We are deploying two Netscalers that are going to be sitting in our DMZ. The firewall also has an IPS module in it that inspects all the inbound/outbound traffic. The team deploying the Netscalers wants to connect one interface to the DMZ and the other interface to the inside network. Personally, I don't believe this deployment is safe since:
1. The traffic is not completely seen by the firewall, since once it hits the device it will go to the internal network (I understand that the device has ACL, routing, etc. capabilities).
2. Traffic won't be seen by the IPS.
3. Netscaler will be in charge of the internal network security once the firewall hands off the traffic to the device.
I don't have a lot of expertise on firewalls and their deployment best practices, so I need some help from the experts.
All your concerns are valid. Traffic from the internet to the NetScaler in the DMZ will still be inspected. We installed Netscalers in the DMZ for Citrix a couple of years back and nothing directly connects to Inside. If I remember correctly, you can deploy them in one-arm or two-arm deployment scenarios. If you go with one-arm, they do not need to connect the 2nd interface. Talk to the deployment team and discuss your security concerns with them.
I have seen it done both ways. I have also seen the Netscaler completely in parallel with the firewall - acting in essence as the only security layer for the VIPs it was serving up.
In either the "one-armed" or "two-armed" setup the inbound traffic (and the replies to the remote clients) still comes through the ASA and IPS module (assuming you have the inspection policy set up to do so). Two-armed (Netscaler with both DMZ and Inside network interfaces) keeps the ASA from having to handle the incoming traffic twice and also keeps you from having to create DMZ-to-Inside access-lists for the Netscaler VIPs to distribute traffic to the backend real servers (presumably on the inside network).
Citrix Netscaler is a pretty well-designed box security-wise and even has the option (with Platinum license I believe) of application layer firewall that is more capable than the ASA in that particular sense.
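To make the trade-off in the previous answer concrete for the original poster's checklist, here is a small added example (mine, not from the thread or from Citrix/Cisco) that models the two placements as hop graphs and reports, per flow, whether the path crosses the ASA/IPS. The node names (`internet`, `asa`, `dmz_ns`, `inside_backend`), the two flows, and the assumption that the IPS module sees everything that crosses the ASA are constructed for illustration; substitute your own topology.

```python
"""Which flows does the firewall/IPS actually see in a one-arm vs two-arm
NetScaler placement?  Constructed example; node names and links are
assumptions, not the poster's real network."""
from collections import deque

# Node "asa" stands for the firewall together with its IPS module, so a flow
# is inspected exactly when its path crosses "asa".
ONE_ARM = {
    "internet": ["asa"],
    "asa": ["internet", "dmz_ns", "inside_backend"],
    "dmz_ns": ["asa"],                      # single NetScaler interface, in the DMZ
    "inside_backend": ["asa"],
}

TWO_ARM = {
    "internet": ["asa"],
    "asa": ["internet", "dmz_ns", "inside_backend"],
    "dmz_ns": ["asa", "inside_backend"],    # second NetScaler interface on the inside LAN
    "inside_backend": ["asa", "dmz_ns"],
}

# The two flows the thread is concerned with: client -> VIP, and VIP -> real server.
FLOWS = {
    "client_to_vip": ("internet", "dmz_ns"),
    "vip_to_backend": ("dmz_ns", "inside_backend"),
}

INSPECTION_POINT = "asa"


def shortest_path(topology, src, dst):
    """Breadth-first search; returns the hop list from src to dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def audit(topology):
    """For every flow: the path it takes and whether the ASA/IPS sits on it."""
    report = {}
    for name, (src, dst) in FLOWS.items():
        path = shortest_path(topology, src, dst)
        report[name] = {
            "path": path,
            "inspected": path is not None and INSPECTION_POINT in path,
        }
    return report


def uninspected_flows(topology):
    """Names of flows that bypass the firewall/IPS in this placement."""
    return sorted(name for name, r in audit(topology).items() if not r["inspected"])


if __name__ == "__main__":
    for label, topo in (("one-arm", ONE_ARM), ("two-arm", TWO_ARM)):
        print(f"{label}:")
        for name, r in audit(topo).items():
            hops = " -> ".join(r["path"])
            print(f"  {name:15s} {hops:40s} inspected={r['inspected']}")
        print("  bypasses IPS:", uninspected_flows(topo) or "none")
```

Running it shows the point both answers make: client-to-VIP traffic crosses the ASA in either placement, while the VIP-to-backend leg crosses the ASA (and so needs a DMZ-to-Inside access-list) only in the one-arm design; in the two-arm design that leg rides the NetScaler's inside interface and the NetScaler's own ACLs become the only control on it. Extending `FLOWS` with management or reply paths is a quick way to check the rest of the checklist.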
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...