Virtualization Forum 2015, Praha, 7.10.2015
Citrix hall
2. NetScaler Application Delivery Controller
What is NetScaler?
NetScaler is an enterprise-grade application delivery controller, or ADC. So, what does that mean?
NetScaler is the appliance that sits between external users and your back-end resources. The list of features and use cases for the NetScaler is so long, it would be easier to explain what it doesn’t do. But where’s the fun in that?
Let’s start off with the basics.
The primary features of the appliance are load balancing, AAA traffic management, traffic optimization, SSL offload and security.
3. Load Balancing
What is NetScaler?
Load balancing is the primary function of the NetScaler.
NetScaler routes traffic to back-end resources using a designated set of rules so that those back-end servers are not overloaded.
Several methods of load balancing are available, including:
• Least Connection
• Least Response time
• Round Robin
• SNMP based
• Hash based
• ….
4. AAA Traffic Management
What is NetScaler?
AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.
This feature incorporates the three security features of authentication, authorization, and auditing.
5. Traffic Optimization
What is NetScaler?
Traffic optimization is a feature set on the NetScaler that includes:
• Integrated Caching
• HTTP Compression
• Front End Optimization
• TCP Optimization
6. SSL Offload and Acceleration
What is NetScaler?
A Citrix NetScaler appliance configured for SSL acceleration transparently accelerates SSL transactions by offloading SSL processing from the server.
To configure SSL offloading, you configure a virtual server to intercept and process SSL transactions, and send the decrypted traffic to the server (unless you configure end-to-end encryption, in which case the traffic is re-encrypted).
Upon receiving the response from the server, the appliance completes the secure transaction with the client.
From the client's perspective, the transaction seems to be directly with the server.
A NetScaler configured for SSL acceleration also performs other configured functions, such as load balancing.
7. Web Application Firewall
Diagram: Web App Users on the Internet → Citrix NetScaler (alongside the network firewalls) → Application Infrastructure; legitimate traffic is allowed through, application attacks are blocked.
• Blocks dozens of zero-day attack vectors
o Includes CSRF, XPath injection, XML attachment checks
• Bi-directional inspection: advanced attack prevention
• SSL traffic supported
• Sustained protection to 40 Gbps
• ICSA certified
• OWASP Top 10
8. NetScaler TriScale Technology
What is NetScaler?
Citrix TriScale technology revolutionizes enterprise cloud networks by providing unrivaled capabilities that smartly and affordably scale application and service delivery infrastructures without additional complexity.
9. NetScaler ADC Use Cases
What is NetScaler?
Use cases for the NetScaler ADC include:
• Web application management
• Load balancing
• Web application security
• Server offloading
• Remote access
• Database optimization
• Traffic optimization
• Web Application Firewall
• DoS/DDoS protection
• ……
11. NetScaler Offerings
Licensing
Standard Edition: Comprehensive L4-7 load balancing that optimizes expensive server and network resources to reduce cost
Enterprise Edition: Web application delivery solution providing advanced traffic management and powerful application acceleration
Platinum Edition: Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost
30. What’s new in NetScaler with Unified Gateway
Consolidation (& Flexibility): Future-proof architecture
• One URL provides consolidation
• Content Switching allows one URL for all applications
• Flexibility to choose any device type from any location
Security: Granular and dynamic security policies
• Full SSL VPN tunnel and per-app VPN tunnel for iOS and Android improves security
• SmartCompliance allows centralized management
• Support for iOS, Android and Linux VPN clients
Experience: One click access to all apps
• Highly customizable portal
• GUI – usability simplification and dashboard
Diagram labels: SaaS, Gateway, ICA Proxy, SSL VPN, Network, Visibility + Control, Threats, Access, QoS, Optimized, SLAs, Video
32. Unified Gateway provides One URL to any application
Diagram: a CS (content switching) V-Server fronts one URL ("One URL, Login Once") and switches to an LB V-Server (reverse proxy) or a Gateway V-Server, each providing SSO to Citrix Apps, OWA, SharePoint, SaaS, Enterprise Apps, Mobile Apps and Web Apps.
37. NetScaler Security Announcements
After the NSS Labs report – code changes in AppFW drove a performance increase of 100-200%.
Available now in latest 10.5.e build and 11.0.
Other enhancements include location-based detection and protection plus request capturing (trace) for blocked requests.
38. New Cipher Support
AES-GCM/SHA-2
• Front-end on MPX, SDX (PX, N3)
• TLSv1.2 only.
ECDHE
• Back-end on MPX, SDX (PX, N3)
• Note: ECDHE on front-end GA’ed in 10.1, 10.5
Support on other platforms (FIPS, VPX) coming soon.
39. DEFAULT Cipher Alias Re-ordering (Front-end)
Give preference to AES/AES-GCM/ECDHE ciphers.
De-prioritize RC4 ciphers.
No ciphers dropped.
New Cipher Re-Order List
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
TLS1.2-AES-256-SHA256 (0x003d)
TLS1.2-AES-128-SHA256 (0x003c)
TLS1.2-AES256-GCM-SHA384 (0x009d)
TLS1.2-AES128-GCM-SHA256 (0x009c)
TLS1-ECDHE-RSA-AES256-SHA (0xc014)
TLS1-ECDHE-RSA-AES128-SHA (0xc013)
… 28 ciphers…
Old Cipher Re-Order List
SSL3-RC4-MD5 (0x0004)
SSL3-RC4-SHA (0x0005)
SSL3-DES-CBC3-SHA (0x000a)
TLS1-AES-256-CBC-SHA (0x0035)
TLS1-AES-128-CBC-SHA (0x002f)
SSL3-EDH-DSS-DES-CBC3-SHA (0x0013)
TLS1-DHE-DSS-RC4-SHA (0x0066)
TLS1-DHE-DSS-AES-256-CBC-SHA (0x0038)
… 28 ciphers…
40. DTLS Enhancement
Support for PFS cipher
• DHE
DTLS used for Framehawk support
• XA/XD attach.
• NS Gateway, TURN protocol.
41. SSL Profile
New changes:
• Cipher setting on a profile.
• Cipher Alias, User-defined Cipher Group, Single Cipher.
• Default profile will have the “DEFAULT” or “FIPS” cipher alias on the Front-end profile, and the “ALL” or “FIPS” cipher alias on the Back-end profile.
• Different ciphers or cipher groups/aliases with priority settings.
• While choosing a cipher suite:
a. First the cipher suites in the highest-priority cipher group are checked.
b. The cipher suites inside the cipher group are considered according to their relative priority inside the group.
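The selection rule on this slide, together with the DEFAULT alias re-ordering on slide 39, is easy to see in code. The following is an added example, not NetScaler code: it models a server that walks the bound cipher groups in priority order and picks the first suite the client also offered. It assumes a lower priority number is tried first, the client offer is the list of suite codes from its ClientHello, and the RC4 suites sit at the tail of the new DEFAULT list (the slide elides the full 28-entry list).

```python
# Added example, not NetScaler code. Models the cipher selection described on
# slides 39 and 41: bound cipher groups are tried in priority order and, inside
# a group, suites in their relative order; the first suite the client offered wins.
# Assumption: a lower priority number means the group is tried first.

# Suite name -> code, taken from the two DEFAULT alias lists on slide 39.
SUITES = {
    "SSL3-RC4-MD5": 0x0004,
    "SSL3-RC4-SHA": 0x0005,
    "SSL3-DES-CBC3-SHA": 0x000A,
    "TLS1-AES-256-CBC-SHA": 0x0035,
    "TLS1-AES-128-CBC-SHA": 0x002F,
    "TLS1.2-AES256-GCM-SHA384": 0x009D,
    "TLS1.2-AES128-GCM-SHA256": 0x009C,
    "TLS1-ECDHE-RSA-AES256-SHA": 0xC014,
}
# Leading entries of the old and new DEFAULT orderings from slide 39; the RC4
# suites are placed at the tail of the new list to model "de-prioritized" (assumption).
OLD_DEFAULT = ["SSL3-RC4-MD5", "SSL3-RC4-SHA", "SSL3-DES-CBC3-SHA",
               "TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA"]
NEW_DEFAULT = ["TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA",
               "TLS1.2-AES256-GCM-SHA384", "TLS1.2-AES128-GCM-SHA256",
               "TLS1-ECDHE-RSA-AES256-SHA", "SSL3-RC4-MD5", "SSL3-RC4-SHA"]


def select_cipher(bound_groups, client_offer):
    """bound_groups: list of (priority, [suite names]); client_offer: suite codes.
    Returns the negotiated suite name, or None when nothing overlaps."""
    offered = set(client_offer)
    for _, group in sorted(bound_groups, key=lambda g: g[0]):  # a. highest-priority group first
        for name in group:                                     # b. relative order inside the group
            if SUITES[name] in offered:
                return name
    return None


# Constructed client offer: an RC4 suite and an AES-GCM suite (client order is irrelevant).
CLIENT = [0x009C, 0x0004]


def negotiated_old():
    return select_cipher([(1, OLD_DEFAULT)], CLIENT)   # "SSL3-RC4-MD5"


def negotiated_new():
    return select_cipher([(1, NEW_DEFAULT)], CLIENT)   # "TLS1.2-AES128-GCM-SHA256"


def negotiated_custom():
    # A user-defined group bound ahead of DEFAULT is checked first, so it forces
    # ECDHE for any client that supports it even though DEFAULT also lists it.
    return select_cipher([(1, ["TLS1-ECDHE-RSA-AES256-SHA"]), (2, NEW_DEFAULT)],
                         CLIENT + [0xC014])            # "TLS1-ECDHE-RSA-AES256-SHA"
```

The same client offer negotiates RC4-MD5 under the old ordering and AES-GCM under the new one, which is the whole point of re-ordering without dropping suites.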
43. NS integration with Thales HSM
Thales HSM can be used to provide a FIPS solution for non-FIPS MPX/SDX/VPX appliances.
Releases: 11, 10.5.e (rs_105_e 53_9008_e+)
Diagram labels: NW SWITCH, SWITCH, Thales HSM, Remote File Server (RFS), BS
47. TCP Nile Congestion Control
• We introduce a new congestion control algorithm for high-speed networks, called TCP-Nile.
• TCP-Nile uses packet loss information to determine whether the window size should be increased or decreased, and uses queueing delay information to determine the amount of increment or decrement.
• TCP-Nile achieves high throughput, allocates the network resource fairly, and is incentive compatible with standard TCP.
49. Simple and powerful customizations using scripting
Policy is the first NS feature to support NS Extensions
Policy extensions are called Extension Functions
Citrix Confidential - Do Not Distribute
NetScaler Extensions