Akhil Nair
Prerequisite: Customers need a Premium NetScaler license and ADM Service to enable the API Gateway.
The rise of API-driven software has seen a corresponding rise in API-related security attacks. In the last few years, the industry has seen an increase in data breaches across companies of all shapes and sizes. Notable enterprises such as Venmo, Experian, and Peloton among others have all been victims of API attacks and data breaches. This has led to the exposure of millions of personally identifiable information (PII) records of their customers, costing millions in damages and fines.
As organizations realize the critical need for effective API security in their overall security posture, Citrix API Gateway is one solution that is ready to solve the challenge. Three simple steps let organizations protect their APIs by deploying them behind the Citrix API Gateway:
1. Onboarding the API
2. Deploying the API
3. Enabling Policies

Onboarding the API
    To onboard your API to the Citrix API Gateway, the first step is uploading the API specification. An API specification is a high-level blueprint of how your API works structurally. Although sometimes development teams may overlook creating an API specification, it is an incredibly important step in the end to have secure applications.
    The OpenAPI Specification (OAS), previously known as Swagger, is one such standard interface for RESTful API specifications, allowing APIs to be discovered and understood by both computers and humans. An OAS specification is represented as an object in a JSON or YAML file. No need to worry if you don’t have your API spec already created. You can create one manually inside the Citrix API Gateway.
    To begin, navigate to your instance of Citrix ADM and login. Once there, follow these steps.
1. Go to the sidebar and click Security >> API Gateway >> API Definitions.
2. Click Add and either upload your OAS API specification file (if you have one) OR select Create Your Definition to create one manually.
Now that you’ve added your API spec, it’s time to deploy your API to the gateway.
    Deploying the API
1. Go to the sidebar and click Security >> API Gateway >> Deployments.
2. Click Add and fill out the details under Deployment Basic Info: give your deployment a name and select the target API gateway (NetScaler) from the drop-down menu. Select the relevant API definition and fill out details such as IP address, port, certificate, and so on.
3. Under Upstream Services, click Add to configure your Upstream API Services (your back-end API services).
4. Under Routing, add routes for the Upstream API Services you created. Routing tells the API Gateway how to route incoming API calls to the right back-end service.
Enabling Policies
    The next step in the deployment process is to create policies for the API Upstream Services or back end API services.
1. Go to the sidebar and click Security >> API Gateway >> Policies.
2. Click Add. Fill out a name, select a deployment, and choose the appropriate upstream service.
3. Click Add to create policies against different API resources. Useful policies include rate limiting, authorization, WAF, Bot, header rewrite, and deny. You can also create custom rules according to your business needs.
4. Once all policies are in place, click Save and Apply.
And that’s it. You’ve successfully onboarded your API to the Citrix API Gateway. This is one step that pays dividends in the end, as your APIs and applications are now more secure. Not only does this help limit your attack surface, it also gives you holistic visibility into your API ecosystem (via the API Analytics feature). This lets you monitor API performance, discover shadow and leaky APIs, monitor endpoint activity, and gain various insights on your API deployments.
    With the added level of security, rest assured knowing that the Citrix API Gateway takes care of the tedious and keeps your applications much more secure.

    Akhil Nair
    Whether you’re developing a software program or building a website, you may often find yourself, either as a front-end or back-end developer, requiring an application programming interface (API). APIs are the protocols, routines, and utilities that work behind the curtain to facilitate communication among web and mobile apps, and they’ve completely changed how we use mobile and web apps. They’re the key integration point, and you can usually find an API for almost anything such as current local weather information, Netflix content, or Google search information.
    The global API management market is expected to grow from USD 1.2 billion in 2018 to USD 5.1 billion by 2023, at a compound annual growth rate 32.9 percent. The key drivers for that include increased demand for API-led connectivity and the need for public and private APIs to accelerate digital transformation. Three significant shifts in the industry have led to this amazing growth:
- Consumer shift from single-device to multi-device usage
- Architecture shift from monolithic applications to microservices
- Infrastructure shift from on-prem to cloud
Along with these shifts in the industry have come ever-increasing complexity, lack of clear visibility into API access, and new and increased levels of attacks on APIs.
    In this post, we will look at the NetScaler’s API security offering. We will also examine the security issues that shadow APIs can pose to organizations and how API discovery can help eliminate the security risks associated with shadow APIs.
    NetScaler API Security
    NetScaler API security offers comprehensive protection for your APIs so that you can secure your organization’s valuable app and data assets. Because our API security is built on top of NetScaler ADC, it delivers a level of performance and security built up over two decades.
    NetScaler API security front ends API services and acts as a gateway and single point to enforce security policies on the APIs. NetScaler API security works in conjunction with NetScaler Application Delivery Management (ADM) to provide insights into API performance and to help you make more informed decisions. The API gateway provides a single point of entry for API calls, and it helps you to configure, manage, and secure API endpoints. It can perform rate limiting, authentication and authorization, content routing, and additional tasks to ensure secure, reliable access to back-end services via your APIs.
    You can use NetScaler ADM to manage your API gateway, and NetScaler API security uses machine learning in NetScaler ADM to thwart cyberattacks like excessive data exposure (OWASP API-3) and attempted account takeovers.
    Shadow APIs and API Discovery
    Agile development processes help software teams to make smaller incremental changes to code at a rapid pace, and APIs enable DevOps to focus on accelerating the pace of innovation by continuously delivering new apps and APIs. However, this speed of innovation can create silos, especially in organizations in which multiple teams are involved.
Shadow APIs are APIs that were created or deployed outside of an organization’s documented publication process, that do not conform to their specifications, or that are older versions never properly end-of-lifed. They can introduce security risks that lead to data loss, fraud, or abuse: shadow or deprecated APIs may not be subject to an organization’s normal security policies, and they may transmit sensitive information or confidential PII data with no security oversight. Automatic API discovery, inventory, and assessment of your APIs help eliminate the security risks associated with shadow APIs.
    NetScaler API Discovery and Analytics
    NetScaler API security learns about APIs by onboarding API definitions from an OAS file. OAS (OpenAPI Specification) is a community-driven open specification within the OpenAPI Initiative, a Linux Foundation Collaborative Project. OAS defines a standard, programming language-agnostic interface description for REST APIs.
    The ability to onboard APIs from an OAS file dramatically speeds up the configuration of your NetScaler API security functionality. What used to be a time-consuming, manual process is simplified and automated with NetScaler ADM. It will accept new API definitions from an OAS file and lets you configure your API gateway policies and then deploy them to NetScaler ADC in a matter of minutes, enabling you to deploy new apps securely and quickly.
    Follow these steps to create an API Definition in NetScaler ADM:
1. Navigate to Applications → API Gateway → API Definitions.
2. Click Add.
3. To create your definition from an API specification file, click “Upload OAS Specification” and upload the file (Swagger 2.0 or OpenAPI 3.0). NetScaler ADM parses it and auto-populates the information needed for the API definition.
4. Alternatively, select Create Your Definition and enter the required API information manually:
   Name: a name for the API definition.
   API Definition: title, version, base path, and host. The host can be a domain name or an IP address.
   API Resources: add one or more API resources to your definition. Each resource has a path and its supported methods.
5. Click Create.
NetScaler API Discovery
    NetScaler’s integrated API discovery offering helps to make your API security more effective and simpler to deploy and makes automating and centralizing the visibility of all of your APIs easy. API discovery enables you to create an inventory of all APIs and delivers insights into API usage and security metrics.
    API discovery identifies the REST/HTTP API traffic transactions as seen by the NetScaler ADC (API Security/Gateway) data plane for the selected duration. All virtual servers and API deployments that have API traffic are displayed.
    When you select a specific virtual server or API deployment, you’ll get an inventory view of all API endpoints and methods for which the API traffic was observed with the following information:
- Method: the method used on the API endpoint (for example, GET or POST).
- Total requests: the count of API requests on the endpoint.
- Response statuses: the count for each response status class (2xx, 3xx, 4xx, and 5xx).
- Found in Spec: this column appears only for API deployments. Internal APIs that are not part of the API definition can still receive traffic from outside; this column tells you whether the observed endpoint and method are present in the onboarded API definition, which is how you discover shadow or unpublished APIs. Check here for shadow APIs: analyze them to ensure they conform to your specifications, that they were not deployed outside your documented publication process, and that no older or end-of-lifed versions are still being served. Shadow APIs found this way can be mitigated before they lead to data loss, fraud, or business-logic abuse.
- API deployments: APIs that are deployed from NetScaler ADM using an API definition. The API deployments tab discovers API endpoints when the deployments receive requests during the selected period; its Found in Spec column helps you discover shadow APIs and mitigate them in a timely way.
    You can also select the required API endpoint to view its detailed analytics report. The detailed analytics report provides API endpoint performance and usage data such as response time, bandwidth consumption, geo locations from where the API endpoints were accessed, and HTTP response status of API endpoints. API analytics enables visibility into API traffic and allows IT administrators to monitor API instances and endpoints served by an API gateway.
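The Found in Spec check described above, as an added example that is not part of the original post and not NetScaler code: a small Python script that takes a constructed OpenAPI 3.0 definition (the same kind of file the API Definitions step uploads), matches constructed access-log lines against its paths and methods, and lists the endpoints that received traffic without being in the definition. The orders API, its paths, and the log lines are all assumptions made for this example.

```python
"""Offline 'Found in Spec' check: observed API traffic vs. an OpenAPI definition.

Added example; it is not NetScaler code. Every observed (method, path) pair is
matched against the paths and methods declared in an OAS 3.0 document, and
anything that does not match is reported as a candidate shadow API. The OAS
document and the access-log lines are constructed for this example.
"""
import json
import re
from collections import Counter

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed OAS 3.0 definition for a small (assumed) orders API.
OAS_JSON = json.dumps({
    "openapi": "3.0.0",
    "info": {"title": "Orders API", "version": "1.0"},
    "servers": [{"url": "/api/v2"}],
    "paths": {
        "/orders": {"get": {}, "post": {}},
        "/orders/{orderId}": {"get": {}, "delete": {}},
        "/users/{userId}/profile": {"get": {}},
    },
})

# Constructed access-log lines: METHOD PATH STATUS, one request per line.
ACCESS_LOG = """\
GET /api/v2/orders 200
POST /api/v2/orders 201
GET /api/v2/orders/1234 200
PUT /api/v2/orders/1234 405
GET /api/v2/users/42/profile 200
GET /api/v2/users/42/export 200
GET /api/v1/orders 200
GET /api/v2/admin/debug 200
"""

_TEMPLATE_VAR = re.compile(r"\{[^/}]+\}")


def template_to_regex(base, template):
    """Turn '/api/v2' + '/orders/{orderId}' into a regex where each {var} matches one path segment."""
    parts = []
    for seg in (base + template).split("/"):
        parts.append(r"[^/]+" if _TEMPLATE_VAR.fullmatch(seg) else re.escape(seg))
    return re.compile("^" + "/".join(parts) + "/?$")


def compile_spec(oas_text):
    """Return [(regex, set_of_methods)] for every path under every server base in the spec."""
    spec = json.loads(oas_text)
    bases = [s.get("url", "") for s in spec.get("servers", [])] or [""]
    routes = []
    for template, ops in spec["paths"].items():
        methods = {m.upper() for m in ops if m.lower() in HTTP_METHODS}
        for base in bases:
            routes.append((template_to_regex(base, template), methods))
    return routes


def parse_log(log_text):
    """Yield (method, path, status) from the constructed log format; query strings are dropped."""
    for line in log_text.splitlines():
        if line.strip():
            method, path, status = line.split()
            yield method.upper(), path.split("?", 1)[0], int(status)


def classify(oas_text, log_text):
    """Inventory observed endpoints with request counts, status classes and a Found in Spec flag."""
    routes = compile_spec(oas_text)
    report = {}
    for method, path, status in parse_log(log_text):
        # In spec only if BOTH the path template and the method are declared.
        found = any(rx.match(path) and method in methods for rx, methods in routes)
        entry = report.setdefault((method, path),
                                  {"found_in_spec": found, "requests": 0, "statuses": Counter()})
        entry["requests"] += 1
        entry["statuses"]["%dxx" % (status // 100)] += 1
    return report


def shadow_endpoints(oas_text, log_text):
    """Sorted (method, path) pairs that received traffic but are not in the definition."""
    return sorted(ep for ep, e in classify(oas_text, log_text).items() if not e["found_in_spec"])


if __name__ == "__main__":
    for method, path in shadow_endpoints(OAS_JSON, ACCESS_LOG):
        print("shadow API candidate:", method, path)
```

The PUT on /api/v2/orders/1234 is the case worth noticing: the back end answered 405, but the request still reached it; a gateway that only allows methods declared in the definition denies it before that. Note also that a {var} segment matches any single path segment, so a discovered GET /api/v2/orders/export would be reported as in spec; where the definition uses broad templates, compare against the concrete resources you expect.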

    Learn More
    Effective API security requires that multiple tools work in concert. NetScaler’s API security solutions can protect your most important assets from harm and help you to ensure your workforce can be productive from anywhere.

    Isha Khurana
Digital transformation and cloud application adoption are top business imperatives, and the need to connect a growing number of apps and digital experiences is only increasing. APIs give developers easy access to apps and the ability to combine digital assets in different systems, even if those systems were never intended to interoperate.
    APIs can automate the transfer of data between different apps and systems, ensuring greater efficiency, improved reliability, and faster rollouts for innovative solutions. According to the State of API Integration Report*, 83 percent of IT specialists, whether focused on the frontend or backend, consider API integration vital for their business. This has put DevOps front and center in digital business strategy as companies seek simple, streamlined ways to develop, deploy, change, and manage apps.
    Traditional automation methods like custom scripting, direct integrations, and web services introduce more complexity, and IT teams largely rely on REST APIs to facilitate their automation journey. As a result, Bain & Company estimates, the number of companies scaling their automation will double by 2023**.
    Security is the top priority for most organizations, and there’s increased demand for secure integrations with other APIs and systems. Organizations want and need products that can ensure a frictionless API integration experience. NetScaler App Delivery and Security Service provides a simple and rich app-centric configuration model for seamless app delivery, augmented with sophisticated analytics, rich security, and self-healing capabilities.
    NetScaler App Delivery and Security Service's APIs are designed using an “outside-in” approach, simplifying the user and developer experience. From APIs, API documentation, API developer portals, and API artifacts, NetScaler App Delivery and Security Service provides simple and intuitive APIs that offer a self-service developer portal, complete documentation, a great onboarding experience, consistent and useful error messaging, code samples, Postman scripts, and a free developer tier.
    NetScaler App Delivery and Security Service's REST APIs lets you build and tailor solutions to suit your business or functional intent. This is essential in enabling integration between discrete microservices APIs. NetScaler App Delivery and Security Service APIs are well documented on NetScaler's Developer Portal using the OpenAPI standard (formerly known as Swagger) to show parameters, enable live calls, and provide the specification itself for download by developers.
    DevOps teams use a variety of tools to automate APIs and set up new environments, which allows them to treat infrastructure as code. As APIs are becoming an essential component of software development, it’s necessary for developers and programmers to manage every stage of the API lifecycle. Let’s look at how the NetScaler App Delivery and Security Service does it.
    Postman Integration
NetScaler App Delivery and Security Service integrates with Postman so you can incorporate automated testing into your CI/CD pipeline, simplify each step of building an API, and streamline collaboration to create better APIs faster. Key benefits of the NetScaler App Delivery and Security Service APIs and Postman integration include:
- API-First Development: build and release reliable services by defining the API before deploying code.
- Application Development: eliminate dependencies and reduce time to production by having front-end and back-end teams work in parallel against the API.
- Automated Testing: automate manual tests and integrate them into your CI/CD pipeline so that code changes do not break the API in production.
- Exploratory Testing: explore the API’s output data for different variable inputs.
- Developer Onboarding: quickly get consumers up to speed on what your API can do and how it works.
- Developer Portals: enable internal and external consumers to consume APIs for app delivery and security.
Delivering an app through Postman
Terraform Integration for Automating Intent
To let DevOps teams implement business intent, NetScaler Application Delivery and Security Service supports Terraform for infrastructure-as-code automation. Its APIs can be used to build Terraform configurations that express business intent in human-readable, declarative files. When you apply these configuration files, each Terraform resource (backed by Nitro API calls to NetScaler Application Delivery and Security Service) provisions and integrates NetScaler ADC into your app delivery lifecycle, removing manual, error-prone steps.
    NetScaler Application Delivery and Security Service is useful in scenarios where admins want a SaaS solution that helps them manage, monitor, analyze, and troubleshoot their global hybrid multi-cloud application delivery infrastructure from a single touchpoint. The key benefits of NetScaler Application Delivery and Security Service APIs are:
- Enabling Operational Efficiency: NetScaler Application Delivery and Security Service enables operational efficiency by providing an exceptionally reliable, available workflow execution engine that scales to meet your needs.
- Enabling DevOps Automation: Customers expect their CloudOps and DevOps teams to be able to leverage automation. NetScaler Application Delivery and Security Service APIs reduce operational overhead and free up IT and DevOps staff to focus on work that adds business value by running cloud management tasks automatically.
- No Upfront Investment: Organizations can innovate without making large upfront investments in equipment and can power systems down to reduce costs as needed.
- Unlock New Use Cases: It opens the door to innovation, making it possible to unlock use cases that enable access to new customers and seamless integrations with third-party applications.
- Increase Customer Retention and Experience (CX): Today’s users demand the ability to stitch together apps and features from different vendors. Products that integrate are more valuable to customers and get more use.
- Faster Time to Market: It gives you the flexibility to build the front end independently of the back end and reuse components, focusing on core business capabilities and not the long tail.
To get started with NetScaler Application Delivery and Security Service and your intent-based app delivery journey, go to your account today and access the App Delivery and Security tile for your 60-day free trial.
    Sources
    * 83 percent of IT specialists (frontend and backend developers), consider API integration vital for their business, per the State of API Integration Report.
    ** Bain & Company estimates number of companies scaling their automation will double by 2023.

    Akhil Nair
Key Use Cases:
Unified Application Security - A new configuration workflow that consolidates all WAF and Bot capabilities into a single pane of glass and abstracts away the need to learn how each security feature works. End users get templates such as OWASP Top 10 checks and CVE-related checks. It is available in ADM Service and in ADM on-prem starting from version 14.1 build 12.x.
WAF Recommendation Scanner on ADM on-prem - Available as part of the Unified Application Security workflow, users can now scan their external or internal web apps, and the scanner automatically suggests WAF checks based on the web app’s underlying technology. Available in ADM on-prem starting from version 14.1 build 12.x.
API Security: API-aware NetScaler as proxy - API specification files can now be uploaded to the ADC directly to validate every endpoint and ensure that requests conform to the schema. Additionally, you can apply WAF or AAA policies and use PI expressions to apply security, authenticate endpoints, or route API traffic.
    Other use cases:
Protect internal apps accessed via Gateway (SPA/StoreFront) from malicious attacks - You can now protect all applications behind a VPN virtual server by binding Web App Firewall policies to the VPN virtual server.
For example, a company hosts three critical applications (SAP, Workday, and Tally) behind one VPN virtual server:
1. Create one Web App Firewall profile per application and configure each profile with the security checks that application needs.
2. Add an app firewall policy for each application whose rule selects that application’s traffic, and associate the policy with its profile:
add appfw policy sap_policy q^HTTP.REQ.URL.CONTAINS("sap.com")^ pr-basic1
add appfw policy workday_policy q^HTTP.REQ.URL.CONTAINS("workday.com")^ pr-basic2
add appfw policy tally_policy q^HTTP.REQ.URL.CONTAINS("tally.com")^ pr-basic3
3. Bind the created policies to the VPN virtual server.
    Bot related expressions - You can now use bot related expressions in your policies for routing or taking a certain action on your traffic.
    For example - 
    HTTP.REQ.BOT.IS_SUSPECTED - Returns true if the client is suspected as a BOT.
    HTTP.REQ.BOT.TYPE.EQ(<bot type>) - Returns true if the client BOT type is the same as the argument. Possible values of BOT types: GOOD, BAD, and UNKNOWN.
    Security violations display OWASP tags - In the NetScaler Console GUI, the security violations now display OWASP tags. It supports the OWASP 2017 and OWASP 2021 lists and these tags help you determine whether the violation belongs to the OWASP top 10 list.
Create or Update API definitions from discovered API endpoints - NetScaler admins can create a new API definition, or update an existing one, from the API endpoints that discovery has observed. This removes the need to wait for an API schema file from the app owners or developers.
    Proxy auth support for signatures and IP Reputation - In cases where NetScaler cannot connect to the internet directly or if the customer needs an added layer of security, one can configure a proxy server for retrieving latest WAF and Bot signatures and IP Reputation feeds.
    Custom keyword support for JSON payload - SQL injection and command injection have a predefined set of keywords or patterns that they look for in the incoming requests. However, if the end user wants to add additional keywords to reduce false positives, they can leverage this feature to add custom keywords of their choice.
    CLI/API support to enable WAF signatures - You can now enable individual signatures in your NetScaler Web App Firewall through CLI commands or API calls.
    For example:
import appfw signatures DEFAULT object_name -sigRuleId 1001 9882 2000 1250 810 -Enabled ON -Action LOG BLOCK
import appfw signatures DEFAULT object_name -sigCategory web-misc -Enabled ON -Action LOG BLOCK
Configurable payload size for inspection - Post Body Limit (Bytes) limits the size of the request payload, in bytes, that Web App Firewall inspects.
Default value: 20000000 (20 MB). Minimum value: 0. Maximum value: 10 GB.

    Guest
    NetScaler WAF Signatures Update v122
     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with variable CVSS.
CVE-2023-50968: An arbitrary file properties reading flaw in Apache Software Foundation Apache OFBiz. The same URI that can be called without authorization can also be used to carry out a server-side request forgery (SSRF) attack, again without authorization. The vulnerability has been fixed in version 18.12.11, and users are recommended to upgrade to that version.
CVE-2023-51467: An authentication bypass flaw in Apache OFBiz. A threat actor sends an HTTP request that abuses a flaw in the checkLogin function: when null or invalid username and password parameters are supplied and the requirePasswordChange parameter is set to Y in the URI, checkLogin fails to validate the credentials, leading to authentication bypass. The vulnerability has been patched in Apache OFBiz version 18.12.11 and later.
    It is important to protect against these vulnerabilities as they can lead to unauthorized access to the system, compromising confidential information and disrupting vital services. The exploit might also create opportunities for supply chain attacks. Therefore, it is recommended that users upgrade to the latest version of Apache OFBiz (version 18.12.11 or above) to mitigate these vulnerabilities.
Signatures included in v122:

Rule    CVE ID           Description
998554  CVE-2023-51467   WEB-MISC Apache Ofbiz Multiple Versions - Server-Side Request Forgery Vulnerability (CVE-2023-51467)
998555  CVE-2023-50968   WEB-MISC Apache Ofbiz Multiple Versions - Server-Side Request Forgery Vulnerability (CVE-2023-50968)
998557  CVE-2023-48777   WEB-WORDPRESS Elementor Plugin Prior to 3.18.1 - File Upload/Remote Code Execution Vulnerability Via ID (CVE-2023-48777)
998560  CVE-2023-49105   WEB-MISC ownCloud Prior to 10.13.1 - Access Control Bypass Vulnerability (CVE-2023-49105)
999415  CVE-2020-9446    WEB-MISC Apache OFBiz 17.12.03 - XML-RPC Unsafe Deserialization Vulnerability (CVE-2020-9446)
999416  CVE-2020-9446    WEB-MISC Apache OFBiz 17.12.03 - XML-RPC Cross-Site Scripting Vulnerability (CVE-2020-9446)
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 122 or later and then follow these steps:
1. Search your signatures for <number>.
2. Select the results with ID .
3. Choose “Enable Rules” and click OK.
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
Handling false positives
If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:
add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")
Prepend the existing WAF policy rule with:
HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
NOTE: A request whose URL matches any pattern in exception_list bypasses this WAF policy entirely, not only the signatures above, so the endpoints behind those patterns are exposed to every risk the policy mitigates. Keep the list as narrow as possible and remove entries once the false positive has been addressed.
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.

    Chris Chau
Join our upcoming webinar to explore the intricate landscape of cloud deployments, including dependencies such as security groups, IAM roles, and much more at the cloud environment level. For customers transitioning from on-premises to the cloud, replicating NetScaler deployments can be daunting. The NetScaler Cloud Sanity Checker tool validates each aspect of the deployment and provides actionable insights for error scenarios.
     
    In this live demo, NetScaler experts will cover:
- Overview of NetScaler Public Cloud
- Common challenges with cloud deployments
- How the NetScaler Cloud Sanity Checker tool works
Detailed information can be found in the following eDoc link:
NetScaler Hybrid Multicloud Deployment: https://docs.netscaler.com/en-us/netscaler-console-service/hybrid-multi-cloud-deployments
For the latest NetScaler technical information, please visit and register with our NetScaler Community: https://community.netscaler.com

    Chris Chau
    Join us for a live demonstration session where we will dive into the art of tuning the NetScaler VPX running on ESX for the best performance. Get ready to explore the keys to achieve top-tier efficiency in this interactive, hands-on session.
     
    In this live demo, we will:
- Uncover the techniques and best practices to supercharge your application delivery and network performance
Detailed information can be found in the following eDoc link:
Optimize the NetScaler VPX Performance: https://docs.netscaler.com/en-us/citrix-adc/current-release/deploying-vpx/vpx-performance-on-esx-kvm-xen.html
For the latest NetScaler technical information, please register and visit our NetScaler Community: https://community.netscaler.com

    Chris Chau
    When NetScaler is deployed as a proxy for application deployments, NetScaler inspects each user request or response for global routing and local data center routing. With the thousands of logs and counters provided by NetScaler you can have granular information about HTTP, TCP, SSL, and DNS packets. You can leverage such rich data and insights from NetScaler to troubleshoot and pinpoint issues. You can export the data from NetScaler to your preferred observability endpoints to create visualizations and get real-time, granular application insights.
     
NetScaler Intelligent Traffic Management (ITM) provides a new approach to Global Traffic Management/Global Server Load Balancing (GTM/GSLB). The mission of NetScaler ITM is to enable next-generation cloud strategies based on real-time Internet data feeds. The platform provides a highly robust means to ingest real-time data from various Internet sources and provides a DNS-based approach to load balancing. ITM answers with DNS CNAME or A records, and its DNS responses can be altered in real time based on the required business logic.
     
    In this demo, we will cover:
    Internet health monitoring: Internet visibility using NetScaler ITM
    Infrastructure health monitoring: exporting NetScaler logs and events to Splunk
    Detailed information can be found in the following eDoc links:
    NetScaler Intelligent Traffic Management (ITM): https://docs.netscaler.com/en-us/citrix-intelligent-traffic-management/openmix
    NetScaler Observability: https://docs.netscaler.com/en-us/citrix-adc/current-release/observability.html
    For the latest NetScaler technical information, please register with and visit our NetScaler Community: https://community.netscaler.com
     

     

    Uttam Somani
    Author : Uttam Somani, Bibek Ranjan Sahu
     
    In today’s digital world, where online privacy and security are paramount, the need for robust security tools and systems has become increasingly obvious. The Domain Name System (DNS) is one of the most critical parts of internet communication: it translates human-readable domain names into machine-readable IP addresses. The traditional DNS protocol operates over plain text, leaving it vulnerable to interception and potential manipulation by malicious entities. DNS over TLS (DoT) has emerged as one of the most important solutions to reinforce the security and privacy of DNS queries and responses.
    DNS over TLS (DoT) is a network security protocol that enhances the privacy and integrity of DNS queries by encrypting the communication between DNS clients and servers. By aligning with the DNS PRIVate Exchange (DPRIVE) RFC 7858 standard, NetScaler ensures that its DoT implementation meets the industry-recognized privacy and security standards. The traditional DNS resolution process is susceptible to eavesdropping and potential data manipulation. DoT addresses these security concerns and more by adding a layer of encryption to the DNS communication. Here’s how:
    Encryption of DNS Queries: DoT encrypts the entire communication channel between clients and DNS resolvers for heightened privacy.
    TLS Protocol: Utilizes Transport Layer Security (TLS) to secure connections, similar to HTTPS, preventing unauthorized access and man-in-the-middle attacks.
    Improved Privacy: Shields DNS queries from network surveillance, enhancing user privacy, especially on untrusted networks.
    Mitigation of DNS Spoofing: Encrypting DNS transactions with DoT helps mitigate DNS spoofing and tampering risks, ensuring authentic responses.
    NetScaler supports DoT in both authoritative DNS (ADNS) and DNS proxy modes. The new DoT service type decrypts encrypted DNS requests, validates packet formats, and ensures secure client responses. This advancement underscores NetScaler's commitment to fortifying DNS communication channels with encryption protocols.
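    RFC 7858 carries ordinary DNS messages inside a TLS session on port 853, using the same two-byte length prefix as DNS over TCP, and allows several queries to be pipelined on one connection. The following added example (not NetScaler code) builds such a framed query and shows the packet-format validation a DoT listener must do before handing a frame to the DNS engine; the resolver address and hostname in `dot_session` are placeholders supplied by the caller.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # port registered for DNS over TLS (RFC 7858)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (RFC 1035 wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Return one DoT frame: 2-byte length + DNS query (RD=1, one IN question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def split_frames(stream: bytes):
    """Split a decrypted DoT byte stream into complete DNS messages.

    Returns (messages, leftover). A frame shorter than a DNS header is
    malformed and rejected; a truncated trailing frame is kept as leftover
    until more TLS records arrive.
    """
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if length < 12:
            raise ValueError("frame shorter than a DNS header")
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2 : pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of one message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "qdcount": qd, "ancount": an}


def dot_session(resolver_ip: str, server_hostname: str, frames: bytes) -> bytes:
    """Send framed queries to a DoT resolver with certificate verification (network use only)."""
    ctx = ssl.create_default_context()  # validates the resolver's certificate chain
    with socket.create_connection((resolver_ip, DOT_PORT)) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            tls.sendall(frames)
            return tls.recv(65535)
```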

    Configuration of DoT in proxy mode
    You can set up an LB virtual server and a backend service of type DoT. NetScaler initiates TLS handshakes with the client and the server to establish secure TLS connections on both sides. Subsequently, clients transmit encrypted DNS queries to NetScaler, which decrypts them, applies any DNS or SSL policies configured on the virtual server, re-encrypts the request, and forwards it to the backend server. The server responds with an encrypted DNS reply, which NetScaler decrypts, applies configured policies to if present, re-encrypts, and sends back to the client. Binding an SSL server certificate is required to enable an LB virtual server of type DoT.
    Flexible Security Configurations: Mixed Mode Support in NetScaler's Proxy Mode
    NetScaler introduces mixed mode support, allowing the configuration of (DoT + DNS_TCP) or (DNS_TCP + DoT) for the frontend and backend service types. This flexibility lets you secure the frontend listening channel while trusting the backend, or vice versa, adapting to specific security requirements.
     
    DNS Secure Caching
    If a record is requested via a secure channel (either the virtual server or the service is of type DoT), NetScaler caches the record as a secure record; otherwise it is cached as an insecure record. If a secure record is cached and a request for it arrives through a secure channel, NetScaler serves it from the cache immediately. However, if the request arrives through a secure channel and NetScaler does not hold a secure copy of that record in memory (cache), it will not serve the record from the cache. Instead, NetScaler contacts the source (backend server) directly, reads the most recent data, returns it to the client, and updates the cache with the record marked as secure. If neither the virtual server nor the service is of type DoT, NetScaler continues to work with the unsecured cache.
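    The caching rule above matters because a record learned over plaintext could have been tampered with in transit, so it must never be served to a client that asked over DoT. The model below is an added illustration of that rule, not NetScaler code; the `origin` callable stands in for the backend server, and the assumption that a plaintext channel may be served any cached record (secure or not) is the author's, not something the post states.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class CachedRecord:
    rdata: str
    secure: bool  # True when the record was learned over a DoT channel


class SecureAwareDnsCache:
    """Hypothetical model of secure/insecure caching for a DoT-capable proxy."""

    def __init__(self, origin: Callable[[str, str], str]):
        self.origin = origin          # stand-in for the backend DNS server
        self.entries: Dict[Tuple[str, str], CachedRecord] = {}
        self.origin_calls = 0         # lets a caller see when the backend was consulted

    def _fetch(self, name: str, rtype: str, secure: bool) -> str:
        self.origin_calls += 1
        rdata = self.origin(name, rtype)
        self.entries[(name, rtype)] = CachedRecord(rdata, secure)
        return rdata

    def resolve(self, name: str, rtype: str, secure_channel: bool) -> str:
        rec = self.entries.get((name, rtype))
        if secure_channel:
            # Only a record that was itself obtained securely may answer a DoT client.
            if rec is not None and rec.secure:
                return rec.rdata
            return self._fetch(name, rtype, secure=True)
        # Assumption: a plaintext channel uses whatever is cached, secure or not.
        if rec is not None:
            return rec.rdata
        return self._fetch(name, rtype, secure=False)


# Constructed backend data for a stand-alone run.
_ANSWERS = {("example.com", "A"): "192.0.2.10"}


def demo() -> Tuple[int, bool]:
    """Plaintext lookup, then two DoT lookups: returns (origin calls, final record is secure)."""
    cache = SecureAwareDnsCache(lambda n, t: _ANSWERS[(n, t)])
    cache.resolve("example.com", "A", secure_channel=False)  # cached as insecure
    cache.resolve("example.com", "A", secure_channel=True)   # refetched, now secure
    cache.resolve("example.com", "A", secure_channel=True)   # served from cache
    return cache.origin_calls, cache.entries[("example.com", "A")].secure
```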

     

     
    Configuring DoT in ADNS mode:
    On NetScaler you can configure an ADNS service of type ADNS_DOT, which works as a listening service that accepts encrypted DNS queries from clients. If a corresponding record for the domain is available on the NetScaler, it responds with encrypted information; otherwise, it sends an empty response. You have the flexibility to set up records directly on the NetScaler. To make this listening entity operational, binding an SSL certificate is required, ensuring secure communication in every interaction. This encrypted communication adds additional security to DNS transactions.
    For more information, please visit NetScaler docs
    Conclusion
    Securing DNS queries is crucial for safeguarding online privacy and enhancing overall security. Implementing DNS over TLS (DoT) is a highly effective measure to encrypt these queries, thereby reducing the vulnerabilities associated with data interception and DNS attacks. NetScaler has already incorporated this technology to enhance online security, introducing additional security features aimed at fortifying protection for online users. These enhancements are designed to defend against emerging threats that could jeopardize the security and privacy of your business. Furthermore, we have introduced the Automated Signature Roll-over feature in DNSSEC. For more details on this topic, refer to this article.
