A previous Citrix blog highlighted NetScaler’s capabilities for protecting and securing the delivery of desktop, enterprise or SaaS-based services to customers and employees over any network. That blog also covered Cloud Gateway and Cloud Bridge. So, I thought it would be good to go into a little more detail on how some of the features in NetScaler can provide security over private, public or hybrid clouds.
With NetScaler handling many cloud providers’ traffic today, detecting and preventing distributed denial-of-service (DDoS) attacks and other types of malicious attacks before they reach cloud providers’ servers have become essential tasks for NetScaler. This keeps attacks from impacting the cloud network and application performance. NetScaler distinguishes legitimate clients and gives them higher priority, so offending clients cannot consume a disproportionate share of resources and halt a cloud site.
Hackers can bring down a network by a variety of means, including sending a surge of GET requests or other HTTP-level requests. NetScaler’s HTTP Denial-of-Service (HTTP DoS) Protection can stop such attacks against servers.
Using SYN cookies, NetScaler can also thwart SYN flood attacks without keeping half-open connections in the system memory stack. Each client that requests a TCP connection gets a cookie from NetScaler, and NetScaler assigns system memory for the connection only after it gets the final ACK from the client. Hence, it does not keep state for half-open connections. This defeats SYN attacks while allowing normal TCP communications with clients to continue without issues.
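The stateless handshake described above, as an added example (not from the original post and not NetScaler's implementation). It is a simplified model: the secret, the 64-second time slot and all names are assumptions, and production SYN cookies also encode options such as the MSS in the cookie.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: secret known only to the server
SLOT = 64                            # assumption: cookie lifetime granularity, seconds
MASK = 0xFFFFFFFF                    # TCP sequence numbers are 32 bits

def make_cookie(conn, client_isn, slot):
    """Derive the server's initial sequence number from the packet itself."""
    msg = repr((conn, client_isn, slot)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class Listener:
    def __init__(self):
        self.established = set()  # the only per-connection memory

    def on_syn(self, conn, client_isn, now):
        # Reply with SYN-ACK carrying the cookie as sequence number; store nothing.
        return make_cookie(conn, client_isn, now // SLOT)

    def on_ack(self, conn, seq, ack, now):
        # Final ACK: seq = client ISN + 1, ack = cookie + 1. Recompute and compare.
        client_isn, cookie = (seq - 1) & MASK, (ack - 1) & MASK
        slot = now // SLOT
        if any(cookie == make_cookie(conn, client_isn, s) for s in (slot, slot - 1)):
            self.established.add(conn)  # memory assigned only now
            return True
        return False

def run_demo():
    """Constructed traffic: 1000 SYNs that never complete, one real client."""
    srv, t0 = Listener(), 1000
    server = ("203.0.113.10", 443)
    for i in range(1000):
        srv.on_syn(("198.51.100.%d" % (i % 250), 1024 + i) + server, i, t0)
    client = ("192.0.2.7", 40000) + server
    cookie = srv.on_syn(client, 5000, t0)
    ok = srv.on_ack(client, 5001, (cookie + 1) & MASK, t0 + 1)
    return ok, len(srv.established)

if __name__ == "__main__":
    print(run_demo())
```

The flood leaves the connection table empty because nothing is stored until an ACK echoes a cookie the server can recompute.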
Server response can become very slow, and the server unresponsive to new requests, if a surge in client requests or a surge attack overloads it. However, with the Surge Protection feature, NetScaler can be set up for different connection rates; it tracks the rate that the server can handle and rate-limits as needed to prevent the server from being overloaded.
Other application-level malicious attacks that NetScaler protects against include, but are not limited to:
- Fraggle attacks
- Zombie connection attacks
- Pipeline attacks
- Teardrop attacks
- Land attacks
And last but not least, my favorite topic – NetScaler has an easy-to-use and easy-to-deploy Application Firewall (AppFW) that prevents data loss, security violations and illicit modifications to web sites that handle sensitive customer or business info. This is accomplished by inspecting both requests and responses, fully examining all packets and blocking anything malicious. AppFW can provide protection from common types of attacks as well as new and unknown attacks. Admins can set up whitelists as well as use Snort signatures for full hybrid security model protection. Hybrid protection for private, public and hybrid clouds provides the flexibility that customers desire. The hybrid security model is discussed in more detail in a previous blog. PCI compliance reports and full auditing capabilities, as well as protections for web server software, OS, legacy CGI code or scripts, and other web frameworks, are additional security features available on NetScaler.
And I can continue on, but I think you get the gist that there are many security features on NetScaler worth chatting about, such as SSL, other DDoS protections, AAA, Rewrite, URL transformation, protection against ICMP-based attacks, etc., and how these handy-dandy features can secure private, public and hybrid clouds. However, let’s leave some of these topics for future blogs, or check out the NetScaler guides for the same details.