NetScaler 10 has already created a lot of buzz thanks to some amazing capabilities – TriScale, Action Analytics, DataStream enhancements and more – and our marketing team has done a fantastic job of spreading the word across a multitude of channels. Beyond the buzz, there are plenty of features that usually go unnoticed but are very much part of the real meat that NetScaler offers. As the cloud era pushes to ever greater heights, security becomes a key component alongside all the cloud-enablement technologies. NetScaler has a full-featured WAF (Web Application Firewall) that protects web applications and databases against Layer 7 attacks.
There are plenty more security features, such as SSL, DoS protection and authentication, that complement the WAF in providing a holistic approach to security. NetScaler 10 also comes with many security enhancements beyond the WAF, and those are what this blog covers.
1. Simple ACLs: Simple ACLs block traffic based on a combination of source IP, port and protocol. They have always taken effect on new sessions only, so a connection that was already established when the ACL was added kept flowing. NetScaler 10 adds a “flush” command that applies your new ACLs to existing sessions as well, for the case where you need to be sure that traffic from a bad source is completely cut off.
2. Extended ACLs: The number of extended ACLs that can be created on a NetScaler has been raised from 1K to 10K.
3. SSL Renegotiation Attack: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) renegotiation is vulnerable to an attack in which the attacker opens a TLS connection to the target server, injects content of his choice, and then splices a new TLS connection from a legitimate client into it as a renegotiation, so the server sees the attacker's bytes and the victim's request as one session. NetScaler 10 now protects against this attack by cryptographically binding renegotiation handshakes to the enclosing TLS connection, the secure renegotiation mechanism standardized in RFC 5746: each side carries the verify_data of the previous Finished messages into the new handshake, which lets the server differentiate a renegotiation from an initial negotiation and prevents a handshake from one connection from being spliced into another.
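The following is an added example, not NetScaler code, that models the server side of the binding just described. The Finished verify_data derivation uses HMAC-SHA256 as a stand-in for the TLS PRF, and the master secrets and transcripts are constructed placeholders; the decision logic (empty renegotiation_info on an initial handshake, previous verify_data on a renegotiation, reject anything else) is the RFC 5746 rule.

```python
import hashlib
import hmac
from typing import Optional

VERIFY_DATA_LEN = 12  # length of verify_data in a TLS 1.2 Finished message


def finished_verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Stand-in for PRF(master_secret, label, Hash(handshake_messages)) that yields
    Finished.verify_data. Real TLS uses the TLS PRF; HMAC-SHA256 is assumed here."""
    transcript_hash = hashlib.sha256(transcript).digest()
    return hmac.new(master_secret, label + transcript_hash, hashlib.sha256).digest()[:VERIFY_DATA_LEN]


class TlsAlert(Exception):
    """Raised where a real endpoint would send a fatal handshake_failure alert."""


class ServerConnection:
    """Per-connection state an RFC 5746 server keeps across handshakes."""

    def __init__(self) -> None:
        self.handshakes = 0
        self.client_verify_data = b""
        self.server_verify_data = b""

    def handle_client_hello(self, renegotiation_info: Optional[bytes]) -> bytes:
        """Validate the client's renegotiation_info and return the value the server
        echoes back. None models a ClientHello without the extension (legacy client)."""
        if self.handshakes == 0:
            # Initial handshake on this connection: extension must be present and empty.
            if renegotiation_info is None:
                raise TlsAlert("client does not support secure renegotiation")
            if renegotiation_info != b"":
                raise TlsAlert("non-empty renegotiation_info in an initial handshake")
            return b""
        # Renegotiation: the client must present the verify_data from the previous
        # handshake on *this* connection. A ClientHello spliced in from another
        # connection cannot know it.
        if renegotiation_info is None:
            raise TlsAlert("renegotiation without renegotiation_info")
        if not hmac.compare_digest(renegotiation_info, self.client_verify_data):
            raise TlsAlert("renegotiation_info does not match previous Finished")
        return self.client_verify_data + self.server_verify_data

    def complete_handshake(self, master_secret: bytes, transcript: bytes) -> None:
        """Record both Finished values; they become the binding for the next handshake."""
        self.handshakes += 1
        self.client_verify_data = finished_verify_data(master_secret, b"client finished", transcript)
        self.server_verify_data = finished_verify_data(master_secret, b"server finished", transcript)


def legitimate_renegotiation() -> bool:
    """The client that performed the first handshake renegotiates successfully."""
    conn = ServerConnection()
    conn.handle_client_hello(b"")                         # initial handshake: empty extension
    conn.complete_handshake(b"\x11" * 48, b"hello#1")     # constructed secret and transcript
    prev_client_vd, prev_server_vd = conn.client_verify_data, conn.server_verify_data
    echoed = conn.handle_client_hello(prev_client_vd)     # renegotiation carries the binding
    # Client side of the check: the server must echo both values the client remembers.
    return echoed == prev_client_vd + prev_server_vd


def spliced_handshake_rejected() -> Optional[str]:
    """Attacker handshakes first, then forwards a victim's *initial* ClientHello as a
    renegotiation on the attacker's connection. Returns the alert reason, or None if
    the server wrongly accepted the splice."""
    attacker_conn = ServerConnection()
    attacker_conn.handle_client_hello(b"")
    attacker_conn.complete_handshake(b"\x22" * 48, b"attacker-hello")
    # The attacker has already sent a partial HTTP request on this connection; the
    # victim's request would be appended to it if the splice succeeded.
    victim_initial_hello_ri = b""   # the victim believes it is opening a new connection
    try:
        attacker_conn.handle_client_hello(victim_initial_hello_ri)
    except TlsAlert as alert:
        return str(alert)
    return None
```

A legacy victim that does not send the extension at all (`None`) is rejected on the same path; the only ClientHello the server will accept as a renegotiation is one carrying the 12 bytes that came out of this connection's previous Finished.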
4. Authentication – NTLMv2: The level of security negotiated between client and server determines:
• The level of authentication protocol used by clients
• The level of session security negotiated
• The level of authentication accepted by servers
NetScaler now advertises support for NTLMv2 session security and for signing of the Type 3 (authenticate) message.
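To see what a server is actually offering, the practitioner's check is to decode the NegotiateFlags of the Type 2 (challenge) message. The following is an added example, not NetScaler code: a bounds-checked parser for the fixed header of an NTLMSSP CHALLENGE_MESSAGE plus a summary of the session-security bits. The two sample messages are constructed with the same builder, so the challenge bytes and the target name are placeholders rather than a capture.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2  # "Type 2" in older terminology

# NegotiateFlags bits (MS-NLMP 2.2.2.5), the ones that matter for session security
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
NTLMSSP_NEGOTIATE_56 = 0x80000000

HEADER_LEN = 48  # Signature .. TargetInfoFields; payload starts here when no Version field


def build_challenge(flags: int, target_name: str, server_challenge: bytes) -> bytes:
    """Construct a CHALLENGE_MESSAGE with a TargetName payload and empty TargetInfo
    (constructed sample data for the parser below, not a capture)."""
    assert len(server_challenge) == 8
    name = target_name.encode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), HEADER_LEN)      # TargetNameFields
    msg += struct.pack("<I", flags)                                   # NegotiateFlags
    msg += server_challenge + bytes(8)                                # ServerChallenge, Reserved
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN + len(name))          # TargetInfoFields (empty)
    return msg + name


def parse_challenge(msg: bytes) -> dict:
    """Parse the fixed header of a CHALLENGE_MESSAGE, bounds-checking the payload fields."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got type {msg_type}")
    name_len, _name_max, name_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    server_challenge = msg[24:32]
    if name_off + name_len > len(msg):
        raise ValueError("TargetName field points past the end of the message")
    raw = msg[name_off:name_off + name_len]
    target = raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")
    return {"flags": flags, "server_challenge": server_challenge, "target_name": target}


def assess_session_security(parsed: dict) -> dict:
    """Summarize what the server offers: NTLM2 session security, signing, sealing, key size."""
    f = parsed["flags"]
    return {
        "extended_session_security": bool(f & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        "signing": bool(f & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)),
        "sealing": bool(f & NTLMSSP_NEGOTIATE_SEAL),
        "key_bits": 128 if f & NTLMSSP_NEGOTIATE_128 else 56 if f & NTLMSSP_NEGOTIATE_56 else 40,
    }


# A server that offers NTLM2 session security, signing and 128-bit keys ...
STRONG_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_SIGN
                | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_TARGET_TYPE_DOMAIN
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128
                | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_56)
# ... and one that offers none of it (plain NTLM, 40-bit, no integrity protection).
WEAK_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
              | NTLMSSP_TARGET_TYPE_DOMAIN)

# Constructed samples; the challenge bytes are arbitrary.
STRONG_CHALLENGE = build_challenge(STRONG_FLAGS, "CORP", bytes(range(1, 9)))
WEAK_CHALLENGE = build_challenge(WEAK_FLAGS, "CORP", bytes(range(1, 9)))
```

The flags are what the client and server agree on, so a server that leaves `NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY` and the signing bits clear is telling you that none of the stronger session security will be used on that connection, whatever the client was prepared to do.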
5. Authentication – SAML: NetScaler 10 also adds SAML consumer support, so it can now accept client authentication from third-party Identity Providers (IdPs). Acting as a SAML Service Provider (SP), NetScaler supports both authentication models: SP-initiated, where NetScaler sends an authentication request to the IdP and correlates the response with it, and IdP-initiated, where the IdP posts an unsolicited response to NetScaler. IdPs supported with NetScaler 10 are Secureauth, Shibboleth, ADFS and Cloud Gateway.
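The checks an SP has to make differ between the two models, and that difference is worth seeing in code. The following is an added example, not NetScaler's SAML implementation: an SP-side consumer that validates issuer, status, audience, time window and the InResponseTo correlation, treating a response without InResponseTo as IdP-initiated. The SP entity ID, ACS URL, trusted IdP and the sample response are all constructed for the example, the sample is unsigned, and XML-DSig signature verification against the IdP certificate is assumed to have happened before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Service Provider configuration (assumed values for the example)
SP_ENTITY_ID = "https://vpn.example.com"
SP_ACS_URL = "https://vpn.example.com/cgi/samlauth"
TRUSTED_IDPS = {"https://idp.example.com/metadata"}
CLOCK_SKEW = timedelta(minutes=3)


class SamlError(Exception):
    pass


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text: str, outstanding_requests: Set[str], now: datetime,
                     allow_idp_initiated: bool = True) -> Tuple[str, str]:
    """Validate a SAML 2.0 Response as the SP and return (NameID, flow), where flow is
    'sp-initiated' or 'idp-initiated'. Raises SamlError on any failed check.
    Assumes the XML-DSig signature was already verified against the IdP certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        raise SamlError(f"untrusted issuer {issuer!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise SamlError("IdP did not report Success")
    if root.get("Destination") not in (None, SP_ACS_URL):
        raise SamlError("Response addressed to another ACS")
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        # SP-initiated: must answer an AuthnRequest we actually sent, and only once.
        if in_response_to not in outstanding_requests:
            raise SamlError(f"unknown or replayed InResponseTo {in_response_to!r}")
        outstanding_requests.discard(in_response_to)
        flow = "sp-initiated"
    else:
        # IdP-initiated: unsolicited, nothing to correlate with; policy decides.
        if not allow_idp_initiated:
            raise SamlError("unsolicited (IdP-initiated) response rejected by policy")
        flow = "idp-initiated"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlError("Assertion issuer differs from Response issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("Assertion has no Conditions")
    if "NotBefore" in cond.attrib and now + CLOCK_SKEW < _utc(cond.get("NotBefore")):
        raise SamlError("Assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - CLOCK_SKEW >= _utc(cond.get("NotOnOrAfter")):
        raise SamlError("Assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("Assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("InResponseTo") != in_response_to:
        raise SamlError("SubjectConfirmationData InResponseTo mismatch")
    if scd is not None and scd.get("Recipient") not in (None, SP_ACS_URL):
        raise SamlError("SubjectConfirmationData Recipient mismatch")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlError("no NameID")
    return name_id, flow


def rejection_reason(xml_text: str, outstanding_requests: Set[str], now: datetime, **kw) -> Optional[str]:
    """Convenience wrapper: the SamlError message, or None when the response is accepted."""
    try:
        consume_response(xml_text, outstanding_requests, now, **kw)
        return None
    except SamlError as err:
        return str(err)


NOW = datetime(2012, 5, 1, 12, 1, tzinfo=timezone.utc)    # constructed "current time"
LATE = datetime(2012, 5, 1, 12, 10, tzinfo=timezone.utc)  # after the assertion's NotOnOrAfter


def sample_response(in_response_to: Optional[str]) -> str:
    """Constructed, unsigned sample; None yields an IdP-initiated (unsolicited) response."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"{irt}
  Version="2.0" IssueInstant="2012-05-01T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{irt} Recipient="{SP_ACS_URL}" NotOnOrAfter="2012-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2012-05-01T11:59:00Z" NotOnOrAfter="2012-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The `outstanding_requests` set is the SP's memory of AuthnRequest IDs it has issued; consuming the ID on success is what stops a captured SP-initiated response from being replayed. IdP-initiated responses have no such anchor, which is why accepting them is a policy decision rather than a default.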
6. TCP SYN Cookies: Before NetScaler 10 there was no way to disable SYN cookie support; now you can. SYN cookies are what let the appliance survive a SYN flood without holding state for every half-open connection, so disable them only where you have a specific reason to.
7. Slow HTTP DoS Protection: NetScaler employs an adaptive request timeout to counter slow HTTP DoS attacks, in which a client holds a connection open by delivering a request a few bytes at a time. Factors such as payload length, MSS, inter-packet delay and RTT are taken into account to adapt the timeout applied to each request, so a client on a slow, high-latency link is not penalized while a deliberately slow one is cut off. When the timeout expires, the configured action, DROP or RESET, is taken.
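The following is an added example, not NetScaler's algorithm, of what an adaptive request timeout built from those four factors can look like. The timeout formula, the policy values, the EWMA for inter-packet delay and the two traffic traces are all constructed for illustration; the point it shows is that a deadline re-derived from observed link behaviour must also be capped, because a drip-feeding client otherwise keeps extending its own deadline.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Action(Enum):
    DROP = "DROP"    # close the connection silently
    RESET = "RESET"  # send a TCP RST to the client


@dataclass
class Policy:
    min_timeout: float = 5.0     # seconds; floor so a tiny request on a fast link is not cut off
    max_timeout: float = 60.0    # ceiling regardless of how slow the client's link looks
    slack: float = 3.0           # tolerate a sender 3x slower than the observed link predicts
    absolute_max: float = 120.0  # hard cap on total request time (defeats drip-feed extension)


@dataclass
class Conn:
    mss: int
    rtt: float
    opened: float
    content_length: int
    received: int = 0
    last_seen: float = 0.0
    ipd: float = 0.0             # smoothed inter-packet delay observed so far
    deadline: float = 0.0


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def adaptive_timeout(remaining: int, mss: int, rtt: float, ipd: float, p: Policy) -> float:
    """Expected time for a well-behaved sender to deliver `remaining` bytes: one MSS-sized
    segment per RTT, or per observed inter-packet gap if larger, times slack, clamped."""
    segments = max(1, ceil_div(remaining, mss))
    expected = segments * max(rtt, ipd)
    return min(p.max_timeout, max(p.min_timeout, expected * p.slack))


class SlowRequestGuard:
    def __init__(self, policy: Policy, action: Action) -> None:
        self.p, self.action = policy, action
        self.conns: Dict[int, Conn] = {}

    def open(self, cid: int, t: float, mss: int, rtt: float, content_length: int) -> None:
        c = Conn(mss, rtt, t, content_length, last_seen=t)
        c.deadline = t + adaptive_timeout(content_length, mss, rtt, 0.0, self.p)
        self.conns[cid] = c

    def data(self, cid: int, t: float, nbytes: int) -> bool:
        """Account for a body segment; returns True once the request body is complete."""
        c = self.conns[cid]
        gap = t - c.last_seen
        c.ipd = gap if c.ipd == 0.0 else 0.8 * c.ipd + 0.2 * gap   # EWMA of inter-packet delay
        c.last_seen, c.received = t, c.received + nbytes
        if c.received >= c.content_length:
            del self.conns[cid]
            return True
        remaining = c.content_length - c.received
        # Re-derive the deadline from what is left, but never beyond the absolute cap:
        # without that cap a client sending one byte per packet extends itself forever.
        c.deadline = min(c.opened + self.p.absolute_max,
                         t + adaptive_timeout(remaining, c.mss, c.rtt, c.ipd, self.p))
        return False

    def expire(self, t: float) -> List[Tuple[int, Action]]:
        expired = [cid for cid, c in self.conns.items() if t >= c.deadline]
        for cid in expired:
            del self.conns[cid]
        return [(cid, self.action) for cid in expired]


def simulate(events, policy: Policy, action: Action, end_time: float, tick: float = 1.0):
    """Drive the guard with (time, cid, kind, arg) events: kind 'open' with
    arg=(mss, rtt, content_length), or 'data' with arg=nbytes. Returns {cid: (outcome, time)}."""
    guard = SlowRequestGuard(policy, action)
    outcomes: Dict[int, Tuple[str, float]] = {}
    queue = sorted(events, key=lambda e: (e[0], 0 if e[2] == "open" else 1))
    t, i = 0.0, 0
    while t <= end_time:
        while i < len(queue) and queue[i][0] <= t:
            et, cid, kind, arg = queue[i]
            i += 1
            if cid in outcomes:
                continue                      # already completed or already killed
            if kind == "open":
                guard.open(cid, et, *arg)
            elif guard.data(cid, et, arg):
                outcomes[cid] = ("completed", et)
        for cid, act in guard.expire(t):
            outcomes[cid] = (act.value, t)
        t += tick
    return outcomes


# Constructed traffic: a normal 64 KB upload, and a slowloris-style client that
# declares a 100 KB body and then drips one byte every 5 seconds.
GOOD = [(0.0, 1, "open", (1460, 0.05, 64000))] + [(ts, 1, "data", 16000) for ts in (0.2, 0.4, 0.6, 0.8)]
SLOW = [(0.0, 2, "open", (1460, 0.05, 100000))] + [(5.0 * k, 2, "data", 1) for k in range(1, 61)]
```

Running `simulate(GOOD + SLOW, Policy(), Action.RESET, 130.0)` completes the normal upload at 0.8 s, while the dripping client, whose every packet re-arms a 60 s window, is reset when the 120 s absolute cap lands. Swap in `Action.DROP` to close it silently instead.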
Please check out our AppFW blog for what’s new in Application Firewall!