NetScaler Web Service Availability and Security
NetScaler Application Delivery Controller
What is NetScaler? NetScaler is an enterprise-grade application delivery controller (ADC). So, what does that mean? NetScaler is the appliance that sits between external users and your back-end resources. The list of features and use cases for the NetScaler is so long that it would be easier to explain what it doesn't do. But where's the fun in that? Let's start off with the basics. The primary features of the appliance are load balancing, AAA traffic management, traffic optimization, SSL offload and security protection against application attacks.
NetScaler Flexible Deployment Options
NetScaler Licensing Offerings
- Standard Edition: comprehensive L4-7 load balancing; optimizes expensive server and network resources to reduce cost
- Enterprise Edition: web application delivery solution providing advanced traffic management and powerful application acceleration
- Platinum Edition: web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost
- Physical: price-performance
- Virtual: run anywhere
- Platform: multi-service, multi-tenant
Platform Lineup: NetScaler
(Chart: HTTP performance in Gbps on the vertical axis, from 1 to 180; maximum tenants per platform on the horizontal axis: 1, 5, 20, 40, 80. Legend: single-tenant, multi-tenant capable, FIPS platforms.)
- VPX: 10 Mbps - 3 Gbps
- MPX 5550-5650: 500 Mbps - 1 Gbps
- MPX 9700-15500 FIPS: 3 Gbps - 15 Gbps
- MPX/SDX 8005-8015: 5 Gbps - 15 Gbps, 5 instances
- MPX/SDX 11515-11542: 15 Gbps - 42 Gbps, 20 instances
- MPX 14060-14080 (40G): 60 Gbps - 80 Gbps
- MPX/SDX 22040-22120: 40 Gbps - 120 Gbps, 80 instances
- MPX/SDX 24100-24150: 100 Gbps - 150 Gbps, 80 instances
- MPX 25100T-25160T: 100 Gbps - 160 Gbps, no HW SSL
- MPX 25160-25180 (40G): 160 Gbps - 180 Gbps
Authentication, Authorization, Auditing (AAA)
Features
Authentication
- All major authentication servers: Active Directory, LDAP, ADFS, IDP, RADIUS, OTP (ID, SMS, ...), TACACS+, NTLM, Smart Card, Kerberos KCD
- SAML 2 SSO support
- Certificate-based authentication
- Multiple authentication servers: two-factor and dual passwords, cascading
- Flexible policy-based rules
Authorization
- User/group level at LB/CS vserver
Features
Auditing
- Full audit trail of TM end-users by TCP, UDP, HTTP
- SYSLOG and high-performance TCP logging supported
- Full audit trail of system administrators: all commands logged; role-based administration
- All system events logged
- Rich detail
- Scriptable log format
- Fine-grained policy-based auditing
Security
- Brute force attack protection: account lockout issue blocking
- Authentication offloading: more secure log-in with SSO
SSL / TLS
Various SSL-focused attacks in recent years
- Heartbleed: OpenSSL only; steals the certificate private key, passwords, etc. from server memory; existed for a very long time (more than 2 years). The private key must be replaced even after the bug fix.
- BEAST: TLS 1.0; browser exploit, needs JS (via CSRF for example); steals the SSL session ID. Use TLS 1.1/1.2 only.
- CRIME: uses optional HTTPS compression (DEFLATE); browser exploit, needs JS; Google SPDY has compression on by default. Don't use compression or old browser versions with SPDY (Google, Firefox).
- POODLE: SSL 3.0 and TLS 1.0 with fallback on; man-in-the-middle; killed SSL 3.0. Disable SSL 3.0 or use TLS_FALLBACK_SCSV with TLS 1.0.
- FREAK: weak export ciphersuite feature ON, forced on vendors by the US government; can be used to force export of strong ciphers too; man-in-the-middle forces the use of RSA keys shorter than 512 bits (export). Turn off export ciphersuites.
- SSL renegotiation: older SSL/TLS renegotiation vulnerability; man-in-the-middle injects a key renegotiation, acting as a client, not a server. The old fix was to turn off renegotiation on the server; now patched.
Qualys SSL Labs Report http://blogs.citrix.com/2015/05/22/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-the-sequel/
Latest Cipher Support
AES-GCM/SHA-2
- Front-end on MPX (PX, N3)
- TLSv1.2 only
ECDHE
- Back-end on MPX (PX, N3)
- ECDHE on front-end
Security Improvements
TLS_FALLBACK_SCSV support (POODLE)
- Signaling Cipher Suite Value (SCSV)
- TLS clients should include the value {0x56, 0x00} (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites.
- TLS servers, whenever an incoming connection includes {0x56, 0x00} in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection with a fatal alert (preferably inappropriate_fallback(86)).
- Use of TLS_FALLBACK_SCSV ensures that SSL 3.0 is used only when a legacy implementation is involved; attackers can no longer force a protocol downgrade.
Secure Renegotiation (RFC 5746)
- MPX/SDX, VPX, FIPS (FW2.2)
Disable SSLv3 by default in 11.0
- Via SSL profile
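The server-side decision described in the SCSV bullets above, written out as an added Python example (not code from the deck, from Citrix or from NetScaler): a minimal ClientHello parser pulls out client_version and cipher_suites, and the verdict function applies the RFC rule. The version tuples, the parser, the build_client_hello helper and the ClientHello bytes it produces are assumptions constructed for illustration; only the {0x56, 0x00} value, the version comparison and alert 86 come from the text.

```python
# Added example: TLS_FALLBACK_SCSV check as a server would apply it to a ClientHello.
# Versions are (major, minor) pairs as carried on the wire; all constants below are
# assumptions for this illustration except the SCSV value and the alert number.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600          # the {0x56, 0x00} cipher suite value
INAPPROPRIATE_FALLBACK = 86         # fatal alert description to send on a bad fallback


def parse_client_hello(body):
    """Extract client_version and cipher_suites from a ClientHello handshake message.

    `body` is the Handshake message starting at the HandshakeType byte, without the
    record-layer header.  Only the fields needed for the SCSV check are parsed.
    """
    if len(body) < 4 or body[0] != 1:                # HandshakeType client_hello == 1
        raise ValueError("not a ClientHello")
    length = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated ClientHello")
    client_version = (msg[0], msg[1])
    pos = 2 + 32                                     # skip ProtocolVersion and Random
    sid_len = msg[pos]
    pos += 1 + sid_len                               # skip session_id
    cs_len = int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(msg):
        raise ValueError("malformed cipher_suites")
    suites = [int.from_bytes(msg[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    return client_version, suites


def scsv_verdict(client_version, cipher_suites, server_max_version=TLS12):
    """Return None to continue the handshake, or the alert to send as a fatal alert.

    The SCSV only carries meaning when the client is retrying at a lower version; a
    client that offers the SCSV together with the server's best version is fine.
    """
    if TLS_FALLBACK_SCSV not in cipher_suites:
        return None                                  # no signal: legacy client or first try
    if server_max_version > client_version:
        return INAPPROPRIATE_FALLBACK                # client can do better: refuse the fallback
    return None


def handle_client_hello(body, server_max_version=TLS12):
    """Convenience wrapper: parse, decide, and report the outcome as a string."""
    version, suites = parse_client_hello(body)
    alert = scsv_verdict(version, suites, server_max_version)
    return "continue" if alert is None else "fatal alert %d" % alert


def build_client_hello(version, cipher_suites):
    """Constructed test input (assumption): assemble a minimal ClientHello body with a
    zero Random, an empty session_id and the null compression method."""
    major, minor = version
    msg = bytes([major, minor]) + bytes(32) + b"\x00"
    cs = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    msg += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    return b"\x01" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    # A client that claims SSL 3.0 while signalling that it fell back gets refused.
    print(handle_client_hello(build_client_hello(SSL30, [0x002F, TLS_FALLBACK_SCSV])))
    # A genuine legacy client with no SCSV is allowed to proceed (SSLv3 policy applies separately).
    print(handle_client_hello(build_client_hello(SSL30, [0x002F])))
```

The verdict depends only on the server's own maximum version, so disabling SSLv3 in the SSL profile and enforcing the SCSV are independent controls: the first removes the weak protocol, the second stops a capable client from being talked down to TLS 1.0 while that version is still enabled.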
DEFAULT Cipher Alias Re-ordering (Front-end)
Old cipher order (first 8 of 28 ciphers):
- SSL3-RC4-MD5 (0x0004)
- SSL3-RC4-SHA (0x0005)
- SSL3-DES-CBC3-SHA (0x000a)
- TLS1-AES-256-CBC-SHA (0x0035)
- TLS1-AES-128-CBC-SHA (0x002f)
- SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
- TLS1-DHE-DSS-RC4-SHA (0x0066)
- TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
- ...
New cipher order (first 8 of 28 ciphers):
- TLS1-AES-256-CBC-SHA (0x0035)
- TLS1-AES-128-CBC-SHA (0x002f)
- TLS1.2-AES-256-SHA256 (0x003d)
- TLS1.2-AES-128-SHA256 (0x003c)
- TLS1.2-AES256-GCM-SHA384 (0x009d)
- TLS1.2-AES128-GCM-SHA256 (0x009c)
- TLS1-ECDHE-RSA-AES256-SHA (0xc014)
- TLS1-ECDHE-RSA-AES128-SHA (0xc013)
- ...
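An added Python example (not code from the deck or from Citrix) that ties the attack list earlier in this section to the cipher re-ordering above: a small audit that takes an SSL configuration as a dictionary and reports the conditions those slides warn about (SSLv3 on for POODLE, TLS 1.0 without the SCSV, compression for CRIME, insecure renegotiation, and RC4/MD5/single-DES/export suites such as FREAK). The two cipher lists are the eight-entry excerpts shown on the slide; the configuration dictionary shape, the key names and the weak-suite patterns are assumptions for illustration, not NetScaler's own configuration syntax.

```python
# Added example: audit an SSL virtual-server style configuration against the attacks
# listed earlier (POODLE, BEAST, CRIME, FREAK, renegotiation) and the cipher lists above.
import re

# Front-end DEFAULT alias excerpts from the slide (first 8 of 28 in each list).
OLD_FRONTEND_CIPHERS = [
    "SSL3-RC4-MD5", "SSL3-RC4-SHA", "SSL3-DES-CBC3-SHA", "TLS1-AES-256-CBC-SHA",
    "TLS1-AES-128-CBC-SHA", "SSL3-EDH-DSS-DES-CBC3-SHA", "TLS1-DHE-DSS-RC4-SHA",
    "TLS1-DHE-DSS-AES-256-CBC-SHA",
]
NEW_FRONTEND_CIPHERS = [
    "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA", "TLS1.2-AES-256-SHA256",
    "TLS1.2-AES-128-SHA256", "TLS1.2-AES256-GCM-SHA384", "TLS1.2-AES128-GCM-SHA256",
    "TLS1-ECDHE-RSA-AES256-SHA", "TLS1-ECDHE-RSA-AES128-SHA",
]

# Patterns over the NetScaler-style suite names shown on the slide (assumption: this
# naming convention).  "DES-CBC-" matches single DES but not "DES-CBC3-" (3DES).
WEAK_CIPHER_RULES = [
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"MD5"), "MD5 MAC"),
    (re.compile(r"DES-CBC-"), "single DES"),
    (re.compile(r"EXP"), "export-grade suite (FREAK)"),
]


def audit_ssl_config(cfg):
    """Return a list of findings for a configuration dictionary with the keys
    protocols (iterable of names), ciphers (ordered list), compression (bool),
    secure_renegotiation (bool) and fallback_scsv (bool).  An empty list means clean."""
    findings = []
    protos = set(cfg["protocols"])
    if "SSLv3" in protos:
        findings.append({"kind": "protocol",
                         "detail": "SSL 3.0 enabled (POODLE): disable SSLv3"})
    if "TLSv1" in protos:
        detail = "TLS 1.0 enabled (BEAST): prefer TLS 1.1/1.2 only"
        if not cfg.get("fallback_scsv"):
            detail += "; while TLS 1.0 stays on, enable TLS_FALLBACK_SCSV to stop downgrades"
        findings.append({"kind": "protocol", "detail": detail})
    if cfg.get("compression"):
        findings.append({"kind": "compression",
                         "detail": "TLS compression enabled (CRIME): turn compression off"})
    if not cfg.get("secure_renegotiation"):
        findings.append({"kind": "renegotiation",
                         "detail": "insecure renegotiation allowed: require RFC 5746 secure renegotiation"})
    for pos, name in enumerate(cfg["ciphers"]):
        reasons = [label for rx, label in WEAK_CIPHER_RULES if rx.search(name)]
        if reasons:
            findings.append({"kind": "weak-cipher",
                             "detail": "%s at position %d: %s" % (name, pos, ", ".join(reasons))})
    return findings


# Constructed configurations (assumptions): the pre-11.0 style defaults and a hardened profile.
LEGACY_CONFIG = {
    "protocols": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "ciphers": OLD_FRONTEND_CIPHERS,
    "compression": True,
    "secure_renegotiation": False,
    "fallback_scsv": False,
}
HARDENED_CONFIG = {
    "protocols": {"TLSv1.1", "TLSv1.2"},
    "ciphers": NEW_FRONTEND_CIPHERS,
    "compression": False,
    "secure_renegotiation": True,
    "fallback_scsv": True,
}

if __name__ == "__main__":
    for f in audit_ssl_config(LEGACY_CONFIG):
        print("%-13s %s" % (f["kind"], f["detail"]))
    print("hardened findings:", audit_ssl_config(HARDENED_CONFIG))
```

Running it on the legacy excerpt reports the three RC4 suites (one of them also MD5) plus four protocol-level findings; the new list and hardened profile come back clean. The 3DES suites in the old list are deliberately not flagged because the deck does not call them out.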
Integration with Thales nShield
- Network-attached hardware security module (HSM)
- FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified
- Protects and manages private keys
- Identity-based authentication mechanisms
- Strong separation of duties
- FIPS 140-2 Level 3 tamper response mechanisms: mechanisms that wipe out keys and critical security parameters if the cover is opened or if physical probing is detected
- Platforms: SDX, VPX, MPX
Web Application Firewall
Fixing the Code is expensive
For every application change: every 1000 lines of code averages 15 critical security defects (US Department of Defense)
Develop -> Deliver -> Secure, versus Develop -> Secure -> Deliver
More Trends
- 75% of attacks are driven by financial motivations
- Almost 80% of the initial intrusions were relatively easy
Where Is the Application Firewall Deployed?
(Diagram: Web App Users -> Internet -> Network Firewalls -> Citrix NetScaler -> Application Infrastructure. Application attacks are blocked at the NetScaler; legitimate traffic is allowed through.)
- Blocks dozens of zero-day attack vectors, including CSRF, XPath injection and XML attachment checks
- Bi-directional inspection: advanced attack prevention
- SSL traffic supported
- Sustained protection up to 40 Gbps
- ICSA certified
- OWASP Top 10
ICSA Labs Web Application Firewall (WAF) Certification
- ICSA Labs WAF certification requirements are structured with these statistics in mind
- Testing is divided into 6 areas: documentation review, functional security, product functionality, logging, administration, and persistence
- Most of the testing is in the functional security and product functionality areas
- Verify security policy enforcement, protection and prevention against web-based attacks, CSRF protection
- Verify the WAF product will hide internal application structure and can accommodate application changes
- Require WAF products to support the positive security model and to have active learning support
- Subject the WAF product to a number of attacks including various exploits, port scanning, DoS, predictable sequence numbers, etc.
- Verify the admin interface is secure and not susceptible to all of the areas outlined above
Application Firewall Characteristics
Deep stream inspection
- Bi-directional analysis
- Header and payload inspection
- Full parsing
- Semantic extraction
- Sessionization
Strong hybrid security model
- Positive and negative security model
- Signature scanning
- Unique response tagging functionality
Easy deployment
- Learning mode to ease deployment
- Visualizer to manage rules
(Diagram: HTML/XML stream inspection)
NetScaler Advantage: Hybrid Security Model
Negative model: signatures for known attacks
- Easy deployment, quick PoC
- Checks request headers (URL, cookies, etc.) and body (form fields)
- Integrates with scanning tools
- Wizard to ease configuration
- Mix-and-match with positive security
Positive model
- Defense against zero-day attacks
- Defense against custom attacks
- Strongest security posture
- Learning mode
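An added Python example (not code from the deck, from Citrix or from the NetScaler AppFirewall) showing how the two halves of the hybrid model from this slide and the previous one fit together: a learning store observes trusted traffic and derives a positive profile (which fields a URL accepts and what shape their values take), and a request inspector runs a handful of negative-model signatures alongside that profile. The signature patterns, the profile format, the field-shape heuristics and the sample requests are all assumptions constructed for illustration; a real deployment uses a maintained signature feed and a far richer learned profile.

```python
# Added example: hybrid positive/negative web application firewall check with a
# learning mode.  Everything below is illustrative; patterns are deliberately small.
import re

# Negative model: signatures for known attack classes (constructed, illustrative patterns).
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)\bunion\b.{0,20}\bselect\b|'\s*or\s+\S+\s*=\s*\S+|;\s*--"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript\s*:|\bon[a-z]+\s*="),
    "path-traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I),
}


class LearningStore:
    """Learning mode: record field names and value shapes seen in trusted traffic and
    derive a positive profile from them (assumption: max length + numeric-only flag)."""

    def __init__(self):
        self.seen = {}                       # url -> field -> (max_len, all_numeric)

    def observe(self, url, fields):
        bucket = self.seen.setdefault(url, {})
        for name, value in fields.items():
            max_len, numeric = bucket.get(name, (0, True))
            bucket[name] = (max(max_len, len(value)), numeric and value.isdigit())

    def profile(self):
        """Compile the observations into per-URL, per-field value patterns."""
        prof = {}
        for url, fields in self.seen.items():
            prof[url] = {}
            for name, (max_len, numeric) in fields.items():
                if numeric:
                    pattern = r"^\d{1,%d}$" % max_len
                else:                        # free text, but no HTML/quote metacharacters
                    pattern = r"^[^<>\"']{0,%d}$" % max_len
                prof[url][name] = re.compile(pattern)
        return prof


def inspect_request(url, fields, profile, enforce_positive=True):
    """Hybrid check for one request.  Signatures always run; the positive profile (when
    enforced) blocks unknown fields and values that do not match the learned shape.
    Returns a list of (action, check, field) tuples; an empty list means allow."""
    findings = []
    allowed = profile.get(url, {})
    for name, value in fields.items():
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                findings.append(("block", sig, name))
        if enforce_positive:
            if name not in allowed:
                findings.append(("block", "unknown-field", name))
            elif not allowed[name].match(value):
                findings.append(("block", "field-format", name))
    return findings


# Constructed trusted traffic used to train the positive profile (assumption).
def learned_profile():
    store = LearningStore()
    store.observe("/login", {"user": "alice", "pin": "1234"})
    store.observe("/login", {"user": "bob_smith", "pin": "987654"})
    return store.profile()


if __name__ == "__main__":
    prof = learned_profile()
    print(inspect_request("/login", {"user": "carol", "pin": "42"}, prof))
    print(inspect_request("/login", {"user": "x' or 1=1", "pin": "12"}, prof))
    print(inspect_request("/login", {"user": "dave", "pin": "1", "debug": "1"}, prof))
```

The order of operations matters for the "easy deployment, quick PoC" point on the slide: signatures alone can be switched on immediately, while `enforce_positive` stays off during the learning period and is enabled once the profile covers the application's real forms.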
Signature Maintenance/Updates
- Based on SNORT
- Partnership with SourceFire to provide signatures
- Open format for signature files
- Signature versioning
- Automatic identification of new signatures
Integrates with Scanner Tools
(Diagram: the scanner runs periodic scans against the protected website; results feed the AppFirewall configuration.)
3rd-party Vulnerability Tools Integration
- Cenzic
- Qualys
- WhiteHat
- IBM AppScan
- TrendMicro
Resources: blogs.citrix.com, Citrix Ready links
Integrated HTML and XML Security
XML security
- Threat protection
- Content validation
- Data leak prevention
- Reporting and monitoring
- WSDL/Schema validation
- Secures all flavors of XML applications
- Single device for XML, HTML and Web 2.0 application security
Check types are categorized as HTML, XML or Common. Block, Log and Statistics can be enabled for all checks.
PCI Compliance
Data leak protection
- Credit card number pattern matching
- Personal identity information
Reporting and logging capabilities for audits
- Analyze AppFirewall configuration against PCI-DSS requirements
- Executive summary of AppFirewall configuration
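An added Python example (not code from the deck or from Citrix) of the credit card number check the data leak protection bullets describe, applied to an outbound response body: a regex finds digit runs that look like card numbers, a Luhn check discards lookalikes such as order numbers, and matches are masked down to the last four digits before the body leaves. The regex, the Luhn filter, the masking rule and the constructed sample body are assumptions for illustration; the 4111 1111 1111 1111 value is a standard test number, not a real card.

```python
# Added example: credit card number detection and masking for response-side data leak
# prevention.  Regex, length bounds and masking policy are assumptions for illustration.
import re

# Candidate: 13-19 digits, each optionally followed by a space or hyphen, not inside a
# longer digit run.  The Luhn check below removes most non-card hits.
CARD_RX = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if above 9,
    and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (start, end, digits) for every Luhn-valid candidate in `text`."""
    hits = []
    for m in CARD_RX.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_card_numbers(text, keep_last=4):
    """Replace all but the last `keep_last` digits of each detected card number with X,
    preserving the original spacing so the masked body keeps its layout."""
    out = []
    last = 0
    for start, end, digits in find_card_numbers(text):
        to_mask = len(digits) - keep_last
        masked = []
        for ch in text[start:end]:
            if ch.isdigit() and to_mask > 0:
                masked.append("X")
                to_mask -= 1
            else:
                masked.append(ch)
        out.append(text[last:start])
        out.append("".join(masked))
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample response body (assumption): one order number that fails Luhn and
# one standard test card number that passes.
SAMPLE_BODY = "Order 1234 5678 9012 3456 paid with card 4111 1111 1111 1111 (expiry 12/26)."

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(mask_card_numbers(SAMPLE_BODY))
```

Block versus mask is a policy choice: blocking the whole response is safer when the application should never echo a card number, while masking keeps a legitimate "ending in 1111" confirmation page working. Either way the event should be logged with the URL and the match position, not the number itself.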
NetScaler Web Application Firewall Differentiations
Citrix Web AppFirewall Differentiation
- Pay-as-you-grow capability
- Broadest lineup of standalone AppFirewalls on MPX
- Increased performance: 500 Mbps to 40 Gbps (basic) throughput
- All fully eligible for upgrades to NetScaler Platinum/integrated software (comprehensive)
- Superior price/performance and feature advantage
NetScaler Security Announcements - NetScaler Application Firewall recognised as the leader by NSS labs. - The most compelling value to security effectiveness of any products tested.
NetScaler Security Announcements
- After the NSS Labs report, code changes in AppFW drove a performance increase of 100-200%.
- Available now in the latest 10.5.e or 11 build.
- Other enhancements include location-based detection and protection plus request capturing (trace) for blocked requests.
NetScaler Security Announcements
AppFirewall basic throughput (Gbps), prior release vs. 10.5.9010.e / 11.0 (100% to 200% improvement):
Model       Prior   10.5.9010.e / 11.0
MPX 5550    0.5     0.5
MPX 5650    5       5.3
MPX 8005    5       5.4
MPX 8015    4.2     10
MPX 11515   5       14
MPX 11520   6.5     17
MPX 11530   7       18.4
MPX 11540   7.8     20
MPX 11542   9       22
MPX 22040   8       24.5
MPX 22060   10.5    33
MPX 22080   12      36
MPX 22100   13.5    38
MPX 22120   14.1    40
MPX 24100   17.8    33
MPX 24150   17.9    40
Additional Security Features
- L4 DoS/DDoS
- L7 DoS/DDoS
- TCP and HTTP profiles
- Content filtering
- Priority queuing
- Sure Connect
- Surge protection
- Rewrite
- Responder
- Rate limiter