As organizations move enterprise services and applications to the cloud, a larger share of their user traffic goes to the internet. Users inside the enterprise access public websites and their company's own resources delivered as cloud services. The increasing sophistication of attacks, together with the spread of diverse endpoints, mobile devices, and BYOD policies, has driven the rapid evolution of content-inspection technology to protect the modern enterprise. Enterprise IT now has a greater need than ever to closely monitor the traffic going in and out of the network.
In this blog post, I’ll cover Citrix ADC’s content inspection capabilities and how they can help enterprises monitor their traffic.
What Is Content Inspection in Citrix ADC?
First, let’s look at what Citrix ADC’s content inspection functionality does. It lets you send traffic to third-party inspection devices such as an IPS, an IDS, a DLP system, or an antivirus engine. Citrix ADC forwards the data to those devices for inspection, which removes security blind spots: the devices can scan the data for malware and viruses and analyze it for sensitive content.
When content must be inspected before data is uploaded to or downloaded from an application server, you can integrate Citrix ADC with a security device deployed in ICAP, inline, or detection-only (mirror) mode. Because Citrix ADC terminates the SSL/TLS session itself, it also offloads that processing from the security devices.
Key capabilities of Citrix ADC’s content inspection module include:
- Integration with IPS/NGFW and more using inline service chaining
- ICAP to communicate with devices hosting ICAP servers
- Support to mirror HTTP/HTTPS traffic to passive devices
Content Inspection Use Cases
Let’s use the diagram below to consider a few use cases you can solve with content inspection in Citrix ADC.
When Citrix ADC receives HTTP traffic, it sends it directly to the third-party devices for inspection. If the traffic is HTTPS, as shown above, Citrix ADC decrypts it and sends it to the third-party devices in plain text. Note that the link between Citrix ADC and the inspection device therefore carries decrypted data, so it belongs on a trusted, isolated network segment. This functionality lets Citrix ADC address the following use cases:
- Plug and play of DLP, AV, and any device that speaks ICAP: Citrix ADC can send traffic in plain text over ICAP to any security device capable of acting as an ICAP server. With this capability, you can add DLP, AV, or another security device to your deployment without major changes to it. ICAP protocol support is available from version 12.0 onward. Learn more about configuring an ICAP client.
- Plug and play of IPS, NGFW, etc., without deploying them inline: Citrix ADC can send traffic in plain text to any security device connected to its Layer 2 network. It steers the traffic to a device such as an IPS or NGFW, waits for the response, and then either forwards the traffic to the backend server or drops/resets the connection based on that response. Citrix ADC can also chain security devices such as an IPS and an NGFW so that traffic passes through them in a specified order, and its policy infrastructure lets you skip a specific device for certain types of traffic. This support is available from version 12.1 onward. Learn more about configuring inline service chaining on Citrix ADC.
- Plug and play of monitoring devices such as an IDS for visibility: Citrix ADC can send a copy of HTTP traffic to any passive device connected to it using its mirroring capability. In this deployment, Citrix ADC does not expect a response from the passive device, so the device can observe the traffic but cannot block it. This support is available from version 13.0 onward. Learn more about configuring HTTP mirroring.
- Reduce AV, DLP, and IPS costs with TLS termination on Citrix ADC for incoming traffic to your servers: Citrix ADC terminates the SSL/TLS connections coming in to your servers, giving admins visibility into that traffic so they can verify it is safe before it is allowed through. With TLS termination offloaded to Citrix ADC, the other devices in the path no longer spend CPU on decryption, which reduces the capacity they need and the cost of providing it.
- Securing app servers against attacks hidden in encrypted traffic with content inspection: Citrix ADC provides visibility into SSL traffic using SSL interception, so admins can identify attacks carried inside encrypted sessions and protect the infrastructure. Learn more about configuring SSL interception.
- Reduce AV, DLP, and FW costs with TLS termination on Citrix ADC for your employees accessing the internet: Citrix ADC provides visibility into SSL connections leaving the data center so admins can ensure outgoing traffic complies with your security policies. Because this intercepts TLS sessions to external sites, client devices must trust the CA certificate Citrix ADC uses to re-sign server certificates, and any traffic you exempt from interception (for privacy or regulatory reasons) remains a blind spot.
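To make the ICAP use case above concrete, here is an added example (written for this post, not Citrix code) of what the ICAP REQMOD exchange between an ICAP client and a DLP server looks like on the wire. The client side plays the role Citrix ADC plays: it encapsulates the plaintext HTTP request per RFC 3507, sends it to the ICAP server, and acts on the verdict (204 means "unmodified, let it through"; a 200 carrying an HTTP response means "blocked"). The server side is a stub DLP engine constructed here only so the exchange runs offline; the hostname dlp.example.internal, the /reqmod path, the toy card-number rule, and the sample upload are all assumptions. It also shows the decision a real deployment must make when the inspection device does not answer in time: fail open or fail closed.

```python
"""Minimal ICAP REQMOD exchange: client-side encapsulation, verdict parsing, stub DLP server."""
import re
import socket
import threading
import time

ICAP_PATH = "/reqmod"  # assumed service path; a real DLP vendor documents its own
# Toy DLP rule (constructed): a 16-digit, card-number-looking sequence in the upload body
SENSITIVE = re.compile(rb"\b\d{4}(?:[ -]?\d{4}){3}\b")

# Constructed sample traffic: the HTTP request headers the proxy would encapsulate
UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: app.example.internal\r\n"
          b"Content-Type: text/plain\r\n\r\n")


def build_reqmod(host, http_request, body=b""):
    """Encapsulate one HTTP request as an ICAP REQMOD message (RFC 3507 framing)."""
    if body:
        encapsulated = f"req-hdr=0, req-body={len(http_request)}"
        payload = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"  # chunked body
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_request)}"
        payload = b""
    icap_headers = (
        f"REQMOD icap://{host}{ICAP_PATH} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # we accept 204 = "unmodified, forward the original request"
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode()
    return icap_headers + http_request + payload


def parse_verdict(raw):
    """Map an ICAP response to an action: 204 allow; 200 with res-hdr block; 200 with req-hdr modified."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    code = int(head.split(b"\r\n", 1)[0].split()[1])
    if code == 204:
        return "allow", None
    if code == 200:
        if b"res-hdr" in head:  # server substituted an HTTP response: the upload is blocked
            return "block", encapsulated
        return "modified", encapsulated  # server rewrote the request; forward the rewritten one
    return "error", None


def stub_dlp_server(listener, stall=False):
    """Constructed ICAP server: scans the encapsulated body and answers 204 or a 403 block."""
    conn, _ = listener.accept()
    with conn:
        if stall:
            time.sleep(1.0)  # simulate an inspection device that never answers in time
            return
        buf = b""
        while chunk := conn.recv(4096):  # client half-closes after sending, so read to EOF
            buf += chunk
        _, _, encapsulated = buf.partition(b"\r\n\r\n")
        if SENSITIVE.search(encapsulated):
            http = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
            conn.sendall(b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, null-body=%d\r\n\r\n"
                         % len(http) + http)
        else:
            conn.sendall(b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n")


def inspect(http_request, body=b"", stall=False, fail_open=False, timeout=0.3):
    """Run one REQMOD exchange against the stub and return the action the proxy should take."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=stub_dlp_server, args=(listener, stall), daemon=True).start()
    host = "dlp.example.internal"  # assumed name for the ICAP server
    try:
        with socket.create_connection(listener.getsockname(), timeout=timeout) as s:
            s.sendall(build_reqmod(host, http_request, body))
            s.shutdown(socket.SHUT_WR)
            raw = b""
            while chunk := s.recv(4096):
                raw += chunk
        return parse_verdict(raw)[0]
    except OSError:
        # Device unreachable or too slow: this is the fail-open vs fail-closed decision
        return "allow" if fail_open else "block"
    finally:
        listener.close()


if __name__ == "__main__":
    print(inspect(UPLOAD, b"quarterly notes, nothing special"))
    print(inspect(UPLOAD, b"card 4111 1111 1111 1111 attached"))
    print(inspect(UPLOAD, b"hello", stall=True))
    print(inspect(UPLOAD, b"hello", stall=True, fail_open=True))
```

The Encapsulated header is the part people most often get wrong: it gives the byte offset of each section so the server can split HTTP headers from the chunked body without parsing the HTTP itself. The last two calls show why the timeout action matters: a slow or dead DLP server silently becomes either an outage (fail closed) or an inspection bypass (fail open), so choose it deliberately and alert on it.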
Citrix ADC’s content inspection functionality gives you the enhanced visibility you need without compromising flexibility. Learn more here.