The recent NSS Labs Web Application Firewall (WAF) test puts NetScaler Application Firewall as a leader in the recommended list. As an Architect and the Director of Products responsible for NetScaler AppFirewall, here are the underlying principles that make Citrix Application Firewall awesome.
All HTTP Traffic is Treated Like First Class
For layer 7 (HTTP) processing, all traffic across protocol layers in NetScaler is by default on the fast path and optimized uniformly in software. Because of this design, we are able to extract the greatest value out of the x86 processor and get consistently high performance. Every once in a while we see alternative approaches where the first few bytes are inspected before trying to short-circuit data forwarding to hardware; however, we’ve consistently seen misleading results from them. Concocted marketing performance tests look good, but reality doesn’t match. For us, it’s about making the one way we do it the best way possible.
Power of Small Batches
When working with HTTP processing, the traditional approach of breaking up the stages into a series of distinct steps that operate in different processes or stages is inefficient. One reason for this inefficiency, among others, is having to revisit the parsing of the requests multiple times, which adds a ton of overhead for no good reason. What we’ve architected the NetScaler to do instead is take a chunk of requests and run them through the entire chain of actions (parsing, inspection, etc.) in one pass over the payload. This is part of the reason we get significantly higher speeds on an x86 than other solutions.
A side effect of approaching data processing this way is data locality. Because we keep the requests in the CPU cache, all of the code that needs to access it never has to wait on a cache miss. The result is a super-fast series of actions. We’re pretty fussy about this approach and when adding new features, we make sure that we stick to handling every transaction this way. Consistent application of this method yields great performance.
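To make the single-pass idea concrete, here is an added example (not NetScaler code, and not a description of its internals) of an HTTP request inspector written in C. Each request line is delimited exactly once and every check (method and version, header count, header length, malformed header, duplicate Content-Length) is applied to it immediately, so the bytes are still in cache and the first failing check ends the pass; a staged design would instead re-parse the same buffer once per check. The limits, the verdict names and the sample requests are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Verdicts one pass can reach (illustrative names, not NetScaler's). */
enum verdict { ALLOW = 0, BLOCK_BAD_REQUEST_LINE, BLOCK_BAD_HEADER,
               BLOCK_HEADER_TOO_LONG, BLOCK_TOO_MANY_HEADERS,
               BLOCK_DUPLICATE_CONTENT_LENGTH, BLOCK_TRUNCATED };

/* Illustrative limits chosen for this example. */
#define MAX_HEADERS     8
#define MAX_HEADER_LEN 64

/* Return a pointer to the next CRLF in [p, end), or NULL if there is none. */
static const char *find_crlf(const char *p, const char *end)
{
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n')
            return p;
    return NULL;
}

/* Case-insensitive test of whether a header line starts with `name`
 * (HTTP field names are case-insensitive). */
static int header_is(const char *line, size_t n, const char *name)
{
    size_t m = strlen(name), i;
    if (n < m) return 0;
    for (i = 0; i < m; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Request-line checks, run on the bytes as soon as the line is delimited.
 * The shortest well-formed line is "GET / HTTP/1.1" (14 bytes); the version
 * token must be last and preceded by a space. */
static int request_line_ok(const char *line, size_t n)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD " };
    size_t i, ok = 0;
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (n > m && memcmp(line, methods[i], m) == 0) { ok = 1; break; }
    }
    return ok && n >= 14 && line[n - 9] == ' ' &&
           memcmp(line + n - 8, "HTTP/1.", 7) == 0;
}

/* Walk the buffer exactly once. Every check is applied to a line while it is
 * still hot in cache, and the first failing check ends the pass, so no line
 * is ever parsed twice. On ALLOW, *header_count receives the header total. */
int inspect_single_pass(const char *buf, size_t len, int *header_count)
{
    const char *p = buf, *end = buf + len, *eol;
    int headers = 0, content_length_seen = 0;

    if (header_count) *header_count = 0;
    if (!(eol = find_crlf(p, end))) return BLOCK_TRUNCATED;
    if (!request_line_ok(p, (size_t)(eol - p))) return BLOCK_BAD_REQUEST_LINE;
    p = eol + 2;

    for (;;) {
        size_t n;
        if (!(eol = find_crlf(p, end))) return BLOCK_TRUNCATED; /* no empty line */
        n = (size_t)(eol - p);
        if (n == 0) break;                                   /* end of headers */
        if (++headers > MAX_HEADERS) return BLOCK_TOO_MANY_HEADERS;
        if (n > MAX_HEADER_LEN) return BLOCK_HEADER_TOO_LONG;
        if (memchr(p, ':', n) == NULL) return BLOCK_BAD_HEADER;
        /* Two Content-Length fields leave the body length ambiguous: reject. */
        if (header_is(p, n, "Content-Length:") && content_length_seen++)
            return BLOCK_DUPLICATE_CONTENT_LENGTH;
        p = eol + 2;
    }
    if (header_count) *header_count = headers;
    return ALLOW;
}

/* Constructed sample requests (not captured traffic). */
static const char GOOD_REQUEST[] =
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n";
static const char DUP_CL_REQUEST[] =
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Length: 5\r\ncontent-length: 9\r\n\r\nhello";
static const char BAD_LINE_REQUEST[] = "FOO / HTTP/1.1\r\nHost: example.test\r\n\r\n";
static const char TRUNCATED_REQUEST[] = "GET / HTTP/1.1\r\nHost: example.t";
static const char LONG_HEADER_REQUEST[] =
    "GET / HTTP/1.1\r\nX-Long: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaa\r\n\r\n";
static const char MANY_HEADERS_REQUEST[] =
    "GET / HTTP/1.1\r\nA: 1\r\nA: 1\r\nA: 1\r\nA: 1\r\nA: 1\r\nA: 1\r\nA: 1\r\n"
    "A: 1\r\nA: 1\r\n\r\n";
```

The point of the structure is that `inspect_single_pass` never goes back to the start of the buffer: a second check is never a second scan, and a blocked request costs only the bytes read up to the failing line. Adding a new inspection means adding one more line inside the loop, which is how the "every transaction handled this way" discipline stays cheap.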
More Speed and Scale
By the end of this year, we will release even more significant performance and scalability improvements. On the performance side, we will further optimize our single-pass request stream processing mechanisms. Additionally, we’re taking these optimizations and leveraging them across the NetScaler cluster, which means crazy big numbers for real-world testing.
Security trumps speed – always. Our approach to security has always been to offer a secure posture out of the box while making it easy to fine tune in a way that minimizes errors. This tight focus on correctness is best reflected in the NSS Labs report where NetScaler blocked 100% of the attack types during testing.
So there you have it… the secret sauce that makes the NetScaler AppFirewall awesome!