Defend web properties from modern threats with Citrix ADC

Defending your organization’s web properties has never been more challenging. In the past, IT security teams had just a handful of enterprise web apps to defend. Now they must protect the web backends of many mobile apps, SaaS apps and other cloud- delivered solutions.

At the same time, the number and diversity of threats are increasing. For example, modern defenses must account for far more than just the most prominent part of the threat landscape, advanced malware. Other targeted threats that require diligence include web-specific application-layer attacks, denial and distributed denial of service (DoS/DDoS) attacks and security-induced usability issues.

Citrix ADC complements advanced malware protection and other high-profile security products to provide an ideal solution for defending against new threats and protecting more targets. The benefits of utilizing Citrix ADC in this capacity include:

  • Reduced security risk by thwarting not only advanced malware but also DoS and targeted application-layer attacks.
  • Reduced business risk as security automation, enhanced usability and improved performance increase customer utilization and retention rates.
  • Increased business agility from IT’s ability to fully embrace transformative mobile, web and cloud solutions without fear of compromise or other types of infrastructure-related failures.

Figure 1: A complete solution for defending web properties.

Modern web properties: Not just your typical web apps

In the beginning, web properties involved little more than a browser—typically Internet Explorer—interacting with a corporate website. Fast forward to the present, however, and it is an understatement to say that web solutions have wildly evolved. Now, enterprise web properties entail diverse components, including:

  • Numerous browsers interacting with numerous web app components and sites.
  • Cloud-hosted web apps/sites and content delivery networks.
  • SaaS and other cloud delivery options, such as platform as a service (PaaS) and infrastructure as a service (IaaS), where the enterprise owns and controls progressively less of the solution.
  • Mashups, where content is dynamically pulled together from numerous external sites.
  • Powerful APIs for enabling supply chain integration and greater automation.
  • Mobile solutions where device-side micro apps communicate to sophisticated web-based backends.

As a result, defending web properties is no longer simply a matter of protecting enterprise web apps. The scope of resources needing protection has expanded considerably, most notably to include mobile and cloud solutions.

What about APTs?

Although vendors of advanced malware protection often lump them together, advanced persistent threats (APTs) and advanced malware are by no means the same thing. In reality, APTs are more about the threat actor—who is well-organized, well-funded and persistent—than the specific class of threat mechanism being employed. In fact, APTs typically employ multiple attack methods and techniques over their duration, including not only advanced malware but also app-layer and DoS elements, for example, to gain access to data and then create a diversion as that data is being exfiltrated.

Figure 2: Complex world of web properties

Modern threats: Sophisticated malware is only the tip of the iceberg

Advanced malware is commanding a lot of attention these days, and rightly so. Commonly deployed signature-based defenses are no match for the new generation of malware that is designed specifically to evade them—for example, by targeting previously undisclosed vulnerabilities, leveraging compromised credentials or using polymorphism and other techniques to rapidly change the malicious code’s footprint or capabilities.

The result is a clear and present need for today’s organizations to invest in advanced malware protection solutions that are not dependent on signature-based mechanisms limited to only detecting previously identified threats—also referred to as known threats. However, advanced malware is only one class of threats that pose significant risk to an organization’s web properties. In particular, DoS attacks, web-specific app-layer attacks and usability issues also require threat mitigation.

Figure 3: Modern threats landscape  

DoS attacks – Over the past couple of years there has been a marked resurgence of DoS attacks, along with significant changes in the nature of the threat itself. No longer are only the largest Internet properties coming under fire. Thanks to the widespread availability of inexpensive toolkits and botnets—for DoS creation and execution, respectively—now every business, regardless of size or industry affiliation, is at risk. Detecting these attacks is also much harder than in the past, as stealthy, low-bandwidth, application-layer variants focused on exhausting backend resources have now joined the ever-familiar, high-volume attacks intended to flood your Internet pipes or knock over frontend network devices such routers, firewalls or basic ADCs.

Web-specific, app-layer attacks – The threat in this case is not new, but continues to be significant. Faced with a plethora of commonly deployed defenses operating at the network layer, hackers have logically chosen to focus their efforts at the higher layers of the computing stack to achieve more-favorable results. The outcome is a substantial percentage of attacks targeting weaknesses discovered in both widely distributed web technologies and components—such as the HTTP protocol itself, Java or popular web servers and apps—and an organization’s own custom web apps. Common threats that fall into this category include cross-site scripting, cross-site request forgery, SQL injection and buffer overflow attacks, just to name a few.

Usability threats – Degraded usability is often overlooked or discounted on the basis that it is technically more of a performance problem than a true security threat. However they are classified, though, usability issues introduced by security solutions are still a very real threat, at least as far as the business is concerned. Poor performance resulting from compute-intensive inspection routines, SSL overload, convoluted logon processes and inconsistent access capabilities can lead users to pursue insecure workarounds and prompt customer dissatisfaction and, ultimately, defection. In addition, compensating for these conditions may require organizations to purchase considerably more or higher-capacity hardware than originally planned. IT security teams, therefore, need to be mindful that security solutions themselves can become a threat if not architected to avoid or otherwise compensate for these types of usability problems.

The bottom line is that defending modern web properties requires accounting for all of these classes of threats, not just advanced malware. The risks incurred by failing to do so include greater potential for data loss or exposure, customer defection, higher total cost of ownership (TCO) and non-compliance liabilities.

Modern defenses: The role of Citrix ADC

Citrix ADC, the best ADC for building enterprise cloud networks, is also the ideal solution for defending modern web properties. Already a strategic component in thousands of enterprise datacenters and cloud provider networks, Citrix ADC delivers extensive web defense capabilities that perfectly complement advanced malware protection solutions, such as those available from FireEye and Palo Alto Networks. With Citrix ADC, enterprises obtain everything they need to ensure the availability, security, usability and agility of their web properties while successfully thwarting DoS and app-layer attacks intended to disrupt the business and exfiltrate valuable data. Moreover, all of these essential capabilities are available as a tightly integrated solution on a single, highly scalable platform. As a result, enterprises no longer need to invest in and incur the added complexity of operating multiple, standalone security products.

Keeping the lights on

Web properties that are not accessible due to outages are next to worthless, and can even cause damage to a company’s reputation. Therefore, Citrix ADC defenses for web properties start with an extensive set of capabilities for protecting against threats that can disrupt operations and render key services unavailable.

In the event that a web server or other key component of a web property fails for any reason, core load balancing algorithms dynamically route affected traffic to alternate instances configured as part of a pool managed by Citrix ADC. In this way, Citrix ADC provides continuous availability during scheduled maintenance and unanticipated failures, as well as attack-induced outages.

Citrix ADC health checks monitor the status of key components and engage core load balancing features to proactively avoid trouble spots. Unlike many competing solutions that merely confirm that a network connection is available and the underlying server is online, Citrix ADC provides extended content verification checks to further establish that key system-level services and individual software routines are also in proper working order.

A robust global server load balancing (GSLB) feature set provides seamless disaster recovery for modern web properties. If an entire site becomes unavailable for any reason, affected traffic is automatically directed to an alternate datacenter. A consistently positive user experience can also be ensured by taking advantage of intelligent monitors and policies to regularly route sessions to the optimal site based on administrator-selected priorities such as proximity, resource utilization levels or overall performance.

With Citrix ADC, organizations obtain a powerful, first line of defense against all types of DoS threats. Coverage is provided not only for volumetric attacks intent on consuming all of your Internet bandwidth, but also for more insidious ones looking to exhaust device state tables, abuse infrastructure or application layer services (e.g., DNS, SSL and HTTP), or somehow misuse application-specific features in a way that substantially degrades performance (for example, by repeatedly issuing requests that lead to complex calculations, backend queries or search operations).

Major spikes in utilization for a web property can have the same impact as a DoS attack. Citrix ADC addresses this situation with surge protection, a capability that gracefully handles intermittent traffic surges by basing the rate at which new connections are presented to backend servers on the servers’ capacity for handling them. Significantly, no valid connections are dropped with this mechanism. Instead Citrix ADC caches and delivers connections in the order in which they were received, but only when the backend servers are ready to handle them.

Thwarting advanced threats

Overcoming availability-oriented threats is only a starting point—albeit a critically important one. With Citrix ADC, organizations also benefit from a solution capable not only of directly thwarting targeted application-layer attacks, but also of working alongside leading third-party products to counteract the latest generation of sophisticated malware.

Enforcing RFC compliance and best practices for HTTP use is a highly effective method used by Citrix ADC to eliminate an entire class of attacks based on malformed requests and illegal HTTP protocol behavior. Custom checks can also be added to the security policy by taking advantage of integrated content filtering, custom response actions and bi-directional HTTP rewrite capabilities. The result is broad-spectrum protection against reconnaissance (e.g., by removing information from server responses that could be used to perpetrate an attack), HTTP-based malware (e.g., Nimda, Code Red), and other application-layer threats.

Traditional network firewalls lack the visibility and control required to protect against the more than 70 percent of Internet attacks that target application-layer vulnerabilities. In comparison, Citrix Web App Firewall is an ICSA-certified security solution that analyzes all bi-directional traffic, including SSL-encrypted communications, to counteract both known and unknown application-layer threats without requiring any modifications to an organization’s web properties. Key capabilities include:

  • Attack protection – A combination of positive and negative security models provides the most comprehensive protection against all modes of attack. To defeat new, unpublished exploits, a positive-model policy engine understands permissible user-app interactions and automatically blocks all traffic falling outside this scope. A negative model engine simultaneously employs attack signatures to guard against and report on known threats to applications.
  • Data theft protection – Safe Object data checks protect against unexpected leaks of sensitive business information—such as intellectual property or credit card numbers—whether the associated event is due to an actual attack, misuse by an authorized user or a flaw in a web application’s design. A combination of administrator-defined regular expressions and custom plug-ins tell Citrix Web App Firewall the format of this information, while associated rules specify the appropriate action to take, such as masking the protected field or blocking the entire response from the application.
  • Compliance protection – Citrix Web App Firewall enables enterprises to achieve compliance with the Payment Card Industry Data Security Standard (PCI-DSS), which explicitly encourages the use of web app firewalls for public- facing applications that handle credit card information. Citrix ADC produces detailed reports to document all protections defined in the firewall policy that pertain to PCI-DSS or other applicable governance and compliance mandates.

While Citrix ADC does not provide direct detection of all forms of advanced malware, its extensive set of security features nonetheless offers a considerable measure of protection against this ever-growing class of threats. In particular, Citrix ADC can diminish the impact of malware, for example, by stopping any blended components utilizing common web attack techniques, any components that cause or rely on abnormal application behavior and attempts by malware to exfiltrate sensitive business data. The corresponding network and app-layer event data generated by Citrix ADC can also be used, typically in conjunction with other event streams, to initially reveal and subsequently help pinpoint the presence of malware. In addition, solutions from Citrix Ready partners explicitly designed to address advanced malware provide threat-specific protection to high-profile enterprises.

Ensuring usability

The need to avoid outages for modern web properties is a given. Less obvious, but arguably more impactful due to their increased likelihood, are usability issues such as poor performance and convoluted or inconsistent processes for gaining access to web properties. Unlike most security solutions, which tend to exacerbate these problems, Citrix ADC actively works to overcome them through a combination of intelligent design decisions and numerous features specifically focused on accelerating application performance.

Citrix ADC features that help enterprises overcome security-, network- and application-induced performance obstacles include:

  • Embedded TCP optimizations such as advanced buffering, window scaling and congestion control techniques increase system capacity, lower packet loss rates and improve response times by more efficiently utilizing available bandwidth and server resources.
  • In-memory caching of both static and dynamic content (Citrix Web App FirewallCache), combined with aggressive data compression routines (Citrix Web App FirewallCompress) reduce network and server congestion while significantly accelerating application response times.
  • By incorporating dedicated SSL acceleration hardware and support for large encryption keys (2048-bit and larger), Citrix ADC delivers essential encryption capabilities that avoid the need to make tradeoffs between stronger security and a high-performance user experience.
  • Priority queuing provides a QoS mechanism for prioritizing incoming requests based on the relative importance of the associated applications.
  • By incorporating a SPDY gateway, Citrix ADC enables use of this increasingly popular protocol that optimizes how HTTP requests and responses are sent over the network without having to modify server-side applications.
  • Citrix ADC ActionAnalytics feature enables fully automated monitoring and response to degraded performance conditions, while Citrix Networking Insight Center provides administrators with in-depth visibility to help identify and remedy emerging issues before they become full-blown problems.

Citrix ADC features that help mitigate the threat of poor usability by enhancing the user experience in other, non-performance-related ways include support for:

  • Single sign-on (SSO) – Users need only sign in once, as Citrix ADC transparently logs them in to all resources within a given domain.
  • Centralized authentication and authorization – The same extensive set of access control services can be leveraged across all of an organization’s web properties, and for all of a user’s devices. This capability not only simplifies administration of mobile users and web property, but also ensures a consistent user experience.

Delivering affordability and agility

Another way that a security solution can effectively be a threat—at least from the perspective of business management—is by costing too much or failing to align with key business objectives. Citrix, however, has purposely developed and packaged Citrix ADC to mitigate these challenges, too.

Citrix ADC is the only application delivery solution that combines load balancing, GSLB, SSL VPN connectivity and more on an integrated, highly scalable platform. Competing solutions force organizations to purchase, implement and integrate multiple, separate products and devices to obtain a similar set of capabilities for thoroughly defending and delivering web properties. With Citrix Networking SDX, IT departments also gain the ability to consolidate their ADC infrastructure by implementing up to 80 isolated Citrix ADC instances on a single platform.

The ongoing move to enterprise cloud networks is facilitated by the availability of cloud-ready Citrix Networking VPX virtual appliances. A full-featured, software-only version of the Citrix Web App Firewall Delivery Controller, this solution provides the flexibility to implement Citrix ADC threat defense and performance optimization capabilities on demand, anywhere within either the enterprise or a third-party cloud datacenter. Citrix Networking VPX enables organizations to securely run their web applications and services in whatever location is best for them.

When it comes to supporting enterprise mobility initiatives, Citrix ADC does not stop at defending and optimizing associated web properties. It also provides the same services for related management infrastructure, in particular Citrix Endpoint Management. A comprehensive solution for managing mobile devices, apps and data, Citrix Endpoint Management gives users the freedom to experience work and life their way. While IT gains full control and the ability to protect the entire mobile environment, users gain single-click access to all of their mobile, web, SaaS and Windows apps from a unified corporate app store. Combining Citrix ADC with Citrix Endpoint Management delivers:

  • High availability for key components of the enterprise mobility infrastructure.
  • Additional layers of protection for mobile devices, apps and data.
  • The ability to scale mobile operations without disrupting employees or requiring forklift upgrades.


Defending your organization’s web properties entails far more than protecting a handful of enterprise web applications from the scourge of advanced malware. Defenses must also be mounted for web backends supporting native mobile apps, SaaS solutions and other cloud-delivered services. Moreover, these defenses must provide coverage for other, equally troublesome classes of threats, including application layer attacks, DoS attacks and security induced usability issues.

Citrix ADC is an ideal complement to today’s high-profile, advanced malware solutions. Citrix ADC:

  • Reduces security risk by mitigating other top classes of threats to web properties, including DoS and app-layer attacks.
  • Reduces business risk by enhancing web property usability and performance to increase user attraction and retention.
  • Lowers total cost of ownership by providing extensive opportunities for infrastructure consolidation and optimization of resource utilization.
  • Increases business and IT agility by providing organizations the security and other critical capabilities they need to confidently pursue initiatives in user mobility, IT consumerization and enterprise cloud networks.

Next step