About the talk
Hybrid cloud deployment success depends on the effectiveness of your networking and security strategy and how you manage complexity. In this session, we will teach you top use cases and real-world security architectural considerations to optimize and secure your apps, data, and workspaces.

Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.
Hello everybody. How are you doing this morning? Hopefully everyone's awake; I think I see eyeballs. Not too much drinking last night, right? My name is Robin Manke-Cassidy and I'm with our Networking and Security group here at Citrix, and my colleague with me today is responsible for the application security portfolio as part of Citrix ADC, formerly known as NetScaler, and the new things that are coming up with our application security for Workspace and hybrid cloud. So first of all, if you feel like tweeting, please help yourself; if you can do #AppSecurity and #SYN115 at Citrix Synergy, that would be awesome.

So what we're going to go over today is where security delivery transformation is happening (I hate using the word transformation because I think it's overused today), then some of our existing solutions that we have in place, and some new security solutions that we're bringing online here quite shortly. So first of all, let's talk about the threats that are out there.
So this is from the National Institute of Standards and Technology: 92% of the vulnerabilities that are out there have nothing to do with your network. It has everything to do with the applications, how people are accessing them, and the threats and the vectors around that. That's a huge number. So as you're thinking about how you're deploying your application, this is a key component that you need to be thinking about. And applications are changing, as you probably know; if it hasn't hit your organization yet, it will in the near future. Everything is moving towards APIs. So how applications are going to communicate with each other, how they get to resources, those types of things are moving towards using APIs almost exclusively.

So as you can see from the statistics, organizations have already experienced application breaches. I'm not sure there's anyone in the world that hasn't, or hasn't discovered that they already have. And many people are not really confident with how they're doing their security protection today on their applications. You know, there are a lot of different point solutions that people put in place, but they don't communicate together. You can't get a full picture of what's really going on, which makes it a little bit more difficult. Organizations feel that web apps are their highest security risk, and they are, if you think about the applications that you're putting in place today; most of them are either web-based or SaaS-based. So it's not only how you manage your application security but (there was a session that I did yesterday on this) it's also how your users connect to those.

And 26% of organizations are doing little to nothing for their application security. They put it in place, they put a load balancer in front of it, and they just go do business. They're not actually thinking about the full security component that needs to be put in place. So I talked a little bit about this already, but our traditional applications in our data center on-prem have changed. How many people are using cloud-hosted data center services, or have moved a bunch of your resources to a provider already, or are thinking about it?
That's almost everybody in the room. Okay. So this is the future, right? There are industries that will never, or only in late stages, move their stuff out. But this is the reality of our world, and as we move to the cloud there are new vectors that you need to take into consideration when you put your applications out there. For example, cloud-native applications using microservices in containers: there's a whole new world there where you need to consider how the communication happens between them, and how you make sure that security is in place so that the right applications are making the right API calls and you're not accepting calls from somebody you shouldn't be connecting to.

So I forgot, I wanted to ask one other question: how many people in the room are on the networking, load balancing side of the house? Okay, and how many of you work in application development? Okay, so I'm going to turn it over to Prashant.

Thank you. So when you think about going to hybrid multi-cloud, we talked about how some of the applications are on-prem, some are really moving towards the cloud, and others are still apps that are internally deployed, either on-prem, in a hosted data center, or even on public cloud infrastructure-as-a-service and platform-as-a-service components. And as that proliferation of deployment models happens, and of course, like Robin mentioned, the app architectures themselves are changing from traditional to microservices, the complexity of how to manage security and risk across these deployment models significantly rises. And then you heard about that at the networking level. But really, if you look at the latest hacks or data breaches that are happening, they are almost always at the application layer. So the biggest one, which was I think the Equifax hack, happened because somebody did not patch their server in the back end with an Apache Struts vulnerability. It's pretty common, right? Either you are missing some of the components, they're not patched to the latest and greatest, they have a vulnerability that is exposed, or bad actors,
state or non-state actors, are trying to get through with, you know, what are called credential stuffing or password spraying attacks from bots. They might be trying to get access to data using things like SQL injection and others on your web application, or denial of service attacks on your application itself. So there are multiple types of attacks that happen, either using bots or trying to do unauthorized access, and lastly, as more and more of these apps are moving towards an API-centric world, your API by definition is in some ways machine-to-machine communication, and in that environment, how do you make sure that those APIs are secure? And each of these scenarios applies whether the app is facing your customers, outside, public-facing, or the app is deployed in the Workspace environment. Like we saw in the Workspace demo yesterday, with a lot of different web apps, SaaS apps and internal web apps all available in the Workspace. And so as long as you have even an internal app that is published in the Workspace, you want to make sure that in this era of malware or ransomware, your internal-facing apps, employee-facing apps, are also secured.

So when you think about those challenges, let's walk through how ADC and all of its security functions can help. And so this is just, you know, a series of things that we have listed: all the different tool sets, all the different features that are available today to help you protect your public-facing or internal web apps and APIs. So starting at layer 3 and layer 4, you want to make sure that you have DDoS protection. There are multiple layers of DDoS protection, but on ADC we have a robust set of DDoS protection features, more than 35 of them overall, including flood attacks, reflection attacks, and different things, right. Certified layer 3/layer 4 firewall: we have had ACLs for a while, and these are now certified to be used as a firewall internally, but not as the perimeter firewall. Typically, if you want to segment a network for a specific application or specific compliance requirement, an L3/L4 firewall for network segmentation is good enough, and you can use the L3/L4 firewall on Citrix ADC for that. Then, from an authentication and authorization standpoint, we have a gamut of integrations and a gamut of different features there, and we'll dig deeper into the four things of it in the next set of four slides.

One thing I wanted to mention is on your SSL/TLS layer; there is going to be a session later today at 4 on SSL and TLS. We are known for best price-performance in the market, but not just that, we have a set of robust features. We also support TLS 1.3; we were the first ADC in the market to support the latest TLS protocol, as a beta as well as GA. So, you know, we are always at the forefront on the TLS side. And by the way, we have optimized and refined our own SSL stack; it's not the same OpenSSL stack. So over the last few years you have seen a lot of vulnerabilities: TLS 1.0 is not good enough, now move to TLS 1.1, 1.2. In each of those scenarios, because we had refined our own stack, we fared much better. We didn't have the exact same issues; we had some, but certainly it was much better than what other vendors had to go through.

As part of Citrix ADC Premium, we also have, and we've had it for a while now, a web application firewall; more than three thousand customers worldwide are actively using the Citrix WAF to protect against application-layer attacks or to meet compliance requirements like PCI. I mean, if you have PCI, you absolutely need to deploy a WAF, and if you have Citrix ADC, especially a Premium license, you already own it; you already have the capability to do it and more. What I'm finding is that even for internal apps, security operations teams are requiring that you deploy a web application firewall, and you have a full-featured, fully functional web application firewall. We release signatures for it every one to two weeks for all the new vulnerabilities that we find. It has all the classic OWASP Top 10 vulnerability protections. But again, this is easy to use, easy to start off; we have learning as well, application behavior learning, and based on that we can do a lot of the checks and relaxations. So overall it's a fully functional, fully featured web application firewall.

Not just that: as part of Citrix ADC Premium, what we just announced yesterday is that pretty soon we'll have what we call bot management. How many of you understand what the problem with bots is? Anybody? Okay, so if you think about internet traffic, more than 35% of traffic today on the Internet is automation, bots. If you put up a website (and we did this small experiment ourselves on our own website: we put it up, we put an application firewall in front of it), we counted more than 10 attempts to scrape the website or get into the website by bots that were based out of Alaska, the University of Michigan, China, a lot of different places. So it's not just one place; it could be anywhere, but these are infected machines, IoT devices, that the bot owners are using to go and just scrape websites or scan websites and do different things. They're trying to find the door that they can get through. Within the next few days, your laptop has been scanned and people have been poking around already. So this is a pretty common problem. The other thing that people do is they buy username/password lists on the dark web, take the whole list, and try it against well-known websites, because most people reuse their username and password. So this is a pretty common problem as well.

And then there are the business issues with bots: they'll try to scrape your website or your public-facing property, they'll try to scrape your content, scrape prices, they'll probably want to hold inventory. So there's a very interesting case where one of the airlines in Asia was having a hard time selling tickets and didn't know what was going on; their prices were great, everything was perfect. What they found out was that automated scripts were holding on to the inventory, so their inventory would never actually hit the market. The automated script would keep on holding it: when you go to book a ticket, it's held for you for 10 minutes and then you have to buy it, and that exact same thing was happening with the airline. So these kinds of things happen as well in terms of what bots can do. This is a big, big issue out there today, and it's growing fast.

So what we announced yesterday is that, as part of Citrix ADC, we will have support for bot protection and bot management, coming soon. And so it'll help you defend against the bots and identify, based on the behavior of the device and the browser, whether this is a real user, a human user, or this is automation, and then based on your specification we can say is it a good automation or is this bad? It could be like the Google web crawler; you want to be indexed for search, right? So good bots and bad bots, we'll be able to support both. Any questions so far?

I mean, you need to think about this. They're not just malicious necessarily, but they could be competitors. They're out looking to see what your lowest prices are so they can go lower than you. So it is not just to stop your business; it could be to affect your business in other ways. So bots are the up-and-coming thing, right.

And then the side effect of bots is, you know, we talked about how 35% plus of traffic coming to a website is typically bot automation, which means you have infrastructure in the back end to support these; you've invested in compute, storage, database, all the other things, to support traffic that is not really helpful to you in running the business. So when you put bot protection in front, as a security function on the load balancer itself, now you're also helping optimize the infrastructure in the back end. So there is also a cost benefit. It's not just about security; there's also a cost benefit, and then there's the business benefit when you have data privacy, when you don't have, you know, other competitors scraping things or doing denial of service attacks on your inventory. That is plaguing almost every public-facing website, and not just that: if you have an internal web app in your Workspace, then somebody could come in with a bot, and that can be attacked in the exact same manner as well. So the scale of your protection may differ when you have a public-facing, consumer-facing property versus when you have an employee-facing property, but I think the risks remain almost the same. So you need to put all your security checks and balances in, whether it's an internal, employee-facing web app or a customer-facing one.

The other thing I'm going to talk about is APIs. So ADC can be used to protect your APIs as well. We have all the classic functions. A typical API protection solution needs protection from DDoS, protection from bots, which we talked about, but also things like enforcing authentication, making sure that only the right partners or the right consumers are calling, rate limiting to make sure that you are meeting your SLA, the ability to define and get insight into how an API is performing, right, because you need to meet certain SLAs. All of these things can be done using Citrix ADC. You can do authentication; you can even route those APIs to the right service endpoint. So, for example, let's say you have two or three different tiers of service for your partners, and you want to route them appropriately to the right service level; you can use Citrix ADC, with protection and content routing policies, to do that. Or if you want to deploy a new API version alongside the old one, you can do the exact same thing with Citrix ADC as well. So there's a lot of robust capability that you can leverage for your website as well as your APIs.

And with 13.0, which was just released, as part of Citrix ADC Premium we also have what we call forward proxy included as part of the ADC license. What this means is you can now use Citrix ADC as an outgoing SSL interception point, so when you have APIs calling out, or users going out, you can enforce whitelists, blacklists, URL filtering, all of those kinds of things, and make sure that your users or your APIs are not calling command-and-control servers and not going to forbidden sites, right? You can enforce that, and that's part of the Citrix ADC Premium license as well, with an added URL filtering database license subscription for that functionality on ADC Premium, making it really a solution that you can use as a multi-function, many-tools-in-one device to help you against a lot of different attack vectors.

And I know everyone's probably thinking this in the back of their head, because I know I am: if I'm turning on these additional security capabilities, what is it doing to my ADC traffic-wise, speed-wise? Is it going to slow everything down if I turn every single one of these on?

Technical question. So the short answer is that there is a performance impact when you turn on more functions, right. We have a detailed sizing guide both for our forward proxy as well as for the application firewall, so you can rest assured that when you are trying to enable the feature, you will get to understand what that might impact in terms of performance, or whether you need a license, or a separate deployment, whatever that might be, and our sales teams can work with your folks on getting that done.
My other question is, we've got so many form factors. We've got physical boxes, we've got virtual, we've got bare metal, now we've got containers. Are these capabilities across all of the platforms, or are we limiting them to certain ones?

So far, all of the form factors, including MPX, SDX, VPX, CPX, which is the container form factor, and, as we just introduced and announced, if you saw the card, the bare-metal BLX form factor, which means it runs as a Linux process on any of your Linux servers (it can be a UCS chassis or whatever): we ensure each of these form factors has the exact same functionality. So you don't have to worry about whether you're deploying it in Azure or AWS or your private data center. No matter what you're doing and wherever you are deploying it, you have the same functionality, centrally managed, with central analytics in ADM. Rackspace is now transitioning over to ADC, so if you're hosting your data center at all on Rackspace, this capability will be coming to you soon.
So in terms of services, this has been available on Citrix ADC for a while now. If you're interested in learning more about this capability, reach out to us. We have a white paper that we can share with you on how to use Citrix ADC as an API protection device as well.

Yesterday, again announced as coming soon, is the ability to do API protection as well as security functions in a Kubernetes microservices environment. Do you have teams that are in some ways working on microservices app development? A couple, maybe. If you have teams that are working towards developing apps in a microservices environment, almost all of them, by default, are going to turn to Kubernetes. So if you look at a Kubernetes environment, you can use Citrix ADC as a gateway or ingress controller (we call it an ingress device) in a Kubernetes environment that will help you route and do all the things that you need to do before traffic enters the Kubernetes cluster. So it gives you the routing, it gives you the security, it helps you enforce things like TLS ciphers, right, it helps you route to the right services; all of those things are available today as part of the ingress. It could be either the container form factor or it could be your existing NetScaler, Citrix ADC MPX appliances; we have the capabilities that work with both.

And then what is coming soon is the ability to do API protection in Kubernetes. So when you have services and APIs exposed out of your Kubernetes cluster, out of your microservices, to the rest of the data center or the world, you can enforce a lot of the API protection mechanisms that we just talked about. So you can enforce authentication; you can make it seamless for developers to use those templates. One of the key things about it is that security or auth shouldn't get in the way, and with the template-driven solution that we have developed, it does not have to get in the way. All they have to do is define a template and they're done with it, right, for each of the APIs that they want to expose. So that's something that we announced yesterday. It will be available soon. Any questions?

And last but not least, we also have, introduced over the last year, functions in NetScaler, Citrix ADC, which allow you to do SSL offloading, and there are two forms of this. This is important: a lot of our customers in the reverse proxy, the classic load balancer concept, stopped using IPS in front of their web apps because everything was encrypted, and it takes a lot of money and a lot of scale to run IPS on each of the things that are coming in encrypted, decrypting again and again. Same thing with antivirus, same thing with DLP. So the capability we have now in NetScaler ADC Premium is that you can decrypt SSL traffic, send it to either an IPS or a next-gen firewall or an AV or DLP, whichever one you choose, and it can be multiple of those, so that we can do service chaining of all the different security functions, and then send it back and re-encrypt it. The benefit of all this is that you now can actually get the visibility that you had lost because traffic was encrypted, but more importantly, you can do it cost-effectively. You don't have to scale your other security functions and buy bigger boxes and buy more expensive IPS; you can use the IPS you had before you bought for the encrypted traffic problem. So this works both in the reverse proxy, you know, users going to your app, and this also works if you deploy Citrix ADC as a forward proxy, where the users going out can also go through this and we can decrypt traffic to the IPS and other security devices.

This is really what's called something like an SSL visibility appliance. So you can use Citrix ADC also as an SSL visibility appliance. This is something that has come over the last year, and the latest release, 13.0, this month, also improved things like the ability to copy traffic. We call it port mirroring, so you can take the traffic, mirror it to your IDS; you can mirror that HTTP traffic to your Gigamon or some recording device that you might need for compliance. And that way you don't have to again buy bigger boxes; you can just go with your existing investment. So that's something that's available again as part of Citrix ADC Premium.

So all the security functions we talked about so far come when you get to ADC Premium. If you don't have it, if you have an SDX or you're on another version, buy a Premium license, and pooled capacity is a great way to buy a subscription. Then make sure that you have the flexibility of all the security functions, starting from web application firewall, API protection, what I would call content inspection with TLS termination at scale, as well as, you know, what we talked about. All of these functions are part of the Premium license, and then you have it available as a consolidation play on Citrix ADC, whether it's in your data center or in the cloud. All of these functions work the same way in Azure and AWS, so a lot of customers who are making the journey from on-prem to public cloud are using it as a way to have a consistent deployment model and visibility across these clouds.

So in order to support that, we have something called Citrix ADM, Application Delivery Manager. This is a centralized controller, a single pane of glass, that allows you to manage all your different instances, all of the different deployments on-prem or in the cloud, consistently: management, configuration deployment using StyleBooks (that's what we call them), but not just that, it's also a lot of analytics and insights. So just to give you two examples: ADM gives you insight on performance and security both. It can give you insights on web transactions; it can give you insights, of course, as you already know, on Workspace deployments as well, with HDX Insight. On the security side more specifically, one is the SSL dashboard. This dashboard is a great tool to help with auditing and meeting compliance. With this dashboard, you know exactly what ciphers, what key exchange and encryption technologies, what key lengths are being used in your network, what certificates are coming up for expiration, what certificates you need to focus on; all of these things are made easy with the simple-to-use dashboard, and it's the one place to go when you have auditing requirements. You can just show this and say, look at this, this is what we have, right, or this is how we are meeting compliance and encryption standards.

And then from a web application firewall standpoint, we have an application security dashboard that gives you a whole overview of what kind of attacks are coming in, how big the attack is, how many of those attacks are being blocked, which apps are under attack the most, where the clients are coming from and where the attacks are coming from: a very quick view of all the things that are happening with your apps, and who is being attacked or who is attacking, which apps are being attacked. Then of course you can drill down and get detailed logging on each and every incident using ADM and say, okay, this is SQL injection, I'm getting it from this particular client, let me look into it more. All of this is available in ADM. So any questions on, you know, the solutions, the problems? No questions.
Clear as mud. Okay, in summary, Citrix ADC is really kind of a tool chest for you. We have tons and tons of security features that you can use to secure your applications, whether they are deployed in public, customer-facing or employee-facing environments, and it really is a tool chest starting from layer 3/layer 4 with DDoS and the L3/L4 firewall, to the web application firewall, SSL encryption standards, and then the two new things that we just announced yesterday: bot management, which is becoming more and more of a problem, and how you secure your APIs from a data protection and security standpoint.

If I'm just starting to look at this, I see all of these different security components that we now have in the ADC, and I want to start going down this path. I'm not going to turn them all on at once, right? Do we have a recommendation for what's most important, what would you look at next, how would you go? Not every app is going to necessarily need the same protections, right?

So I think L3/L4 firewalling and DDoS protection, SSL encryption, as well as authentication. The next step from there is to turn on the web application firewall, especially for basic things like SQL injection: you enable signature checks, because we now have signatures coming every week, every two weeks, and that's the most basic thing you can do as security hygiene for your application, and even for APIs, because trust me, SQL injection is the most common form of attack coming in; the second most common form is cross-site scripting, right, and these are the things that you can very easily protect against. The third one is buffer overflow, which means in your forms people try to send you a lot more data than you think you need and cause a buffer overflow, because your back-end application could crash and expose data that it was not supposed to. So that's the most basic you have to enable, and then as bot management comes into the picture, you enable bot management as a basic feature as part of it as well. Now, one qualification is you don't need to turn on the web application firewall to use bot management or vice versa, so you can decide to say, I'm going to first take a look at my bot management problem and see what's going on on my website, and then turn on the web application firewall. So you can do it either way, but most customers today, they buy one and then graduate into more advanced use cases.

Turn on the application firewall, and then through ADM watch the traffic that's coming through it to know where the security issues are, before maybe going back and setting policy?

Absolutely.
You can set policies where you say, I'm just going to watch and log and not really take action, or you can take action, like block or drop or whatever other things. Later on, for bot protection, since we're going to be filtering out what the major danger items coming through are, or the traffic that's coming from a certain place, I can actually set it more intelligently.

That's right. So that's all. Thank you. We still do have a couple of sessions: please, if you haven't seen SYN121 on what's going on in networking at Citrix, I highly suggest it. We also have SYN237, which goes into ADM in more detail, about how you can manage all those different deployments as well as the security side, and SYN122, where they're actually going to go into how to troubleshoot common problems with your networking and your applications. And please, there's one more. Can you go one more? We would love to get your feedback. Hopefully you learned a lot. Prashant is a wealth of information about security. So please give us your feedback; we would love to hear it so that we can fine-tune our next presentations next year. So, thank you guys so much for your attention, and if you have any questions we're going to be here for a few more minutes. So, thank you. Thank you.