Citrix ADC (formerly NetScaler) is well known for its load balancing and SSL capabilities. But did you know Citrix ADC also has modular firewall capabilities that can be useful for securing enterprise deployments?
Let’s look at a use case where Citrix ADC helps customers secure their environments with its modular firewall capabilities.
Enterprises use Citrix ADC as a forward proxy through which their back-end servers reach other internal environments and the internet. In these deployments, Citrix ADC must enforce access controls on those connections and provide some degree of logging to meet security regulations. These enterprises look for Layer 3/4 filtering capabilities such as ACLs operating in stateful mode, which are a standard part of modular firewall deployments.
Why stateful ACLs? Citrix ADC should allow or block traffic according to the configured ACLs and, in addition, verify that each packet belongs to an established conversation. That defeats an attacker who crafts packets that match an ACL on the 4-tuple (source IP, destination IP, source port, destination port) but that are not part of any existing connection. The enterprise does not want to decrypt the traffic on Citrix ADC (or use it as an application firewall), but it does want to control which traffic is allowed based on ACLs.
Enterprises with multiple back-end tiers (database tier, web tier, and so on) need stateful ACLs in their environment. When a TCP or UDP session is initiated from inside the network to the outside, a stateful ACL creates a session entry that allows the return traffic belonging to that session to come back in. For example, a database server that opens a connection to a web server on port 80 receives the response only because an entry for that session exists in the table; an unsolicited packet sent to the database server from outside matches no entry and is dropped.
The temporary entry is removed when the last packet of the session arrives or when a configured timeout expires.
You can learn more about stateful ACLs here.
Stateful ACLs are supported for TCP and UDP sessions. Citrix ADC creates an entry in a table (NATPCB) for both TCP and UDP traffic to track the session. For TCP, the session is removed as soon as an RST or FIN is received; otherwise, an idle timeout removes the session. UDP has no teardown signal, so UDP sessions are removed only by the idle timeout.
The timeout mechanism is common to TCP and UDP, and “set ns timeout” is used to configure it; the timers that apply to NATPCBs apply to these sessions as well. To support this use case, Citrix ADC maintains state tables that provide this enhanced security, which today is enabled through stateful ACLs.
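To make the session-table behaviour concrete, here is an added Python model of a stateful ACL. It is an illustration written for this page, not Citrix ADC code: the `AclEngine`, `AclRule` and `Packet` names, the 120-second idle timeout and the 10.0.x.x addresses are all constructed for the example. It shows the four behaviours described above: an outbound TCP SYN creates an entry that admits the reply, a crafted ACK matching the rule's 4-tuple but belonging to no session is dropped (the same packet passes a stateless rule), a FIN removes the TCP entry immediately, and a UDP entry survives only until the idle timeout expires.

```python
"""Toy model of a stateful ACL backed by a session table (constructed example,
not Citrix ADC code; class, function and network names are invented)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Session-table key: protocol plus the 4-tuple (src IP, dst IP, src port, dst port).
FlowKey = Tuple[str, str, str, int, int]

@dataclass(frozen=True)
class Packet:
    proto: str                       # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}, {"ACK"}, {"FIN"}
    ts: float = 0.0                  # arrival time in seconds

@dataclass(frozen=True)
class AclRule:
    action: str                      # "ALLOW" or "DENY"
    src_net: Optional[str] = None    # CIDR, or None for any
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    stateful: bool = False           # an ALLOW creates a session entry when True

    def matches(self, pkt: Packet) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        return (in_net(pkt.src_ip, self.src_net) and in_net(pkt.dst_ip, self.dst_net)
                and self.proto in (None, pkt.proto) and self.dst_port in (None, pkt.dst_port))

class AclEngine:
    """First-match ACL evaluation plus a session table for stateful rules."""

    def __init__(self, rules: List[AclRule], tcp_idle: float = 120.0, udp_idle: float = 120.0):
        self.rules = rules
        self.idle = {"TCP": tcp_idle, "UDP": udp_idle}  # idle timeouts (cf. 'set ns timeout')
        self.sessions: Dict[FlowKey, float] = {}        # flow key -> last-seen timestamp

    def _expire_idle(self, now: float) -> None:
        for key, last_seen in list(self.sessions.items()):
            if now - last_seen > self.idle[key[0]]:
                del self.sessions[key]

    def process(self, pkt: Packet) -> str:
        self._expire_idle(pkt.ts)
        forward: FlowKey = (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        reverse: FlowKey = (pkt.proto, pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        # 1. Packets of a known session pass in either direction without re-checking the ACLs.
        for key in (forward, reverse):
            if key in self.sessions:
                if pkt.proto == "TCP" and pkt.flags & {"FIN", "RST"}:
                    del self.sessions[key]           # TCP teardown removes the entry at once
                    return "ALLOW (session closed)"
                self.sessions[key] = pkt.ts           # refresh the idle timer
                return "ALLOW (existing session)"
        # 2. Otherwise consult the ACLs: first match wins, default deny.
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None or rule.action == "DENY":
            return "DENY (acl)"
        if not rule.stateful:
            return "ALLOW (stateless)"
        # 3. A stateful ALLOW admits a new TCP flow only on its initial SYN, so a crafted
        #    ACK that matches the 4-tuple but belongs to no session is dropped.
        if pkt.proto == "TCP" and pkt.flags != {"SYN"}:
            return "DENY (not part of an existing session)"
        self.sessions[forward] = pkt.ts
        return "ALLOW (new session)"

def demo() -> Dict[str, str]:
    """Run constructed traffic (made-up addresses) through stateful and stateless rules."""
    fw = AclEngine([AclRule("ALLOW", "10.0.2.0/24", "10.0.1.0/24", "TCP", 80, stateful=True),
                    AclRule("ALLOW", "10.0.2.0/24", "10.0.3.53/32", "UDP", 53, stateful=True)])
    out: Dict[str, str] = {}
    # Database server opens a TCP connection to the web tier; the reply is admitted via the table.
    out["syn"] = fw.process(Packet("TCP", "10.0.2.5", "10.0.1.10", 40000, 80, frozenset({"SYN"}), 0.0))
    out["syn_ack"] = fw.process(Packet("TCP", "10.0.1.10", "10.0.2.5", 80, 40000, frozenset({"SYN", "ACK"}), 0.1))
    # Unsolicited packet from the web tier: no session and no permitting ACL.
    out["unsolicited"] = fw.process(Packet("TCP", "10.0.1.10", "10.0.2.5", 80, 50000, frozenset({"ACK"}), 0.2))
    # Crafted ACK that matches the ALLOW rule's 4-tuple but belongs to no session.
    spoof = Packet("TCP", "10.0.2.5", "10.0.1.10", 41000, 80, frozenset({"ACK"}), 0.3)
    out["spoofed_ack"] = fw.process(spoof)
    # FIN removes the TCP entry; a later packet on that tuple is denied.
    out["fin"] = fw.process(Packet("TCP", "10.0.2.5", "10.0.1.10", 40000, 80, frozenset({"FIN", "ACK"}), 0.4))
    out["after_fin"] = fw.process(Packet("TCP", "10.0.1.10", "10.0.2.5", 80, 40000, frozenset({"ACK"}), 0.5))
    # UDP has no teardown signal: the entry lives only until the idle timeout (120 s) expires.
    out["dns_query"] = fw.process(Packet("UDP", "10.0.2.5", "10.0.3.53", 5353, 53, frozenset(), 10.0))
    out["dns_reply"] = fw.process(Packet("UDP", "10.0.3.53", "10.0.2.5", 53, 5353, frozenset(), 10.5))
    out["late_reply"] = fw.process(Packet("UDP", "10.0.3.53", "10.0.2.5", 53, 5353, frozenset(), 200.0))
    # The same crafted ACK against a stateless version of the rule is let through.
    stateless = AclEngine([AclRule("ALLOW", "10.0.2.0/24", "10.0.1.0/24", "TCP", 80)])
    out["spoofed_ack_stateless"] = stateless.process(spoof)
    return out
```

Calling `demo()` returns a verdict per packet. The two verdicts worth comparing are `spoofed_ack` (denied by the stateful rule because no session exists and the packet is not a SYN) and `spoofed_ack_stateless` (allowed, because a stateless ACL only compares the tuple). The model does not track TCP sequence numbers or half-open state; a production firewall does, but the session-table logic is the part the text describes.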
Citrix ADC: ICSA-Certified as a Modular Firewall
Enterprises with these kinds of firewall deployments want ICSA certification. Did you know that Citrix ADC is officially certified by ICSA Labs as a modular firewall? ICSA Labs firewall certification is an industry-recognized validation for network products with firewall capabilities; it gives enterprises assurance that the equipment has been tested as a modular firewall. ICSA tests the product against a wide variety of scenarios in the areas of security, management, and high availability. Once the device has passed those test scenarios, enterprises can deploy it with confidence as a modular firewall in their network.
Citrix ADC’s ICSA certification involved baseline, corporate, and HA modules. Each module contains a list of standard test cases to validate the product as a firewall under different scenarios. For more details on the ICSA certification, check out these ICSA resources:
- Firewall Certified Product List
- Citrix Systems page
- Citrix ADC MPX 8920 page
- Citrix ADC MPX 8920 testing report
- ICSA Firewalls Document Library