CitrixApplicationFirewallPO


  • 8/7/2019 CitrixApplicationFirewallPO


    www.citrix.com

    Citrix NetScaler Application Firewall Product Overview


    NetScaler Application Firewall

    Citrix NetScaler Application Firewall is a comprehensive web application security solution that blocks known and unknown attacks against web and web services applications. NetScaler Application Firewall enforces a positive security model that permits only correct application behavior, without relying on attack signatures. It analyzes all bi-directional traffic, including SSL-encrypted communication, to protect against a broad range of security threats without any modification to applications.

    NetScaler Application Firewall technology is included in and integrated with Citrix NetScaler, Platinum Edition, and is available as an optional module that can be added to NetScaler MPX appliances running NetScaler Enterprise Edition. NetScaler Application Firewall is also available as a stand-alone solution on five NetScaler MPX appliances, as well as a FIPS-140-2-compliant model. The stand-alone NetScaler Application Firewall models can be upgraded via software license to a full NetScaler Application Delivery Controller (ADC).

    Addressing security challenges

    Not only are web applications vulnerable to attack, they are attractive targets for hackers because they often have direct connectivity with one or more databases containing sensitive customer and company information. Protecting these applications with solutions that simply inspect application traffic to identify known attack signatures is insufficient. Threats against web applications are often devised specifically for a target application, making threat identification by network-level security devices (e.g., intrusion protection systems and network firewalls) impossible, leaving web applications exposed to a myriad of known and zero-day exploits. NetScaler Application Firewall comprehensively addresses the challenge of delivering centralized application-layer security for all web applications and web services.

    The positive security model advantage

    NetScaler Application Firewall enforces a positive security model to ensure correct application behavior. Instead of relying on attack signatures or pattern-matching techniques, the positive security model understands good application behavior, and treats all other traffic as malicious. This is the only proven approach delivering zero-day protection against unpublished exploits.

    Delivers PCI-DSS v.1.2 (section 6.5 and 6.6) compliance

    Protects credit and debit card account numbers to comply with the Payment Card Industry Data Security Standards.

    Prevents data losses for which government regulations require customer notification.

    Simplifies desktop management.

    Protects online revenue sources

    Ensures uptime of websites and web services by defeating L7 denial of service (DoS) attacks.

    Application learning ensures protection without false positives.

    Maintains trust relationship between consumer and vendor by preventing cross-site scripting (XSS) attacks.


    Meeting PCI compliance and auditing requirements

    NetScaler Application Firewall aids corporate IT security teams in conforming to governmental privacy regulations and industry mandates. For example, organizations subject to Payment Card Industry Data Security Standard (PCI-DSS) requirements can now fully meet the requirements detailed in PCI-DSS Section 6.6, which mandates the installation of a web application firewall in front of public-facing applications as one method of maintaining a proper security posture. In support of PCI security audits, NetScaler Application Firewall can generate dedicated reports detailing all security protections defined in the application firewall policy that pertain to PCI requirements. In addition, NetScaler Application Firewall prevents the inadvertent leakage or theft of sensitive information, such as credit card numbers or custom-defined data objects, by either removing or masking content from application responses before being publicly disclosed.

    Defeating XML-based threats

    In addition to detecting and blocking common application threats that can be adapted for attacking XML-based applications (i.e. cross-site scripting, command injection, etc.), NetScaler Application Firewall includes a rich set of XML-specific security protections. These include schema validation to thoroughly verify SOAP messages and XML payloads, and a powerful XML attachment check to block attachments containing malicious executables or viruses. NetScaler Application Firewall also thwarts a variety of DoS attacks, including external entity references, recursive expansion, excessive nesting and malicious messages containing either long or a large number of attributes and elements.

    Tailoring security policies

    NetScaler Application Firewall incorporates an advanced and proven adaptive learning engine that discovers aspects of application behavior that might be blocked by the positive security model even if the behavior is intended by the web application. This would include, for example, modifications made by client-side application scripting that legally modifies HTML form fields. Once application behavior is learned, NetScaler Application Firewall generates human-readable policy recommendations, which bring to security managers a clearer understanding of actual application behavior. Tailored security policies may then be applied to each application.

    Industry-leading performance

    NetScaler Application Firewall provides multi-gigabit performance to meet the needs of even the largest networks. In addition, the solution can actually improve application performance and lower response times by offloading compute-intensive tasks, such as TCP connection management, SSL encryption and compression from web servers. In addition, the integrated caching functionality available on the NetScaler platform offloads the servers while still applying full firewall functionality. Freeing valuable server resources improves the overall application experience.


    Flexibility to adapt to changing business requirements

    NetScaler Application Firewall permits flexible, stepwise deployment of web application protection. The default web application protection profile defends against the most common dangerous threats and adds full protection against both data theft and layer 4-7 denial of service (DoS) attacks.

    The advanced web application protection profile adds session-aware protections to protect dynamic elements, such as cookies, form fields and session-specific URLs. Such protection is imperative for any application that processes user-specific content, such as an e-commerce site. To make sure these security measures are compatible with any application, NetScaler Application Firewall learning capabilities help the administrator create managed exceptions and relaxations when the application's intended, and legal, behavior might otherwise cause a violation of the default security policy.

    Key features

    Protects online revenue sources

    Buffer overflow

    CGI-BIN parameter manipulation

    Form/hidden field manipulation

    Forceful browsing protection

    Cookie or session poisoning

    Cross-site scripting (XSS)

    Command injection

    SQL injection

    Error triggering sensitive information leak

    Insecure use of cryptography

    Server misconfiguration

    Back doors and debug options

    Rate-based policy enforcement

    Well-known platform vulnerabilities

    Zero-day exploits

    Content rewrite and response control

    Content Filtering

    Authentication, authorization and auditing

    L4-7 DoS protection

    Simplified management and deployment user interface

    Secure web-based GUI

    SSH-based CLI access network management

    SNMP

    Syslog-based logging

    PCI-DSS compliance reporting tool

    Comprehensive web server and web services security

    Deep stream inspection; bi-directional analysis

    HTTP & HTML header and payload inspection

    Full HTML parsing; semantic extraction

    Session-aware and stateful

    Protocol neutrality

    HTML form field protection:

    Required fields returned; no added fields allowed; read-only and hidden field enforcement

    Drop-down list & radio button field conformance

    Form-field max-length enforcement

    Cookie poisoning defenses ensure cookies are not modified

    Legal URL enforcement

    Web application content integrity

    Full SSL offload:

    Decrypts traffic prior to inspection; encrypts traffic prior to forwarding

    Configurable back-end encryption

    Support for client-side certificates

    XML data protection:

    XML security: protects against XML denial of service (xDoS), XML SQL injection and cross site scripting

    XML message and schema validation, format checks, WS-I basic profile compliance, XML attachments check

    URL transformation


    Worldwide Headquarters

    Citrix Systems, Inc.

    851 West Cypress Creek Road

    Fort Lauderdale, FL 33309, USA

    T +1 800 393 1888

    T +1 954 267 3000

    www.citrix.com

    Americas

    Citrix Silicon Valley

    4988 Great America Parkway

    Santa Clara, CA 95054, USA

    T +1 408 790 8000

    Europe

    Citrix Systems International GmbH

    Rheinweg 9

    8200 Schaffhausen, Switzerland

    T +41 52 635 7700

    Asia Pacific

    Citrix Systems Hong Kong Ltd.

    Suite 6301-10, 63rd Floor

    One Island East

    18 Westland Road

    Island East, Hong Kong, China

    T +852 2100 5000

    Citrix Online Division

    6500 Hollister Avenue

    Goleta, CA 93117, USA

    T +1 805 690 6400

    About Citrix

    Citrix Systems, Inc. (NASDAQ:CTXS) is the leading provider of virtualization, networking and software as a service technologies for more than 230,000 organizations worldwide. Its Citrix Delivery Center, Citrix Cloud Center (C3) and Citrix Online Services product families radically simplify computing for millions of users, delivering applications as an on-demand service to any user, in any location on any device. Citrix customers include the world's largest Internet companies, 99 percent of Fortune Global 500 enterprises, and hundreds of thousands of small businesses and prosumers worldwide. Citrix partners with over 10,000 companies worldwide in more than 100 countries. Founded in 1989, annual revenue in 2008 was $1.6 billion.

    ©2010 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, Citrix Delivery Center and NetScaler Application Firewall are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.

    | NetScaler Application Firewall Model | MPX 5500 | MPX 7500 | 9010 FIPS | MPX 9500 | MPX 10500 | MPX 12500 |
    |---|---|---|---|---|---|---|
    | Throughput-Basic mode (Mbps) | 500 | 1,000 | 500 | 2,000 | 3,000 | 5,000 |
    | Throughput-Advanced mode (Mbps) | 140 | 350 | 100 | 350 | 1,000 | 1,000 |
    | SSL Throughput (Mbps) | 500 | 1,000 | 500 | 3,000 | 5,000 | 5,000 |
    | SSL transactions/second | 4,000 | 8,000 | 4,400 | 16,000 | 24,000 | 48,000 |
    | Processors | Two (Dual core) | Four (Quad core) | Single | Four (Quad core) | Eight (Two quad core) | Eight (Two quad core) |
    | Memory | 4 GB | 8 GB | 2 GB | 8 GB | 16 GB | 16 GB |
    | Ethernet ports | 4x10/100/1000 BASE-T | 8x10/100/1000 BASE-T | 4x1000 BASE-X SFP (fiber or Cu) or 4x10/100/1000 BASE-T | 8x10/100/1000 BASE-T | 8x10/100/1000 BASE-T AND 8x1000 BASE-X SFP (fiber or Cu) or 2x10GBASE-X SFP+ and 8x10/100/1000 BASE-X SFP | 8x10/100/1000 BASE-T AND 8x1000 BASE-X SFP (fiber or Cu) or 2x10GBASE-X SFP+ and 8x10/100/1000 BASE-X SFP |
    | Power supplies | Single | Single-Optional Second | Dual | Single-Optional Second | Dual | Dual |
    | Height | 1U | 1U | 2U | 1U | 2U | 2U |

    Software upgrade: Upgrade option to MPX 9500; Upgrade option to MPX 12500

    Citrix NetScaler Application Firewall hardware platforms