The need for robust data center security has never been greater. Traditional challenges and concerns—including extensive regulatory requirements, the rise of targeted attacks, and the continuing erosion of perimeter-centric security models—are now being joined by the need to account for highly dynamic enterprise cloud architectures and flat networks with fewer, natural ‘choke points.’ Add the ever-present budgetary pressures to do more with less, and it becomes clear that the foundation for stronger security must be built using existing data center infrastructure.
NetScaler for application security
Security practitioners are justifiably investing substantial time, effort, and money on application layer security. After all, attacks against vulnerable application-layer services, faulty business logic, and valuable data have proven quite fruitful. Accordingly, NetScaler incorporates numerous app layer protections, including a full-featured application firewall, data loss protection, and countermeasures for thwarting denial-of-service (DoS) and other Layer 7 attacks.
NetScaler application firewall
Traditional network firewalls lack the visibility and control required to protect against the more than 70 percent of Internet attacks that target application-layer vulnerabilities. This is the rationale behind the NetScaler Application Firewall, a comprehensive ICSA-certified web application security solution that blocks known and unknown attacks against web and web services applications. Employing a hybrid security model and analyzing all bi-directional traffic, including SSL-encrypted communications, the Application Firewall counteracts a broad range of security threats without requiring any modifications to applications.
Hybrid security model. A combination of both positive and negative security models provides the most complete protection against all modes of attack. To defeat new, unpublished exploits, a positive-model policy engine that understands permissible user-app interactions automatically blocks all traffic falling outside this scope. Complementing this, a negative model engine uses attack signatures to guard against known threats to applications.
XML protection. In addition to blocking common threats that can be adapted for attacking XML-based apps (e.g., cross-site scripting, command injection, etc.), the Application Firewall incorporates a rich set of XML-specific protections. These include: schema validation to thoroughly verify SOAP messages and XML payloads, the ability to block XML attachments containing malicious executables, defense against XPath injection techniques for gaining unauthorized access, and the ability to thwart related DoS attacks (e.g., excessive recursion).
Advanced protection for dynamic elements. Augmenting the default protection profile, an advanced profile provides essential security for applications that process user-specific content. Multiple session-aware protections secure dynamic application elements such as cookies, form fields, and session-specific URLs, thereby thwarting attacks that target the trust relationship between client and server (e.g., cross-site request forgery). Application dynamism is handled by the positive security engine and secured without explicitly defining each dynamic element in the policy. Because only exceptions need to be learned, configuration is easier and change management is simplified.
Tailored security policies. An advanced learning engine automatically determines the expected behavior of enterprise web applications and generates human-readable policy recommendations. Administrators can then tailor the security policy to the unique requirements of each application, and avoid potential false-positive events.
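The hybrid model described above, as an added illustration that is not NetScaler code: a negative-model signature pass followed by a positive-model check of each request against an allowlist of known paths and parameter formats. The policy, signatures and sample requests are constructed for this example; a real positive-model policy would be learned or imported, not hand-written like this.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Positive model (constructed sample policy): the only permitted interactions.
# Each path maps to the parameters it may carry and the format each must match.
POSITIVE_POLICY = {
    "/login": {"user": re.compile(r"^[a-z0-9_.]{1,32}$"), "pw": re.compile(r"^.{8,64}$")},
    "/order": {"id": re.compile(r"^[0-9]{1,10}$"), "qty": re.compile(r"^[1-9][0-9]{0,2}$")},
}

# Negative model (constructed, deliberately tiny): signatures for known attack patterns.
SIGNATURES = {
    "sqli-tautology": re.compile(r"('|\")\s*or\s+\d+\s*=\s*\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

@dataclass
class Verdict:
    allowed: bool
    reason: str

def evaluate(url):
    """Negative model first (known bad), then positive model (anything not known good)."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    # Negative model: a signature hit in the path or in any parameter value blocks the request.
    for text in [parsed.path] + [v for vals in params.values() for v in vals]:
        for name, sig in SIGNATURES.items():
            if sig.search(text):
                return Verdict(False, f"signature:{name}")
    # Positive model: an unknown path, an unknown parameter or a malformed value is blocked,
    # which is what catches exploits no signature describes yet.
    allowed_params = POSITIVE_POLICY.get(parsed.path)
    if allowed_params is None:
        return Verdict(False, "positive:unknown-path")
    for name, values in params.items():
        pattern = allowed_params.get(name)
        if pattern is None:
            return Verdict(False, f"positive:unknown-param:{name}")
        for v in values:
            if not pattern.match(v):
                return Verdict(False, f"positive:bad-format:{name}")
    return Verdict(True, "ok")
```

The learning engine the text mentions would populate `POSITIVE_POLICY` from observed traffic; the exceptions an administrator reviews are exactly the `positive:*` verdicts.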
Data Loss Protection
Unexpected leakage of sensitive data in application server responses results from a successful attack against the application, a flaw in the application’s design, or misuse by an authorized user. A prudent step for enterprises to take, and an essential part of a defense-in-depth security strategy, is to actively guard against such leakage. NetScaler facilitates this requirement with a straightforward, easy-to-use data loss protection capability.
Safe Object data checks, an integral feature of the NetScaler Application Firewall, provide administrator-configurable protection for sensitive business information, such as social security numbers, order codes, and country/region-specific telephone numbers. An administrator-defined regular expression or custom plug-in tells the application firewall the format of this information and defines the rules to be used to protect against leakage. If a string in a user request matches a safe object definition, the application firewall can then take appropriate action, including:
- Block the response.
- Mask the protected information.
- Remove the protected information from the response before sending it to the user.
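The Safe Object behaviour above, as an added example rather than NetScaler's own implementation: each safe object is a regular expression describing the sensitive format plus one of the three actions (block, mask, remove), applied to a response body before it is sent. The definitions and the response text are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class SafeObject:
    name: str
    pattern: re.Pattern   # format of the sensitive data, as the administrator would define it
    action: str           # "block", "mask" or "remove"

# Constructed safe-object definitions (formats simplified for the example).
SAFE_OBJECTS = [
    SafeObject("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "mask"),
    SafeObject("order-code", re.compile(r"\bORD-[A-Z0-9]{8}\b"), "remove"),
    SafeObject("uk-phone", re.compile(r"\+44\s?\d{4}\s?\d{6}\b"), "block"),
]

BLOCKED_BODY = "403 Forbidden: response withheld by data loss protection"

def mask(m):
    """Replace every digit except the last four with 'X', keeping separators readable."""
    s = m.group(0)
    head, tail = s[:-4], s[-4:]
    return re.sub(r"\d", "X", head) + tail

def filter_response(body, safe_objects=SAFE_OBJECTS):
    """Return (body_to_send, hits); hits lists the safe objects that matched, in order."""
    hits = []
    for so in safe_objects:
        if not so.pattern.search(body):
            continue
        hits.append(so.name)
        if so.action == "block":
            # Block wins outright: nothing of the original response leaves the appliance.
            return BLOCKED_BODY, hits
        if so.action == "mask":
            body = so.pattern.sub(mask, body)
        elif so.action == "remove":
            body = so.pattern.sub("", body)
    return body, hits
```

The `hits` list is what you would forward to the SIEM: a mask or remove still leaks the fact that the application tried to emit the data, which is worth alerting on.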
NetScaler for network and infrastructure security
NetScaler also incorporates several network and infrastructure-oriented security capabilities. Most notable among these are extensive support for SSL-based encryption, DNS security, and Layer 4 attack protection.
Establishing a security fabric with NetScaler partner products
NetScaler’s value as a datacenter security solution is strengthened by a rich ecosystem of partner products. Key examples include:
- Reporting and analytics – A standards-based technology, NetScaler AppFlow® extends the TCP-level information already captured by IPFIX—the IETF standard for NetFlow—to include per-flow application-layer data records. Completely non-intrusive, AppFlow eliminates the need for proprietary taps, software agents, or additional devices by leveraging an organization’s existing NetScaler infrastructure to provide insight into who is using which resources, when, and to what extent. Splunk, a Citrix Ready® Partner, consumes AppFlow data in its Splunk for NetScaler with AppFlow solution to enable analysis and reporting of security-related details such as: SSL VPN and application firewall events, policy violations, and resources under attack.
- Security information and event management (SIEM) – NetScaler AppFirewall™ also supports the Common Event Format (CEF) and syslog for data output to third-party solutions. One common use case is the processing of NetScaler event and log information by leading SIEM platforms (e.g., HP ArcSight and RSA enVision) for operational security and compliance management purposes.
- Vulnerability management – HailStorm and Click To Secure from Citrix Ready Partner Cenzic provide dynamic, black-box testing of web sites to generate vulnerability information. In this instance, the partnership has led to simplified import of Cenzic scan results into the NetScaler Application Firewall for configuring rules to protect against threats that target vulnerabilities discovered in applications and services.
A handful of other representative partners and their technologies include: RSA (Adaptive Authentication), Qualys (vulnerability management), Sourcefire (IPS and real-time network awareness), TrendMicro (AV and web security), and Venafi (key/certificate management). The bottom line is that these, and a host of other available partner solutions, enable enterprises to build on the foundation provided by NetScaler to establish a complete datacenter security fabric.