
This PDF slide deck contains slides with animation.

It is recommended that the deck is viewed alongside the accompanying webinar recording located here: https://www1.gotomeeting.com/register/325602920

NetScaler Master Class


August 2012

Remember: you can contact the NetScaler Master Class team by email at NetScalerMasterClass@Citrix.com

Who's online today?

Top 10 countries represented: USA, Turkey, Russia, Denmark, Ireland, The Netherlands, Italy, France, Germany, United Kingdom

© 2012 Citrix

Today's running order

NetScaler 101: NetScaler and Security, an introduction and reminder (Ronan O'Brien)
In the Spotlight: NetScaler Application Firewall (Lena Yaravaya)
What's new: NetScaler Security eco-system (Prakash Sinha)
News and Views

Security on NetScaler
NetScaler MasterClass August, 2012

Core Security Features

Layer 2: cloak your downed VServers. Respond to ARP based on VServer health, configured per virtual IP. The same logic and functionality applies to ICMP.

Diagram: feature stack, Layer 2 (ARP Response)

Core Security Features

Layer 3 (non-TCP): limits for ICMP and UDP packets per 10 ms (NetScaler > System > Settings > Global Sys Settings).

Diagram: feature stack, Layer 2 (ARP Response), Layer 3 (ICMP/UDP Limit)

Core Security Features

Layer 3 (TCP): SYN flood protection, ACLs, surge protection, DNS security.

Diagram: feature stack, Layer 2 (ARP Response), Layer 3 (ICMP/UDP Limit, SYN Flood Attack, Extended ACL, Surge Protection, DNS Security)

Access Control List

ACLs are the oldest security and firewalling mechanism. Each inbound packet is matched against the ACL and an action is triggered.
Match criteria: Source IP/Port, Destination IP/Port, TTL, Source MAC, Protocol, VLAN, ICMP Type/Code
ACL logging can be configured for further audit trails.

ACLs (configuration screenshot)

Core Security Features

Upper layers: Rewrite and URL Transform can be used to mask internal URLs. TLS man-in-the-middle attack protection. HTTP cookie encryption / proxying and XML encryption. SlowPost and Slowloris attack protection.

Diagram: feature stack, Layer 2 (ARP Response), Layer 3 (ICMP/UDP Limit, SYN Flood Attack, Extended ACL, Surge Protection), Upper Layers (App Firewall, HTTP Responder, Authentication, Action Analytics, SSL, HTTP DoS, HTTP Callout, SSL FIPS, SQL Responder, HTTP Rate Limit)

SYN Attack Protection

Protects against over 20 M SYN/sec.

Diagram (SYN cookie handshake): Client sends SYN; NetScaler answers SYN+ACK carrying a SYN cookie; Client returns ACK and then the GET; only then is a resource allocated on the Server.
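The SYN cookie flow in the diagram, worked through as an added example that is not from the deck and not NetScaler's implementation: the SYN+ACK sequence number encodes a keyed hash of the connection 4-tuple, a coarse timestamp and the client's MSS, so no per-connection state exists until a valid ACK arrives. The cookie layout, SECRET and MSS_TABLE are constructed assumptions.

```python
import hashlib
import hmac

# Constructed secret for this illustration; a real stack keeps it private
# and rotates it. Cookie layout (simplified, Linux-style): bits 31..27 hold
# a 5-bit time counter (64-second slots), bits 26..24 an index into a small
# MSS table, bits 23..0 a keyed hash over the 4-tuple, counter and MSS index.
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1300, 1440, 1460)


def _tag(four_tuple, counter, mss_idx):
    """24-bit keyed hash binding the cookie to this connection attempt."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(four_tuple, client_mss, now):
    """Build the ISN sent in SYN+ACK. Nothing is stored: the cookie itself
    carries everything needed to validate the client's ACK later."""
    counter = (int(now) // 64) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (counter << 27) | (mss_idx << 24) | _tag(four_tuple, counter, mss_idx)


def check_syn_cookie(four_tuple, ack_number, now):
    """Validate the third handshake packet. The client acknowledges ISN+1,
    so the cookie is ack_number-1. Returns the negotiated MSS, or None if
    the cookie is forged, replayed for another 4-tuple, or too old."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    current = (int(now) // 64) & 0x1F
    # Accept only the current or previous time slot (cookie younger than ~2 min).
    if (current - counter) & 0x1F > 1:
        return None
    expected = _tag(four_tuple, counter, mss_idx)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo(now=1_000_000):
    """A flood of SYNs that never complete leaves no state behind, and one
    real client (constructed addresses) still completes its handshake."""
    for i in range(10_000):
        make_syn_cookie((f"203.0.113.{i % 250}", 40000 + i, "198.51.100.10", 80), 1460, now)
    client = ("192.0.2.7", 51234, "198.51.100.10", 80)
    isn = make_syn_cookie(client, 1460, now)
    return check_syn_cookie(client, isn + 1, now + 30)


if __name__ == "__main__":
    print("legitimate client negotiated MSS:", handshake_demo())
```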

HTTP DDoS Protection

Diagram: Client sends GET/POST; the DDoS policy answers with a JavaScript refresh (JS: Refresh); the client's refreshed request then passes the queues labelled DOS Q and SQ before reaching the Server.

SSL Security

Diagram: SSL Offloading (SSL from the client, HTTP to the server); SSL Backend Encryption (SSL on both sides); SSL Bridge (SSL_BRIDGE end to end)

NetScaler - Optimized for 2048-bit RSA Keys

2048-bit RSA Key

http://www.verisign.com/ssl/ssl-information-center/express-renew-ssl-certificate/index.html: "You must submit a minimum 2048bit CSR to qualify for Express Renewal."

SSL Cert Renewals

NetScaler can notify you of invalid certificates.
Notice notification when a certificate nears expiry.
CSRs for submission to certificate authorities can be generated on-box using a wizard.
Hooks into Command Center.

TLS-Reneg MITM Attack Protection

Man-in-the-middle attack prevented by cryptographically binding renegotiation handshakes to the enclosing TLS cryptographic parameters: Transport Layer Security (TLS) Renegotiation Indication Extension (RFC 5746).

Responder

First module any incoming request hits on NetScaler. Can internally invoke Rate Limiting and Callout objects.

Example: GET /secure/index.asp is matched by HTTP.REQ.URL.CONTAINS("secure"); possible actions: Respondwith (200 OK), Redirect (302 Found), DROP, RESET

DataStream - Responder

Allows NetScaler to respond to a MySQL or MS-SQL request without any input from the back-end servers.

Diagram: Drop, "Not Allowed through VServer!"

Drop Invalid HTTP Requests & Slow* Protections

Drop invalid requests; custom actions.

Slowloris Attack

Diagram (Legitimate Client, Attack Client, idle timeout reached): the attack client sends a few bytes of header just before the idle client timeout is reached, keeping the connection open indefinitely.

SlowPost Attack

Diagram (Header, POST Body, idle timeout reached, Legitimate Client, Attack Client): the attack client sends the header completely but sends the POST body a few bytes at a time, each just before the idle client timeout is reached, keeping the connection open indefinitely.

Authentication

Authentication types (dual auth supported): (S)LDAP (includes Microsoft Active Directory, Novell NDS), RADIUS, TACACS, Certificate, Kerberos, SAML (new in NetScaler 10!), Local

Authorisation

Two key elements: WHO has access to WHAT. Two outcomes: Allow and Deny.
Who = the authenticated user. Authorisation policies MUST be bound to users or groups.
What = a granular, easily defined object, e.g. IP address, HTTP URL, group, etc.

Accounting

Records who, when and from where, to a SYSLOG server (open standard format): NetScaler's own syslog server, a syslog server outside the appliance, or Command Center.
There is also the NSLOG format, which is NetScaler proprietary.

Sample log lines from the slide screenshot (truncated as extracted):
10.90.41.25 [30/Apr/2012:13:07:15 +0200] "GET /config ... 1.1" 200 105 "http://10.90.196.150/menu/neo" "Mozilla/ ... AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0
10.90.41.25 [30/Apr/2012:13:07:16 +0200] "GET /views HTTP/1.1" 304 - "-" "Mozilla/4.0 (Windows 7 6.1) Java/1
10.90.41.25 [30/Apr/2012:13:07:17 +0200] "GET /views HTTP/1.1" 304 - "-" "Mozilla/4.0 (Windows7 6.1) Java/1
10.90.41.25 [30/Apr/2012:13:07:17 +0200] "GET /nsip? HTTP/1.1" 200 103 "http://10.90.196.150/menu/neo" "M ... AppleWebKit/535.19 (KHTML, like Gecko)

Work better. Live better.

Citrix NetScaler Web Application Firewall

NS WAF Overview and Update

Problem: 86% of attacks are attacks on the applications, and the applications have no protection. Solution: WAF protection.

Diagram: Network / Transport Layer / Session Layer / AppFW

Convergence of Application Security Functions

DDoS, SSL, SSL/VPN, WAF, XML FW, AAA, SSO, Reporting

4th Gen Web App Firewall: fastest app firewall (12 Gbps), best price-performance.
First to implement learning (Teros), first to implement positive security, fine-grained policy driven.

NetScaler MPX and VPX

Logical Deployment

Interfaces connected to different networks (untrusted network / trusted network).

Diagram: Internet > Network Firewall > Citrix Application Firewall (in the DMZ) > Network Firewall > Application Infrastructure

Hybrid Security Model

Signatures for known attacks: easy deployment, quick PoC; checks request headers (URL, cookies, etc.) and body (form fields); integrates with scanning tools; wizard to ease configuration.
Mix-and-match with positive security: defense against zero-day attacks, defense against custom attacks, strongest security posture.

Signatures

Signature Maintenance/Updates

Based on SNORT; partnership with SourceFire to provide signatures. Can be updated without changing build. Open format for signature files. Signature versioning. Automatic identification of new signatures.

How do SNORT signatures work?

NetScaler provides SNORT signatures converted into NetScaler native format. Import into NetScaler, click and choose which application rules apply and whether to block or log, then deploy.

Integrates with Scanner Tools: NetScaler and Cenzic integration

Run periodic scans of the protected website, then import the vulnerability file into NetScaler.

Positive Security Model

Vulnerable Websites (chart; copyright WASC, White Hat Security)

Cross-site Scripting (XSS) Attacks

Attacking trust relationships

Diagram:
1. Hacker posts <malicious script> to vulnerable Web application
2. Innocent user downloads script and executes it
3. Script captures credential info and sends it to the hacker

Cross-Site Scripting: inserting a malicious script that compromises the trust relationship between a user and a Web application, resulting in sending an attacker confidential information that can be used to steal that user's identity.

SQL Injection Attacks

Accessing databases via Web applications

SQL Injection Attack example: http://shop/index.asp?category=books' or 1=1

SQL Injection Attacks: sending SQL commands to a Web application that, when passed to databases, execute and allow the hacker to gain access to or change customer and sensitive information.

Cookie Poisoning defense prevents identity theft and session hijacking

Web server sends the client a cookie. Client returns the cookie to the server. Application Firewall verifies that cookies have not been modified by the client.
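An illustration of the cookie consistency check, added here and not NetScaler's code: each outbound cookie is given a keyed integrity tag, and an inbound cookie that lacks a valid tag (added or modified by the client) is flagged and withheld from the server. KEY and the tag format are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Constructed key for this illustration; on a real device it would be a
# per-appliance secret that the client never sees.
KEY = b"constructed-demo-key"


def _tag(name, value):
    """Short keyed MAC over name=value; the client cannot forge it without KEY."""
    mac = hmac.new(KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


def tag_set_cookie(set_cookie_header):
    """Outbound (server -> client): append an integrity tag to the cookie value
    while leaving attributes such as Path and HttpOnly untouched."""
    first, *attrs = [p.strip() for p in set_cookie_header.split(";")]
    name, value = first.split("=", 1)
    return "; ".join([f"{name}={value}.{_tag(name, value)}", *attrs])


def verify_cookie_header(cookie_header):
    """Inbound (client -> server): check each cookie's tag and strip it.
    Returns (cleaned Cookie header for the server, list of violating names).
    A cookie the server never set, or one whose value changed, fails."""
    clean, violations = [], []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, tagged = part.partition("=")
        # The tag never contains '.', so the last '.' separates value and tag.
        value, dot, tag = tagged.rpartition(".")
        if not dot or not hmac.compare_digest(tag.encode(), _tag(name, value).encode()):
            violations.append(name)
            continue
        clean.append(f"{name}={value}")
    return "; ".join(clean), violations


if __name__ == "__main__":
    outbound = tag_set_cookie("sessionid=abc123; Path=/; HttpOnly")
    print("Set-Cookie:", outbound)
    echoed = outbound.split(";")[0]
    print("honest client:", verify_cookie_header(echoed))
    print("tampered client:", verify_cookie_header("sessionid=admin1.bogus; role=admin"))
```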

HTML Form Field Protection

Protect applications by blocking malicious and illegal input parameters. Application sends form to client; client completes and returns form.

For each user session AppFw ensures that:
1. Each field is returned
2. No fields were added by the client
3. Read-only and hidden fields are unaltered
4. Data in drop-down list or radio button fields conforms
5. Max length of form fields is adhered to
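The five per-session checks, implemented as an added example (not from the deck and not NetScaler's code): the form the application sent is parsed into a field specification and each submission is compared against it. CHECKOUT_FORM and the field rules are constructed assumptions.

```python
from html.parser import HTMLParser


def _new_field():
    return {"allowed": set(), "fixed": None, "maxlength": None}


class FormSpec(HTMLParser):
    """Record what the application sent to the client: every field name, the
    value of hidden/read-only fields, the option values of radio buttons and
    drop-downs, and any maxlength (options without a value attribute ignored)."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            f = self.fields.setdefault(a["name"], _new_field())
            kind = (a.get("type") or "text").lower()
            if kind == "hidden" or "readonly" in a:
                f["fixed"] = a.get("value") or ""
            elif kind in ("radio", "checkbox"):
                f["allowed"].add(a.get("value") or "on")
            if (a.get("maxlength") or "").isdigit():
                f["maxlength"] = int(a["maxlength"])
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.fields.setdefault(self._select, _new_field())
        elif tag == "option" and self._select and a.get("value") is not None:
            self.fields[self._select]["allowed"].add(a["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def parse_form(html):
    spec = FormSpec()
    spec.feed(html)
    return spec.fields


def check_submission(spec, submitted):
    """The five per-session checks; returns a list of (field, reason)."""
    violations = [(n, "field missing") for n in spec if n not in submitted]  # 1
    for name, value in submitted.items():
        f = spec.get(name)
        if f is None:
            violations.append((name, "field added by client"))               # 2
            continue
        if f["fixed"] is not None and value != f["fixed"]:
            violations.append((name, "read-only/hidden field altered"))      # 3
        if f["allowed"] and value not in f["allowed"]:
            violations.append((name, "value not in option list"))            # 4
        if f["maxlength"] is not None and len(value) > f["maxlength"]:
            violations.append((name, "exceeds maxlength"))                   # 5
    return violations


# Constructed sample form standing in for what the application sent.
CHECKOUT_FORM = """
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="text" name="qty" maxlength="2">
  <input type="text" name="price" value="19.99" readonly>
  <input type="radio" name="ship" value="std"> <input type="radio" name="ship" value="exp">
  <select name="country"><option value="UK">UK</option><option value="IE">IE</option></select>
</form>
"""
```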

Cross Site Request Forgery Attacks

Diagram:
1. User logs in and creates a session with the web application
2. User visits blog.net in another browser window; Blog.net makes a request to the application using the user's session credentials

CSRF

Denial of Service

Scan Tool Integration

Business Object Protection Modules

Prevent the inadvertent disclosure of customer or corporate data.

Example of leaked content (screenshot): a SQL Server error returned to the client, "Server: Msg 547, Level 16, State 1, Procedure error_demo_sp, Line 2. UPDATE statement conflicted with COLUMN FOREIGN KEY constraint 'fk7_acc_cur'. The conflict occurred in database 'bos_sommar', table 'currencies', column 'curcode'. The statement has been terminated.", followed by a list of Mastercard and VISA card numbers shown masked (XXXXXXXXXXXXXXXX) beside their unmasked values.

Financial theft prevention: credit card numbers. Configurable protections: customer-defined data objects.

Integrated HTML and XML Security

XML Security: threat protection, content validation, data leak prevention, reporting and monitoring.
Secures all flavors of XML applications (not just SOAP).
Single device for XML, HTML and Web 2.0 application security.
Check types are categorised as HTML, XML or Common (for all checks); Block, Log and Statistics can be enabled.

Auditing

Full administrative audit trail: all management operations logged.
Full user activity audit trail: all session activity, all network flows.
All system events logged. Support for external logging servers.

Manageability and Ease of Use - Learning

Rule Recommendation Engine in learning mode (screenshot)

Manageability/Ease of Use - Rule Visualizer (screenshot)

Reporting

Dashboard of top AppFirewall information for a quick security summary. Ability to create custom reports for specific violations, client IPs, profiles, etc.

Visibility and Reporting with Splunk for NetScaler

Splunk App for NetScaler, available at SplunkBase: http://www.splunkbase.com/apps/All/4.x/Add-On/app:Splunk+for+Citrix+NetScaler

Case Study: FreshDirect: http://www.splunk.com/view/case-studyfresh-direct/SP-CAAACDB

Full PCI v1.2 compliance report

Analyze App Firewall configuration against PCI-DSS requirements. Executive summary of Application Firewall configuration.

Demo - Prevent Web Application Attacks with Citrix NetScaler Application Firewall

AppFw and Cenzic Integration: http://support.citrix.com/article/CTX133285
AppFw and Qualys Integration: http://support.citrix.com/article/CTX133269

Application Attack Demonstration

These attacks are illegal. To avoid going to jail, never run these attacks:
against any web site without written permission by a corporate officer,
across a corporate network,
across a public network.

NetScaler Technology Partnership Update

Prakash Sinha, July 2012

Expanding Mindshare with Ecosystem Partners

Partner categories (diagram, arranged around access and threat): Log Management, SIEM, Network Monitoring, Network Infrastructure, Identity Management, VA / Scanning, Anti Virus, URL Filtering, Certificate Mgmt, Secure Browsing
Improves security of Citrix NetScaler: integration with leading technology vendors improves time to protect.
Reduces Web App Firewall proof of concept (PoC) and time-to-deployment.
SIEM integration improves compliance, reporting, and monitoring in the enterprise.
Provides enhanced security through technology partners.

NetScaler Technology Ecosystem Partners

Provides net new security through tech partners; integration with leading vendors reduces insecure time.
App scan integration reduces proof of concept (PoC) and time-to-deployment.
SIEM integration improves compliance, reporting, and monitoring in the enterprise.
Network monitoring, scalability and virtualization create differentiation.
Partner categories (diagram, arranged around access and threat): Browser Security, Security Events, Certificate Mgmt, Network Infra, Antivirus/URL Filter, Penetration Testing, App Visibility, Identity Mgmt, Intrusion Detection

Integration with Application Scanning & Penetration Testing Tools

Web App Security with Cenzic and NetScaler

Run periodic scans to keep the website secure. Web vulnerability scan results from Cenzic are imported into NetScaler Application Firewall. The website is now protected.

How Does It Work?

Vulnerabilities are found during Cenzic Hailstorm software or SaaS security scans. The development team logs into Cenzic Hailstorm and/or receives a vulnerability report with details. The remediation process begins.
Export the Cenzic Hailstorm vulnerability report to a NetScaler Application Firewall. The XML file of scan results is imported into NetScaler Application Firewall. The imported, Cenzic-generated rules are then bound to the NetScaler Application Firewall profile.
Quick protection against Cenzic Hailstorm identified application vulnerabilities. No additional configuration and learning is required.

Certificate Lifecycle Management

Certificate Management on NetScaler with Venafi

Enable rapid migration from 1024-bit keys to 2048-bit across the IT infrastructure: Venafi has the certificate inventory, provides automated replacement of keys, and can enforce 2048-bit policies / compliance.
Improve performance by offloading SSL certificates to NetScaler devices: expand NetScaler platforms to enable 2048-bit compliance without degrading performance; Venafi integration with NetScaler enables automated deployment of certs to NetScaler from other systems.
Venafi functions (diagram): Validation, Network Discovery, Reporting, Analysis & Mgmt, Automated Provisioning, Enrollment (to CAs), Monitoring & Alerting

How Does it Work?

Venafi discovers certificates in your network. Venafi validates the inventory daily. Venafi monitors for and reports on inventory expirations and policy violations. Venafi acts as the intermediary to manage the enrollments, approvals and issuances of certificates. Venafi automatically issues, uploads and binds new certificates in the Citrix NetScaler. Venafi regularly rotates certificates, providing increased security agility.

Workflow (diagram):
1. Configure NetScaler in Director
2. Configure Cert
3. Approve Key Gen
4. Generate Key Pair/CSR
5. Store encrypted in DB
6. Submit CSR
7. Retrieve Cert
8. Approve Installation (for each NetScaler)
9. Transfer certificate and private key
10. Associate certificate with virtual server

Token-less and Risk-based One-Time Password (OTP)

RSA Adaptive Authentication with Citrix NetScaler

Solution components: Citrix NetScaler version 9.2 or later; an identity provider such as Active Directory or an equivalent LDAP-based system; RSA Adaptive Authentication Server for secondary authentication of users based on behavioral and other inputs.

How does the integration work?
User attempts to access a system protected by Adaptive Authentication. The user's activity is analyzed by the RSA Risk Engine and assigned a risk score. RSA Policy Manager determines risk using behavioral analysis. The user is directed to "Step-Up Authentication".

SecureMatrix GSB Integration with NetScaler

Single Sign On

SAML Consumer with SecureAuth

Reference win at Carolinas Healthcare System (CHS) against Juniper SSL/VPN. CHS chose SecureAuth for the SSO/SAML provider use case and requested support for a SAML consumer in NetScaler/AGEE. Delivered by Citrix Consulting.
Product support in NetScaler 10.

Intrusion Detection and Intrusion Protection (IDS/IPS)

How Does IDS/IPS Integration Work?

Two modes of deployment: off a SPAN port, or inline mode.
Solution components: Citrix NetScaler front-ending web applications and sites; Sourcefire 3D Sensor; Sourcefire Defense Center.

How does it work?
Sourcefire 3D Sensor detects an attack. Sourcefire Defense Center creates an ACL policy and sends it to Citrix NetScaler through the NetScaler API. Citrix NetScaler applies the policy and blocks the attack.

How Does SNORT Signature Integration Work?

Import signatures into NetScaler. Signature updates are available from the Citrix NetScaler product update site approximately every 6 weeks.
Click and choose which application rules to apply; choose whether to block or log; deploy.

Anti Virus and URL Filtering

Integration with Anti-Virus, URL Filtering

Integrated with Trend Micro IWS Virtual Appliance (IWSVA). Customer win at Government of Alberta, Canada. Whitepaper written by Trend Micro.
NetScaler VPX deployment as a forward proxy load balancing outbound user traffic across multiple InterScan Web Security appliances.
NetScaler deployed as a reverse proxy switching inbound file uploads across multiple Trend Micro InterScan Web appliances.

How Does It Work? (diagram)

Security Information & Event Management (SIEM)

Security Event Management with ArcSight and RSA

Correlate NetScaler events with SIM/SEM tools to address compliance and visibility requirements for NERC, FISMA, PCI, HIPAA, IT governance, etc.
NetScaler is now a supported data source with RSA enVision (RSA enVision Event Sources).
ArcSight ESM integration available; ArcSight and RSA are in the Citrix Ready program.
Collateral at Citrix Cloud Solution Compliance Partners.
NitroSecurity (McAfee) integration is now available.

Visibility & Reporting

Visibility and Reporting with Splunk for NetScaler

Splunk App for NetScaler, available at SplunkBase as of Aug 2010.
Case Study: FreshDirect

Application Visibility - AppFlow on NetScaler

Who's accessing my application resources? Are my apps aligned with my users? How can I get clear operational visibility? How do I monitor and ensure SLAs are met?

Application Visibility and Log Mgmt Partners (logo slide)

Channel Solution Example: SoftChoice

Cenzic scans supported by NetScaler. Three products bundled and packaged together by SoftChoice. Sold by SoftChoice along with consulting as a Web Security Solution.

News and Views

NetScaler Repeater Scalability
http://blogs.citrix.com/2012/07/13/branch-repeater-on-hyper-v/

NetScaler Command Center MPX
http://blogs.citrix.com/2012/07/13/netscaler-command-center-mpx%E2%80%93-a-complete-solution-in-a-box/

AAA revisited
http://blogs.citrix.com/2012/07/30/aaa-what-it-means-to-you/

GSLB hierarchical approach
http://blogs.citrix.com/2012/07/27/netscaler-gslb-parent-child-sites/

NetScaler 10 and keep-alives
http://blogs.citrix.com/2012/07/26/netscaler-10-keep-alive-value-add-to-the-tcpstack-with-profiles/

CAC/SIPR tokens and NetScaler
http://blogs.citrix.com/2012/07/20/cac-or-sipr-token-on-netscaleragee/

NetScaler SAML and CG
http://blogs.citrix.com/2012/07/19/workin-it-with-netscaler-saml-and-cloudgateway/

NetScaler and TFTP
http://blogs.citrix.com/2012/07/19/load-balancing-tftp-with-netscaler/

Tagged and Untagged traffic and NetScaler HA
http://blogs.citrix.com/2012/07/19/netscaler-ha-managing-tagged-versusuntagged-traffic/

Competition

Impressive and relevant book on application security. If you haven't thought about security yet, this is the book for you. A great book for those new to web security.

Master Class: September

Wednesday September 5, 2pm UK time
Agenda:
NetScaler "101": NetScaler projects, beginning to end
"In the Spotlight": NetScaler implementation, a case study from Citrix Consulting Services
What's new: NetScaler product hardware update
Register today: https://www1.gotomeeting.com/register/521747929

Back issues of Master Class (recordings)

September 2011: https://www1.gotomeeting.com/register/124944433
October 2011: https://www1.gotomeeting.com/register/907493912
November 2011: https://www1.gotomeeting.com/register/294761545
December 2011: https://www1.gotomeeting.com/register/586128016
February 2012: https://www1.gotomeeting.com/register/811363848
March 2012: https://www1.gotomeeting.com/register/939423792
April 2012: https://www1.gotomeeting.com/register/276970321
May 2012: https://www1.gotomeeting.com/register/125653712
June 2012: https://www1.gotomeeting.com/register/665543696
July 2012: https://www1.gotomeeting.com/register/625884512
August 2012: https://www1.gotomeeting.com/register/325602920

Back issues of Master Class (slides)

September: https://citrix.sharefile.com/d-s5fdba69fbf44df49
October: https://citrix.sharefile.com/d-s489bf4162504deb8
November: https://citrix.sharefile.com/d-s20dc77787bd46a68
December: https://citrix.sharefile.com/d-s8ad080afc1f49d99
February: https://citrix.sharefile.com/d-s39b8bc07da7493d9
March: https://citrix.sharefile.com/d-s7d8999b053d404d9
April: https://citrix.sharefile.com/d-s6210f76d272418d8
May: https://citrix.sharefile.com/d-s3b6fca7101e4bda8
June: https://citrix.sharefile.com/d-s5bed85db98f40238
July: https://citrix.sharefile.com/d-sa17f2229f9b40ae9
