Summary
This article describes the functional differences between Citrix Application Firewall 5.5 and Citrix NetScaler Application Firewall 8.0.
Detailed comparison
As of May 2007, the General Availability release of NetScaler Application Firewall 8.0 differs functionally from Application Firewall 5.5 in many ways, with many new features and improved performance. Refer to the following outline and tables for more information:
High-performance NetScaler operating system Application Firewall:
• Integrated as a module in NetScaler 8.0
• Also available as a standalone device
Offloads all network housekeeping to the NetScaler operating system:
• TCP Session Management
• Distributed Denial-of-service (DDoS) Protection
• SSL Termination
• Compression
Improved performance:
• NetScaler Application Firewall basic mode is up to 10 times faster than Application Firewall 5.5 Standard Edition
Policy engine integration:
• Greater flexibility in security policy creation
• Uses feature-rich, Perl-compatible regular expressions instead of basic POSIX regular expressions
Network and Application Management
Network | Application Firewall 5.5 | NetScaler Application Firewall 8.0 |
TCP Multiplexing | Supported | Supported |
SSL Acceleration/Offload | Supported | Supported |
L7 Caching | Not supported | Supported |
L7 Compression | Supported | Supported |
L7 Content Switching | Not supported | Supported |
L7 Load Balancing | Not supported | Supported |
NetScaler Application Firewall 8.0 provides additional deployment options within a network for more flexibility. Refer to the following table:
Deployment Options
Option | Application Firewall 5.5 | NetScaler Application Firewall 8.0 |
One-arm | Not supported | Supported |
Bridge | Not supported | Supported |
Reverse Proxy | Supported | Supported |
Mixed Mode | Not supported | Supported |
VLAN Support | Not supported | Supported |
Scalability | No limit to the number of applications or servers | No limit to the number of applications or servers |
NetScaler Application Firewall 8.0 supports routing traffic across multiple VLANs both in front of and behind the Application Firewall. For specific deployment scenarios, it also supports using a single interface for all incoming (WAN), outgoing (LAN), and management traffic instead of the three interfaces that Application Firewall 5.5 requires. Finally, NetScaler Application Firewall 8.0 can also work in a transparent layer 2 bridge mode, where IP addresses are not required to route traffic.
Some functions available in the Application Firewall are not yet implemented in NetScaler Application Firewall. The following table lists the most significant ones:
Function | Application Firewall | NetScaler Application Firewall |
URL Body Rewriting | Supported | Not supported |
Web Authentication | Lightweight Directory Access Protocol (LDAP), Active Directory, SiteMinder | Not supported |
XML Threat Protection | Supported | Not supported |
SAFE Object Plugins | Supported | Not supported |
Basic Defaults Session Failover | Supported | Supported |
Advanced Defaults Session Failover | Supported | Not supported |
Large Cluster Management | Supported | Requires Command Center |
Federal Information Processing Standards (FIPS) Support | L2/L3 | Not supported |
ICSA Certification | Supported | Not supported |
ICSA Certification testing is in process and certification is expected soon.
FIPS L2/L3-compliant NetScaler 9000 hardware will be available in Q3 2007.
NetScaler Application Firewall 8.0 currently supports Uniform Resource Identifier (URI) and header rewriting. Full URL body rewriting will be available in a later release.
Citrix NetScaler Command Center (an optional product) is required to manage NetScaler Application Firewall 8.0 clusters.
Performance Chart
Platform | Application Firewall 5.5 | NetScaler Application Firewall 8.0 Basic Profiles | NetScaler Application Firewall 8.0 Advanced Profiles |
Bandwidth | | | |
7000 | 60 megabytes (MB)/second | 500 MB/second | 300 MB/second |
12000 | 120 MB/second | 1.8 gigabytes (GB)/second | 850 MB/second |
Requests/second | | | |
7000 | 1,300 requests/second | 6,800 requests/second | 3,800 requests/second |
12000 | 2,600 requests/second | 23,000 requests/second | 11,000 requests/second |