Citrix Validated Joint Solution Whitepaper


Virtual desktop infrastructure White Paper

Secure virtual desktop infrastructure with Citrix NetScaler and Palo Alto Networks next-generation firewalls

citrix.com
Virtual desktop infrastructure White Paper 2

Today’s enterprises are rapidly adopting desktop
virtualization to reduce operating costs, enable
workplace flexibility, increase business agility and
bolster their information security and compliance
posture. Actually realizing these benefits, however,
depends upon ensuring the security and availability
of the virtual desktop infrastructure (VDI).
The combination of Citrix NetScaler and Palo Alto
Networks next-generation firewalls secures virtual
desktops and ensures their availability, performance
and scalability. This solution not only preserves the
benefits promised by VDI, it maximizes them. This
joint solution is tested and validated for securing
Citrix XenApp and Citrix XenDesktop VDI.

The desktop virtualization security situation


Migrating from traditional desktop deployment and management approaches to
virtual desktop technologies is a top initiative for enterprises of all types and sizes
worldwide. Indeed, Gartner expects adoption of hosted virtual desktops (HVDs)
alone to reach 76 million users by 2016 [1]. Driving this growth is a compelling set
of benefits. With a full-featured desktop virtualization solution, enterprises can
substantially and sustainably reduce desktop ownership and operating costs,
enable complete workplace flexibility and increase business agility by providing
rapid support for strategic initiatives such as mergers and acquisitions, geographic
expansion and dynamic partnership arrangements.

Desktop virtualization significantly strengthens information security and compliance
by centralizing all data and applications in the corporate datacenter. Because users
view and manipulate their desktops remotely, there is no need to distribute or store
potentially sensitive material on the local device.

VDI enhances desktop security because centralization of desktop applications
and operating systems increases the IT administrators’ control over these crucial
resources. Centralized control not only makes it easier to pursue standardization
that reduces complexity, cost and an organization’s attack surface, but also boosts
the ease, speed and thoroughness of implementing updates and security patches.
Another advantage of a centralized model is speed and efficiency when granting
and revoking access rights and privileges. Moreover, there’s no dependence
on having users return distributed devices, software or data—because, with
desktop virtualization, there aren’t any devices to return.


Security is a primary concern


Desktop virtualization clearly has a lot to offer today’s enterprises. However,
fully realizing its benefits is not a given. To preserve potential gains, organizations
must, among other tasks, ensure the security of their desktop virtualization
implementations. This may sound a bit circular—organizations must invest in
one set of security measures to gain the full benefits of the second—but that’s
exactly the point. To maximize the desktop and data security benefits of virtual
desktops, the VDI must be secured.

Remote access: With mobility and telecommuting initiatives on the rise, a
substantial percentage of users are likely to require access to their desktops
from a remote location, often over an insecure public network. Unlike a standard
desktop scenario, where an attacker needs possession of the device to get local
access, an attack on a virtual desktop requires only access to the network.

Device proliferation: Consumerization of IT is requiring IT to support diverse
client devices with widely varying security characteristics and profiles. This task
is further complicated by the fact that most of these devices are no longer owned
or controlled by the enterprise. Although desktop virtualization can eliminate
local retention of sensitive data, a compromised client device still poses a threat.
Sensitive data could still be viewed and the rights attributed to the user/device
could be exploited to launch a far more damaging attack.

Extent of access: With desktop virtualization users have access to an entire
desktop. In addition to their immediate applications and data, they can also get
to all the downstream network resources accessible from their desktops. This
elevates the importance of security in general, and access control in particular.

Concentration of resources: A robust defense is important because desktop
virtualization places many of an organization’s eggs in a single basket. In contrast
to the conventional, distributed model of desktop computing, a single, successful
attack now has the potential to impact a substantial number of users and
desktop systems.

There is also the big picture to consider. Today’s hackers are highly organized and
motivated to cause damage and/or make off with valuable data. As a result, robust
defenses are generally necessary, if for no other reason than to provide protection
from an increasingly sophisticated and hostile threat landscape.

How NetScaler and Palo Alto Networks next-generation firewalls can help

NetScaler, an advanced solution for delivering apps and cloud and enterprise
services, provides an extensive set of capabilities that make it an ideal choice
for front-ending an organization’s desktop virtualization infrastructure. Particularly
relevant are the numerous security mechanisms and features that NetScaler
delivers to help protect VDI.


Palo Alto Networks next-generation firewalls complement NetScaler capabilities by
segmenting the VDI in the datacenter and protecting it from threats. By leveraging
user authentication information from the VDI, the firewalls control access to
applications and data based on security policies. The combination of NetScaler
and Palo Alto Networks next-generation firewall is a best-in-class solution that
effectively protects the underlying datacenter and keeps users highly productive
from anywhere they happen to be. The solution facilitates security for virtual
desktop deployments by enabling real-time orchestration of individual technologies
and capabilities. A step-by-step deployment guide to securing Citrix XenApp and
XenDesktop infrastructure using this joint solution is available.

Secure remote access


Citrix NetScaler Gateway is a full-featured SSL VPN and an integral component
of NetScaler. It gives administrators granular, application-level control while
empowering users with remote access to their virtual desktops from anywhere.
With NetScaler Gateway, IT administrators can manage access control and limit
actions within sessions based on both user identity and attributes of the endpoint
device. The result is better application security, data protection and compliance
management.

[Figure 1: three blocks in sequence. Citrix NetScaler (secure access, application
security, high availability) in front of the Palo Alto Networks NGFW (next-gen
firewall, threat protection, high availability), which in turn protects the
Virtual Desktop Infrastructure.]

Figure 1. Citrix NetScaler and Palo Alto Networks next-generation firewall secures VDI

NetScaler Gateway enables secure remote access to virtual desktops by providing
an encrypted tunnel and supporting a wide range of user authentication methods.
Desktop sessions traversing public networks are protected from eavesdropping.

Next up is granular and adaptive access control. With NetScaler Gateway,
administrators can tightly control access to virtual desktops using policies
comprised of both fixed and dynamic attributes, including user identity and role,
strength of authentication, location, time of day, and identity and security status
of the client device. In addition, NetScaler Gateway supports existing directory
and identity management infrastructure.

Supporting this capability is another important security feature: endpoint analysis.
Integrated endpoint scanning can continually monitor client devices to determine
if client security software—such as antivirus, personal firewall or other mandatory
programs—is active and up-to-date. Devices that fail these checks can be denied
access, granted limited access or quarantined by restricting their access to sites
that provide the tools necessary to restore them to a compliant configuration.


Advanced action and data control capabilities provide yet another crucial layer
of protection, particularly given the proliferation of client devices and growing
tendency toward user ownership and self-management. Related features include:

• Enhanced split tunneling control, where users can access their desktop and
the client’s local subnet but are prevented from directly accessing the Internet

• Adaptive action control, where local printing, copy, paste and save-to-disk
functionality can be restricted via adaptive policies

• Browser cache cleanup, where objects and data stored on the local browser
are removed upon completion of the virtual desktop session
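The adaptive access decisions, endpoint-analysis outcomes (deny, limited access, quarantine) and session action controls described in the preceding paragraphs, modelled as an added example. This is not Citrix code or NetScaler Gateway configuration: the attribute names, the policy thresholds (signature age, business hours, admin groups) and the four access outcomes are assumptions chosen for illustration.

```python
"""Illustrative model of adaptive access control driven by endpoint analysis,
in the style of the NetScaler Gateway features described above. Added example,
not Citrix code or configuration: attribute names, thresholds and the four
access outcomes are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    QUARANTINE = "quarantine"  # only remediation sites reachable
    LIMITED = "limited"        # desktop access with session actions restricted
    FULL = "full"


@dataclass(frozen=True)
class EndpointScan:
    antivirus_running: bool
    signature_age: timedelta
    firewall_enabled: bool
    managed_device: bool  # enterprise-owned/enrolled vs. user-owned


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    auth_strength: str   # "password" or "mfa"
    source_network: str  # "internal" or "public"
    when: datetime
    scan: EndpointScan


@dataclass(frozen=True)
class Policy:
    max_signature_age: timedelta = timedelta(days=7)
    business_hours: tuple = (7, 20)  # hours during which password-only public access is tolerated
    admin_groups: frozenset = frozenset({"vdi-admins"})


def evaluate(req: AccessRequest, policy: Policy = Policy()):
    """Return (decision, reasons). Endpoint checks run first; failures quarantine the device."""
    scan = req.scan
    if not (scan.antivirus_running and scan.firewall_enabled):
        return Decision.QUARANTINE, ["mandatory client security software not active"]
    if scan.signature_age > policy.max_signature_age:
        return Decision.QUARANTINE, ["antivirus signatures out of date"]
    remote = req.source_network != "internal"
    weak_auth = req.auth_strength != "mfa"
    if remote and weak_auth and (req.groups & policy.admin_groups):
        return Decision.DENY, ["privileged access from a public network requires MFA"]
    start, end = policy.business_hours
    if remote and weak_auth and not (start <= req.when.hour < end):
        return Decision.DENY, ["off-hours access from a public network requires MFA"]
    if remote or not scan.managed_device:
        return Decision.LIMITED, ["unmanaged device or public network: session actions restricted"]
    return Decision.FULL, []


def session_controls(decision: Decision) -> dict:
    """Action and data controls applied to the session for a given decision."""
    controls = {
        "desktop": False, "clipboard": False, "local_print": False, "save_to_disk": False,
        "direct_internet": False,        # split tunneling never grants direct Internet access
        "browser_cache_cleanup": True,   # local browser objects are always removed at session end
        "remediation_sites_only": False,
    }
    if decision is Decision.QUARANTINE:
        controls["remediation_sites_only"] = True
    elif decision is Decision.LIMITED:
        controls["desktop"] = True
    elif decision is Decision.FULL:
        controls.update(desktop=True, clipboard=True, local_print=True, save_to_disk=True)
    return controls


def demo() -> dict:
    """Constructed requests covering each outcome (sample data, not real users)."""
    now = datetime(2013, 8, 1, 10, 30)
    healthy = EndpointScan(True, timedelta(days=1), True, True)
    stale = EndpointScan(True, timedelta(days=30), True, True)
    byod = EndpointScan(True, timedelta(days=1), True, False)
    staff, admins = frozenset({"staff"}), frozenset({"vdi-admins"})
    cases = {
        "managed_internal": AccessRequest("alice", staff, "password", "internal", now, healthy),
        "byod_public_mfa": AccessRequest("bob", staff, "mfa", "public", now, byod),
        "stale_av": AccessRequest("carol", staff, "mfa", "internal", now, stale),
        "admin_password_public": AccessRequest("dave", admins, "password", "public", now, healthy),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision.value, session_controls(decision))
```

The ordering matters: endpoint posture is checked before identity and context, so a non-compliant device is routed to remediation rather than being evaluated for the richer access tiers, and the session controls derived from the decision are what a gateway would hand to the session rather than leaving them to the client.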

Authentication, confidentiality and encryption


NetScaler provides authentication, confidentiality and encryption for the VDI.
NetScaler integrates with Citrix secure ticketing authority (STA) Kerberos-style
ticketing to eliminate the possibility of session hijacking with cookie-based
authentication schemes. The NetScaler proxy architecture, coupled with HTTP/
URL rewrite and Layer 7 (L7) and NetScaler Application Firewall content filtering
capabilities, allows virtual desktop administrators to shield connection brokers
and other downstream VDI components from direct TCP and UDP connections
initiated by external users, thereby reducing their exposure to malware and other
types of attacks. NetScaler provides cloaking and content security to effectively
hide server error codes, real URLs and other pieces of information that could give
hackers the details they need to formulate custom attacks automatically, and to
thwart many types of denial of service (DoS) attacks that exploit gaps in common
protocols. NetScaler ICA file encryption and AppExpert templates make it simple
to configure a highly secure environment to protect XenApp and XenDesktop
environments and StoreFront/AppController SSO authentication-based services.
StoreFront enables you to create centralized enterprise stores to deliver desktops,
applications and other resources to users on any device, anywhere. AppController
enables single sign-on services for mobile applications.

Network-layer protection
NetScaler provides core, network-layer protection for VDI in several ways. To begin
with, administrators can use NetScaler to enforce a basic level of access control
using straightforward, Layer 3 and 4 access control lists (ACLs) to selectively
permit legal traffic while blocking traffic deemed unsafe. In addition, a couple
of key design features automatically protect any infrastructure front-ended by
NetScaler. For example, NetScaler incorporates a high-performance, enhanced,
standards-compliant TCP/IP stack that:

• automatically drops malformed traffic that could pose a threat to the entire VDI;

• prevents disclosure of low-level connection information (e.g., IP addresses,
server port numbers) that could prove useful to hackers intent on perpetrating
an attack; and

• automatically thwarts many types of DoS attacks that exploit gaps
in common protocols.


Safe enablement for datacenter applications


Users may have access to other applications in the datacenter besides their virtual
desktop. Palo Alto Networks next-generation firewalls enable advanced, identity-
based, granular application control, threat prevention and content leak protection
for resources accessed from virtual desktops. This means virtual desktop users
may only access applications allowed by their security policy.

One of the key benefits of the Palo Alto Networks integration with XenApp and
XenDesktop applications is the ability to integrate user identity information, which
allows organizations to set up firewall policies based on an individual or group
basis, and provides visibility into user activity via detailed reports and logs. The
interaction between the VDI and the Palo Alto Networks next-generation firewall
simplifies policy creation and management, allowing the firewall to dynamically
identify users and enforce security policies.

Using the integration, organizations can:

• Establish segmentation by application, user and content in the datacenter

• Accurately identify and control the use of more than a thousand applications
(including common social networking and cloud-based services), regardless
of port, protocol or any evasive techniques used to mask their operation

• Dynamically identify users and enforce security policies for granular application
access based on user or group, and generate logs and reports with user,
application and content information for further analysis and forensic investigation

• Detect and respond to threats and sensitive data contained in employee
communications
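The identity-based application policy evaluation and logging described in this section, as an added example in Python rather than firewall configuration. It is not Palo Alto Networks or Citrix code: the user-to-IP mapping (standing in for logon information learned from the VDI), the zone layout, the rules and the sample flows are constructed for illustration.

```python
"""Illustrative model of identity-based application control on a datacenter
firewall that learns user-to-IP mappings from VDI logons. Added example, not
Palo Alto Networks or Citrix code: mapping, zones, rules and flows are constructed."""
from dataclasses import dataclass

# Constructed user-to-IP mapping, as a firewall would learn it from VDI logon events.
USER_IP_MAP = {
    "10.1.5.21": ("alice", frozenset({"finance"})),
    "10.1.5.22": ("bob", frozenset({"engineering"})),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str  # application as identified by content inspection, not by port


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset  # empty set = any user
    apps: frozenset    # empty set = any application
    dst_zone: str      # "any" or a zone name
    action: str        # "allow" or "deny"


# Constructed policy: segmentation by user group, application and destination zone.
RULES = [
    Rule("finance-to-erp", frozenset({"finance"}), frozenset({"erp-web"}), "dc-finance", "allow"),
    Rule("eng-to-git", frozenset({"engineering"}), frozenset({"git"}), "dc-eng", "allow"),
    Rule("block-filesharing", frozenset(), frozenset({"bittorrent", "dropbox"}), "any", "deny"),
]


def dst_zone(ip: str) -> str:
    """Assumed zone layout: finance servers on 10.2.1.0/24, engineering on 10.2.2.0/24."""
    if ip.startswith("10.2.1."):
        return "dc-finance"
    if ip.startswith("10.2.2."):
        return "dc-eng"
    return "untrust"


def resolve_user(ip: str):
    """Map a source IP to (user, groups); unmapped sources are treated as unknown."""
    return USER_IP_MAP.get(ip, ("unknown", frozenset()))


def matches(rule: Rule, groups: frozenset, flow: Flow) -> bool:
    """A rule matches when group, identified application and destination zone all agree."""
    if rule.groups and not (groups & rule.groups):
        return False
    if rule.apps and flow.app not in rule.apps:
        return False
    if rule.dst_zone != "any" and dst_zone(flow.dst_ip) != rule.dst_zone:
        return False
    return True


def evaluate_flow(flow: Flow, rules=RULES) -> dict:
    """First-match evaluation; returns a log record carrying user, group and app context."""
    user, groups = resolve_user(flow.src_ip)
    action, rule_name = "deny", "implicit-deny"
    for rule in rules:
        if matches(rule, groups, flow):
            action, rule_name = rule.action, rule.name
            break
    return {
        "user": user,
        "groups": sorted(groups),
        "src": flow.src_ip,
        "dst": f"{flow.dst_ip}:{flow.dst_port}",
        "app": flow.app,
        "action": action,
        "rule": rule_name,
    }


if __name__ == "__main__":
    # Constructed flows, including SSH carried over port 443 and an unmapped source.
    sample_flows = [
        Flow("10.1.5.21", "10.2.1.10", 443, "erp-web"),
        Flow("10.1.5.22", "10.2.1.10", 443, "erp-web"),
        Flow("10.1.5.21", "10.2.1.10", 443, "ssh"),
        Flow("10.1.5.22", "10.2.2.5", 22, "git"),
        Flow("10.1.5.99", "10.2.1.10", 443, "erp-web"),
    ]
    for record in map(evaluate_flow, sample_flows):
        print(record)
```

Two points the model makes visible: the third sample flow uses the same port as the permitted ERP traffic but is identified as a different application and so falls through to the implicit deny, and every record, allowed or denied, carries the resolved user and group so that the resulting logs can be searched per user during an investigation.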

Next-generation threat protection


Attackers today have evolved into bona fide cybercriminals, often motivated by
significant financial gain and sponsored by criminal organizations, nation-states or
radical political groups. These groups have more time, resources and a higher level
of motivation, which allows them to mount more-complex, long-term operations
against bigger targets. As a result, a wide array of tactics, from targeted malware
and spyware to phishing attacks and social engineering, in addition to exploits, are
being observed at many organizations. This situation calls for protection against a
variety of attacks at scale.

Palo Alto Networks next-generation firewalls deliver a comprehensive suite of
essential network security for preventing both known and unknown threats. They
provide robust defenses designed to thwart app-specific threats, including zero-
day attacks targeting app-layer vulnerabilities. In contrast, NetScaler Application
Firewall protects against web application-layer attacks, such as SQL injection,
cross-site scripting and buffer overflow threats.


The joint solution offers the following:

• Granular user and app-focused access control that reduces the scope of attack
by controlling applications that may carry threats

• Complete, integrated threat framework with high-performance, stream-based
protection against viruses, spyware and exploits

• Advanced protection against modern malware and targeted/zero-day attacks

• Comprehensive web application protection via the industry’s
highest-capacity firewall

Equally important, however, is the ability to provide all of this protection at scale.
Both NetScaler and Palo Alto Networks products are designed on purpose-built
hardware platforms—optimized for performance. Palo Alto Networks also features
an innovative Single Pass Parallel Processing architecture that reduces latency by
performing security functions only once. This software architecture, coupled with a
multi-core hardware processing architecture, ensures delivery of high-performance
protection under the most demanding conditions.

Additional considerations
Although critically important, network security is only one piece of a complete
security strategy for VDI. Besides network security, enterprises should consider
the need for:

• Client security. Despite desktop virtualization’s centralized operating model,
accessing a virtual desktop from a compromised client device still poses a
threat to the environment. NetScaler endpoint analysis, action control and data
cleanup features can help organizations ensure that the client device is secure.
Under certain high-risk access scenarios, however, it may also be necessary
to implement a comprehensive suite of endpoint security software.

• Virtual system security. Maintaining good virtual machine hygiene means
ensuring virtual desktops use the latest, fully patched versions of embedded
apps and operating systems, and retiring virtual machines that are no longer
in use. It also entails providing network isolation for all VDI components and
potentially implementing encryption for associated storage volumes, given
the concentration of resources involved.

Beyond security
By itself, adequately securing the VDI is not sufficient to fully preserve the
benefits of desktop virtualization. Enterprises also need to ensure the availability,
performance and scalability of whatever solution they decide to implement. After
all, users will not be happy if the environment is not available when needed, or if it
suffers from performance issues that make it unusable. NetScaler truly excels as a
front-end solution for an organization’s desktop virtualization infrastructure, helping
ensure that organizations obtain both the performance and scalability they need.
In addition to its compelling set of network security features, NetScaler delivers:


• A combination of enterprise-class server load balancing, global server load
balancing and health monitoring capabilities to ensure virtual desktop availability
and business continuity

• An extensive collection of mechanisms that not only enhance virtual desktop
performance over the network but also streamline the user experience

• Intelligent load distribution and server offload capabilities that enable seamless
scalability of VDI

Palo Alto Networks next-generation firewalls support active/passive and active/
active high availability configuration, complete with session and configuration
synchronization. To ensure that management is accessible during periods of
heavy traffic, the next-generation firewall separates the data plane and the
control plane, each with dedicated processing and memory. The data plane
houses dedicated processing and memory for networking, security and
content inspection, while dedicated management processing and memory
reside on the control plane.

Conclusion
By delivering a robust set of granular application identification and controls,
remote access and threat protection capabilities, the combined NetScaler
and Palo Alto Networks firewall solution not only preserves but also extends
the benefits organizations have come to expect when embracing desktop
virtualization. IT managers can substantially improve the availability, performance
and scalability of their virtual desktop implementations while ensuring security
and compliance for their virtual desktop users.
[1] Forecast: Hosted Virtual Desktops, Worldwide, 2010-2016. Gartner, June 2012.


About Palo Alto Networks


Palo Alto Networks, Inc. has pioneered the next generation of network security
with our innovative platform that allows you to secure your network and safely
enable an increasingly complex and rapidly growing number of applications.
At the core of this platform is our next-generation firewall, which delivers visibility
and control over applications, users, and content within the firewall using a highly
optimized hardware and software architecture.

Our platform uniquely offers you the ability to identify, control, and safely
enable applications while inspecting all of your content for all threats all the time.
These capabilities, combined with superior performance, surpass all traditional
approaches including UTM and software blade. Our approach allows you to
simplify your network security infrastructure and eliminate a variety of stand-alone
and bolt-on security devices. Our platform can address a broad range of your
network security requirements - from your datacenter to your enterprise
perimeter, to the far edges of your network and more - including branch
offices and mobile devices.

Corporate Headquarters: Fort Lauderdale, FL, USA
India Development Center: Bangalore, India
Latin America Headquarters: Coral Gables, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
Online Division Headquarters: Santa Barbara, CA, USA
UK Development Center: Chalfont, United Kingdom
EMEA Headquarters: Schaffhausen, Switzerland
Pacific Headquarters: Hong Kong, China

About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere, easily
and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing,
Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more
than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

Copyright © 2013 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, XenApp, XenDesktop, ICA and NetScaler Gateway are trademarks
of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names
mentioned herein may be trademarks of their respective companies.

0813/PDF citrix.com
