The Citrix Blog
Blogs for tag 'application firewall'


posted by vamsi Korrapati

We announced the availability of the five Application Firewall appliances on the NetScaler MPX platform today. We tested the appliances for performance of the Application Firewall module for a custom website as well as benchmark tests (to show the maximum achievable results). The full report is available here.

Test results - Basic defaults

The custom website is a set of pages created for test purposes and hosted on the testing tool. Details of the URLs and page sizes are included in the appendix. The Application Firewall was configured with basic default security settings (roughly, the request-side security checks that do not require session creation).

Analysis of results

•    In Basic mode, NetScaler Application Firewall inspects only the content of HTTP requests. The higher end platforms (10500/12500) are limited by the Request/Sec that NetScaler Application Firewall can process, so there is no difference in the throughput of the 10500 and 12500.
•    The rated throughput limits on the 5500 and 7500 were reached.
•    A 5KB average response size is quite low for web sites today.  As seen below, the higher end platforms are capable of much higher throughputs.


 Note: The results are from two independent tests. For instance, the 5500 cannot simultaneously achieve 24K requests per second while handling 550 Mbps of traffic.


To maximize the requests-per-second value, Citrix used a single request URL that generated a valid one-byte HTTP response; to maximize throughput, a single request that generated a 100KB HTTP response. The same TCP connection was reused to send multiple requests. These benchmark tests are useful in determining the maximum performance achievable through the device and are used extensively in internal performance optimization. All tests are CPU-bound and do not exercise memory usage. These are extreme results; real-world numbers will be lower.

Analysis of results

•    The 7500 and 9500 have the same hardware platform (same number of CPU cores) as the 10500 and 12500, so the maximum requests-per-second (column 2) is identical for similar platforms.
•    The throughput results match the rated throughput of the NetScaler platforms. The Basic default configuration is set to request side checks only. The throughput numbers are limited by the platform limits and not by Application Firewall processing.

For Advanced protection features and other discussion, check out the full report.


posted by vamsi Korrapati

Over the last six or so months, we have refreshed the entire lineup of the NetScaler load balancer appliances moving to a multi-core architecture with high performance and scalability. Now these appliances are also available as a Web Application Firewall (WAF).

Citrix Systems, Inc. (NASDAQ:CTXS) today announced immediate availability of five new Citrix® NetScaler® Application Firewall appliances designed to bring a new level of security to public and private clouds and web applications. Each of the new appliances is built on the Citrix® NetScaler® MPX™ hardware platform, the application acceleration, load balancing and web-security system that powers thousands of enterprise datacenters and most of the world's largest clouds and websites. With the introduction of this new offering, Citrix now provides solutions ranging from the 10 Mbps Citrix® NetScaler® VPX™ virtual appliance to a record-breaking 5 Gbps with the NetScaler MPX hardware appliance - meeting the needs of small and large enterprises, managed security services providers (MSSPs) and cloud providers. In fact, the new appliances outperform throughput levels from the nearest competitor by two times across multiple performance metrics.

Full press release is here.

The Web Application Firewall is available as an integrated module in NetScaler Platinum Edition and as an option on the Enterprise edition. You can also upgrade from the Application Firewall to the NetScaler Platinum edition by a license upgrade.

More Information

NetScaler Application Firewall datasheet
NetScaler Application Firewall product page
Product documentation


posted by Craig Ellrod

NetScaler 9.1 has been integrated with Siebel 8.1.1 Customer Relationship Management

Citrix NetScaler 9.1 is a Web application delivery controller that ensures that applications such as those in Siebel CRM 8.1.1 are always available, performing well and protected.

Integration Details

Citrix NetScaler 9.1 is an integrated Web application delivery controller appliance that provides advanced traffic management through Layer 4-7 content switching, rewriting and redirection. Secure Sockets Layer (SSL) offloading is also performed. NetScaler appliances are available in three editions running on a wide range of hardware platforms. NetScaler 9.1 is available both on hardware appliances (NetScaler MPX appliances) and as a virtual appliance (NetScaler VPX).

NetScaler 9.1 application delivery controllers are deployed in front of Oracle's Siebel Customer Relationship Management (Siebel CRM) 8.1.1.

NetScaler 9.1 performs:

  • L7 content switching
  • TCP multiplexing
  • SSL termination
  • Content rewriting
  • Caching
  • Compression

NetScaler 9.1 template for Siebel 8.1.1

NetScaler Application Templates - introduced in NetScaler 9.0 - provide an application centric view of the NetScaler's configuration. From a single place within the GUI NetScaler administrators can configure and view relevant application delivery policies such as content switching, Load Balancing, SSL Offload, Content Rewriting, Caching, Compression and Application Firewall.

A template was created and used for this NetScaler 9.1 integration with Siebel 8.1.1. It is available for download for free, and if you don't have any NetScaler or Siebel experience this is a great way to get your NetScaler pre-configured for Siebel application delivery.



Download Siebel 8.1.1 Application Template for NetScaler 9.1

Download NetScaler VPX here

If you're not running XenServer yet, you should be; it's free.

Tap into the power of AppExpert!


posted by Keira Pack

If you currently manage a Platinum appliance, or are considering migrating to this platform in the future, it is recommended that you take the next step towards optimal Web application delivery with advanced NetScaler training: CNS-300-1I Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Upon successful completion of this course, you will have the expert knowledge required to:

  • Identify common Web attacks and vulnerabilities
  • Write PERL compatible regular expressions
  • Configure Citrix Application Firewall 9.0 to protect Web applications
  • Troubleshoot Citrix Application Firewall 9.0
  • Install and configure Citrix EdgeSight for NetScaler to monitor Web application performance
  • Install, configure and use Citrix Command Center to manage NetScaler devices
  • Configure and use additional advanced features of NetScaler 9.0 including NetScaler Web Logging, HTTP Callout and AAA authentication for Web applications

Register Now
Cost: $4,995 USD
Duration: 5 days
Upcoming Q4 2009 Dates: November 2-6 (San Francisco, CA); November 2-6 (Instructor-led Online); December 14-18 (Instructor-led Online)

Questions? Contact a Citrix Education training specialist at 866-714-1260 or e-mail americaseducation@citrix.com


posted by vamsi Korrapati

A new whitepaper describing the XML firewall features available in NetScaler version 9.x is available here.
It includes a concise summary of the feature capabilities and the types of applications that the Application firewall can secure. Security is a core component of the Application Delivery Controller (ADC) platform. For a broad overview of the security related features available in the NetScaler, get Citrix NetScaler - A Comprehensive Application Security Solution.


posted by vamsi Korrapati

NetScaler Application Firewall devices are commonly deployed as a cluster of devices behind (hopefully) a NetScaler load balancer or Application Delivery Controller (ADC), as we like to call them now. Content switching or URL-based routing decisions are typically made on the load balancer, but some topologies require the flexibility of performing this action from the firewall tier itself. In this case, the firewall is directly connected to the web server tier without a load balancer in between.

The NetScaler Application Firewall can do content switching using the AppExpert policy engine based on any incoming request parameters to direct traffic to backend servers. Upgrading to the Platinum edition will make all NetScaler features available in an integrated platform enabling consolidation of server tiers. This feature is available in NetScaler 9.0 Build 69.x onwards as well as the 9.1 release.
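A minimal configuration for the topology described above, in which the firewall-tier NetScaler makes the URL-based routing decision itself and forwards directly to the web server pools. This is an added example, not configuration from the original post. The vserver, service, policy and profile names, the 192.0.2.x and 10.10.x.x addresses, the hostname and the /checkout path are all assumed; lines beginning with # are annotations, not commands; and the keyword that names the target load-balancing vserver on a content switching bind (-targetLBVserver here, -targetVserver in some older builds) should be checked against the command reference for the build in use.

```text
# Backend web server pools (names and addresses are assumed for this example)
add service svc_catalog_1 10.10.1.11 HTTP 80
add service svc_catalog_2 10.10.1.12 HTTP 80
add service svc_checkout_1 10.10.2.11 HTTP 80

# One load-balancing vserver per pool. Address 0.0.0.0 port 0 means the pool is
# reachable only through the content switching vserver, never directly by clients.
add lb vserver lb_catalog HTTP 0.0.0.0 0
add lb vserver lb_checkout HTTP 0.0.0.0 0
bind lb vserver lb_catalog svc_catalog_1
bind lb vserver lb_catalog svc_catalog_2
bind lb vserver lb_checkout svc_checkout_1

# The content switching vserver is the VIP clients connect to. The AppExpert
# request expression picks the pool; the -lbvserver bind is the default route.
add cs vserver cs_shop HTTP 192.0.2.10 80
add cs policy cs_checkout_pol -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/checkout\")"
bind cs vserver cs_shop -policyName cs_checkout_pol -targetLBVserver lb_checkout -priority 100
bind cs vserver cs_shop -lbvserver lb_catalog

# Application Firewall bound globally, so requests to both pools are inspected
# regardless of which way the switching decision goes
add appfw profile shop_prof -defaults basic
add appfw policy shop_pol "HTTP.REQ.HEADER(\"Host\").CONTAINS(\"shop.example.com\")" shop_prof
bind appfw global shop_pol 100
save ns config
```

Because the switching expression is evaluated on the same appliance that runs the firewall profile, any request attribute the policy engine can see (path, header, query parameter, client address) can drive the routing decision, which is what removes the need for a separate load balancer tier in front of the firewall.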


posted by Stefan Drege

Securing Web Applications with an Application Firewall

I have been working with Application Firewalls for quite a few years - many times to protect web applications published in languages and character sets that I didn't understand. Frequently, I have seen these Application Firewall deployment projects get bogged down in pursuit of the perfect policy set.

I have also seen many situations in which this process and application changes actually break these applications.

The NetScaler Application Firewall deployment can also be subject to these issues since the appliance provides extensive application firewall features. Even with the learning capabilities, creating the ideal set of security policies for any application can be a trial and error process that can take significant time.

In this blog, I would like to share an implementation methodology that shortens the deployment, and helps avoid breaking the applications to be protected. Experience has shown that approaching the configuration of the Application Firewall in stages is the key to timely success. This methodology is effective for all types of applications and their needs.

To reduce the time and risk that policy complexity introduces, break the task into stages: separate the policy configuration into groups of ascending risk. Some will object that a simplified protection policy set is not complete, but the stages build on each other, and an enforced basic set is better than allowing unfiltered access while every policy sits in learning or logging/warning mode.

The benefit of staging is that a basic set of policies is made operational first. The following stages then consist of a repeatable process of "policy tightening" as required by the application.

Stage I

When configuring the NetScaler Application Firewall policies, start with the basic protections. Activating these simple, generic policies almost never produces false positives. They typically include:

  • Protect against Cross Site Scripting (XSS) attacks
  • Protect against SQL Injection attacks
  • Protect against Buffer Overflow attacks
  • Prevent Credit Card Leakage
  • Prevent access to system files
  • Alter the contents of the server headers

Activating these policies will typically not break applications. As such, a small user community, with /etc/hosts overrides pointing at the firewall, can be used to validate the configuration over a fairly brief validation period.

More importantly, this is a great start. These policies deliver security effectiveness that can typically be rated as a seven on a scale of zero through nine (you can never get to a perfect "10" in security).

Stage II

The next stage will include applying policies that require more application validation to determine the application specific relaxation adjustments ("policy overrides").

But first, don't forget to ask yourself if this application actually requires tightened policies.

If so, Stage II protections should be sequenced: enable blocking for cookie tampering prevention first, then move on to blocking tampering with the values of parameter and/or hidden form fields.

Start with cookie poisoning prevention ("Cookie Consistency"). It will likely require the fewest relaxations, and so builds on the Stage I successes most rapidly.

To do this, use the learning process to identify the cookies that are legitimately altered between the response and request process. Minimally, relaxations will be required for cookies that are set and modified by third party monitoring services. Again, because of the staging, this learning can happen while the basic policies are in place and actively applying their protection mechanisms.

If further tightening is required, focus on creating policies that prevent users from tampering with the values of parameter and hidden form fields. This is achieved by activating "Field Consistency" learning in the NetScaler application firewall. Depending on the architecture of the application or a frequent use of client side scripting, these policies carry a higher risk of blocking legitimate requests. These policies thus require a more extensive learning period and associated relaxation overrides.

It should also be noted that these Stage II policies and their relaxations do have a tendency to be susceptible to producing false positives as applications change, and should be re-evaluated in conjunction with major application changes.

Stage III and Beyond

If the application contains highly sensitive information, and undergoes frequent changes, further security configuration may be required.

Stage III typically involves enforcing field formats and enforcing user navigation paths. Adding restrictions to field input types, such as date formats, and more, will require further time for learning these application attributes. Be aware that these policies will also be more likely to be sensitive to application changes.

Enabling the "Start URL" facility allows users to access only URLs that match the specifically listed patterns. Due to the flexibility inherent in application architectures, however, these restrictions may require modification to include additional request types present in a particular application.

Lastly, carefully consider activating "URL Closure" to control the flow of access by users. Enforcement of this policy set disallows users from navigating to locations not previously offered in an application response. These policies may require significant application validation if client-side scripts modify URLs, or if Flash objects contain links.

The above policies tend to bend the needle towards the nine level, and they are more likely to cause false positives during policy refinement or when the application changes. Leaving them to Stage III, however, means the protection afforded by the Stage I and Stage II policies continues during the refinement.
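The three stages above, expressed as NetScaler CLI for a single profile so the progression from request-side checks to session-aware checks is visible in one place. This is an added example, not configuration from the original post. The profile, policy, hostname, cookie, field and URL names are assumed; parameter names follow the appfw command syntax from memory and should be checked against the command reference for the build in use; lines beginning with # are annotations, not commands. Masking the Server header is shown as a rewrite policy, since that is a response rewrite rather than an application firewall check.

```text
# ---- Stage I: generic request-side checks, blocking from day one ----
add appfw profile web_prof -defaults basic
set appfw profile web_prof -crossSiteScriptingAction block log stats
set appfw profile web_prof -SQLInjectionAction block log stats
set appfw profile web_prof -bufferOverflowAction block log stats
set appfw profile web_prof -creditCardAction block log stats -creditCard VISA MASTERCARD AMEX
# deny URL check: the default list covers common system file and script paths
set appfw profile web_prof -denyURLAction block log stats
# session-aware checks stay off until they have been learned
set appfw profile web_prof -cookieConsistencyAction none -fieldConsistencyAction none
set appfw profile web_prof -startURLAction none -startURLClosure OFF
add appfw policy web_pol "HTTP.REQ.HEADER(\"Host\").EQ(\"app.example.com\")" web_prof
bind appfw global web_pol 100
# server header masking is a response rewrite, not an appfw check
add rewrite action rw_srv_act replace "HTTP.RES.HEADER(\"Server\")" "\"web\""
add rewrite policy rw_srv_pol "HTTP.RES.HEADER(\"Server\").EXISTS" rw_srv_act
bind rewrite global rw_srv_pol 100 -type RES_DEFAULT

# ---- Stage II: learn, review, relax, then block (Stage I stays enforced) ----
set appfw profile web_prof -cookieConsistencyAction learn log stats
# drive the /etc/hosts validation users through the application, then review:
show appfw learningdata web_prof cookieConsistency
# cookies the client legitimately changes (third-party analytics here) become relaxations
bind appfw profile web_prof -cookieConsistency __utma
bind appfw profile web_prof -cookieConsistency __utmz
set appfw profile web_prof -cookieConsistencyAction block log stats
# same cycle for hidden and parameter fields; a relaxation is field name + form action URL
set appfw profile web_prof -fieldConsistencyAction learn log stats
show appfw learningdata web_prof fieldConsistency
bind appfw profile web_prof -fieldConsistency sort_order /catalog/list.do
set appfw profile web_prof -fieldConsistencyAction block log stats

# ---- Stage III: field formats, start URLs, URL closure ----
set appfw profile web_prof -fieldFormatAction learn log stats
show appfw learningdata web_prof fieldFormat
set appfw profile web_prof -fieldFormatAction block log stats
# only the entry points a user may request directly; everything else must be
# reached through a link the application itself served (closure)
bind appfw profile web_prof -startURL "^[^?]*/(index\.html|login\.do)?$"
set appfw profile web_prof -startURLAction block log stats
set appfw profile web_prof -startURLClosure ON
save ns config
```

The point of the ordering is that each `set ... block` line is preceded by a learn period and by the relaxations that period produced, while the Stage I actions set at the top are never switched back off; a false positive discovered in Stage II or III costs a relaxation, not the protection already in force.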

Summary

Personally, when I plan my application firewall deployments, I always attack the assignment in the phases outlined above. I focus on the quick return policies first. Then I take time to consider if the sensitivities of the specific application even warrant the extra effort of going all the way to Stage III. This last question can produce some interesting answers that pit my application security ideals against the practicalities driven by the depth of my current to-do list.

And then, of course, this staged approach may be set aside entirely when a specific application has just suffered an attack through a specific Stage III vulnerability. Such situations may warrant overriding the staged approach and addressing the impacted vulnerability immediately.

Also, don't forget to sign on to MyCitrix and download the Application Hacking Kit and actually try some of the most common application attacks on the BadStore application!


posted by Craig Ellrod

Entity Templates

An entity template simplifies configuration by providing a set of configured defaults for a policy, service, action, or other configuration entity. After you create an entity template, it can be reused with specific instances of entities of the same type. For example, an entity template created for load balancing can be used to create the same load balancing configuration on the same load balancer, or on one or more different NetScalers.

Entity Templates are most helpful when you have built your configuration for an entity such as load balancing and want to duplicate it across the organization's load balancers without re-typing all of the configuration commands. In fact, the entity template manager allows you to prompt the user for certain configuration parameters, such as IP address and port number, at import time, which might be specific to a particular site.

Application Templates

The NetScaler includes the ability to create and manage application templates that give the administrator a way to configure the NetScaler to handle application-specific traffic without directly configuring NetScaler entities. An application template is a reusable bundle of an application's configuration information; it is created once and can be exported for reuse on other NetScalers.

Application vs. Entity Templates

Entity Templates simplify configuration by providing a set of configured defaults for a specific configuration entity, such as load balancing, rewrite or content switching.

Application Templates simplify configuration by providing configuration details for all entities for an application, such as SharePoint, SAP, Oracle, or other web-based applications. Application Templates are more comprehensive and contain configuration details for caching, compression, load balancing, SSL offload, rewrite, filtering, responder and application firewall. For one application you might have several policies in each of these categories saved into an Application Template.

Both Entity and Application Templates can be exported and imported for ease of use across different NetScalers. All of the configuration policies, including all expressions, pattern sets and policy labels are exported with the Entity or Application Template - once you define your policies, you don't have to define them again.

Tap into the power of AppExpert!


posted by Craig Ellrod

The #1 Web Filter by St.Bernard is now Citrix Ready. The Highest Performance Web Application Solution from Citrix Systems can now be deployed with the #1 Web Filter by St.Bernard. IDC ranked them #1, SC Magazine gives them high ratings, and you will agree when you plug this thing in. The Citrix Web Application Firewall protects inbound traffic destined to Web and Application Servers without degrading throughput or response time. Now, with St.Bernard's iPrism h-Series high performance appliances, you can also do outbound Web filtering, IM/P2P filtering, and antivirus detection. The iPrism Web Filter is optimized for the datacenter infrastructure and sits behind the firewall while it monitors traffic. St.Bernard's platforms are hybrid so that Web filtering, antivirus and IM/P2P filtering are all contained within one box - unlike other point solutions.

St.Bernard's iPrism Web Filter is easy to use and easy to manage. In fact, it's so easy, we had the device up and running in Proxy mode and then in Bridge mode in a matter of seconds. The management software auto-discovers the box, so you don't have to plug in a console cable - very nice!

It is far better than a transparent proxy because St.Bernard has engineered their filtering technology at the kernel level, so their bridge mode really is a bridge between interfaces, and not just a transparent proxy like other solutions in the market.

We deployed the iPrism Web Filter behind our NetScaler, and had the NetScaler perform NAT (Reverse NAT) for outbound connections to the Internet. The iPrism Web Filter adds another level of security that IT organizations sometimes look for to complement their existing base of high-performance Citrix Gear.


Citrix & St.Bernard Deployment Guide

You can try this product for free.

The product demo is awesome.

As a hybrid unit, this is a steal.