Integrating Citrix ADC with passive security devices (Intrusion Detection System)

A Citrix ADC appliance can be integrated with passive security devices such as an Intrusion Detection System (IDS) deployed in detection-only mode. These devices store logs, trigger alerts when they detect malicious or non-compliant traffic, and generate reports for compliance purposes. If the appliance is integrated with two or more IDS devices and the traffic volume is high, it can load balance the devices by cloning traffic at the virtual server level. Following are some of the benefits of integrating Citrix ADC with an IDS device.

  • Inspecting encrypted traffic. Most security devices bypass encrypted traffic, which leaves servers exposed to attacks carried inside TLS sessions. A Citrix ADC appliance can decrypt the traffic and send the plain text to IDS devices, improving the security of the customer's network.
  • Offloading inline devices from TLS/SSL processing. TLS/SSL processing is expensive and drives up CPU usage on intrusion detection devices that decrypt traffic themselves. As encrypted traffic grows, these systems fail to keep up with decrypting and inspecting it. Citrix ADC terminates TLS/SSL on behalf of the IDS devices, so an IDS device can inspect a much higher volume of traffic.
  • Load balancing IDS devices. When the traffic volume is high, the Citrix ADC appliance load balances multiple IDS devices by cloning traffic at the virtual server level.
  • Replicating traffic to passive devices. Traffic flowing into the appliance can be replicated to other passive devices for generating compliance reports. For example, some government agencies mandate that every transaction be logged on a passive device.
  • Fanning traffic to multiple passive devices. Some customers prefer to fan out, or replicate, incoming traffic to multiple passive devices.
  • Smart selection of traffic. Not every packet flowing into the appliance needs content inspection (downloads of text files, for example). You can configure the Citrix ADC appliance to select specific traffic (for example, .exe files) for inspection and send only that traffic to the IDS devices.

How Citrix ADC is integrated with an IDS device using L2 connectivity

The following diagram shows how an intrusion detection system (IDS) is integrated with a Citrix ADC appliance.

    IDS integration

The component interaction is given as follows:

  1. A client sends an HTTP or HTTPS request to the Citrix ADC appliance.
  2. The appliance intercepts the traffic and replicates it to an IDS device based on the evaluation of a content inspection policy.
  3. If the traffic is encrypted, the appliance decrypts the data and sends it as plain text.
  4. Based on the policy evaluation, the appliance applies a content inspection action of type “MIRROR”.
  5. The action refers to an IDS service or, when multiple IDS devices are integrated, to a load balancing virtual server.
  6. The IDS device is configured on the appliance as a content inspection service of type “ANY”. That service is associated with a content inspection profile of type “MIRROR”, which specifies the egress interface through which the data is forwarded to the IDS device. Note: Optionally, you can also configure a VLAN tag in the content inspection profile.
  7. The appliance then replicates the data through the egress interface to one or more IDS devices.
  8. Similarly, when the back-end server sends a response to Citrix ADC, the appliance replicates the response and forwards it to the IDS device.
  9. If the appliance is integrated with more than one IDS device and you want to load balance them, use a load balancing virtual server.

Software licensing

To deploy the IDS integration, your Citrix ADC appliance must be provisioned with one of the following licenses:

  1. ADC Premium
  2. ADC Enterprise
  3. Telco Advanced
  4. Telco Premium

Configuring intrusion detection system integration

You can integrate IDS devices with Citrix ADC in two different ways.

Scenario 1: Integration with a single IDS device

Following are the steps you must perform using the command line interface.

  1. Enable content inspection
  2. Add a content inspection profile of type MIRROR for the service representing the IDS device
  3. Add an IDS service of type “ANY”
  4. Add a content inspection action of type “MIRROR”
  5. Add a content inspection policy for IDS inspection
  6. Bind the content inspection policy to a content switching or load balancing virtual server of type HTTP/SSL

Enable Content Inspection

If you want the Citrix ADC appliance to send content for inspection to the IDS devices, you must enable the Content Inspection and Load Balancing features, regardless of whether the appliance performs decryption.

At the command prompt, type:

enable ns feature contentInspection LoadBalancing

Add Content Inspection profile of type “MIRROR”

The Content Inspection profile of type “MIRROR” specifies how the appliance reaches the IDS device: the egress interface and, optionally, the VLAN tag. At the command prompt, type:

add contentInspection profile <name> -type MIRROR -egressInterface <interface_name> [-egressVlan <positive_integer>]

Example:

add contentInspection profile IDS_profile1 -type MIRROR -egressInterface 1/1 -egressVLAN 10

Add IDS service

You must configure a service of type “ANY” for each IDS device integrated with the appliance. The service carries the IDS device configuration details and represents the IDS device on the appliance.

At the command prompt, type:

add service <Service_name> <IP> ANY <Port> -contentInspectionProfileName <Name> -healthMonitor OFF -usip ON -useproxyport OFF

Example:

add service IDS_service 1.1.1.1 ANY 8080 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF

Add content inspection action of type MIRROR for IDS service

After you enable the Content Inspection feature and add the IDS profile and service, you must add a Content Inspection action for handling the request. Depending on the content inspection action, the appliance can drop, reset, or block the traffic, or send a copy of it to the IDS device.

At the command prompt, type:

add contentInspection action <action_name> -type MIRROR -serverName <Service_name | Vserver_name>

Example:

add contentInspection action IDS_action -type MIRROR -serverName IDS_service

Add content inspection policy for IDS inspection

After you create a Content Inspection action, you must add a Content Inspection policy to evaluate requests for inspection. The policy is based on a rule consisting of one or more expressions; the appliance evaluates the rule against each request and selects the matching traffic for inspection.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example:

add contentInspection policy IDS_pol1 -rule true -action IDS_action

Bind content inspection policy to content switching or load balancing virtual server of type HTTP/SSL

To receive the web traffic, you must add a load balancing virtual server. At the command prompt, type:

add lb vserver <name> <serviceType> <IPAddress> <port>

Example:

add lb vserver HTTP_vserver HTTP 1.1.1.3 8080

Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL

You must bind the Content Inspection policy to the load balancing virtual server or content switching virtual server of type HTTP/SSL that receives the web traffic.

At the command prompt, type the following:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST

Example:

bind lb vserver HTTP_vserver -policyName IDS_pol1 -priority 100 -type REQUEST

Scenario 2: Load balancing multiple IDS devices

If you use two or more IDS devices, you must load balance them using separate content inspection services. In this case the Citrix ADC appliance load balances the devices, sending a subset of the traffic to each one. For the basic configuration steps, refer to scenario 1.

Load balancing multiple IDS devices

Following are the steps you must perform using the command line interface.

  1. Add content inspection profile 1 of type MIRROR for IDS service 1
  2. Add content inspection profile 2 of type MIRROR for IDS service 2
  3. Add IDS service 1 of type ANY for IDS device 1
  4. Add IDS service 2 of type ANY for IDS device 2
  5. Add a load balancing virtual server of type ANY
  6. Bind IDS service 1 to the load balancing virtual server
  7. Bind IDS service 2 to the load balancing virtual server
  8. Add a content inspection action that refers to the load balancing virtual server for the IDS devices
  9. Add a content inspection policy for inspection
  10. Add a content switching or load balancing virtual server of type HTTP/SSL
  11. Bind the content inspection policy to the virtual server of type HTTP/SSL

Add content inspection profile1 of type MIRROR for IDS service 1

The IDS configuration is specified in an entity called a Content Inspection profile, which holds a collection of device settings. Content Inspection profile 1 is created for IDS service 1.

At the command prompt, type:

add contentInspection profile <name> -type MIRROR -egressInterface <interface_name> [-egressVlan <positive_integer>]

Example:

add contentInspection profile IDS_profile1 -type MIRROR -egressInterface 1/1 -egressVLAN 1

Add content inspection profile 2 of type MIRROR for IDS service 2

Content Inspection profile 2 is added for IDS service 2; in this example the second IDS device is also reached through egress interface 1/1.

At the command prompt, type:

add contentInspection profile <name> -type MIRROR -egressInterface <interface_name> [-egressVlan <positive_integer>]

Example:

add contentInspection profile IDS_profile2 -type MIRROR -egressInterface 1/1 -egressVLAN 1

Add IDS service 1 of type ANY for IDS device 1

After you enable the Content Inspection feature and add the profile, you must add IDS service 1 for IDS device 1 so that it can be part of the load balancing setup. The service provides all the configuration details for the IDS device.

At the command prompt, type:

add service <Service_name_1> <Pvt_IP1> ANY <Port> -contentInspectionProfileName <IDS_Profile_1> -healthMonitor OFF -usip ON -useproxyport OFF

Example:

add service IDS_service1 1.1.1.1 ANY 80 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF -usip ON -useproxyport OFF

Note:

The IP address mentioned in the example is a dummy one.

Add IDS service 2 of type ANY for IDS device 2

After you enable the Content Inspection feature and add the second profile, you must add IDS service 2 for IDS device 2. The service provides all the configuration details for the IDS device.

At the command prompt, type:

add service <Service_name_2> <Pvt_IP2> ANY <Port> -contentInspectionProfileName <IDS_Profile_2> -healthMonitor OFF -usip ON -useproxyport OFF

Example:

add service IDS_service2 1.1.1.2 ANY 80 -contentInspectionProfileName IDS_profile2 -healthMonitor OFF -usip ON -useproxyport OFF

Note:

The IP address mentioned in the example is a dummy one.

Add load balancing virtual server

After you have added the profiles and the services, you must add a load balancing virtual server of type ANY to load balance the IDS services.

At the command prompt, type:

add lb vserver <vserver_name> ANY <Pvt_IP3> <port>

Example:

add lb vserver lb-IDS_vserver ANY 1.1.1.2 *

Bind IDS service 1 to load balancing virtual server

After you add the load balancing virtual server, bind the first IDS service to it.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_1>

Example:

bind lb vserver lb-IDS_vserver IDS_service1

Bind IDS service 2 to load balancing virtual server

After you add the load balancing virtual server, bind the second IDS service to it.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_2>

Example:

bind lb vserver lb-IDS_vserver IDS_service2

Add content inspection action for the IDS load balancing virtual server

After you create the IDS services and the load balancing virtual server, you must add the Content Inspection action that handles the request. Depending on the action, the appliance drops, resets, or blocks the traffic, or sends a copy of it to the IDS devices. For load balancing, the action refers to the load balancing virtual server instead of a single IDS service.

At the command prompt, type:

add contentInspection action <name> -type MIRROR -serverName <string> [-ifserverdown <ifserverdown>]

Example:

add contentInspection action IDS_action -type MIRROR -serverName lb-IDS_vserver

Add content inspection policy for inspection

After you create a Content Inspection action, you must add a Content Inspection policy that evaluates requests and selects the traffic to be sent to the IDS devices.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <Rule> -action <action_name>

Example:

add contentInspection policy IDS_pol1 -rule true -action IDS_action

Add content switching or load balancing virtual server of type HTTP/SSL

Add a content switching or load balancing virtual server of type HTTP or SSL to accept the web traffic. You must also enable the Layer 2 connection (the -l2Conn parameter) on this virtual server.

For more information about load balancing, see the How load balancing works topic.

At the command prompt, type:

add lb vserver <name> <serviceType> <IPAddress> <port> -l2Conn ON

Example:

add lb vserver http_vserver HTTP 1.1.1.1 8080 -l2Conn ON

Bind Content Inspection policy to load balancing virtual server of type HTTP/SSL

You must bind the Content Inspection policy to the content switching or load balancing virtual server of type HTTP/SSL that receives the web traffic.

At the command prompt, type the following:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST

Example:

bind lb vserver http_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
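Both scenarios above are batches of interdependent commands, and a slip in one name (a service pointing at a profile that was never created, a policy bound nowhere, a health monitor left on for a device that never answers probes) leaves the IDS blind without the ADC reporting an error. The following Python script is an added example, not part of the Citrix documentation or product: it parses NSCLI lines with shlex and checks the wiring described in scenarios 1 and 2 (features enabled, every IDS service referencing an existing MIRROR profile, the action pointing at a service or at a load balancing virtual server that has services bound, the policy bound with -type REQUEST to an HTTP/SSL virtual server, and -healthMonitor OFF on each IDS service). The embedded batch is constructed here: the addresses are dummies, and the rule HTTP.REQ.URL.PATH.ENDSWITH(".exe") is an assumed illustration of the selective inspection mentioned at the top of the page, used in place of the catch-all rule true.

```python
import shlex
from collections import defaultdict

# Constructed sample batch (not from the Citrix page): two IDS devices behind an
# lb vserver, dummy addresses, and a selective policy that mirrors .exe downloads.
SAMPLE_CONFIG = r"""
enable ns feature contentInspection LoadBalancing
add contentInspection profile IDS_profile1 -type MIRROR -egressInterface 1/1 -egressVLAN 1
add contentInspection profile IDS_profile2 -type MIRROR -egressInterface 1/1 -egressVLAN 2
add service IDS_service1 1.1.1.1 ANY 80 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF -usip ON -useproxyport OFF
add service IDS_service2 1.1.1.2 ANY 80 -contentInspectionProfileName IDS_profile2 -healthMonitor OFF -usip ON -useproxyport OFF
add lb vserver lb-IDS_vserver ANY 1.1.1.3 *
bind lb vserver lb-IDS_vserver IDS_service1
bind lb vserver lb-IDS_vserver IDS_service2
add contentInspection action IDS_action -type MIRROR -serverName lb-IDS_vserver
add contentInspection policy IDS_pol1 -rule "HTTP.REQ.URL.PATH.ENDSWITH(\".exe\")" -action IDS_action
add lb vserver http_vserver HTTP 1.1.1.4 8080 -l2Conn ON
bind lb vserver http_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
"""


def split_command(line):
    """Split one NSCLI line into positional tokens and an {option: value} map.
    Option names are lower-cased because the CLI treats them case-insensitively."""
    toks = shlex.split(line)
    pos, opts, i = [], {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and len(tok) > 1:
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            has_val = bool(nxt) and not nxt.startswith("-")
            opts[tok[1:].lower()] = nxt if has_val else ""
            i += 2 if has_val else 1
        else:
            pos.append(tok)
            i += 1
    return pos, opts


def lint(config_text):
    """Walk the batch in order (as the ADC would apply it) and return a list of
    findings about broken references; an empty list means every check passed."""
    enabled, profiles, services, vservers, actions, policies = set(), {}, {}, {}, {}, {}
    bound_services, bound_policies = defaultdict(list), defaultdict(list)
    out = []
    for line in filter(None, (ln.strip() for ln in config_text.splitlines())):
        pos, opts = split_command(line)
        head = tuple(t.lower() for t in pos[:3])
        if head == ("enable", "ns", "feature"):
            enabled.update(t.lower() for t in pos[3:])
        elif head == ("add", "contentinspection", "profile"):
            name = pos[3]
            if name in profiles:
                out.append(f"duplicate profile {name}")
            profiles[name] = opts.get("type", "").upper()
            if profiles[name] == "MIRROR" and not opts.get("egressinterface"):
                out.append(f"profile {name}: MIRROR needs -egressInterface")
        elif head[:2] == ("add", "service"):
            name, prof = pos[2], opts.get("contentinspectionprofilename")
            if name in services:
                out.append(f"duplicate service {name}")
            services[name] = prof
            if prof not in profiles:
                out.append(f"service {name}: unknown profile {prof!r}")
            elif profiles[prof] != "MIRROR":
                out.append(f"service {name}: profile {prof} is not type MIRROR")
            if opts.get("healthmonitor", "").upper() != "OFF":
                out.append(f"service {name}: set -healthMonitor OFF; a passive IDS does not "
                           "answer probes, so the service would be marked DOWN")
        elif head == ("add", "lb", "vserver"):
            vservers[pos[3]] = pos[4].upper() if len(pos) > 4 else ""
        elif head == ("bind", "lb", "vserver"):
            vs = pos[3]
            if vs not in vservers:
                out.append(f"bind: unknown lb vserver {vs}")
            elif "policyname" in opts:                      # policy binding
                pol = opts["policyname"]
                if pol not in policies:
                    out.append(f"bind {vs}: unknown policy {pol}")
                if opts.get("type", "").upper() != "REQUEST":
                    out.append(f"bind {vs}: policy {pol} must be bound with -type REQUEST")
                if vservers[vs] not in ("HTTP", "SSL"):
                    out.append(f"bind {vs}: CI policy belongs on an HTTP/SSL vserver, not {vservers[vs]}")
                bound_policies[vs].append(pol)
            elif len(pos) > 4:                              # service binding
                if pos[4] not in services:
                    out.append(f"bind {vs}: unknown service {pos[4]}")
                bound_services[vs].append(pos[4])
        elif head == ("add", "contentinspection", "action"):
            name, target = pos[3], opts.get("servername")
            actions[name] = target
            if opts.get("type", "").upper() != "MIRROR":
                out.append(f"action {name}: type must be MIRROR for a passive IDS")
            if target in vservers and not bound_services[target]:
                out.append(f"action {name}: lb vserver {target} has no IDS services bound")
            elif target not in vservers and target not in services:
                out.append(f"action {name}: -serverName {target!r} is neither a service nor an lb vserver")
        elif head == ("add", "contentinspection", "policy"):
            policies[pos[3]] = opts.get("action")
            if opts.get("action") not in actions:
                out.append(f"policy {pos[3]}: unknown action {opts.get('action')!r}")
    for feat in ("contentinspection", "loadbalancing"):
        if feat not in enabled:
            out.append(f"feature {feat} is not enabled")
    if not bound_policies:
        out.append("no content inspection policy is bound to any vserver: nothing is mirrored")
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["OK: no findings"]:
        print(finding)
```

Run it against a batch file before applying it on the appliance; the checks are ordered the way the ADC resolves references, so a service added before its profile, or an action created before the services are bound to its virtual server, is reported just as the CLI would reject it.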

Configure IDS service integration using the Citrix ADC GUI

  1. Navigate to Security > Content Inspection > ContentInspection Profiles.
  2. In the ContentInspection Profile page, click Add.
  3. In the Create ContentInspectionProfile page, set the following parameters.
    1. Profile Name. Name of the content inspection profile for IDS.
    2. Type. Select the profile type as MIRROR.
    3. Egress Interface. The interface through which the traffic is sent from Citrix ADC to the IDS device.
    4. Egress VLAN (optional). The interface VLAN ID through which the traffic is sent to the IDS device.
  4. Click Create.

    Create Content Inspection Profile

  5. Navigate to Traffic Management > Load Balancing > Services and click Add.
  6. In the Load Balancing Service page, enter the content inspection service details.
  7. In the Advanced Settings section, click Profiles.
  8. Go to the Profiles section and click the Pencil icon to add the content inspection profile.
  9. Click OK.

    Create Content Inspection Profile

  10. Navigate to Load Balancing > Servers. Add a virtual server of type HTTP or SSL.
  11. After entering the server details, click OK and again OK.
  12. In the Advanced Settings section, click Policies.
  13. Go to the Policies section and click the Pencil icon to configure the content inspection policy.
  14. On the Choose Policy page, select Content Inspection. Click Continue.
  15. In the Policy Binding section, click “+” to add a Content Inspection policy.
  16. In the Create CI Policy page, enter a name for the IDS content inspection policy.
  17. In the Action field, click the “+” sign to create an IDS content inspection action of type MIRROR.
  18. In the Create CI Action page, set the following parameters.

    a. Name. Name of the content inspection action.
    b. Type. Select the type as MIRROR.
    c. Server Name. Select the IDS service or, for multiple IDS devices, the load balancing virtual server.
    d. If Server Down. Select the operation to perform if the server goes down.
    e. Request Time-out. Select a time-out value. The default value can be used.
    f. Request Time-out Action. Select a time-out action. The default value can be used.

  19. Click Create.

    Create Content Inspection Action

  20. In the Create CI Policy page, enter other details.
  21. Click OK and Close.

For information about the Citrix ADC GUI configuration for load balancing and replicating the traffic to IDS devices, see Load Balancing.

    Create Content Inspection Policy

For information about the Citrix ADC GUI configuration for load balancing and forwarding the traffic to the back-end origin server after content inspection, see Load Balancing.
