Secure virtual desktop infrastructure with Citrix NetScaler and Palo Alto Networks next-generation firewalls





Today's enterprises are rapidly adopting desktop virtualization to reduce operating costs, enable workplace flexibility, increase business agility and bolster their information security and compliance posture. Actually realizing these benefits, however, depends upon ensuring the security and availability of the virtual desktop infrastructure (VDI). The combination of Citrix NetScaler and Palo Alto Networks next-generation firewalls secures virtual desktops and ensures their availability, performance and scalability. This solution not only preserves the benefits promised by VDI, it maximizes them. This joint solution is tested and validated for securing Citrix XenApp and Citrix XenDesktop VDI.

The desktop virtualization security situation

Migrating from traditional desktop deployment and management approaches to virtual desktop technologies is a top initiative for enterprises of all types and sizes worldwide. Indeed, Gartner expects adoption of hosted virtual desktops (HVDs) alone to reach 76 million users by 2016 [1]. Driving this growth is a compelling set of benefits. With a full-featured desktop virtualization solution, enterprises can substantially and sustainably reduce desktop ownership and operating costs, enable complete workplace flexibility and increase business agility by providing rapid support for strategic initiatives such as mergers and acquisitions, geographic expansion and dynamic partnership arrangements.

Desktop virtualization significantly strengthens information security and compliance by centralizing all data and applications in the corporate datacenter. Because users view and manipulate their desktops remotely, there is no need to distribute or store potentially sensitive material on the local device. VDI enhances desktop security because centralization of desktop applications and operating systems increases the IT administrators' control over these crucial resources. Centralized control not only makes it easier to pursue standardization that reduces complexity, cost and an organization's attack surface, but also boosts the ease, speed and thoroughness of implementing updates and security patches. Another advantage of a centralized model is speed and efficiency when granting and revoking access rights and privileges. Moreover, there's no dependence on having users return distributed devices, software or data because, with desktop virtualization, there aren't any devices to return.

Security is a primary concern

Desktop virtualization clearly has a lot to offer today's enterprises. However, fully realizing its benefits is not a given. To preserve potential gains, organizations must, among other tasks, ensure the security of their desktop virtualization implementations. This may sound a bit circular (organizations must invest in one set of security measures to gain the full benefits of the second), but that's exactly the point. To maximize the desktop and data security benefits of virtual desktops, the VDI must be secured.

- Remote access: With mobility and telecommuting initiatives on the rise, a substantial percentage of users are likely to require access to their desktops from a remote location, often over an insecure public network. Unlike a standard desktop scenario, where an attacker needs possession of the device to get local access, desktop virtualization attacks require access to the network.
- Device proliferation: Consumerization of IT is requiring IT to support diverse client devices with widely varying security characteristics and profiles. This task is further complicated by the fact that most of these devices are no longer owned or controlled by the enterprise. Although desktop virtualization can eliminate local retention of sensitive data, a compromised client device still poses a threat. Sensitive data could still be viewed and the rights attributed to the user/device could be exploited to launch a far more damaging attack.
- Extent of access: With desktop virtualization, users have access to an entire desktop. In addition to their immediate applications and data, they can also get to all the downstream network resources accessible from their desktops. This elevates the importance of security in general, and access control in particular.
- Concentration of resources: A robust defense is important because desktop virtualization places many of an organization's eggs in a single basket. In contrast to the conventional, distributed model of desktop computing, a single, successful attack now has the potential to impact a substantial number of users and desktop systems.

There is also the big picture to consider. Today's hackers are highly organized and motivated to cause damage and/or make off with valuable data. As a result, robust defenses are generally necessary, if for no other reason than to provide protection from an increasingly sophisticated and hostile threat landscape.

How NetScaler and Palo Alto Networks next-generation firewalls can help

NetScaler, an advanced solution for delivering apps and cloud and enterprise services, provides an extensive set of capabilities that make it an ideal choice for front-ending an organization's desktop virtualization infrastructure. Particularly relevant are the numerous security mechanisms and features that NetScaler delivers to help protect VDI.

Palo Alto Networks next-generation firewalls complement NetScaler capabilities by segmenting the VDI in the datacenter and protecting it from threats. By leveraging user authentication information from the VDI, the firewalls control access to applications and data based on security policies. The combination of NetScaler and Palo Alto Networks next-generation firewall is a best-in-class solution that effectively protects the underlying datacenter and keeps users highly productive from anywhere they happen to be. The solution facilitates security for virtual desktop deployments by enabling real-time orchestration of individual technologies and capabilities. A step-by-step deployment guide to securing Citrix XenApp and XenDesktop infrastructure using this joint solution is available.

Secure remote access

Citrix NetScaler Gateway is a full-featured SSL VPN and an integral component of NetScaler. It gives administrators granular, application-level control while empowering users with remote access to their virtual desktops from anywhere. With NetScaler Gateway, IT administrators can manage access control and limit actions within sessions based on both user identity and attributes of the endpoint device. The result is better application security, data protection and compliance management.

Figure 1. Citrix NetScaler and Palo Alto Networks next-generation firewall secure VDI. (Diagram: Citrix NetScaler provides Secure Access, Application Security and High-availability; the Palo Alto Networks NGFW provides Next-gen Firewall, Threat Protection and High-availability; both sit in front of the Virtual Desktop Infrastructure.)

NetScaler Gateway enables secure remote access to virtual desktops by providing an encrypted tunnel and supporting a wide range of user authentication methods. Desktop sessions traversing public networks are protected from eavesdropping.

Next up is granular and adaptive access control. With NetScaler Gateway, administrators can tightly control access to virtual desktops using policies comprised of both fixed and dynamic attributes, including user identity and role, strength of authentication, location, time of day, and identity and security status of the client device. In addition, NetScaler Gateway supports existing directory and identity management infrastructure. Supporting this capability is another important security feature: endpoint analysis. Integrated endpoint scanning can continually monitor client devices to determine if client security software such as antivirus, personal firewall or other mandatory programs is active and up-to-date. Devices that fail these checks can be denied access, granted limited access or quarantined by restricting their access to sites that provide the tools necessary to restore them to a compliant configuration.
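The policy model described above (fixed attributes such as group membership combined with dynamic ones such as authentication strength, location, time of day and endpoint scan results, with deny / limited / quarantine outcomes) is easier to reason about when written out as a decision function. The following Python is an added example for this document, not NetScaler Gateway code or a Citrix API: the attribute names, the group names `vdi-users` and `vdi-admins`, the three-day signature-age threshold, the business-hours window and the sample requests are all assumptions constructed for the illustration. It also carries the resulting session restrictions (clipboard, local print, save-to-disk) in the decision, since in practice the access decision and the action-control settings are produced together.

```python
"""Adaptive access-control decision for a virtual desktop session.

Example code added to illustrate the policy model described in the text
(identity and role, authentication strength, location, time of day, and
endpoint security status). It is not NetScaler Gateway code; attribute
names, group names and thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Access(Enum):
    FULL = "full"              # unrestricted virtual desktop session
    LIMITED = "limited"        # session with local data actions restricted
    QUARANTINE = "quarantine"  # only remediation resources reachable
    DENY = "deny"


@dataclass
class EndpointPosture:
    """Result of an endpoint scan (fields constructed for the example)."""
    antivirus_running: bool
    av_signature_age: timedelta
    firewall_enabled: bool
    managed_device: bool


@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    auth_factors: int          # 1 = password only, 2 = password + second factor
    source: str                # "internal" or "external"
    when: datetime
    posture: EndpointPosture


@dataclass
class Decision:
    access: Access
    reasons: list = field(default_factory=list)
    # Action-control settings applied to the session.
    allow_clipboard: bool = True
    allow_local_print: bool = True
    allow_save_to_disk: bool = True


# Policy thresholds (assumptions for the example, not product defaults).
MAX_SIGNATURE_AGE = timedelta(days=3)
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
ENTITLED_GROUP = "vdi-users"
PRIVILEGED_GROUP = "vdi-admins"


def posture_compliant(p: EndpointPosture) -> bool:
    """Endpoint check: mandatory security software present and current."""
    return (p.antivirus_running
            and p.av_signature_age <= MAX_SIGNATURE_AGE
            and p.firewall_enabled)


def evaluate(req: AccessRequest) -> Decision:
    """Combine fixed and dynamic attributes into one access decision.

    Hard checks come first and short-circuit; the remaining checks only
    narrow a session that is otherwise allowed.
    """
    # Fixed attribute: the user must be entitled to a virtual desktop.
    if ENTITLED_GROUP not in req.groups:
        return Decision(Access.DENY, ["user is not entitled to VDI"])

    # Location plus authentication strength: external sessions need a second factor.
    if req.source == "external" and req.auth_factors < 2:
        return Decision(Access.DENY, ["external access requires a second factor"])

    # Endpoint analysis: a non-compliant device is quarantined rather than
    # denied outright, so it can still reach remediation resources.
    if not posture_compliant(req.posture):
        return Decision(Access.QUARANTINE, ["endpoint failed security scan"],
                        allow_clipboard=False, allow_local_print=False,
                        allow_save_to_disk=False)

    decision = Decision(Access.FULL)

    # Unmanaged (user-owned) devices keep data inside the session.
    if not req.posture.managed_device:
        decision.access = Access.LIMITED
        decision.reasons.append("unmanaged device: local data actions restricted")
        decision.allow_clipboard = False
        decision.allow_local_print = False
        decision.allow_save_to_disk = False

    # Time of day: out-of-hours access for non-privileged users cannot save to disk.
    if req.when.hour not in BUSINESS_HOURS and PRIVILEGED_GROUP not in req.groups:
        decision.access = Access.LIMITED
        decision.reasons.append("outside business hours: save-to-disk restricted")
        decision.allow_save_to_disk = False

    return decision


def sample_requests() -> dict:
    """Constructed sample requests, one per outcome the policy can produce."""
    healthy = EndpointPosture(True, timedelta(days=1), True, managed_device=True)
    stale = EndpointPosture(True, timedelta(days=10), True, managed_device=True)
    byod = EndpointPosture(True, timedelta(hours=6), True, managed_device=False)
    noon = datetime(2013, 8, 1, 12, 0)
    night = datetime(2013, 8, 1, 23, 30)
    users = frozenset({"vdi-users"})
    return {
        "office_managed": AccessRequest("alice", users, 1, "internal", noon, healthy),
        "remote_no_mfa": AccessRequest("alice", users, 1, "external", noon, healthy),
        "remote_stale_av": AccessRequest("alice", users, 2, "external", noon, stale),
        "remote_byod_night": AccessRequest("bob", users, 2, "external", night, byod),
        "not_entitled": AccessRequest("eve", frozenset({"staff"}), 2, "internal", noon, healthy),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(f"{name:18} -> {d.access.value:10} {'; '.join(d.reasons)}")
```

Running the block prints one line per sample: the managed office device gets a full session, the remote user without a second factor and the unentitled user are denied, the device with stale antivirus signatures is quarantined, and the user-owned device at night gets a limited session with clipboard, printing and save-to-disk disabled. The ordering matters: posture is checked before the narrowing rules so a non-compliant device never receives a limited session it could use to leak data.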

Advanced action and data control capabilities provide yet another crucial layer of protection, particularly given the proliferation of client devices and growing tendency toward user ownership and self-management. Related features include:

- Enhanced split tunneling control, where users can access their desktop and the client's local subnet but are prevented from directly accessing the Internet
- Adaptive action control, where local printing, copy, paste and save-to-disk functionality can be restricted via adaptive policies
- Browser cache cleanup, where objects and data stored on the local browser are removed upon completion of the virtual desktop session

Authentication, confidentiality and encryption

NetScaler provides authentication, confidentiality and encryption for the VDI. NetScaler integrates with Citrix Secure Ticket Authority (STA) Kerberos-style ticketing to eliminate the possibility of session hijacking with cookie-based authentication schemes. The NetScaler proxy architecture, coupled with HTTP/URL rewrite and Layer 7 (L7) and NetScaler Application Firewall content filtering capabilities, allows virtual desktop administrators to shield connection brokers and other downstream VDI components from direct TCP and UDP connections initiated by external users, thereby reducing their exposure to malware and other types of attacks. NetScaler provides cloaking and content security to effectively hide server error codes, real URLs and other pieces of information that could give hackers the details they need to formulate custom attacks automatically, and to thwart many types of denial of service (DoS) attacks that exploit gaps in common protocols. NetScaler ICA file encryption and AppExpert templates make it simple to configure a highly secure environment to protect XenApp and XenDesktop environments and StoreFront/AppController SSO authentication-based services. StoreFront enables you to create centralized enterprise stores to deliver desktops, applications and other resources to users on any device, anywhere. AppController enables single sign-on services for mobile applications.

Network-layer protection

NetScaler provides core, network-layer protection for VDI in several ways. To begin with, administrators can use NetScaler to enforce a basic level of access control using straightforward Layer 3 and 4 access control lists (ACLs) to selectively permit legal traffic while blocking traffic deemed unsafe. In addition, a couple of key design features automatically protect any infrastructure front-ended by NetScaler. For example, NetScaler incorporates a high-performance, enhanced, standards-compliant TCP/IP stack that:

- automatically drops malformed traffic that could pose a threat to the entire VDI;
- prevents disclosure of low-level connection information (e.g., IP addresses, server port numbers) that could prove useful to hackers intent on perpetrating an attack; and
- automatically thwarts many types of DoS attacks that exploit gaps in common protocols.

Safe enablement for datacenter applications

Users may have access to other applications in the datacenter besides their virtual desktop. Palo Alto Networks next-generation firewalls enable advanced, identity-based, granular application control, threat prevention and content leak protection for resources accessed from virtual desktops. This means virtual desktop users may only access applications allowed by their security policy. One of the key benefits of the Palo Alto Networks integration with XenApp and XenDesktop applications is the ability to integrate user identity information, which allows organizations to set up firewall policies on an individual or group basis, and provides visibility into user activity via detailed reports and logs. The interaction between the VDI and the Palo Alto Networks next-generation firewall simplifies policy creation and management, allowing the firewall to dynamically identify users and enforce security policies. Using the integration, organizations can:

- Establish segmentation by application, user and content in the datacenter
- Accurately identify and control the use of more than a thousand applications (including common social networking and cloud-based services), regardless of port, protocol or any evasive techniques used to mask their operation
- Dynamically identify users and enforce security policies for granular application access based on user or group, and generate logs and reports with user, application and content information for further analysis and forensic investigation
- Detect and respond to threats and sensitive data contained in employee communications

Next-generation threat protection

Attackers today have evolved into bona fide cybercriminals, often motivated by significant financial gain and sponsored by criminal organizations, nation-states or radical political groups. These groups have more time, resources and a higher level of motivation, which allows them to mount more complex, long-term operations against bigger targets. As a result, a wide array of tactics, from targeted malware and spyware to phishing attacks and social engineering, in addition to exploits, are being observed at many organizations. This situation calls for protection against a variety of attacks at scale. Palo Alto Networks next-generation firewalls deliver a comprehensive suite of essential network security for preventing both known and unknown threats. They provide robust defenses designed to thwart app-specific threats, including zero-day attacks targeting app-layer vulnerabilities. Complementing this, NetScaler Application Firewall protects against web application-layer attacks, such as SQL injection, cross-site scripting and buffer overflow threats.

The joint solution offers the following:

- Granular user- and app-focused access control that reduces the scope of attack by controlling applications that may carry threats
- Complete, integrated threat framework with high-performance, stream-based protection against viruses, spyware and exploits
- Advanced protection against modern malware and targeted/zero-day attacks
- Comprehensive web application protection via the industry's highest-capacity firewall

Equally important, however, is the ability to provide all of this protection at scale. Both NetScaler and Palo Alto Networks products are designed on purpose-built hardware platforms optimized for performance. Palo Alto Networks also features an innovative Single Pass Parallel Processing architecture that reduces latency by performing security functions only once. This software architecture, coupled with a multi-core hardware processing architecture, ensures delivery of high-performance protection under the most demanding conditions.

Additional considerations

Although critically important, network security is only one piece of a complete security strategy for VDI. Besides network security, enterprises should consider the need for:

- Client security. Despite desktop virtualization's centralized operating model, accessing a virtual desktop from a compromised client device still poses a threat to the environment. NetScaler endpoint analysis, action control and data cleanup features can help organizations ensure that the client device is secure. Under certain high-risk access scenarios, however, it may also be necessary to implement a comprehensive suite of endpoint security software.
- Virtual system security. Maintaining good virtual machine hygiene means ensuring virtual desktops use the latest, fully patched versions of embedded apps and operating systems, and retiring virtual machines that are no longer in use. It also entails providing network isolation for all VDI components and potentially implementing encryption for associated storage volumes, given the concentration of resources involved.

Beyond security

By itself, adequately securing the VDI is not sufficient to fully preserve the benefits of desktop virtualization. Enterprises also need to ensure the availability, performance and scalability of whatever solution they decide to implement. After all, users will not be happy if the environment is not available when needed, or if it suffers from performance issues that make it unusable. NetScaler truly excels as a front-end solution for an organization's desktop virtualization infrastructure, helping ensure that organizations obtain both the performance and scalability they need. In addition to its compelling set of network security features, NetScaler delivers:

- A combination of enterprise-class server load balancing, global server load balancing and health monitoring capabilities to ensure virtual desktop availability and business continuity
- An extensive collection of mechanisms that not only enhance virtual desktop performance over the network but also streamline the user experience
- Intelligent load distribution and server offload capabilities that enable seamless scalability of VDI

Palo Alto Networks next-generation firewalls support active/passive and active/active high availability configuration, complete with session and configuration synchronization. To ensure that management is accessible during periods of heavy traffic, the next-generation firewall separates the data plane and the control plane, each with dedicated processing and memory. The data plane houses dedicated processing and memory for networking, security and content inspection, while dedicated management processing and memory reside on the control plane.

Conclusion

By delivering a robust set of granular application identification and controls, remote access and threat protection capabilities, the combined NetScaler and Palo Alto Networks firewall solution not only preserves but also extends the benefits organizations have come to expect when embracing desktop virtualization. IT managers can substantially improve the availability, performance and scalability of their virtual desktop implementations while ensuring security and compliance for their virtual desktop users.

[1] Forecast: Hosted Virtual Desktops, Worldwide, 2010-2016. Gartner, June 2012.

About Palo Alto Networks

Palo Alto Networks, Inc. has pioneered the next generation of network security with our innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is our next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimized hardware and software architecture. Our platform uniquely offers you the ability to identify, control, and safely enable applications while inspecting all of your content for all threats all the time. These capabilities, combined with superior performance, surpass all traditional approaches including UTM and software blade. Our approach allows you to simplify your network security infrastructure and eliminate a variety of stand-alone and bolt-on security devices. Our platform can address a broad range of your network security requirements, from your datacenter to your enterprise perimeter, to the far edges of your network and more, including branch offices and mobile devices.

Corporate Headquarters: Fort Lauderdale, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
EMEA Headquarters: Schaffhausen, Switzerland
India Development Center: Bangalore, India
Online Division Headquarters: Santa Barbara, CA, USA
Pacific Headquarters: Hong Kong, China
Latin America Headquarters: Coral Gables, FL, USA
UK Development Center: Chalfont, United Kingdom

About Citrix

Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles, empowering people to work and collaborate from anywhere, easily and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www..

Copyright 2013 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, XenApp, XenDesktop, ICA and NetScaler Gateway are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. 0813/PDF