Tech Brief: SD-WAN Edge Security

Introduction

With the continued growth of cloud and SaaS, Enterprises are searching for solutions to provide optimal Internet access irrespective of where the endpoint is located. Citrix SD-WAN excels at steering intranet traffic across the WAN or Internet traffic, at the Edge. It applies business rules to identify applications using a database of 4,500+ predefined entries.

However, to provide direct Internet access Enterprises also need to secure remote offices to protect the intranet. Direct Internet access exposes remote networks, and next the entire corporate network, to threats. Ingress and egress traffic must be filtered, inspected, and scanned to protect against vulnerabilities.

Citrix SD-WAN has a nativeonboard ICSA certified firewall. It integrates with leading third partySecure Web Gateway (SWG)vendors via cloud proxy. Citrix SD-WAN also hosts onboard SWGs as aVirtual Network Function (VNF). Security partners include:

• iboss
• Check Point
• Palo Alto
• Forcepoint
• Zscaler

Now Citrix has added native onboard Next Generation Firewall – Edge Security functionality to the arsenal of SD-WAN protection options. The release of Citrix SD-WAN version 11.2 Advanced Edition combines full stack security functionality, with its application performance enhancement capabilities, including:

• Intrusion Prevention
• Web Filtering
• Malware Protection

As a result, Enterprises are now able to enhance application performance securely from the edge of their network entirely with Citrix. They also can confidently consolidate their Branch Office networks with a Citrix SD-WAN appliance that can provide steering to Internet services while inspecting traffic, and protecting it. Enterprises also can manage and monitor Edge Security through a single plane of glass with Citrix Cloud hosted Orchestrator service.

让明星ted

With only a handful of requirements, Citrix SD-WAN customers can quickly get up and running with Advanced Edition - Edge Security:

• Citrix Orchestrator
• 11.2+ software
• 1100 AE appliance
• Advanced Edition (AE) license
• Firewall Security Profile
• Firewall Policy Action

Network Configuration – Software Version 11.2.0.88 & 1100 appliance

Basic Settings – Device Edition AE

Firewall Security Profile

Firewall Profile Action

Intrusion Prevention

入侵预防系统(IPS)减轻国际扶轮sk of threats to networks by identifying, logging and or blocking known attacks. The patterns of attacks are regularly updated and added to a common database. Citrix SD-WAN Edge Protection – Intrusion Prevention includes over 34,000 signature detections and heuristic signatures for port scans.

Citrix SD-WAN Edge Security Intrusion Prevention functionality is powered by theSuricataopen source network threat detection engine. Suricata is owned and supported by the Open Information Security Foundation (OISF). It inspects the network traffic after passing through the firewall using extensive rules and a powerful signature language.

Rules look for attacks such as

• Port scans where bots or bad actors test for open ports susceptible to penetration.
• Any traffic from known “bad” public IP addresses.
• Denial of Service attacks where attackers seek to overrun network bandwidth and receive buffers by sending certain protocol sequences excessively or a high volume of flows.

Citrix SD-WAN Intrusion Prevention includes predefined rules grouped into one of four priority categories based on severity:

• Critical
• High
• Medium
• Low

Rules, which are customizable, include fields to specify patterns to identify in a logical statement. Once matched the following actions can be taken:

• Recommended - Perform the recommended action defined for the signatures.
• Enable Log - Allow and log traffic that matches any of the signatures in the rule.
• 允许列表——签名的来源和定n networks are modified to exclude networks defined by the allow list variable.
• Disable - The signatures are disabled. Allow the traffic to continue to the destination without logging.
• Enable Block - Drop the traffic that matches any of the signatures in the rule.
• Enable Block if Recommended is Enabled - If the rule action is Recommended, and the signature’s recommended action is Enable Log, drop the traffic matching any of the signatures in the rule.

You can maintain visibility by reporting on Intrustion Prevention events.

For more information seeCitrix SD-WAN Edge Security – Intrusion Prevention

Web Filtering

Web Filtering mitigates the risk of unsuspecting users clicking links on sites behind known “unsafe” domains and infecting their endpoints with malware, viruses, ransomware, or other threats. It also helps protect users from accessing sites that would violate compliance rules or the Enterprise Acceptable Use Policy.

Citrix SD-WAN utilizesWebroot’s BrightCloudmachine learning-based Web Classification and Web Reputation engine to filter domain names. It includes over 32 billion URLs and 750 million domains. When users visit a site, the URL is sent for classification. A temporary local cache is maintained to expedite the lookup the next time the URL is requested.

Web filtering is enabled, and preferences are configured within a Security Profile.

Existing categories can be selected to “block” access to the website or “flag” (log) access. Alternatively, specific sites may be “bypassed” by domain name or IP address.

You can maintain visibility by reporting on Web Filtering events.

For more information seeCitrix SD-WAN Edge Security – Web Filtering

Anti-Malware

Anti-Malware protects users against ransomware and viruses. It guards against files delivered by HTTP download or opened from SMTP delivered email. Powered byBitdefender, it assembles and scans files destine for users through email or HTTP downloads. Anti-Malware can then block the file delivery, log its presence, and or send a notification regarding the risk identified.

Citrix SD-WAN Anti-Malware takes a four-step process to evaluate files. It can scan 41 file-type extensions and 10 MIME types for email content. If the file fails any of the tests below it is considered malware and the download is blocked:

1. Query a threat intelligence database for information about the file metadata based on its fingerprint.
2. A local scan using Bitdefender’s signature database is run on the server while the cloud lookup is being performed.
3. Perform a heuristic scan to look for suspicious patterns in executable files.
4. Lastly, evaluate code in an emulator and look for malicious activity.

Anti-Malware can be enabled or disabled for specific file types by selecting their extension.

Also, you can choose to exclude certain MIME types from scanning.

You can maintain visibility by reporting on Anti-Malware events.

For more information seeCitrix SD-WAN Edge Security – Anti-Malware

Differentiation

与边缘安全,有11所示。2 Advanced Edition, Citrix is now one of the few SD-WAN vendors that provides Intrusion Detection, Web Filtering, and Anti-Malware natively in On-premises appliances. With Edge Security Citrix SD-WAN offers significant value to Enterprises including:

• Maximize User Experience & Minimize Network Bandwidth– Enterprises no longer must backhaul internet traffic over their Wan to meet compliance requirements and guard against the perils of the Internet. Now they can steer flows to the nearest business SaaS sites while protecting endpoints.
• Secure the Enterprise Perimeter– while direct Internet access enables better application performance it exposes branches and subsequently the corporate network to risk. Edge Security mitigates that risk by guarding against vulnerabilities at the point of remote office Internet access.
• Branch Office consolidation– Enterprises can simplify the equipment they must manage and host in remote office utility closets. All of the following equipment functionality can be replaced with a Citrix SD-WAN 1100 AE appliance:
  • Stand alone routers
  • SWG appliances and firewalls
  • DHCP and DNS servers
  • WAN Optimization appliances
• Single Point of Contact– customers can contact Citrix regarding Network forwarding or Network security. Having a single point of contact avoids finger pointing if complex issues arise. Enterprises can partner with Citrix Services to support operations.
• Simplified Monitoring & Management- with Citrix Cloud hosted Orchestrator service Enterprise admins have an easy to use dashboard to onboard, configure, and monitor their Citrix SD-WAN Edge Security implementations.

Summary

Enterprises can provide a great Internet service user experience while securing their intranet at Edge egress points withCitrix SD-WAN Edge Security. With the11.2 Advanced EditionCitrix providesIntrusion Prevention, Web Filtering, and Anti-Malwareon theSD-WAN 1100 AE appliance. User endpoints are protected in Branch Offices, while Administrators manage and monitor their network centrally through the Citrix Cloud hosted Orchestrator service.