Securing your network has never been more critical than it is now, and meeting security compliance can be challenging. With a FIPS 140-2 Level 2 compliant Citrix NetScaler SDX, you can achieve security compliance and easily deploy ADC instances to meet your performance requirements. Whether you are a service provider hosting ADC instances for clients, or securing your businesses network, the NetScaler FIPS SDX makes your deployment secure, easy, and scalable to meet demands.
For the administrator, deploying the NetScaler FIPS SDX may appear to be a challenge in itself but I can assure you that it is not as difficult as it seems. Once you take a look at the underlying components of the FIPS SDX appliance, the process becomes a bit clearer. The purpose of this article is to highlight the architecture of the FIPS SDX and provide a step by step setup guide of the FIPS HSM and deployment of a NetScaler HA pair that is FIPS enabled.
NetScaler FIPS SDX Overview
An SDX is built on top of the XenServer hypervisor and utilizes a service VM (SVM) instance for overall management. Using this SVM, you can deploy, manage, and monitor NetScaler instances. The difference with the FIPS-compliant SDX is the addition of the Cavium Hardware Security Module (HSM). This is often referred to as the FIPS card or module and is where all private PKI keys are stored. The HSM is also where all SSL transactions are performed on a FIPS- enabled instance. The SDX also contains an SSL card that is used for non-FIPS processes and can be used in a “hybrid” mode to meet even higher processing demands. An important item to note is that every instance you deploy does not need to be FIPS enabled. This can be useful if you are hosting multiple tenants or just want to separate workloads– you can have both types of instances on the same appliance.
NetScaler FIPS SDX Setup Guide
This document reviews the steps required to configure the NetScaler SDX FIPS appliance, starting with the out of box initial configuration of the SDX and hardware security module (HSM) initialization. Sections detailing instance setup include the initial instance creation as well as a secondary instance for a high availability (HA) pair setup. NetScaler feature configuration steps are not covered in this document and are described in the product documentation.
After completing the steps in this setup guide, you should have a NetScaler HA pair that is FIPS enabled and is now ready for feature configuration to complete your deployment.
Follow me on Twitter @CitrixShane