The recent NSS Labs Web Application Firewall (WAF) provides sample NetScaler Application Firewall as a leader in the recommended list. As an architect and director of products responsible for NetScaler AppFirewall, here are the underlying principles, the Citrix Application Firewall awesome. (Treated HTTP)
All HTTP traffic as First Class
for layer 7 processing, the traffic between protocol layers in NetScaler defaults optimized for the fast path and uniformly in the software. Due to this construction, we are able to extract the most out of the x86 processor and maintain a consistently high performance. Every once we see in a while alternative approaches where the first few bytes are tested before they try to short-circuit data forwarding hardware, but we have consistently wrong seen leading results. Concocted marketing performance tests look good, but does not match the reality. For us it's about making the kind of how we do it the best way possible.
power of small batches
When working with HTTP handling, the traditional approach of breaking levels in a number of different steps upwards, working in different processes or steps inefficient. Among other things, comes from a reason for this inefficiency to reconsider the analysis of the requests repeatedly that adds for no good reason, a ton of overhead. What we we have the NetScaler architected instead do is take a piece of requests and they run through the whole chain of actions (parsing, inspection, etc.) in a single pass over the payload. This is part of the reason why we, as other solutions significantly higher speeds on an x86.
A side effect of this way of data processing approach is data locality . Because we believe that the requirements in the CPU cache, the code that needs to access it never waiting for a cache miss. The result is a super-fast series of actions. We are pretty picky about this approach and when adding new features, we make sure that we keep to handle each transaction in this way. The consistent application of this method results in great performance.
More speed and scaling
By the end of this year we will publish more obvious performance / scalability improvements. In terms of performance we are optimizing our Single Pass request stream processing mechanisms to improve performance! .! In addition, we these optimizations are to take and use them on the NetScaler clusters that crazy big numbers for real testing means
Safety First
Safety speed trumped - always. Our approach to security has always been a safe attitude of the box to offer while it easy to make fine-tuning in a way that minimizes the error. This narrow focus on accuracy is best reflected in the NSS Labs report where NetScaler blocks 100% of the attacks during the test.
So you have it ... the secret ingredient that the NetScaler AppFirewall makes awesome!
0 Komentar