NetScaler
NetScaler Application Delivery Controller
What is NetScaler?
• NetScaler is an enterprise-grade application delivery controller, or ADC. So, what does that mean?
• NetScaler is the appliance that sits between external users and your back-end resources. The list of features and use cases for the NetScaler is so long, it would be easier to explain what it doesn't do. But where's the fun in that?
• Let's start off with the basics.
• The primary features of the appliance are load balancing, AAA traffic management, traffic optimization, SSL offload and security protection against application attacks.
NetScaler Licensing Offerings
• Standard Edition: comprehensive L4-7 load balancing that optimizes expensive server and network resources to reduce cost
• Enterprise Edition: web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition: web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost
Platform: Virtual, Physical (Run Anywhere)
Platform Lineup: NetScaler (chart of performance (HTTP) in Gbps per platform; legend: single-tenant vs. multi-tenant-capable platforms, FIPS platforms, maximum tenants per platform)
• VPX: 10 Mbps – 3 Gbps
• MPX 5550-5650: 500 Mbps – 1 Gbps
• MPX/SDX 8005-8015: 5 Gbps – 15 Gbps, 5 instances
• MPX 9700-15500 FIPS: 3 Gbps – 15 Gbps
• MPX/SDX 11515-11542: 15 Gbps – 42 Gbps, 20 instances
• MPX 14060-14080 (40G): 60 Gbps – 80 Gbps
• MPX/SDX 22040-22120: 40 Gbps – 120 Gbps, 80 instances
• MPX/SDX 24100-24150: 100 Gbps – 150 Gbps, 80 instances
• MPX 25100T-25160T: 100 Gbps – 160 Gbps, no HW SSL
• MPX 25160-25180 (40G): 160 Gbps – 180 Gbps
Authentication, Authorization, Auditing
Features
• Authentication
ᵒ All major authentication servers
• Active Directory, LDAP, ADFS, IdP
• RADIUS, OTP (ID, SMS, ...), TACACS+, NTLM, Smart Card, Kerberos KCD
ᵒ SAML 2 SSO support
ᵒ Certificate-based authentication
ᵒ Multiple authentication servers
• Two-factor & dual passwords
• Cascading
ᵒ Flexible policy-based rules
• Authorization
Features
• Auditing
ᵒ Full audit trail of TM end-users
• by TCP, UDP, HTTP
ᵒ SYSLOG & high-performance TCP logging supported
ᵒ Full audit trail of system administrators
• All commands logged
• Role-based administration
ᵒ All system events logged
ᵒ Rich detail
ᵒ Scriptable log format
ᵒ Fine-grained policy-based auditing
• Security
ᵒ Brute force attack protection – account lock / issue blocking
ᵒ Authentication offloading – more secure log-in with SSO
Various SSL-focused attacks in recent years
• Heartbleed – OpenSSL only; steals the certificate private key, passwords, etc. by reading server memory; existed for a very long time (more than 2 years); the private key must be replaced even after the bug fix
• BEAST – TLS 1.0, browser exploit; needs JS (via CSRF, for example); steals the SSL session ID; use TLS 1.1/1.2 only
• CRIME – uses optional HTTPS compression (DEFLATE), browser exploit; needs JS; Google SPDY has compression on by default; don't use compression or old browser versions with SPDY (Google, Firefox)
• POODLE – SSL 3.0 and TLS 1.0 with fallback on, man-in-the-middle; killed SSL 3.0; disable SSL 3.0 or use TLS_FALLBACK_SCSV with TLS 1.0
• FREAK – weak export cipher suites, a feature the US government forced on; can be used to force export even when strong ciphers are offered; man-in-the-middle forces the use of RSA < 512 bits for export; turn off export cipher suites
• SSL renegotiation – older SSL/TLS renegotiation vulnerability; man-in-the-middle injects a key renegotiation, acting as a client rather than the server; the old fix was to turn off renegotiation on the server, now patched
Qualys SSL Labs Report
Latest Cipher Support
• AES-GCM/SHA-2
ᵒ Front-end on MPX (PX, N3)
ᵒ TLSv1.2 only
• ECDHE
ᵒ Back-end on MPX (PX, N3)
ᵒ ECDHE on front-end
Security Improvements
• TLS_FALLBACK_SCSV support (POODLE)
ᵒ Signaling Cipher Suite Value (SCSV)
ᵒ TLS clients should include the value {0x56, 0x00} (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites.
ᵒ TLS servers, whenever an incoming connection includes {0x56, 0x00} in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection with a fatal alert (preferably inappropriate_fallback(86)).
ᵒ Use of TLS_FALLBACK_SCSV ensures that SSL 3.0 is used only when a legacy implementation is involved; attackers can no longer force a protocol downgrade.
• Secure Renegotiation (RFC 5746)
ᵒ MPX/SDX, VPX, FIPS (FW2.2)
• SSLv3 disabled by default in 11.0
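As an added illustration (not from the original deck and not NetScaler's code), here is the server-side TLS_FALLBACK_SCSV decision from the bullets above applied to a constructed ClientHello; the minimal parser, the version table and the accept/reject return values are my assumptions.

```python
import struct

# TLS_FALLBACK_SCSV cipher suite value from the slide ({0x56, 0x00}) and the
# alert the slide recommends on a detected downgrade: inappropriate_fallback(86).
TLS_FALLBACK_SCSV = (0x56, 0x00)
ALERT_INAPPROPRIATE_FALLBACK = 86
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_client_hello(body: bytes):
    """Pull client_version and cipher_suites out of a ClientHello handshake body
    (layout: client_version, random, session_id, cipher_suites, ...)."""
    client_version = (body[0], body[1])
    pos = 2 + 32                        # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                  # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [(body[i], body[i + 1]) for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def evaluate_fallback(client_version, suites, server_max=(3, 3)):
    """Server-side rule from the slide: if the SCSV is present and the client
    offers a version below the server's highest, reject with fatal alert 86.
    Otherwise accept at the highest version both sides support; a legacy client
    that never sends the SCSV may still negotiate SSLv3 (the slide's caveat)."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return ("reject", ALERT_INAPPROPRIATE_FALLBACK)
    return ("accept", VERSION_NAMES[min(client_version, server_max)])


def build_client_hello(version, suites):
    """Constructed sample ClientHello body: zero random, empty session_id,
    one null compression method, no extensions."""
    cipher_bytes = b"".join(bytes(s) for s in suites)
    return (bytes(version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes + b"\x01\x00")


def decide(body: bytes, server_max=(3, 3)):
    """Parse a ClientHello body and apply the TLS_FALLBACK_SCSV rule."""
    version, suites = parse_client_hello(body)
    return evaluate_fallback(version, suites, server_max)


if __name__ == "__main__":
    # A TLS 1.2-capable client retrying at SSLv3 signals the fallback: rejected.
    print(decide(build_client_hello((3, 0), [(0x00, 0x2F), TLS_FALLBACK_SCSV])))
    # A genuine legacy client sends no SCSV, so SSLv3 is still negotiated.
    print(decide(build_client_hello((3, 0), [(0x00, 0x2F)])))
```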
DEFAULT Cipher Alias Re-ordering (Front-end)
New Cipher Re-Order List
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
TLS1.2-AES-256-SHA256 (0x003d)
TLS1.2-AES-128-SHA256 (0x003c)
TLS1.2-AES256-GCM-SHA384 (0x009d)
TLS1.2-AES128-GCM-SHA256 (0x009c)
TLS1-ECDHE-RSA-AES256-SHA (0xc014)
TLS1-ECDHE-RSA-AES128-SHA (0xc013)
… (28 ciphers in total)
Old Cipher Re-Order List
SSL3-RC4-MD5 (0x0004)
SSL3-RC4-SHA (0x0005)
SSL3-DES-CBC3-SHA (0x000a)
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
TLS1-DHE-DSS-RC4-SHA (0x0066)
TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
… (28 ciphers in total)
Integration with Thales nShield (SDX, VPX, MPX)
• Network-attached hardware security module (HSM)
• FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified
• Protects and manages private keys
• Identity-based authentication mechanisms
• Strong separation of duties
• Tamper response mechanisms – mechanisms that wipe out keys and "critical security parameters" if the cover is opened or if physical probing is detected
Fixing the Code is expensive
Every 1000 lines of code averages 15 critical security defects – US Department of Defense
For Every Application
• Develop
• Secure
• Deliver
More Trends
• 75% of attacks are driven by financial motivations
• Almost 80% of the initial intrusions were relatively easy
(Diagram: Internet web app users → network firewalls → Citrix NetScaler → application infrastructure; legitimate traffic allowed through, application attacks blocked)
• Blocks dozens of zero-day attack vectors
ᵒ Includes CSRF, XPath injection, XML attachment checks
• Bi-directional inspection: advanced attack prevention
• SSL traffic supported
• Sustained protection up to 40 Gbps
• ICSA certified
• OWASP Top 10
ICSA Labs Web Application Firewall (WAF) Certification
• ICSA Labs WAF certification requirements are structured with these statistics in mind
• Testing is divided into 6 areas: documentation review, functional security, product functionality, logging, administration, and persistence
• Most of the testing is in the functional security and product functionality areas
• Verify security policy enforcement, protection and prevention against web-based attacks, CSRF protection
• Verify the WAF product will hide internal application structure and can accommodate application changes
• Require WAF products to support the positive security model and have active learning support
• Subject the WAF product to a number of attacks – including various exploits, port scanning, DoS, predictable sequence numbers, etc.
Application Firewall Characteristics
Deep Stream Inspection
• Bi-directional analysis
• Header and payload inspection
• Full parsing
• Semantic extraction
• Sessionization
Strong Hybrid Security Model
• Positive & Negative Security Model
• Signature scanning
• Unique Response Tagging Functionality
Easy Deployment
• Learning Mode to ease deployment
• Visualizer to manage rules
NetScaler Advantage: Hybrid Security Model
• Signatures for known attacks – Negative Model
ᵒ Easy deployment, quick PoC
ᵒ Checks request headers (URL, cookies, etc.) and body (form fields)
ᵒ Integrates with scanning tools
ᵒ Wizard to ease configuration
• Mix-and-match with positive security – Positive Model
ᵒ Defense against zero-day attacks
ᵒ Defense against custom attacks
ᵒ Strongest security posture
Signature Maintenance/Updates
• Based on SNORT
• Partnership with SourceFire to provide signatures
• Open format for signature files
• Signature versioning
• Automatic identification of "new" signatures
Integrates with Scanner tools
Run periodic scans of the protected website with:
• Cenzic
• Qualys
• Whitehat
• IBM AppScan
• TrendMicro
Resources: blogs.citrix.com, Citrix Ready links
XML Security
• Threat protection
• Content validation
• Data leak prevention
• Reporting and monitoring
• WSDL/Schema validation
• Secures all flavors of XML applications
• Single device for XML, HTML and Web 2.0 application security
• Check types are categorized as HTML, XML or Common
• Block, Log and Statistics can be enabled for all checks
Data Leak Protection
• Credit card number
• Pattern matching
• Personal identity info
Reporting and Logging capabilities for Audits
• Analyze AppFirewall configuration against PCI-DSS requirements
• Executive summary of AppFirewall configuration
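To make the credit card check concrete, an added example (not NetScaler's own implementation) of the response-side pattern match with Luhn validation and x-out masking that the data leak protection bullets describe; the regex, the masking policy and the sample response body are assumptions.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample response body (not real data); 4111 1111 1111 1111 is a
# well-known Luhn-valid test number, the dashed one fails the check digit.
SAMPLE_RESPONSE = (
    "<p>Order 20210930 confirmed.</p>"
    "<p>Card on file: 4111 1111 1111 1111 (Visa)</p>"
    "<p>Reference: 4111-1111-1111-1112</p>"
)

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str):
    """Return the digit strings of every Luhn-valid candidate in text."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in CARD_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]

def xout_card_numbers(text: str, keep_last: int = 4) -> str:
    """Replace each Luhn-valid card number with x's, keeping the last keep_last digits."""
    def mask(m):
        raw, digits = m.group(0), re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return raw                        # not a card number, leave untouched
        keep_from = len(digits) - keep_last   # digit index after which digits are kept
        seen, out = 0, []
        for ch in raw:
            seen += ch.isdigit()
            out.append(ch if not ch.isdigit() or seen > keep_from else "x")
        return "".join(out)
    return CARD_CANDIDATE.sub(mask, text)

def inspect_response(body: str, action: str = "xout"):
    """Response-side DLP decision: ('allow', body, 0) when nothing is found,
    ('block', None, n) when the policy blocks, or ('xout', masked_body, n)."""
    n = len(find_card_numbers(body))
    if n == 0:
        return ("allow", body, 0)
    if action == "block":
        return ("block", None, n)
    return ("xout", xout_card_numbers(body), n)
```

Any 16-digit run has a one-in-ten chance of passing Luhn, so a production policy would also log the hit and the URL for review rather than rely on the pattern alone.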
NetScaler Web Application Firewall Differentiations
• "Pay as you grow" capability
• Broadest lineup of standalone AppFirewalls on MPX
• Increased performance: 500 Mbps to 40 Gbps (basic) throughput
• All fully eligible for upgrades to NetScaler Platinum/integrated software – comprehensive
• Superior price/performance and feature advantage
NetScaler Security Announcements
- NetScaler Application Firewall recognised as the leader by NSS Labs
- The most compelling value to security effectiveness of any product
NetScaler Security Announcements
After the NSS Labs report, code changes in AppFW drove a performance increase of 100-200%. Available now in the latest 10.5.e or 11 build.
Other enhancements include location-based detection and protection plus request capturing (trace) for AppFirewall.
AppFirewall Basic Throughput (Gbps): Prior → 10.5.9010.e / 11.0
MPX 5550: 0.5 → 0.5
MPX 5650: 5 → 5.3
MPX 8005: 5 → 5.4
MPX 8015: 4.2 → 10
MPX 11515: 5 → 14
MPX 11520: 6.5 → 17
MPX 11530: 7 → 18.4
MPX 11540: 7.8 → 20
MPX 11542: 9 → 22
MPX 22040: 8 → 24.5
MPX 22060: 10.5 → 33
MPX 22080: 12 → 36
MPX 22100: 13.5 → 38
MPX 22120: 14.1 → 40
MPX 24100: 17.8 → 33
MPX 24150: 17.9 → 40
100% to 200% improvement