
Integrating NetScaler layer 3 with passive security devices (Intrusion Detection System)

A NetScaler appliance can be integrated with passive security devices such as an Intrusion Detection System (IDS). In this setup, the appliance sends a copy of the original traffic to remote IDS devices. These passive devices store logs, trigger alerts when they detect malicious or non-compliant traffic, and generate reports for compliance purposes. If the appliance is integrated with two or more IDS devices and the traffic volume is high, it can load balance the devices by cloning traffic at the virtual server level.

For advanced security protection, the IDS devices are deployed in detection-only mode: they sit outside the data path, so they log and alert but never block. Following are some of the benefits of integrating NetScaler with an IDS device.

  • Inspecting encrypted traffic. Most security devices bypass encrypted traffic, leaving servers exposed to attacks carried inside TLS. A NetScaler appliance can decrypt the traffic and send the plaintext copy to IDS devices, improving the customer's network security.
  • Offloading TLS/SSL processing from inspection devices. TLS/SSL processing is expensive and drives up CPU usage on intrusion detection devices that decrypt traffic themselves. As the share of encrypted traffic grows, such systems fall behind and fail to inspect it. NetScaler terminates TLS/SSL once and forwards decrypted traffic, so an IDS device can inspect a much higher volume of traffic.
  • Load balancing IDS devices. When the traffic volume is high, the NetScaler appliance load balances multiple IDS devices by cloning traffic at the virtual server level.
  • Replicating traffic to passive devices. The traffic flowing into the appliance can be replicated to other passive devices for generating compliance reports. For example, some government agencies mandate that every transaction be logged on a passive device.
  • Fanning out traffic to multiple passive devices. Some customers prefer to fan out, or replicate, incoming traffic to multiple passive devices.
  • Smart selection of traffic. Not every packet flowing into the appliance must be content inspected; the download of a text file, for example, is usually not worth inspecting. You can configure the appliance to select specific traffic (for example, .exe files) for inspection and send only that traffic to the IDS devices.

How NetScaler integrates with an IDS device over L3 connectivity

The following diagram shows how the IDS is integrated with a NetScaler appliance.

Figure: IDS integration

The components interact as follows:

  1. A client sends an HTTP/HTTPS request to the NetScaler appliance.
  2. The appliance intercepts the traffic and sends a copy to remote IDS devices, which can be in other data centers or in a cloud. The copy is carried over a layer 3 IP tunnel. For more information about IP tunneling in a NetScaler appliance, see the IP tunnels topic.
  3. If the traffic is encrypted, the appliance decrypts the data and sends it as plaintext. A GRE or IPIP tunnel adds no encryption of its own, so the path to the IDS device must be trusted or protected separately (for example, with IPsec).
  4. Based on policy evaluation, the appliance applies a content inspection action of type MIRROR.
  5. The action references an IDS service or, when several IDS devices are integrated, a load balancing virtual server that fronts the IDS services.
  6. Each IDS device is configured on the appliance as a content inspection service of type ANY. The service is associated with a content inspection profile of type MIRROR, and the profile's tunnel parameter names the layer 3 IP tunnel through which the data is forwarded to the IDS device.

    Note:

    Optionally, you can also configure a VLAN tag in the content inspection profile.

  7. Similarly, when the back-end server sends a response to the NetScaler appliance, the appliance replicates the response and forwards it to the IDS device.
  8. If your appliance is integrated with two or more IDS devices and you want to load balance them, use a load balancing virtual server as the target of the action.

Software licensing

To deploy the IDS integration, your NetScaler appliance must be provisioned with one of the following licenses:

  1. ADC Premium
  2. ADC Advanced

Configuring intrusion detection system integration

You can integrate an IDS device with a NetScaler appliance in two ways.

Scenario 1: Integration with a single IDS device

Following are the steps, performed from the command line interface.

  1. Enable content inspection
  2. Add a content inspection profile of type MIRROR for the service representing the IDS device
  3. Add an IDS service of type ANY
  4. Add a content inspection action of type MIRROR
  5. Add a content inspection policy for IDS inspection
  6. Bind the content inspection policy to a content switching or load balancing virtual server of type HTTP/SSL

Enable Content Inspection

For the NetScaler appliance to send content to the IDS devices for inspection, you must enable the Content Inspection and Load Balancing features, whether or not the appliance decrypts the traffic.

At the command prompt, type:

enable ns feature contentInspection LoadBalancing

Add Content Inspection profile of type “MIRROR”

The Content Inspection profile of type MIRROR specifies how the appliance reaches the IDS device. At the command prompt, type:

Note:

The IP tunnel parameter is used only for the layer 3 IDS topology. Otherwise, use the egress interface with the egress VLAN option. GRE and IPIP tunnel types are supported with the layer 3 IDS topology; the tunnel is created beforehand with the add ipTunnel command and referenced here by name.

add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>

Example:

add contentInspection profile IDS_profile1 -type MIRROR -ipTunnel ipsect-tunnel1

Add IDS service

You must configure a service of type ANY for each IDS device that is integrated with the appliance. The service represents the IDS device and carries its configuration details, including the content inspection profile that names the tunnel.

At the command prompt, type:

add service <service_name> <IP> ANY <port> -contentInspectionProfileName <profile_name> -healthMonitor OFF -usip ON -useProxyPort OFF

Example:

add service IDS_service 1.1.1.1 ANY 8080 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF

Add content inspection action of type MIRROR for IDS service

After you enable the Content Inspection feature and add the IDS profile and service, add a Content Inspection action of type MIRROR. The action names the target to which the appliance copies the selected traffic: an IDS service, or a load balancing virtual server when several IDS devices are used. The -ifServerDown option selects what the appliance does with the traffic (for example, continue, drop, or reset) when that target is down.

At the command prompt, type:

add contentInspection action <action_name> -type MIRROR -serverName <service_name | vserver_name> [-ifServerDown <ifServerDown>]

Example:

add contentInspection action IDS_action -type MIRROR -serverName IDS_service

Add content inspection policy for IDS inspection

After you create a Content Inspection action, you must add Content Inspection policies to evaluate requests for inspection. The policy is based on a rule which consists of one or more expressions. The policy evaluates and selects the traffic for inspection based on the rule.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <rule> -action <action_name>

Example:

add contentInspection policy IDS_pol1 -rule true -action IDS_action

Add load balancing virtual server of type HTTP/SSL

To receive the web traffic, you must add a load balancing virtual server. At the command prompt, type:

add lb vserver <name> <service_type> <IP> <port>

Example:

add lb vserver HTTP_vserver HTTP 1.1.1.3 8080

Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL

You must bind the load balancing virtual server or content switching virtual server of type HTTP/SSL to the Content Inspection policy.

At the command prompt, type the following:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST

Example:

bind lb vserver HTTP_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
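Once scenario 1 is configured, the commands above are what ns.conf contains, and the chain they form can be verified mechanically. The following Python script is an added example, not Citrix code: it parses CLI lines in the syntax this page uses and checks that every content inspection policy bound to an HTTP or SSL virtual server leads to a MIRROR action, a service of type ANY (directly or through a load balancing virtual server of type ANY), and a MIRROR profile with an IP tunnel, and that health monitoring is OFF as in the reference configuration. The two sample configurations embedded in it are constructed for the example; the entity and option names come from the commands on this page, the checks themselves are the author's choices.

```python
"""Audit the IDS mirror chain in a NetScaler configuration (added example, not Citrix code).

Reads CLI lines as written on this page (the same form ns.conf uses) and checks:
HTTP/SSL vserver -> bound contentInspection policy -> action of type MIRROR ->
service (or LB vserver of type ANY over services) -> profile of type MIRROR with -ipTunnel.
"""
import shlex


def _split(line):
    """Split a CLI line into positional tokens and a dict of lower-cased -options."""
    tokens = shlex.split(line)
    pos, opts, i = [], {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and len(tokens[i]) > 1:
            opts[tokens[i][1:].lower()] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            pos.append(tokens[i])
            i += 1
    return pos, opts


def parse_ns_conf(text):
    """Collect the entities this page's commands create, keyed by entity name."""
    cfg = {"profile": {}, "service": {}, "action": {}, "policy": {},
           "vserver": {}, "svc_bind": [], "pol_bind": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pos, opts = _split(line)
        head = [p.lower() for p in pos[:3]]
        if head == ["add", "contentinspection", "profile"]:
            cfg["profile"][pos[3]] = opts
        elif head[:2] == ["add", "service"]:
            cfg["service"][pos[2]] = {"ip": pos[3], "type": pos[4].upper(), **opts}
        elif head == ["add", "contentinspection", "action"]:
            cfg["action"][pos[3]] = opts
        elif head == ["add", "contentinspection", "policy"]:
            cfg["policy"][pos[3]] = opts
        elif head == ["add", "lb", "vserver"]:
            cfg["vserver"][pos[3]] = {"type": pos[4].upper() if len(pos) > 4 else "",
                                      "ip": pos[5] if len(pos) > 5 else "0.0.0.0"}
        elif head == ["bind", "lb", "vserver"] and "policyname" in opts:
            cfg["pol_bind"].append((pos[3], opts["policyname"]))
        elif head == ["bind", "lb", "vserver"] and len(pos) > 4:
            cfg["svc_bind"].append((pos[3], pos[4]))
    return cfg


def _check_service(cfg, name, findings):
    svc = cfg["service"].get(name)
    if svc is None:
        findings.append(f"service '{name}' is not defined")
        return
    if svc["type"] != "ANY":
        findings.append(f"service '{name}': type is {svc['type']}, an IDS service must be ANY")
    pname = svc.get("contentinspectionprofilename")
    prof = cfg["profile"].get(pname) if pname else None
    if prof is None:
        findings.append(f"service '{name}': contentInspection profile '{pname or '(none)'}' missing")
    else:
        if prof.get("type", "").upper() != "MIRROR":
            findings.append(f"profile '{pname}': type must be MIRROR for a passive IDS")
        if not prof.get("iptunnel"):
            findings.append(f"profile '{pname}': no -ipTunnel; the layer 3 topology needs a GRE/IPIP tunnel")
    if svc.get("healthmonitor", "ON").upper() != "OFF":
        findings.append(f"service '{name}': healthMonitor not OFF (reference config disables it; a passive sensor answers no probes)")


def audit(cfg):
    """Return a list of findings; an empty list means every bound policy's chain is complete."""
    findings = []
    if not cfg["pol_bind"]:
        findings.append("no contentInspection policy is bound to any virtual server")
    for vs_name, pol_name in cfg["pol_bind"]:
        vs = cfg["vserver"].get(vs_name)
        if vs is None or vs["type"] not in ("HTTP", "SSL"):
            findings.append(f"vserver '{vs_name}': must exist and be of type HTTP or SSL")
        pol = cfg["policy"].get(pol_name)
        act = cfg["action"].get(pol.get("action", "")) if pol else None
        if act is None:
            findings.append(f"policy '{pol_name}' or its action is not defined")
            continue
        if act.get("type", "").upper() != "MIRROR":
            findings.append(f"action '{pol['action']}': type must be MIRROR")
        target = act.get("servername", "")
        if target in cfg["service"]:
            _check_service(cfg, target, findings)
        elif target in cfg["vserver"]:
            members = [s for v, s in cfg["svc_bind"] if v == target]
            if cfg["vserver"][target]["type"] != "ANY" or not members:
                findings.append(f"IDS vserver '{target}': must be type ANY with IDS services bound")
            for s in members:
                _check_service(cfg, s, findings)
        else:
            findings.append(f"action '{pol['action']}': serverName '{target}' is neither a service nor a vserver")
        if vs is not None:  # a VIP that reuses an IDS address is a copy/paste error worth catching
            for s_name, s in cfg["service"].items():
                if s["ip"] == vs["ip"]:
                    findings.append(f"vserver '{vs_name}' shares IP {vs['ip']} with service '{s_name}'")
    return findings


# Constructed sample: scenario 1 of this page, as written.
GOOD_CONF = """
add contentInspection profile IDS_profile1 -type MIRROR -ipTunnel ipsec_tunnel1
add service IDS_service 1.1.1.1 ANY 8080 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF -usip ON -useProxyPort OFF
add contentInspection action IDS_action -type MIRROR -serverName IDS_service
add contentInspection policy IDS_pol1 -rule true -action IDS_action
add lb vserver HTTP_vserver HTTP 1.1.1.3 8080
bind lb vserver HTTP_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
"""

# Constructed sample with four mistakes: no tunnel, TCP service, monitor left on, VIP reused.
BAD_CONF = """
add contentInspection profile IDS_profile1 -type MIRROR
add service IDS_service 1.1.1.1 TCP 8080 -contentInspectionProfileName IDS_profile1
add contentInspection action IDS_action -type MIRROR -serverName IDS_service
add contentInspection policy IDS_pol1 -rule true -action IDS_action
add lb vserver HTTP_vserver HTTP 1.1.1.1 8080
bind lb vserver HTTP_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
"""

if __name__ == "__main__":
    print("good:", audit(parse_ns_conf(GOOD_CONF)))
    print("bad:", *audit(parse_ns_conf(BAD_CONF)), sep="\n  ")
```

To audit a live appliance, capture the output of show ns runningConfig and pass its text to parse_ns_conf; the script only understands the add and bind forms shown on this page, so unrelated lines are ignored.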

Scenario 2: Load balancing multiple IDS devices

If you are using two or more IDS devices, load balance them by placing one content inspection service per device behind a load balancing virtual server of type ANY and pointing the MIRROR action at that virtual server. Each device then receives a subset of the mirrored traffic. For the basic configuration steps, refer to scenario 1.

Load balancing multiple IDS devices

Following are the steps you must configure using the command line interface.

  1. Add content inspection profile 1 of type MIRROR for IDS service 1
  2. Add content inspection profile 2 of type MIRROR for IDS service 2
  3. Add IDS service 1 of type ANY for IDS device 1
  4. Add IDS service 2 of type ANY for IDS device 2
  5. Add load balancing virtual server of type ANY
  6. Bind IDS service 1 to load balancing virtual server
  7. Bind IDS service 2 to load balancing virtual server
  8. Add content inspection action for the load balancing of IDS devices.
  9. Add content inspection policy for inspection
  10. Add content switching or load balancing virtual server of type HTTP/SSL
  11. Bind content inspection policy to load balancing virtual server of type HTTP/SSL

Add content inspection profile1 of type MIRROR for IDS service 1

The IDS device settings are specified in an entity called the Content Inspection profile. Content Inspection profile 1 is created for IDS service 1 and names the IP tunnel through which IDS device 1 is reached.

Note: IP tunnel parameter must be used only for layer 3 IDS topology. Otherwise, you must use the egress interface with the egress VLAN option. GRE/IPIP tunnel types are supported with the layer 3 IDS topology.

At the command prompt, type:

add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>

Example:

add contentInspection profile IDS_profile1 -type MIRROR -ipTunnel ipsect_tunnel1

Add content inspection profile 2 for type MIRROR for IDS service 2

Content Inspection profile 2 is added for IDS service 2 and names a second IP tunnel, through which IDS device 2 is reached.

At the command prompt, type:

add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>

Example:

add contentInspection profile IDS_profile2 -type MIRROR -ipTunnel ipsect_tunnel2

Add IDS service 1 of type ANY for IDS device 1

After you enable the Content Inspection feature and add the profile, add IDS service 1 for IDS device 1 so that it can be part of the load balancing setup. The service carries the device's configuration details.

At the command prompt, type:

add service <service_name_1> <Pvt_IP1> ANY <port> -contentInspectionProfileName <IDS_profile_1> -healthMonitor OFF -usip ON -useProxyPort OFF

Example:

add service IDS_service1 1.1.1.1 ANY 80 -contentInspectionProfileName IDS_profile1 -healthMonitor OFF -usip ON -useProxyPort OFF

Note:

The IP address mentioned in the example is a dummy one.

Add IDS service 2 of type ANY for IDS device 2

In the same way, add IDS service 2 for IDS device 2, attaching the second profile.

At the command prompt, type:

add service <service_name_2> <Pvt_IP2> ANY <port> -contentInspectionProfileName <IDS_profile_2> -healthMonitor OFF -usip ON -useProxyPort OFF

Example:

add service IDS_service2 1.1.1.2 ANY 80 -contentInspectionProfileName IDS_profile2 -healthMonitor OFF -usip ON -useProxyPort OFF

Note:

The IP address mentioned in the example is a dummy one.

Add load balancing virtual server

After you have added the profiles and the services, add a load balancing virtual server of type ANY to load balance the IDS services. The MIRROR action refers to this virtual server by name; the address given here is a dummy one and must not overlap the IDS service addresses.

At the command prompt, type:

add lb vserver <vserver_name> ANY <Pvt_IP3> <port>

Example:

add lb vserver lb-IDS_vserver ANY 1.1.1.3 *

Bind IDS service 1 to load balancing virtual server

After you add the load balancing virtual server, bind the first IDS service to it.

At the command prompt, type:

bind lb vserver <Vserver_name> <Service_name_1>

Example:

bind lb vserver lb-IDS_vserver IDS_service1

Bind IDS service 2 to load balancing virtual server

Then bind the second IDS service to the same virtual server.

At the command prompt, type:

bind lb vserver <vserver_name> <service_name_2>

Example:

bind lb vserver lb-IDS_vserver IDS_service2

Add content inspection action for the IDS service

Now add the Content Inspection action of type MIRROR and point it at the load balancing virtual server rather than at a single service. The -ifServerDown option selects what the appliance does with the traffic (for example, continue, drop, or reset) when that virtual server is down.

At the command prompt, type:

add contentInspection action <name> -type MIRROR -serverName <service_name | vserver_name> [-ifServerDown <ifServerDown>]

Example:

add contentInspection action IDS_action -type MIRROR -serverName lb-IDS_vserver

Add content inspection policy for inspection

After you create a Content Inspection action, you must add the Content Inspection policy to evaluate requests for service.

At the command prompt, type the following:

add contentInspection policy <policy_name> -rule <rule> -action <action_name>

Example:

add contentInspection policy IDS_pol1 -rule true -action IDS_action

Add content switching or load balancing virtual server of type HTTP/SSL

Add a content switching or load balancing virtual server to accept web traffic. You must also enable the layer 2 connection on the virtual server. The address used here must not overlap the IDS service addresses.

For more information about load balancing, refer to the How load balancing works topic.

At the command prompt, type:

add lb vserver <name> <service_type> <IP> <port>

Example:

add lb vserver http_vserver HTTP 1.1.1.4 8080

Bind Content Inspection policy to load balancing virtual server of type HTTP/SSL

You must bind the content switching or load balancing virtual server of type HTTP/SSL to the Content Inspection policy.

At the command prompt, type the following:

bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST

Example:

bind lb vserver http_vserver -policyName IDS_pol1 -priority 100 -type REQUEST
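The two scenarios differ only in whether the MIRROR action targets a service or a load balancing virtual server, and the rest of the configuration has a fixed dependency order (profile before service, service before virtual server, target before action, action before policy, policy before binding). The following Python generator is an added example, not Citrix code: it emits the CLI for any number of IDS devices in that order, chooses the single-service or LB-virtual-server form automatically, rejects overlapping addresses, and lets you narrow the selection rule, which is the smart selection case mentioned at the top of this page. The device names, addresses, tunnel names, and the lb_IDS_vserver and web_vserver names are constructed; the policy expression HTTP.REQ.URL.PATH.ENDSWITH(".exe") and the -ifServerDown CONTINUE option are standard NetScaler syntax that this page does not itself show, so treat them as assumptions to verify on your release.

```python
"""Emit NetScaler CLI for mirroring web traffic to N passive IDS devices over layer 3 tunnels.

Added example, not Citrix code. Generalizes scenario 1 (one device: the action targets
the service) and scenario 2 (two or more: the action targets an LB vserver of type ANY).
All names and addresses used here are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Selection rule for the "inspect only .exe downloads" case. Standard NetScaler
# advanced policy syntax, assumed here rather than taken from the page.
EXE_DOWNLOADS_RULE = 'HTTP.REQ.URL.PATH.ENDSWITH(".exe")'


@dataclass(frozen=True)
class IdsDevice:
    name: str      # short label used to derive the profile and service names
    ip: str        # IDS address reachable through the tunnel (constructed)
    tunnel: str    # existing GRE/IPIP ipTunnel entity on the appliance (assumed)
    port: int = 80


def _quote(expr):
    """Quote a policy expression the way ns.conf does (inner quotes backslash-escaped)."""
    return '"' + expr.replace('"', '\\"') + '"'


def build_ids_mirror_config(devices, web_vip, web_port=80, web_type="HTTP",
                            rule="true", priority=100, ids_vip=None):
    """Return CLI lines, in dependency order, that mirror selected web traffic to the IDS devices."""
    if not devices:
        raise ValueError("at least one IDS device is required")
    if web_type not in ("HTTP", "SSL"):
        raise ValueError("content inspection policies bind to HTTP or SSL vservers only")
    used = {ipaddress.ip_address(web_vip)}        # raises ValueError on a malformed address
    if ids_vip is not None:
        if ipaddress.ip_address(ids_vip) in used:
            raise ValueError("IDS vserver address collides with the web VIP")
        used.add(ipaddress.ip_address(ids_vip))
    lines = ["enable ns feature contentInspection LoadBalancing"]
    services = []
    for dev in devices:
        addr = ipaddress.ip_address(dev.ip)
        if addr in used:                           # every VIP and IDS target must be distinct
            raise ValueError(f"address {dev.ip} is already in use")
        used.add(addr)
        profile, service = f"IDS_profile_{dev.name}", f"IDS_service_{dev.name}"
        lines.append(f"add contentInspection profile {profile} -type MIRROR -ipTunnel {dev.tunnel}")
        lines.append(f"add service {service} {dev.ip} ANY {dev.port} "
                     f"-contentInspectionProfileName {profile} "
                     f"-healthMonitor OFF -usip ON -useProxyPort OFF")
        services.append(service)
    if len(services) == 1:
        target = services[0]
    else:
        # LB vserver of type ANY fronting the IDS services. Without ids_vip it is created
        # non-addressable (assumed to be accepted), which suffices because the MIRROR
        # action names the vserver directly and no client ever connects to it.
        target = "lb_IDS_vserver"
        lines.append(f"add lb vserver {target} ANY" + (f" {ids_vip} *" if ids_vip else ""))
        lines.extend(f"bind lb vserver {target} {s}" for s in services)
    # CONTINUE keeps client traffic flowing when the sensor path is down (fail-open);
    # choose DROP or RESET for a fail-closed posture. Option values are assumed.
    lines.append(f"add contentInspection action IDS_action -type MIRROR "
                 f"-serverName {target} -ifServerDown CONTINUE")
    lines.append(f"add contentInspection policy IDS_pol1 -rule {_quote(rule)} -action IDS_action")
    lines.append(f"add lb vserver web_vserver {web_type} {web_vip} {web_port}")
    lines.append(f"bind lb vserver web_vserver -policyName IDS_pol1 -priority {priority} -type REQUEST")
    return lines


if __name__ == "__main__":
    devices = [IdsDevice("dc1", "1.1.1.1", "ipsec_tunnel1"),
               IdsDevice("dc2", "1.1.1.2", "ipsec_tunnel2")]
    print("\n".join(build_ids_mirror_config(devices, "1.1.1.4", 8080, rule=EXE_DOWNLOADS_RULE)))
```

The output can be pasted into the CLI or saved as a batch file; because the lines are emitted in dependency order, each add succeeds before anything references it. Narrowing the rule is where the security trade-off lives: mirroring everything gives the IDS full visibility at the cost of tunnel bandwidth and sensor load, while a rule such as the .exe example keeps the copy small but leaves anything outside the rule uninspected.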

Configure IDS service integration using the NetScaler GUI

  1. Navigate to Security > Content Inspection > ContentInspection Profiles.
  2. In the ContentInspection Profile page, click Add.
  3. In the Create ContentInspectionProfile page, set the following parameters.
    1. Profile Name. Name of the content inspection profile for IDS.
    2. Type. Select the profile types as MIRROR.
    3. Connectivity. Layer 2 or Layer 3 interface.
    4. IP Tunnel. Select the network communication channel between the two networks.
  4. Click Create.
  5. Navigate to Traffic Management > Load Balancing > Services and click Add.
  6. In the Load Balancing Service page, enter the content inspection service details.
  7. In the Advanced Settings section, click Profiles.
  8. Go to the Profiles section and click the Pencil icon to add the content inspection profile.
  9. Click OK.
  10. Navigate to Traffic Management > Load Balancing > Virtual Servers. Add a virtual server of type HTTP or SSL.
  11. After entering the server details, click OK and again OK.
  12. In the Advanced Settings section, click Policies.
  13. Go the Policies section and click the Pencil icon to configure the content inspection policy.
  14. On the Choose Policy page, select Content Inspection. Click Continue.
  15. In the Policy Binding section, click “+” to add a Content Inspection policy.
  16. In the Create CI Policy page, enter a name for the IDS content inspection policy.
  17. In the Action field, click the "+" sign to create an IDS content inspection action of type MIRROR.
  18. In the Create CI Action page, set the following parameters.
    1. Name. Name of the content inspection action.
    2. Type. Select the type as MIRROR.
    3. Server Name. Select the IDS service, or the load balancing virtual server that fronts several IDS services.
    4. If Server Down. Select the operation to apply to the traffic if the server goes down.
    5. Request Time-out. Select a time-out value. Default values can be used.
    6. Request Time-out Action. Select a time-out action. Default values can be used.
  19. Click Create.
  20. In the Create CI Policy page, enter other details.
  21. Click OK and Close.

For information about the NetScaler GUI configuration for load balancing, including the virtual server that fronts multiple IDS devices, see Load Balancing.
