As an intermediary between users and back-end resources, the SLB/ADC is also an ideal place to implement much needed security measures. Recalling the trends highlighted earlier—especially those pertaining to the evolution of threats, user mobility and inter-connectivity—it should be clear that SSL VPNs and application firewalls are two countermeasures, in particular, that deserve attention.
Aside from facilitating remote access, the benefit of having SSL VPN technology as an integral component of an ADC is that it provides fine-grained control over which users have access to which functions in which applications, and under which conditions (e.g., based on type and configuration status of the client device). When properly utilized, this capability can substantially reduce the risk of providing application access to a vast population of remote, mobile and third party users.
The shortcomings of network firewalls, which concern themselves primarily with network addresses and port-level information, are well documented. In general, they do not understand the inner workings of protocols and languages such as HTML and XML; they do not understand HTTP sessions; they cannot validate user inputs to an HTML application; they cannot filter or obfuscate sensitive data included in server responses; they cannot detect maliciously modified parameters in a URL request; and they are incapable of inspecting SSL-encrypted traffic. In contrast, it is specifically this depth of visibility and control that enables an application firewall to protect Web applications against a wide range of both known and unknown attacks.
Of course, having robust, application layer controls does not obviate the need to provide protection at other layers of the stack. This is another area where Citrix ADC outshines the competition. For example, Citrix ADC features a customized TCP/IP stack that: (a) enforces a positive security model, dropping all traffic that deviates from common guidelines for packet formation and content; and (b) prevents leakage of low level information by zeroing the unused portions of reused packets. In addition, Citrix ADC provides robust connection handling routines to automatically thwart many types of DDoS/flood attacks.