Jump to content
Welcome to our new Citrix community!
  • NetScaler ADC VPX on AWS Deployment Guide Part 1


    Richard Faulkner
    • Validation Status: Validated
      Summary: NetScaler ADC VPX on AWS Deployment Guide
      Has Video?: No

    NetScaler ADC VPX on AWS Deployment Guide Part 1

    Contributed By: Luis Ugarte and Beth Pollack

    Continued in Part 2

    Overview

    NetScaler ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.

    As an undisputed leader of service and application delivery, NetScaler ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, NetScaler ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. NetScaler ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

    NetScaler ADC VPX

    The NetScaler ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms.

    This deployment guide focuses on NetScaler ADC VPX on Amazon Web Services.

    Amazon Web Services

    Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services offer tools such as compute power, database storage, and content delivery services.

    AWS offers the following essential services:

    • AWS Compute Services

    • Migration Services

    • Storage

    • Database Services

    • Management Tools

    • Security Services

    • Analytics

    • Networking

    • Messaging

    • Developer Tools

    • Mobile Services

    AWS Terminology

    Here is a brief description of key terms used in this document that users must be familiar with:

    • Elastic Network Interface (ENI) – A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).

    • Elastic IP (EIP) address – A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.

    • Subnet – A segment of the IP address range of a VPC with which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.

    • Virtual Private Cloud (VPC) – A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.

    Here is a brief description of other terms used in this document that users should be familiar with:

    • Amazon Machine Image (AMI) – A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud.

    • Elastic Block Store – Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

    • Simple Storage Service (S3) – Storage for the Internet. It is designed to make web-scale computing easier for developers.

    • Elastic Compute Cloud (EC2) – A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

    • Elastic Kubernetes Service (EKS) – Amazon EKS is a managed service that makes it easy for users to run Kubernetes on AWS without needing to stand up or maintain their own Kubernetes control plane. ... Amazon EKS runs Kubernetes control plane instances across multiple Availability Zones to ensure high availability. Amazon EKS is a managed service that makes it easy for users to run Kubernetes on AWS without needing to install and operate their own Kubernetes clusters.

    • Application Load Balancing (ALB) – Amazon ALB operates at layer 7 of the OSI stack so it's employed when users want to route or select traffic based on elements of the HTTP or HTTPS connection, whether host-based or path-based. The ALB connection is context-aware and can have direct requests based on any single variable. Applications are load balanced based on their peculiar behavior not solely on server (operating system or virtualization layer) information.

    • Elastic Load Balancing (ALB/ELB/NLB) – Amazon ELB Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. This increases the fault tolerance of user applications.

    • Network Load Balancing (NLB) – Amazon NLB operates at layer 4 of the OSI stack and below and is not designed to consider anything at the application layer such as content type, cookie data, custom headers, user location, or application behavior. It is context-less, caring only about the network-layer information contained within the packets it is directing. It distributes traffic based on network variables such as IP address and destination ports.

    • Instance type – Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.

    • Identity and Access Management (IAM) – An AWS identity with permission policies that determine what the identity can and cannot do in AWS. Users can use an IAM role to enable applications running on an EC2 instance to securely access their AWS resources. IAM role is required for deploying VPX instances in a high-availability setup.

    • Internet Gateway – Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway.

    • Key pair – A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.

    • Route table – A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

    • Auto Scale Groups – A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.

    • CloudFormation – A service for writing or changing templates that creates and deletes related AWS resources together as a unit.

    • Web Application Firewall (WAF) – WAF is defined as a security solution protecting the web application layer in the OSI network model. A WAF does not depend on the application it is protecting. This document focuses on the exposition and evaluation of the security methods and functions provided specifically by NetScaler WAF.

    • Bot – Bot is defined as an autonomous device, program, or piece of software on a network (especially the internet) that can interact with computer systems or users to run commands, reply to messages, or perform routine tasks. A bot is a software program on the internet that performs repetitive tasks. Some bots can be good, while others can have a huge negative impact on a website or application.

    Sample NetScaler WAF on AWS Architecture

    image.jpg

    The preceding image shows a virtual private cloud (VPC) with default parameters that builds a NetScaler WAF environment in the AWS Cloud.

    In a production deployment, the following parameters are set up for the NetScaler WAF environment:

    • This architecture assumes the use of an AWS CloudFormation Template and an AWS Quick Start Guide, which can be found here: GitHub/AWS-Quickstart/Quickstart-NetScaler-ADC-VPX .

    • A VPC that spans two Availability Zones, configured with two public and four private subnets, according to AWS best practices, to provide you with your own virtual network on AWS with a /16 Classless Inter-Domain Routing (CIDR) block (a network with 65,536 private IP addresses). *

    • Two instances of NetScaler WAF (Primary and Secondary), one in each Availability Zone.

    • Three security groups, one for each network interface (Management, Client, Server), that acts as virtual firewalls to control the traffic for their associated instances.

    • Three subnets, for each instance- one for management, one for client, and one for back-end server.

    • An internet gateway attached to the VPC, and a Public Subnets route table which is associated with public subnets so as to allow access to the internet. This gateway is used by the WAF host to send and receive traffic. For more information on Internet Gateways, see: Internet Gateways. *

    • 5 Route tables-one public route table associated with client subnets of both primary and secondary WAF. The remaining 4 route tables link to each of the 4 private subnets (management and server-side subnets of primary and secondary WAF). *

    • AWS Lambda in WAF takes care of the following:

      • Configuring two WAF in each availability zone of HA mode

      • Creating a sample WAF Profile and thus pushing this configuration with respect to WAF

    • AWS Identity and Access Management (IAM) to securely control access to AWS services and resources for your users. By default, the CloudFormation Template (CFT) creates the required IAM role. However, users can provide their own IAM role for NetScaler ADC instances.

    • In the public subnets, two managed Network Address Translation (NAT) gateways to allow outbound internet access for resources in public subnets.

     

    Note:
    The CFT WAF template that deploys the NetScaler WAF into an existing VPC skips the components marked by asterisks and prompts users for their existing VPC configuration.
    Backend servers are not deployed by the CFT.

    Logical Flow of NetScaler WAF on AWS

     

    image.jpg

     

    Logical Flow

    The Web Application Firewall can be installed as either a Layer 3 network device or a Layer 2 network bridge between customer servers and customer users, usually behind the customer company’s router or firewall. It must be installed in a location where it can intercept traffic between the web servers that users want to protect and the hub or switch through which users access those web servers. Users then configure the network to send requests to the Web Application Firewall instead of directly to their web servers, and responses to the Web Application Firewall instead of directly to their users. The Web Application Firewall filters that traffic before forwarding it to its final destination, using both its internal rule set and the user additions and modifications. It blocks or renders harmless any activity that it detects as harmful, and then forwards the remaining traffic to the web server. The preceding image provides an overview of the filtering process.

     

    Note:
    The diagram omits the application of a policy to incoming traffic. It illustrates a security configuration in which the policy is to process all requests. Also, in this configuration, a signatures object has been configured and associated with the profile, and security checks have been configured in the profile.

    As the diagram shows, when a user requests a URL on a protected website, the Web Application Firewall first examines the request to ensure that it does not match a signature. If the request matches a signature, the Web Application Firewall either displays the error object (a webpage that is located on the Web Application Firewall appliance and which users can configure by using the imports feature) or forwards the request to the designated error URL (the error page).

    If a request passes signature inspection, the Web Application Firewall applies the request security checks that have been enabled. The request security checks verify that the request is appropriate for the user website or web service and does not contain material that might pose a threat. For example, security checks examine the request for signs indicating that it might be of an unexpected type, request unexpected content, or contain unexpected and possibly malicious web form data, SQL commands, or scripts. If the request fails a security check, the Web Application Firewall either sanitizes the request and then sends it back to the NetScaler ADC appliance (or NetScaler ADC virtual appliance), or displays the error object. If the request passes the security checks, it is sent back to the NetScaler ADC appliance, which completes any other processing and forwards the request to the protected web server.

    When the website or web service sends a response to the user, the Web Application Firewall applies the response security checks that have been enabled. The response security checks examine the response for leaks of sensitive private information, signs of website defacement, or other content that should not be present. If the response fails a security check, the Web Application Firewall either removes the content that should not be present or blocks the response. If the response passes the security checks, it is sent back to the NetScaler ADC appliance, which forwards it to the user.

    Cost and Licensing

    Users are responsible for the cost of the AWS services used while running AWS deployments. The AWS CloudFormation templates that can be used for this deployment include configuration parameters that users can customize as necessary. Some of those settings, such as instance type, affect the cost of deployment. For cost estimates, users should refer to the pricing pages for each AWS service they are using. Prices are subject to change.

    A NetScaler ADC WAF on AWS requires a license. To license NetScaler WAF, users must place the license key in an S3 bucket and specify its location when they launch the deployment.

     

    Note:
    When users elect the Bring your own license (BYOL) licensing model, they should ensure that they have an AppFlow feature enabled. For more information on BYOL licensing, see:
    .

    The following licensing options are available for NetScaler ADC WAF running on AWS. Users can choose an AMI (Amazon Machine Image) based on a single factor such as throughput.

    • License model: Pay as You Go (PAYG, for the production licenses) or Bring Your Own License (BYOL, for the Customer Licensed AMI - NetScaler ADC Pooled Capacity). For more information on NetScaler ADC Pooled Capacity, see: NetScaler ADC Pooled Capacity.

     

    Note:
    If users want to dynamically modify the bandwidth of a VPX instance, they should elect a BYOL option, for example
    NetScaler ADC pooled capacity
    where they can allocate the licenses from NetScaler ADM, or they can check out the licenses from NetScaler ADC instances according to the minimum and maximum capacity of the instance on demand and without a restart. A restart is required only if users want to change the license edition.
    • Throughput: 200 Mbps or 1 Gbps

    • Bundle: Premium

    Deployment Options

    This deployment guide provides two deployment options:

    • The first option is to deploy using a Quick Start Guide format and the following options:

      • Deploy NetScaler WAF into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, security groups, and other infrastructure components, and then deploys NetScaler WAF into this new VPC.

      • Deploy NetScaler WAF into an existing VPC. This option provisions NetScaler WAF in the user existing AWS infrastructure.

    • The second option is to deploy using WAF StyleBooks using NetScaler ADM

    Deployment Steps using a Quick Start Guide

    Step 1: Sign in to the User AWS Account

    • Sign in to the user account at AWS: AWS with an IAM (Identity and Access Management) user role that has the necessary permissions to create an Amazon Account (if necessary) or sign in to an Amazon Account.

    • Use the region selector in the navigation bar to choose the AWS Region where users want to deploy High Availability across AWS Availability Zones.

    • Ensure that the user AWS account is configured correctly, refer to the Technical Requirements section of this document for more information.

    Step 2: Subscribe to the NetScaler WAF AMI

    • This deployment requires a subscription to the AMI for NetScaler WAF in the AWS Marketplace.

    • Sign in to the user AWS account.

    • Open the page for the NetScaler WAF offering by choosing one of the links in the following table.

      • When users launch the Quick Start Guide in to deploy NetScaler WAF in Step 3 below, they use the NetScaler WAF Image parameter to select the bundle and throughput option that matches their AMI subscription. The following list shows the AMI options and corresponding parameter settings. The VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory.

     

    Note:
    To retrieve the AMI ID, refer to the NetScaler Products on AWS Marketplace page on GitHub:
    .

     

    image.jpg

     

    • Review the terms and conditions for software usage, and then choose Accept Terms.

     

    image.jpg

     

     

    Note:
    Users receive a confirmation page, and an email confirmation is sent to the account owner. For detailed subscription instructions, see Getting Started in the AWS Marketplace Documentation:
    .
    • When the subscription process is complete, exit out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace—users will deploy the AMI with the Quick Start Guide.

    Step 3: Launch the Quick Start Guide to Deploy the AMI

     

    Important:
    If users are deploying NetScaler WAF into an existing VPC, they must ensure that their VPC spans across two Availability Zones, with one public and two private subnets in each Availability Zone for the workload instances, and that the subnets are not shared. This deployment guide does not support shared subnets, see Working with Shared VPCs:
    . These subnets require NAT Gateways in their route tables to allow the instances to download packages and software without exposing them to the internet. For more information about NAT Gateways, see:
    . Configure the subnets so there is no overlapping of subnets.

    Also, users should ensure that the domain name option in the DHCP options is configured as explained in the Amazon VPC documentation found here: DHCP Options Sets: DHCP Options Sets. Users are prompted for their VPC settings when they launch the Quick Start Guide.

    • Each deployment takes about 15 minutes to complete.

    • Check the AWS Region that is displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for NetScaler WAF will be built. The template is launched in the US East (Ohio) Region by default.

     

    Note:
    This deployment includes NetScaler WAF, which isn’t currently supported in all AWS Regions. For a current list of supported Regions, see the AWS Service Endpoints:
    .
    • On the Select Template page, keep the default setting for the template URL, and then choose Next.

    • On the Specify Details page, specify the stack name as per user convenience. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary.

    • In the following table, parameters are listed by category and described separately for the deployment option:

    • Parameters for deploying NetScaler WAF into a new or existing VPC (Deployment Option 1)

    • When users finish reviewing and customizing the parameters, they should choose Next.

    Parameters for Deploying NetScaler WAF into a new VPC

    VPC Network Configuration

    For reference information on this deployment refer to the CFT template here: AWS-Quickstart/Quickstart-Citrix-ADC-WAF/Templates.

    Parameter label (name) Default Description
    Primary Availability Zone (PrimaryAvailabilityZone) Requires input The Availability Zone for Primary NetScaler WAF deployment
    Secondary Availability Zone (SecondaryAvailabilityZone) Requires input The Availability Zone for Secondary NetScaler WAF deployment
    VPC CIDR (VPCCIDR) 10.0.0.0/16 The CIDR block for the VPC. Must be a valid IP CIDR range of the form x.x.x.x/x.
    Remote SSH CIDR IP(Management) (RestrictedSSHCIDR) Requires input The IP address range that can SSH to the EC2 instance (port: 22).
        For example Using 0.0.0.0/0, will enable all IP addresses to access the user instance using SSH or RDP. Note: Authorize only a specific IP address or range of addresses to access the user instance because it is unsafe to use it in production.
    Remote HTTP CIDR IP(Client) (RestrictedWebAppCIDR) 0.0.0.0/0 The IP address range that can HTTP to the EC2 instance (port: 80)
    Remote HTTP CIDR IP(Client) (RestrictedWebAppCIDR) 0.0.0.0/0 The IP address range that can HTTP to the EC2 instance (port: 80)
    Primary Management Private Subnet CIDR (PrimaryManagementPrivateSubnetCIDR) 10.0.1.0/24 The CIDR block for Primary Management Subnet located in Availability Zone 1.
    Primary Management Private IP (PrimaryManagementPrivateIP) Private IP assigned to the Primary Management ENI (last octet has to be between 5 and 254) from the Primary Management Subnet CIDR.
    Primary Client Public Subnet CIDR (PrimaryClientPublicSubnetCIDR) 10.0.2.0/24 The CIDR block for Primary Client Subnet located in Availability Zone 1.
    Primary Client Private IP (PrimaryClientPrivateIP) Private IP assigned to the Primary Client ENI (last octet has to be between 5 and 254) from Primary Client IP from the Primary Client Subnet CIDR.
    Primary Server Private Subnet CIDR (PrimaryServerPrivateSubnetCIDR) 10.0.3.0/24 The CIDR block for Primary Server located in Availability Zone 1.
    Primary Server Private IP (PrimaryServerPrivateIP) Private IP assigned to the Primary Server ENI (last octet has to be between 5 and 254) from the Primary Server Subnet CIDR.
    Secondary Management Private Subnet CIDR (SecondaryManagementPrivateSubnetCIDR) 10.0.4.0/24 The CIDR block for Secondary Management Subnet located in Availability Zone 2.
    Secondary Management Private IP (SecondaryManagementPrivateIP) Private IP assigned to the Secondary Management ENI (last octet has to be between 5 and 254). It would allocate Secondary Management IP from the Secondary Management Subnet CIDR.
    Secondary Client Public Subnet CIDR (SecondaryClientPublicSubnetCIDR) 10.0.5.0/24 The CIDR block for Secondary Client Subnet located in Availability Zone 2.
    Secondary Client Private IP (SecondaryClientPrivateIP) Private IP assigned to the Secondary Client ENI (last octet has to be between 5 and 254). It would allocate Secondary Client IP from the Secondary Client Subnet CIDR.
    Secondary Server Private Subnet CIDR (SecondaryServerPrivateSubnetCIDR) 10.0.6.0/24 The CIDR block for Secondary Server Subnet located in Availability Zone 2.
    Secondary Server Private IP (SecondaryServerPrivateIP) Private IP assigned to the Secondary Server ENI (last octet has to be between 5 and 254). It would allocate Secondary Server IP from the Secondary Server Subnet CIDR.
    VPC Tenancy attribute (VPCTenancy) default The allowed tenancy of instances launched into the VPC. Choose Dedicated tenancy to launch EC2 instances dedicated to a single customer.

    Bastion host configuration

    Parameter label (name) Default Description
    Bastion Host required (LinuxBastionHostEIP) No By default, no bastion host will be configured. But if users want to opt for sandbox deployment select “yes” from the menu which would deploy a Linux Bastion Host in the public subnet with an EIP that would give users access to the components in the private and public subnet.

    NetScaler WAF Configuration

    Parameter label (name) Default Description
    Key pair name (KeyPairName) Requires input A public/private key pair, which allows users to connect securely to the user instance after it launches. This is the key pair users created in their preferred AWS Region; see the Technical Requirements section.
    NetScaler ADC Instance Type (CitrixADCInstanceType) m4.xlarge The EC2 instance type to use for the ADC instances. Ensure that the instance type opted for aligns with the instance types available in the AWS marketplace or else the CFT might fail.
    NetScaler ADC AMI ID (CitrixADCImageID) The AWS Marketplace AMI to be used for NetScaler WAF deployment. This must match the AMI users subscribed to in step 2.
    NetScaler ADC VPX IAM role (iam:GetRole) This Template: AWS-Quickstart/Quickstart-Citrix-ADC-VPX/Templates creates the IAM role and the Instance Profile required for NetScaler ADC VPX. If left empty, CFT creates the required IAM role.
    Client PublicIP(EIP) (ClientPublicEIP) No Select "Yes" if users want to assign a public EIP to the user Client Network interface. Otherwise, even after the deployment, users still have the option of assigning it later if necessary.

    Pooled Licensing configuration

    Parameter label (name) Default Description
    ADM Pooled Licensing No If choosing the BYOL option for licensing, select yes from the list. This allows users to upload their already purchased licenses.
    Before users begin, they should Configure NetScaler ADC Pooled Capacity to ensure ADM pooled licensing is available, see: Configure NetScaler ADC Pooled Capacity.    
    Reachable ADM / ADM Agent IP Requires input For the Customer Licensed option, whether users deploy NetScaler ADM on-prem or an agent in the cloud, make sure to have a reachable ADM IP which would then be used as an input parameter.
    Licensing Mode Optional Users can choose from the 3 licensing modes:
    • Configure NetScaler ADC Pooled Capacity: Configure NetScaler ADC Pooled Capacity
    • NetScaler ADC VPX Check-in and Check-out Licensing (CICO): NetScaler ADC VPX Check-in and Check-out Licensing
    • NetScaler ADC virtual CPU Licensing: NetScaler ADC virtual CPU Licensing| |License Bandwidth in Mbps|0 Mbps|Only if the licensing mode is Pooled-Licensing, then this field comes into the picture. It allocates an initial bandwidth of the license in Mbps to be allocated after BYOL ADCs are created. It should be a multiple of 10 Mbps.| |License Edition|Premium|License Edition for Pooled Capacity Licensing Mode is Premium| |Appliance Platform Type|Optional|Choose the required Appliance Platform Type, only if users opt for CICO licensing mode. Users get the options listed: VPX-200, VPX-1000, VPX-3000, VPX-5000, VPX-8000| |License Edition|Premium|License Edition for vCPU based Licensing is Premium.|

    AWS Quick Start Guide Configuration

     

    Note:
    We recommend that users keep the default settings for the following two parameters, unless they are customizing the Quick Start Guide templates for their own deployment projects. Changing the settings of these parameters will automatically update code references to point to a new Quick Start Guide location. For more details, see the AWS Quick Start Guide Contributor’s Guide located here:
    .
    Parameter label (name) Default Description
    Quick Start Guide S3 bucket name (QSS3BucketName) aws-quickstart The S3 bucket users created for their copy of Quick Start Guide assets, if users decide to customize or extend the Quick Start Guide for their own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
    Quick Start Guide S3 key prefix (QSS3KeyPrefix) quickstart-citrix-adc-vpx/ The S3 key name prefix, from the Object Key and Metadata: Object Key and Metadata, is used to simulate a folder for the user copy of Quick Start Guide assets, if users decide to customize or extend the Quick Start Guide for their own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.
    • On the Options page, users can specify a Resource Tag or key-value pair for resources in your stack and set advanced options. For more information on Resource Tags, see: Resource Tag. For more information on setting AWS CloudFormation Stack Options, see: Setting AWS CloudFormation Stack Options. When users are done, they should choose Next.

    • On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and that it might require the capability to auto-expand macros.

    • Choose Create to deploy the stack.

    • Monitor the status of the stack. When the status is CREATE_COMPLETE, the NetScaler WAF instance is ready.

    • Use the URLs displayed in the Outputs tab for the stack to view the resources that were created.

     

    image.jpg

     

    Step 4: Test the Deployment

    We refer to the instances in this deployment as primary and secondary. Each instance has different IP addresses associated with it. When the Quick Start has been deployed successfully, traffic goes through the primary NetScaler WAF instance configured in Availability Zone 1. During failover conditions, when the primary instance does not respond to client requests, the secondary WAF instance takes over.

    The Elastic IP address of the virtual IP address of the primary instance migrates to the secondary instance, which takes over as the new primary instance.

    In the failover process, NetScaler WAF does the following:

    • NetScaler WAF checks the virtual servers that have IP sets attached to them.

    • NetScaler WAF finds the IP address that has an associated public IP address from the two IP addresses that the virtual server is listening on. One that is directly attached to the virtual server, and one that is attached through the IP set.

    • NetScaler WAF reassociates the public Elastic IP address to the private IP address that belongs to the new primary virtual IP address.

    To validate the deployment, perform the following:

    • Connect to the primary instance

    For example, with a proxy server, jump host (a Linux/Windows/FW instance running in AWS, or the bastion host), or another device reachable to that VPC or a Direct Connect if dealing with on-prem connectivity.

    • Perform a trigger action to force failover and check whether the secondary instance takes over.

     

    Tip:
    To further validate the configuration with respect to NetScaler WAF, run the following command after connecting to the
    Primary NetScaler WAF instance
    :

     

    Sh appfw profile QS-Profile

    Connect to NetScaler WAF HA Pair using Bastion Host

    If users are opting for Sandbox deployment (for example, as part of CFT, users opt for configuring a Bastion Host), a Linux bastion host deployed in a public subnet will be configured to access the WAF interfaces.

    In the AWS CloudFormation console, which is accessed by signing in here: Sign in, choose the master stack, and on the Outputs tab, find the value of LinuxBastionHostEIP1.

     

    image.jpg

     

    • PrivateManagementPrivateNSIP and PrimaryADCInstanceID key’s value to be used in the later steps to SSH into the ADC.

    • Choose Services.

    • On the Compute tab, select EC2.

      • Under Resources, choose Running Instances.

      • On the Description tab of the primary WAF instance, note the IPv4 public IP address. Users need that IP address to construct the SSH command.

     

    image.jpg

     

    • To store the key in the user keychain, run the command ssh-add -K [your-key-pair].pem

    On Linux, users might need to omit the -K flag.

    • Log in to the bastion host using the following command, using the value for LinuxBastionHostEIP1 that users noted in step 1.

    ssh -A ubuntu@[LinuxBastionHostEIP1]

    • From the bastion host, users can connect to the primary WAF instance by using SSH.

    ssh nsroot@[Primary Management Private NSIP]

    Password: [Primary ADC Instance ID]

     

    image.jpg

     

    Now users are connected to the primary NetScaler WAF instance. To see the available commands, users can run the help command. To view the current HA configuration, users can run the show HA node command.

    NetScaler Application Delivery Management

    NetScaler Application Delivery Management Service (NetScaler ADM) provides an easy and scalable solution to manage NetScaler ADC deployments that include NetScaler ADC MPX, NetScaler ADC VPX, NetScaler Gateway, NetScaler Secure Web Gateway, NetScaler ADC SDX, NetScaler ADC CPX, and NetScaler SD-WAN appliances that are deployed on-premises or on the cloud.

    Users can use this cloud solution to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified, and centralized cloud-based console. NetScaler ADM Service provides all the capabilities required to quickly set up, deploy, and manage application delivery in NetScaler ADC deployments and with rich analytics of application health, performance, and security.

    NetScaler ADM Service provides the following benefits:

    • Agile – Easy to operate, update, and consume. The service model of NetScaler ADM Service is available over the cloud, making it easy to operate, update, and use the features provided by NetScaler ADM Service. The frequency of updates, combined with the automated update feature, quickly enhances user NetScaler ADC deployment.

    • Faster time to value – Quicker business goals achievement. Unlike with the traditional on-premises deployment, users can use their NetScaler ADM Service with a few clicks. Users not only save the installation and configuration time, but also avoid wasting time and resources on potential errors.

    • Multi-Site Management – Single Pane of Glass for instances across Multi-Site data centers. With the NetScaler ADM Service, users can manage and monitor NetScaler ADCs that are in various types of deployments. Users have one-stop management for NetScaler ADCs deployed on-premises and in the cloud.

    • Operational Efficiency – Optimized and automated way to achieve higher operational productivity. With the NetScaler ADM Service, user operational costs are reduced by saving user time, money, and resources on maintaining and upgrading the traditional hardware deployments.

    How NetScaler ADM Service Works

    NetScaler ADM Service is available as a service on the NetScaler Cloud. After users sign up for NetScaler Cloud and start using the service, install agents in the user network environment or initiate the built-in agent in the instances. Then, add the instances users want to manage to the service.

    An agent enables communication between the NetScaler ADM Service and the managed instances in the user data center. The agent collects data from the managed instances in the user network and sends it to the NetScaler ADM Service.

    When users add an instance to the NetScaler ADM Service, it implicitly adds itself as a trap destination and collects an inventory of the instance.

    The service collects instance details such as:

    • Host name

    • Software version

    • Running and saved configuration

    • Certificates

    • Entities configured on the instance, and so on.

    NetScaler ADM Service periodically polls managed instances to collect information.

    The following image illustrates the communication between the service, the agents, and the instances:

     

    image.jpg

     

    Documentation Guide

    The NetScaler ADM Service documentation includes information about how to get started with the service, a list of features supported on the service, and configuration specific to this service solution.

    Deploying NetScaler ADC VPX Instances on AWS using NetScaler ADM

    When customers move their applications to the cloud, the components that are part of their application increase, become more distributed, and need to be dynamically managed.

    With NetScaler ADC VPX instances on AWS, users can seamlessly extend their L4-L7 network stack to AWS. With NetScaler ADC VPX, AWS becomes a natural extension of their on-premises IT infrastructure. Customers can use NetScaler ADC VPX on AWS to combine the elasticity and flexibility of the cloud, with the same optimization, security, and control features that support the most demanding websites and applications in the world.

    With NetScaler Application Delivery Management (ADM) monitoring their NetScaler ADC instances, users gain visibility into the health, performance, and security of their applications. They can automate the setup, deployment, and management of their application delivery infrastructure across hybrid multi-cloud environments.

    Architecture Diagram

    The following image provides an overview of how NetScaler ADM connects with AWS to provision NetScaler ADC VPX instances in AWS.

     

    image.jpg

     

    Configuration Tasks

    Perform the following tasks on AWS before provisioning NetScaler ADC VPX instances in NetScaler ADM:

    • Create subnets

    • Create security groups

    • Create an IAM role and define a policy

    Perform the following tasks on NetScaler ADM to provision the instances on AWS:

    • Create site

    • Provision NetScaler ADC VPX instance on AWS

    To Create Subnets

    Create three subnets in a VPC. The three subnets that are required to provision NetScaler ADC VPX instances in a VPC - are management, client, and server. Specify an IPv4 CIDR block from the range that is defined in the VPC for each of the subnets. Specify the availability zone in which the subnet is to reside. Create all the three subnets in the same availability zone. The following image illustrates the three subnets created in the customer region and their connectivity to the client system.

     

    image.jpg

     

    For more information on VPC and subnets, see VPCs and Subnets.

    To Create Security Groups

    Create a security group to control inbound and outbound traffic in the NetScaler ADC VPX instance. A security group acts as a virtual firewall for a user instance. Create security groups at the instance level, and not at the subnet level. It is possible to assign each instance in a subnet in the user VPC to a different set of security groups. Add rules for each security group to control the inbound traffic that is passing through the client subnet to instances. Users can also add a separate set of rules that control the outbound traffic that passes through the server subnet to the application servers. Although users can use the default security group for their instances, they might want to create their own groups. Create three security groups - one for each subnet. Create rules for both incoming and outgoing traffic that users want to control. Users can add as many rules as they want.

    For more information on security groups, see: Security Groups for your VPC.

    To Create an IAM Role and Define a Policy

    Create an IAM role so that customers can establish a trust relationship between their users and the NetScaler trusted AWS account and create a policy with NetScaler permissions.

    1. In AWS, click Services. In the left side navigation pane, select IAM > Roles, and click Create role.

    2. Users are connecting their AWS account with the AWS account in NetScaler ADM. So, select Another AWS account to allow NetScaler ADM to perform actions in the AWS account.

    Type in the 12-digit NetScaler ADM AWS account ID. The NetScaler ID is 835822366011. Users can also find the NetScaler ID in NetScaler ADM when they create the cloud access profile.

     

    image.jpg

     

    1. Enable Require external ID to connect to a third-party account. Users can increase the security of their roles by requiring an optional external identifier. Type an ID that can be a combination of any characters.

    2. Click Permissions.

    3. In Attach permissions policies page, click Create policy.

    4. Users can create and edit a policy in the visual editor or by using JSON.

    The list of permissions from NetScaler is provided in the following box:

    {"Version": "2012-10-17","Statement":[    {         "Effect": "Allow",        "Action": [            "ec2:DescribeInstances",            "ec2:DescribeImageAttribute",            "ec2:DescribeInstanceAttribute",            "ec2:DescribeRegions",            "ec2:DescribeDhcpOptions",            "ec2:DescribeSecurityGroups",            "ec2:DescribeHosts",            "ec2:DescribeImages",            "ec2:DescribeVpcs",            "ec2:DescribeSubnets",            "ec2:DescribeNetworkInterfaces",            "ec2:DescribeAvailabilityZones",            "ec2:DescribeNetworkInterfaceAttribute",            "ec2:DescribeInstanceStatus",            "ec2:DescribeAddresses",            "ec2:DescribeKeyPairs",            "ec2:DescribeTags",            "ec2:DescribeVolumeStatus",            "ec2:DescribeVolumes",            "ec2:DescribeVolumeAttribute",            "ec2:CreateTags",            "ec2:DeleteTags",            "ec2:CreateKeyPair",            "ec2:DeleteKeyPair",            "ec2:ResetInstanceAttribute",            "ec2:RunScheduledInstances",            "ec2:ReportInstanceStatus",            "ec2:StartInstances",            "ec2:RunInstances",            "ec2:StopInstances",            "ec2:UnmonitorInstances",            "ec2:MonitorInstances",            "ec2:RebootInstances",            "ec2:TerminateInstances",            "ec2:ModifyInstanceAttribute",            "ec2:AssignPrivateIpAddresses",            "ec2:UnassignPrivateIpAddresses",            "ec2:CreateNetworkInterface",            "ec2:AttachNetworkInterface",            "ec2:DetachNetworkInterface",            "ec2:DeleteNetworkInterface",            "ec2:ResetNetworkInterfaceAttribute",            "ec2:ModifyNetworkInterfaceAttribute",            "ec2:AssociateAddress",            "ec2:AllocateAddress",            "ec2:ReleaseAddress",            "ec2:DisassociateAddress",            "ec2:GetConsoleOutput"        ],            "Resource": "*"    }]}
     
    1. Copy and paste the list of permissions in the JSON tab and click Review policy.

    2. In the Review policy page, type a name for the policy, enter a description, and click Create policy.

    To Create a Site in NetScaler ADM

    Create a site in NetScaler ADM and add the details of the VPC associated with the AWS role.

    1. In NetScaler ADM, navigate to Networks > Sites.

    2. Click Add.

    3. Select the service type as AWS and enable Use existing VPC as a site.

    4. Select the cloud access profile.

    5. If the cloud access profile does not exist in the field, click Add to create a profile.

      • In the Create Cloud Access Profile page, type the name of the profile with which users want to access AWS.

      • Type the ARN associated with the role that users have created in AWS.

      • Type the external ID that users provided while creating an Identity and Access Management (IAM) role in AWS. See step 4 in “To create an IAM role and define a policy” task. Ensure that the IAM role name specified in AWS starts with NetScaler-ADM- and it correctly appears in the Role ARN.

     

    image.jpg

     

    The details of the VPC, such as the region, VPC ID, name and CIDR block, associated with your IAM role in AWS are imported in NetScaler ADM.

    1. Type a name for the site.

    2. Click Create.

    To Provision NetScaler ADC VPX on AWS

    Use the site that users created earlier to provision the NetScaler ADC VPX instances on AWS. Provide NetScaler ADM service agent details to provision those instances that are bound to that agent.

    1. In NetScaler ADM, navigate to Networks > Instances > NetScaler ADC.

    2. In the VPX tab, click Provision.

    This option displays the Provision NetScaler ADC VPX on Cloud page.

    1. Select Amazon Web Services (AWS) and click Next.

    2. In Basic Parameters,

      • Select the Type of Instance from the list.

        • Standalone: This option provisions a standalone NetScaler ADC VPX instance on AWS.

        • HA: This option provisions the high availability NetScaler ADC VPX instances on AWS.

        To provision the NetScaler ADC VPX instances in the same zone, select the Single Zone option under Zone Type.

        To provision the NetScaler ADC VPX instances across multiple zones, select the Multi Zone option under Zone type. In the Cloud Parameters tab, make sure to specify the network details for each zone that is created on AWS.

       

      image.jpg

       

      • Specify the name of the NetScaler ADC VPX instance.

      • In Site, select the site that you created earlier.

      • In Agent, select the agent that is created to manage the NetScaler ADC VPX instance.

      • In Cloud Access Profile, select the cloud access profile created during site creation.

      • In Device Profile, select the profile to provide authentication.

      NetScaler ADM uses the device profile when it requires to log on to the NetScaler ADC VPX instance.

      • Click Next.
    3. In Cloud Parameters,

      • Select the NetScaler IAM Role created in AWS. An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

      • In the Product field, select the NetScaler ADC product version that users want to provision.

      • Select the EC2 instance type from the Instance Type list.

      • Select the Version of NetScaler ADC that users want to provision. Select both Major and Minor version of NetScaler ADC.

      • In Security Groups, select the Management, Client, and Server security groups that users created in their virtual network.

      • In IPs in server Subnet per Node, select the number of IP addresses in server subnet per node for the security group.

      • In Subnets, select the Management, Client, and Server subnets for each zone that are created in AWS. Users can also select the region from the Availability Zone list.

      • Click Finish.

     

    image.jpg

     

    The NetScaler ADC VPX instance is now provisioned on AWS.

     

    Note:
    NetScaler ADM doesn’t support deprovisioning of NetScaler ADC instances from AWS.

    To View the NetScaler ADC VPX Provisioned in AWS

    1. From the AWS home page, navigate to Services and click EC2.

    2. On the Resources page, click Running Instances.

    3. Users can view the NetScaler ADC VPX provisioned in AWS.

    The name of the NetScaler ADC VPX instance is the same name users provided while provisioning the instance in NetScaler ADM.

    To View the NetScaler ADC VPX Provisioned in NetScaler ADM

    1. In NetScaler ADM, navigate to Networks > Instances > NetScaler ADC.

    2. Select NetScaler ADC VPX tab.

    3. The NetScaler ADC VPX instance provisioned in AWS is listed here.

    NetScaler ADC WAF and OWASP Top 10 – 2017

    The Open Web Application Security Project: OWASP released the OWASP Top 10 for 2017 for web application security. This list documents the most common web application vulnerabilities and is a great starting point to evaluate web security. Here we detail how to configure the NetScaler ADC Web Application Firewall (WAF) to mitigate these flaws. WAF is available as an integrated module in the NetScaler ADC (Premium Edition) as well as a complete range of appliances.

    The full OWASP Top 10 document is available at OWASP Top Ten.

    OWASP Top-10 2017 NetScaler ADC WAF Features
    A1:2017- Injection Injection attack prevention (SQL or any other custom injections such as OS Command injection, XPath injection, and LDAP Injection), auto update signature feature
    A2:2017 - Broken Authentication NetScaler ADC AAA, Cookie Tampering protection, Cookie Proxying, Cookie Encryption, CSRF tagging, Use SSL
    A3:2017 - Sensitive Data Exposure Credit Card protection, Safe Commerce, Cookie proxying, and Cookie Encryption
    A4:2017 XML External Entities (XXE) XML protection including WSI checks, XML message validation & XML SOAP fault filtering check
    A5:2017 Broken Access Control NetScaler ADC AAA, Authorization security feature within NetScaler ADC AAA module of NetScaler, Form protections, and Cookie tampering protections, StartURL, and ClosureURL
    A6:2017 - Security Misconfiguration PCI reports, SSL features, Signature generation from vulnerability scan reports such as Cenznic, Qualys, AppScan, WebInspect, Whitehat. Also, specific protections such as Cookie encryption, proxying, and tampering
    A7:2017 - Cross Site Scripting (XSS) XSS Attack Prevention, Blocks all OWASP XSS cheat sheet attacks
    A8:2017 – Insecure Deserialisation XML Security Checks, GWT content type, custom signatures, Xpath for JSON and XML
    A9:2017 - Using Components with known Vulnerabilities Vulnerability scan reports, Application Firewall Templates, and Custom Signatures
    A10:2017 – Insufficient Logging & Monitoring User configurable custom logging, NetScaler ADC Management and Analytics System

    A1:2017- Injection

    Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into running unintended commands or accessing data without proper authorization.

    ADC WAF Protections

    • SQL Injection prevention feature protects against common injection attacks. Custom injection patterns can be uploaded to protect against any type of injection attack including XPath and LDAP. This is applicable for both HTML and XML payloads.

    • The auto update signature feature keeps the injection signatures up to date.

    • Field format protection feature allows the administrator to restrict any user parameter to a regular expression. For instance, you can enforce that a zip-code field contains integers only or even 5-digit integers.

    • Form field consistency: Validate each submitted user form against the user session form signature to ensure the validity of all form elements.

    • Buffer overflow checks ensure that the URL, headers, and cookies are in the right limits blocking any attempts to inject large scripts or code.

    A2:2017 – Broken Authentication

    Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

    ADC WAF Protections

    • NetScaler ADC AAA module performs user authentication and provides Single Sign-On functionality to back end applications. This is integrated into the NetScaler ADC AppExpert policy engine to allow custom policies based on user and group information.

    • Using SSL offloading and URL transformation capabilities, the firewall can also help sites to use secure transport layer protocols to prevent stealing of session tokens by network sniffing.

    • Cookie Proxying and Cookie Encryption can be employed to completely mitigate cookie stealing.

    A3:2017 - Sensitive Data Exposure

    Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such poorly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

    ADC WAF Protections

    • Application Firewall protects applications from leaking sensitive data like credit card details.

    • Sensitive data can be configured as Safe objects in Safe Commerce protection to avoid exposure.

    • Any sensitive data in cookies can be protected by Cookie Proxying and Cookie Encryption.

    A4:2017 XML External Entities (XXE)

    Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

    ADC WAF Protections

    • In addition to detecting and blocking common application threats that can be adapted for attacking XML-based applications (that is, cross-site scripting, command injection, and so forth).

    • ADC Application Firewall includes a rich set of XML-specific security protections. These include schema validation to thoroughly verify SOAP messages and XML payloads, and a powerful XML attachment check to block attachments containing malicious executables or viruses.

    • Automatic traffic inspection methods block XPath injection attacks on URLs and forms aimed at gaining access.

    • ADC Application Firewall also thwarts various DoS attacks, including external entity references, recursive expansion, excessive nesting, and malicious messages containing either long or a large number of attributes and elements.

    A5:2017 Broken Access Control

    Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, and so on.

    ADC WAF Protections

    • NetScaler ADC AAA feature that supports authentication, authorization, and auditing for all application traffic allows a site administrator to manage access controls with the ADC appliance.

    • The Authorization security feature within the NetScaler ADC AAA module of the ADC appliance enables the appliance to verify, which content on a protected server it should allow each user to access.

    • Form field consistency: If object references are stored as hidden fields in forms, then using form field consistency you can validate that these fields are not tampered on subsequent requests.

    • Cookie Proxying and Cookie consistency: Object references that are stored in cookie values can be validated with these protections.

    • Start URL check with URL closure: Allows user access to a predefined allow list of URLs. URL closure builds a list of all URLs seen in valid responses during the user session and automatically allows access to them during that session.

    A6:2017 - Security Misconfiguration

    Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or improvised configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

    ADC WAF Protections

    • The PCI-DSS report generated by the Application Firewall, documents the security settings on the Firewall device.

    • Reports from the scanning tools are converted to ADC WAF Signatures to handle security misconfigurations.

    • ADC WAF supports Cenzic, IBM AppScan (Enterprise and Standard), Qualys, TrendMicro, WhiteHat, and custom vulnerability scan reports.

    A7:2017 - Cross Site Scripting (XSS)

    XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing webpage with user-supplied data using a browser API that can create HTML or JavaScript. Cross-site scripting allows attackers to run scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.

    ADC WAF Protections

    • Cross-site scripting protection protects against common XSS attacks. Custom XSS patterns can be uploaded to modify the default list of allowed tags and attributes. The ADC WAF uses an allow list of allowed HTML attributes and tags to detect XSS attacks. This is applicable for both HTML and XML payloads.

    • ADC WAF blocks all the attacks listed in the OWASP XSS Filter Evaluation Cheat Sheet.

    • Field format check prevents an attacker from sending inappropriate web form data which can be a potential XSS attack.

    • Form field consistency.

    A8:2017 - Insecure Deserialization

    Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

    ADC WAF Protections

    • JSON payload inspection with custom signatures.

    • XML security: protects against XML denial of service (xDoS), XML SQL and Xpath injection and cross site scripting, format checks, WS-I basic profile compliance, XML attachments check.

    • Field Format checks in addition to Cookie Consistency and Field Consistency can be used.

    A9:2017 - Using Components with Known Vulnerabilities

    Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

    ADC WAF Protections

    • NetScaler recommends having the third-party components up to date.

    • Vulnerability scan reports that are converted to ADC Signatures can be used to virtually patch these components.

    • Application Firewall templates that are available for these vulnerable components can be used.

    • Custom Signatures can be bound with the firewall to protect these components.

    A10:2017 - Insufficient Logging & Monitoring

    Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

    ADC WAF Protections

    • When the log action is enabled for security checks or signatures, the resulting log messages provide information about the requests and responses that the application firewall has observed while protecting your websites and applications.

    • The application firewall offers the convenience of using the built-in ADC database for identifying the locations corresponding to the IP addresses from which malicious requests are originating.

    • Default format (PI) expressions give the flexibility to customize the information included in the logs with the option to add the specific data to capture in the application firewall generated log messages.

    • The application firewall supports CEF logs.

    Continued in Part 2


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...