NetScaler performs great acceleration and optimization for mobile data and payloads, and security is top-of-mind for customers, especially mobile security. As users connect remotely from mobile devices across different connectivity zones, it is difficult to ensure that they follow best practices without automating and enforcing security in the network. NetScaler MobileStream technology brings security value to mobile communication and ensures that the communication and data transfer are protected. Here is how we look at the complete security value chain for mobile communication.
NetScaler MobileStream delivers enhanced mobile security by looking at every aspect of protection and data leak prevention. If you logically break the communication into two segments, Connection Establishment and AAA versus Application Access and Data Transfer, different technologies come together to enable security and protection throughout these two phases.
Connection Establishment and AAA
Security and protection need to begin with the first packet you receive on the wire. There are several flood and DDoS attacks, and their variants, which exploit your communication channel even before you are connected. We have extremely advanced protection for such Layer 3 and Layer 4 attacks, which can bring the whole system down via a single connection! We also have advanced ACLs and Listen policies to help with network layer protection and filtering.
Once the connection is up, the next step is getting the mobile device access to the application in a secure manner. Today many apps work over SSL, so the communication is encrypted, but it may still travel over open networks. An enterprise looking to ensure that any access to enterprise resources is protected and containerized needs a securely tunneled infrastructure. This is what NetScaler and XenMobile Micro-VPN technology brings to the table: mobile devices create a Micro-VPN tunnel to the enterprise infrastructure for application access. Micro-VPN works at the application layer, unlike traditional VPN technologies that work at the device level. Every time you open an enterprise app on the device, it creates the Micro-VPN tunnel, and the entire data transfer is secured and protected within that tunnel. That is certainly the smarter way to deal with security on mobile devices, as the device also carries a bunch of personal apps which you do not want going through the enterprise tunnel. This technology therefore creates a secure and isolated environment for connectivity and data transfer.
Once you are securely connected, the next big task is to use AAA efficiently; it provides the advanced authentication and authorization technologies that tell us who the user is and what level of access should be granted. We deal with many different apps today, and every app may go through a different authentication channel. We have the older Windows-based authentication protocols like NTLM and Kerberos, extending into form-based authentication for web apps. With cloud apps and services in the picture we have many more authentication technologies to deal with, and they are smarter and more flexible too. SAML as an authentication mechanism is becoming the backbone of the service-based model, so we deal with all of these mixed-mode authentication technologies here. But the broader story does not finish at front-end authentication, because with so many apps, users are tired of authenticating to each one individually. The objective is therefore to authenticate the user once and then single sign-on, on the user's behalf, to the other apps the user needs or has access to. The challenge does not stop there, as you need to perform SSO for the user across different app-specific technologies. This is what NetScaler MobileStream technology specializes in, and technologies like Kerberos Constrained Delegation and SAML IdP take care of the broader SSO needs.
Application Access and Data Transfer
Once you are securely connected and authorized to access the application and data, the next task is to ensure that the application data transfer channel is protected against DoS and various data privacy attacks. At this point, becoming a Layer 7 proxy with complete intelligence on data flow and protocol semantics is a must. From the enterprise perspective, email is the most used app on mobile devices. While it is the most widely used, it is also prone to attacks and attempts to steal data on the fly. NetScaler supports a native ActiveSync proxy, which lets NetScaler serve as the termination and policy enforcement point for all inbound ActiveSync traffic used to provide native email services to mobile clients. This configuration provides an important layer of protection for back-end Exchange servers and allows administrators to control email access based on a wide variety of parameters, such as whether the associated device is jailbroken, in an undesirable geographic area, or out of compliance in some other way.
NetScaler supports various layers of protection for pure web access from mobile devices, which is another critical use case for enterprise users. In the mobile context, pretty much everything runs over the web, so Layer 7 DDoS protection is as important as native web attack protection. In the last couple of years we have seen many variants of slow attacks at the web layer which exploit the tolerance of the protocol; the key is to differentiate good, legitimate requests from bad requests aimed at resource consumption and bringing the service down. NetScaler has very rich Layer 7 DDoS protection features which protect your web/app access from such attacks and dynamically check whether the client is legitimate. Most attack clients on the web tier are automated, so intelligent ways to identify them and drop them work really well. Along with the core protection features, capabilities such as generating intelligent responses based on content parsing and rate limiting the incoming Layer 7 traffic help ensure that legitimate clients get the right priority and resources.
- Prioritization of requests
- Prioritization at object level
- Controlled resource allocation
- Admission control for all clients
- Alternate content to keep client busy
- Priority order across multiple connections
- Request processing information visibility
- Advance expressions for traffic classification
- HTTP/L7 DDoS protection at Application layer
- Built-in responses to mitigate against DoS attacks
- Ability to generate custom response against DoS attacks
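As an added example (not NetScaler code; NetScaler expresses this through its own policy configuration), the following sketch shows the per-client admission control the paragraph above describes: a sliding-window rate limit, a strike counter for clients that drip their request headers in slowly, and an "alternate content" challenge decision, run over constructed request records. The threshold values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_s, client_ip, seconds_until_headers_complete).
# Client .2 drips its headers in slowly; client .3 bursts six requests in half a second.
REQUESTS = [
    (0.0, "10.0.0.1", 0.1), (0.5, "10.0.0.2", 6.0), (1.0, "10.0.0.1", 0.2),
    (2.0, "10.0.0.2", 7.0),
    (3.0, "10.0.0.3", 0.1), (3.1, "10.0.0.3", 0.1), (3.2, "10.0.0.3", 0.1),
    (3.3, "10.0.0.3", 0.1), (3.4, "10.0.0.3", 0.1), (3.5, "10.0.0.3", 0.1),
    (4.0, "10.0.0.2", 0.1),
]

# Assumed policy thresholds; a real deployment tunes these per application.
WINDOW_S = 10.0          # sliding window for the per-client request count
MAX_REQ_PER_WINDOW = 5   # above this the client is served a challenge page instead
SLOW_HEADER_S = 5.0      # headers still incomplete after this counts as a slow-request strike
SLOW_STRIKES = 2         # strikes before the client is dropped outright

class AdmissionController:
    """Per-client Layer 7 admission control: sliding-window rate limit plus slow-client strikes."""
    def __init__(self):
        self.window = defaultdict(deque)   # client -> request timestamps inside the window
        self.strikes = defaultdict(int)    # client -> slow-header strikes so far

    def decide(self, ts, client, header_secs):
        q = self.window[client]
        q.append(ts)
        while q and ts - q[0] > WINDOW_S:   # expire timestamps that left the window
            q.popleft()
        if header_secs > SLOW_HEADER_S:
            self.strikes[client] += 1
        if self.strikes[client] >= SLOW_STRIKES:
            return "drop"          # resource-consumption pattern: stop spending sockets on it
        if len(q) > MAX_REQ_PER_WINDOW:
            return "challenge"     # alternate content (e.g. a cookie/JS check) keeps the client busy
        return "allow"             # legitimate request is handed to the real application

def evaluate(records):
    """Runs the records through one controller in timestamp order; returns (client, decision) pairs."""
    ctl = AdmissionController()
    return [(client, ctl.decide(ts, client, hdr)) for ts, client, hdr in sorted(records)]

if __name__ == "__main__":
    for client, verdict in evaluate(REQUESTS):
        print(client, verdict)
```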
Beyond all this, we have to deal with the web vulnerabilities and attacks that are commonly handled by a Web Application Firewall. NetScaler has a very deep implementation of Application Firewall which protects against known and unknown attacks at the web/XML layer. The model works well for connected as well as mobile clients. We follow the workflow below to ensure the best protection is provided:
Our model lets you protect against known attacks quickly through signatures, so you can be up and running in a matter of minutes. Then you can run application-layer learning and deploy the learned rules and behavior for positive protection as well. While all these protections are applied, remember that a lot of logs are generated across all the features to assist application owners and developers with lifecycle management.
All in all, security remains the key focus area for enterprises, and with users connecting remotely over mobile devices there are new flavors to the puzzle. Comprehensive solutions like NetScaler MobileStream help provide complete end-to-end security for mobile users and communication.
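To illustrate the two-stage workflow just described, here is an added example (not NetScaler's Application Firewall code) in which a small, constructed signature set blocks known attack shapes first, and a learning phase then builds a positive model of field names and value classes from clean traffic which is enforced afterwards. The signatures, value classes and sample requests are all constructed for illustration.

```python
import re

# Stage 1, negative model: constructed, deliberately small signature set for known attack shapes.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

# Stage 2, positive model: value classes from most to least restrictive (each is a superset of the last).
CLASSES = [("digits", re.compile(r"^\d+$")),
           ("alnum", re.compile(r"^[A-Za-z0-9_]+$")),
           ("text", re.compile(r"^[A-Za-z0-9 _.@-]+$"))]
RANK = {name: i for i, (name, _) in enumerate(CLASSES)}
RANK["any"] = len(CLASSES)   # fits no class: widest possible

def classify(value):
    """Most restrictive class the value fits, or 'any' if it fits none."""
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "any"

def learn(clean_requests):
    """Learning phase: record, per field, the widest value class seen in clean traffic."""
    model = {}
    for req in clean_requests:
        for field, value in req.items():
            cls = classify(value)
            if field not in model or RANK[cls] > RANK[model[field]]:
                model[field] = cls
    return model

def inspect(req, model):
    """Enforcement: signatures first, then the learned positive model; returns (verdict, reason)."""
    for field, value in req.items():
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                return "block", f"signature:{sig}:{field}"
    for field, value in req.items():
        if field not in model:               # field never seen in learning: not on the allowlist
            return "block", f"unknown_field:{field}"
        seen = classify(value)
        if RANK[seen] > RANK[model[field]]:  # value wider than anything learned for this field
            return "block", f"positive_model:{field}:{seen}>{model[field]}"
    return "allow", "positive_model"

# Constructed clean learning traffic: 'user' is short text, 'page' is always numeric.
CLEAN = [{"user": "alice", "page": "2"}, {"user": "bob_7", "page": "10"}, {"user": "carol.s", "page": "3"}]
MODEL = learn(CLEAN)
```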