS appliances cleanse memory that was used to process SSL requests. The private keys that reside in the cryptographic module are shielded so if the user imports a key to the module from a storage disk, the disk has to be protected by the user. Private keys don’t reside in memory when running the NetScaler in FIPS mode. Hence, overall security is enhanced.
Back to the Hardware Future
OK, features are great but without a lot of horsepower, they don’t mean much. It was mentioned at the outset that FIPS SSL throughput exceeds 4.5 Gbps. Doesn’t every vendor make outlandish performance claims? Just how is this done? Well, NetScaler MPX FIPS appliances leverage a new SSL card with eight state-of-the-art processors on board. Each of these ICs has four command queues for a total of 32 queues. With Citrix NetScaler nCore technology, these SSL IC processing elements are split into multiple queues and distributed among the NetScaler packet processing engines (PPE). On the MPX appliances, there are up to seven PPEs available. The 32 queues are evenly distributed across the seven PPEs resulting in a balanced distribution for maximum efficiency. Scalable and secure gigabit throughput is ensured. Key support ranges to 4096-bits with multiple algorithms including ECC, SHA-2, AES and 3DES ciphers available for FIPS traffic. So you can have you hardware cake and feature icing too. While they are all RoHS compliant, we don’t recommend you eat them!
Update (March 12, 2012): With recent changes to how ICA files are generated, the practice of rewriting them is not recommended. Using SmartAccess is the best way to use your NetScaler to accessing XenApp and XenDesktop.