By John M. Smith
Okay, so the Netscaler appliance has been virtualized, so now what?
On May 18th of this year Citrix allowed anyone who wanted to get familiar with their Virtual Netscaler/AGEE to download a beta version of its Netscaler VPX appliance. This appliance runs on the XenServer 5.0 hypervisor and is a fully functional Netscaler product that includes AGEE, Application Firewall, Caching and basically everything that comes with a Platinum Netscaler.
So, aside from a lab environment, what can we do with this new Virtualized Netscaler/AGEE? Well, my Platinum 7000 has one CPU and 1GB of memory in it. I installed the VPX appliance on my Dell 1950 G9. It has 16GB of memory and two dual-core CPU’s (4 Processors). I am sure that the overhead of the hypervisor will be optimized and we will be able to make up for that by pushing an additional proc or more memory to the VPX. So, out of the box, the VPX has very similar resources (1024 RAM, 1CPU) as my existing 7000. This leaves me with at least 14GB of RAM with the hypervisor running in the background. This is where I believe the virtual Netscaler can be leveraged to provide exceptional security and presents an optional “Datacenter-in-a-box” solution.
Securing your incumbent web server:
One of my first jobs out of college was as the local health inspector, while inspecting several stores in a really bad neighborhood, I came across a particular convenient store that had been robbed so many times that you would have to walk up to the window, tell the owner what you wanted and they would go and get it and you would conduct the transaction at the point of entry and were never allowed inside. The public internet is the digital equivalent to the most run-down, crime-ridden neighborhoods the US. The Netscaler, with its security features, offers a similar functionality without the considerable delay that my store owner has. While things have quieted down in the last few years, for awhile there it seemed as though IIS had become the internet’s whipping boy. Additionally, other web servers such as Apache, iPlanet and the like have also noted security flaws that have left them vulnerable. I recall back in 2003 when working as a Security Analyst, during a debate with the team about web security saying “Well, if we want true security, I think the solution is to unplug all of the RJ-45 ports on each of the servers”. All joking aside, despite the use of firewalls, ACL’s and hardened builds you are still at the mercy of the existing exposed port and the code behind it. The Netscaler’s application firewall is a perfect solution for securing insecure code. The VPX takes it a step further; I can install my web server into the Xenserver hypervisor and run it on an internal (non-wired) network. In a way, I can achieve the level of security that was brought up in jest six years ago. What I have done in my lab with the VPX is bind an internal network on the Hypervisor and provide a multi-homed VPX that can present the internal web server’s content. In this manor, my OS is never even exposed to the network. In a way, it functions similar to my shop keeper who refused to let anyone enter the store.
Why is this a good thing?
Well, first off, your Operating system is never on the public internet and I am not dependant on another device (firewall, IOS based ACL) to keep other hosts from sending packets to my server. Over the years, Windows admins have become very adept at securing their IIS boxes with a series of registry-hacks, disabled services and least-privileged security solutions. While this is great most of the time, on more than one occasion, it has served as a “get-out-of-jail-free” card for a vendor who says…”well, I’m sorry but for this app to work, the IUSR_ account needs full control to the system32 directory AND HKLM” (Yes, I was ACTUALLY told that once with a piece of FINANCIAL software no doubt!). If your organization does not have a scripted build solution such as Altiris then these custom builds become time intensive. While I am not saying hypervising your Web Server and placing it behind the VPX will eliminate the need for Windows security, I do like the idea of my OS never being exposed other than from behind an Netscaler and the arsenal that comes with it.
Datacenter in a box:
Well, I gave a GIG to my Netscaler, and four gigs to my web server…I have 10 gigs left…what to do…what to do? So, while my web server is in a nice safe cocoon, that is all fine and dandy if you just have web content on it. However; that isn’t how it works today, today your web server references back-end services such as databases, XML/SOA based web services, etc.
In my current environment, I have a pix firewall in front, my web farm, another pix and then my back end resources. I think this is a pretty typical setup for most environments and most enterprises. For SMBs, and less regulated shops, it may be feasible to hypervise the entire environment and locate the back-end services that your web server needs on the same internal (non-wired) network within the Xenserver. This allows back end transactions to occur on the buss rather than on a network that may have varying levels of performance. Today’s x64 architecture is extremely fast and can easily outperform the throughput of a switched network. So rather than traversing a firewall, moving through a few layer 3 hops and a few layer 2 devices to get to your data, the back end data is located on the same buss as the web server. This puts all communications on the same piece of hardware. Like I said, some larger enterprise security groups will likely not allow this as this puts everything on one piece of hardware and while you can segment at layer 3 by using the virtual switch that comes with Xenserver, that does not provide the physical segmentation that will sufficiently ease concerns of internal security groups, even if you add another internal network, hypervise a firewall and pace it in between the web server and the back end database servers. Most security teams are, rightfully, paid to see the glass as half-empty. That said, on today’s Intel based servers, the amount of RAM you can put in them as well as disk space makes it hard to ignore the potential to put the entire nth-tier application into one piece of hardware where the bus I/O is the only bottleneck you have to worry about. Securing this model and getting regulatory buy-off will be the major challenge.
Working outside of the hardware?
So, let’s say you work in a heavily regulated environment where the datacenter-in-a-box solution is not an option. You can still hypervise your Netscaler and use it as a security wrapper and still allow the web server to consume SOAP based web services. The same way that I create a VIP on my external network and present it to internet based IP’s, I can create a VIP internally and present it to my hypervised web server that allows it to connect to and consume web services on my corporate network. If my web server on my closed system needs to consume XML services located on another host on the corporate intranet, I can create a VIP on the same VPX and present it to my internal network for consumption by internal virtual machines. Example: I have a VPX that is presenting an external VIP to end users on IP Address 220.127.116.11 that is portal to a web server on an internal (non-wired) XenServer network located at 10.10.10.43. This same web server consumes XML/SOA-based services on a host located on the corporate network at 192.168.11.37. In this scenario, I would create an internally facing VIP on 10.10.10.33 that presents these web services to my internal host using the VPX as the broker. Internet request for my web server are handled by the VPX and routed to 10.10.10.43 and internal SOA communications are handled by the VPX and routed from the internal network to 192.168.11.37. The Netscaler offers the ability to terminate any TCP based port on a VIP so I can present both web services and SQL listeners via an internal VIP to the protected web server. Thus my web server can make all of the necessary external calls while remaining inside the protective bubble provided by XenServer and the VPX.
In addition to the added security that you get with the Netscaler you also get the ability to do Web 2.0 pushes, content redirection, external authentication and URL rewriting. Also, as most systems are still running 32bit operating systems, 16gb server can be hypervised to provide two or three instances of a web server front-ended by the Netscaler. Keep in mind that I can double the resources presently on my Platinum 7000 in my VPX and still have enough resources for a pair of web servers. Also, the ability to readily allocate resources (RAM, Disk, etc) can let you be much more aggressive with CPU intensive app firewall rules. While I keep running home to security, the performance benefits of a Netscaler are as important making the VPX an exceptional solution for DMZ based web solutions as well as those applications that require a stock build. The ability to allow for external authentication would allow CRM companies like Envala and Sales Logic to authenticate end users against their customer’s LDAP/Authentication URL’s prior to delivering their custom content without having to procure Netscaler hardware.
How do I manage my VM’s?
What I did for my GSLB lab was set up one VPX to function as an Access Gateway and two additional VPX’s to serve as GSLB lab machines. The VPX AGEE is multi-homed providing VPN access to the internal non-wired network allowing me to patch, RDP and administer internal hosts in the same way you would connect to your corporate network from home. While I uesed three VPX machines for this CBT, A single VPX can provide load balancing as well as a VPN connection to administrators to manage internal (non-wired) systems. We have a system in our DMZ that cannot get to a DNS Server and sending it to “update.microsoft.com” is a bit of a hassle every month when we patch. It remedy this, we created a VIP on the same network that terminated at our WSUS server and edited the security policy to use this VIP for updates. The same would work for an internal, non-wired network where you would deliver a VIP that provided access to the internal WSUS box, or whichever patching strategy you have, and allow your protected hosts to consult this VIP for patches, updates, etc in the same manor you would allow it to consume external database and web services.
Other benefits of the VPX:
As the Citrix sales people will likely attest, trying to market a network solution that does not have a “CISCO” bezel on it can be tough. At times, I find myself running into the “Cisco mafia” who will insist on an XSS/HSM solution. And while the technical battle was long over by version 7 of the Netscaler, the Marketing battle seems to wage on. While I think Cisco makes great products and I greatly appreciate the network engineers that lay the very foundation we communicate on, I feel like the entire web-based load balancing technology should have never been in the hands of Network engineers in the first place. While my connectivity mates can explain BGP peers, OSPF route convergence and subnet on a grease board faster than I can use the calculator, explaining a URL rewrite to them, or an HTTP Call out or SOAP can produce a deer in the headlights look. Additionally, while I am passionate about Application delivery, some connectivity folks can be a bit “eh…” when it comes to load balancing. Also, anyone that calls a Netscaler a Load Balancer does not really know what a Netscaler is.
If the resource cost of the hypervisor can be marginalized (which I believe it can, in fact booting from BSD and launching from a flash drive, isn’t it kind of a VM already?) then you will be putting the same server in the rack that you have always put in the rack. The fact that it is running XenServer with a web farm, fronted by an application switch will go largely unnoticed. While I am not for doing anything under the radar as that will get you fired in some shops, I tend to feel like marketing this as a secure wrapper for web services is a pretty good way to deliver this solution without raising the hackles of the connectivity staff.
Business Continuity is another benefit of this solution. In 2003, I pleaded with VMWare to make something called “VMWare-lite” where I could hypervise all of my servers and I told them that they had accidentally built a great business continuity solution. Currently, if any of my Netscaler hardware fails, I have to send out for a replacement. With the VPX, I don’t have to worry about having a new chassis sent to me in the event of a failure.
The benefits of the Netscaler speaks for itself, I think the VPX will go a long way in helping web/server admins get their feet wet with this technology. I would expect most web server administrators to take to this technology like a duck to water. If it is possible to bundle this solution as an add-on then we may be able to see a change in how web services/content is delivered. The future indicates that hypervisors are here to stay, the ability to secure your web environment behind the VPX, could boost XenServer in this space and put enterprise application delivery at the fingertips of server administrators everywhere. The big question will be how quickly and to what extent this is adopted but at a minimum, allowing the VPX to run on incumbent vendor hardware will be a big step in standardized environments. I, for one, like the virtualized Netscaler/CAG and look forward to using it beyond the lab.
GSLB Lab using VPX: (Sorry, utipu is done for good, I upgraded so I could have videos on my blog)