Concerns about Citrix NetScaler Web Application Firewall (WAF)

Let’s talk about a WAF, a Web Application Firewall, on a Citrix NetScaler. What is there to be concerned about? Is it worthwhile to consider a NetScaler as your WAF?

I do work for several companies, including Citrix Consulting Services. Recently I worked on some Web Application Firewall projects, so I have some experience with it.

Usual concerns

  1. Will a Citrix NetScaler really be a safe WAF?
  2. How well does it scale?
  3. Is it easy to implement?

1: How safe is a Citrix NetScaler Web Application Firewall (WAF)?

As far as I know, one of the biggest websites worldwide is using NetScaler WAF. They store hundreds of millions of customer records (including billing and credit card information). As far as we know, they have never been hacked so far. Their website seems to be safe. The same goes for a huge NGO which is very politically exposed. They are attractive to hackers from all over the world. They, too, are not known to have been hacked during the last few years.

I also know of banks that trust Citrix NetScaler Web Application Firewall (WAF); they are successful.

Last but not least, there are several certifications that our NetScaler WAF currently undergoes: NSS Labs recommends NetScaler WAF, as does ICSA Labs.

So I consider NetScaler WAF to be secure, if it’s set up correctly.

2: How well will it scale?

Well, that’s a problem indeed. And it depends (every architect’s standard answer to each and every question). To be honest, a WAF is overhead. Huge overhead. Every single packet flowing in (and, in many cases, flowing out) has to be inspected. So WAF has to be considered a burden on the CPU of a NetScaler.

Like every feature on NetScaler, WAF is not multithreaded, meaning: every Packet Processing Engine (PPE) processes a TCP packet flow independently of all other PPEs, and does everything on its own, not calling a single operating system function. There is just one thread, picking up the packet, applying all policies (responder, rewrite, WAF, …) and forwarding it to its destination. This design is great, as it makes a NetScaler a very stable box, but it may cause some CPU cores to be overloaded for a relatively long time. Overload on a CPU core means latency for a user. To avoid overload, average CPU has to stay under 75-80 %.

So, if you go with NetScaler WAF, you’ll have to be able to scale out. Scaling out may mean upgrading your box with bigger licenses. Bigger licenses may mean unlocking CPU cores and RAM. But it may also mean adding more NetScaler boxes. Adding more NetScaler boxes seems to mean a cluster. But as I personally would avoid a cluster, I’d rather load-balance NetScalers. So a typical WAF deployment would look like this:

A pair of NetScaler VPX (or SDX, MPX) boxes (in HA, tier 1) load balancing NetScaler MPX boxes (tier 2). These MPX boxes do both SSL-on- / off-loading and WAF. HA is not needed.

The tier 1 HA pair is just a load balancing vServer of type SSL bridge, using SSL session ID for persistence. The vServer is in source IP mode (SIP-mode), to preserve IP addresses for tier 2.

This setup scales easily and, at the same time, avoids typical cluster problems such as features not being available or being barely tested. We don’t use HA in tier 2, as load balancing in tier 1 takes care of high availability. We may scale out easily if performance is insufficient. We may even upgrade these boxes independently of each other. Of course we need one additional box in case one of these boxes goes down (n+1 principle).
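The tier 1 configuration described above could look like this on the NetScaler CLI. This is an added example, not configuration from the original post; all object names and IP addresses are constructed placeholders, and three tier 2 nodes are assumed (n+1 for a load that needs two).

```netscaler
# Tier 1 (HA pair): TLS is passed through unmodified; the tier 2 MPX boxes
# terminate SSL and run the WAF. Names and addresses below are placeholders.

# Tier 2 WAF nodes (assumed: three boxes, n+1)
add server waf-node-1 192.0.2.11
add server waf-node-2 192.0.2.12
add server waf-node-3 192.0.2.13

# SSL_BRIDGE services: tier 1 never decrypts the traffic.
# -usip YES keeps the client's source IP, so tier 2 WAF logs and
# IP-based policies see the real client instead of a tier 1 address.
add service svc-waf-1 waf-node-1 SSL_BRIDGE 443 -usip YES
add service svc-waf-2 waf-node-2 SSL_BRIDGE 443 -usip YES
add service svc-waf-3 waf-node-3 SSL_BRIDGE 443 -usip YES

# Public VIP: SSL bridge vServer with SSL session ID persistence, so a
# client's TLS session keeps landing on the tier 2 node that holds it.
add lb vserver vs-waf-tier1 SSL_BRIDGE 198.51.100.10 443 -persistenceType SSLSESSION -timeout 10

# Tier 1 health monitoring removes a failed node from rotation; this is
# what replaces HA pairs in tier 2.
bind lb vserver vs-waf-tier1 svc-waf-1
bind lb vserver vs-waf-tier1 svc-waf-2
bind lb vserver vs-waf-tier1 svc-waf-3
```

Because the services use the client’s source IP, return traffic from tier 2 must be routed back through tier 1; otherwise replies bypass the load balancer and connections break.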

3: Is it easy to implement?

Citrix sales (and some consultants) tend to answer this question with a clear and simple yes, as NetScaler comes with an integrated learning feature doing all the work for you. That’s really great!

I, however, being a consultant rather than a sales guy, would rather say no. As a customer, I’d absolutely like to have a consultant with long-term experience working on this project.

One of the biggest problems in security is a false feeling of safety. A WAF will always give you a sound feeling of security. Feeling secure makes people careless. But never forget: what if there is something wrong with your WAF?

You got it: your feeling of security may be just as wrong as your WAF setup.

