Citrix's NetScaler product line was originally all about accelerating Web site performance, but now its mission is expanding to secure Web sites at scale. Citrix (NASDAQ: CTXS) on Monday unveiled new Web Application Firewall (WAF) capabilities for five of its NetScaler MPX hardware appliances.

"The Citrix NetScaler Application Firewall appliances are full-fledged WAFs that protect Web and Web services applications from attack, and also stop leakage of sensitive customer information (e.g., credit card data) to help meet strict information security mandates, such as PCI-DSS (Payment Card Industry Data Security Standard)," Sunil Potti, Citrix's vice president of product management and product marketing, told

The new application firewall for the NetScaler MPX is not Citrix's first product with WAF-type capabilities, Potti noted. But the MPX deployment contains some new capabilities, as well as an expanded scale. Citrix debuted the NetScaler MPX in 2008 as a multi-core Web acceleration appliance product line.

"The NetScaler Application Firewall is now being made available on existing MPX appliances (5500, 7500, 9500, 10500 and 12500)," Potti said. "What is significant is that Citrix is now leveraging the massive performance of the MPX architecture to provide multi-gigabit application firewall performance. Again, we made this investment based upon customer demand for faster application security solutions."

With the high-end MPX 12500, Citrix's Application Firewall supports up to 5 Gbps of traffic throughput. A WAF is a different type of security technology than a regular firewall or a network IPS, Potti explained.

"An application firewall has specific defenses to detect and defeat security threats aimed at the application layer (L7)," he said. "For example, there are attacks that are based on entering malicious information into Web-based forms or manipulating cookies, which are used in almost every Web application. These types of attacks cannot be prevented by either network firewalls or IPS solutions. Web app firewalls are complementary to these other categories of security products."

From a competitive standpoint, WAF technology is also now being deployed at cloud scale by content delivery network provider Akamai by way of a partnership with Breach Security. For the Akamai deployment, the companies are leveraging the open source mod_security rule set for the WAF rules. Breach Security is one of the leading commercial sponsors behind the mod_security project. Citrix and Akamai also have a partnership on Web acceleration, though it is not currently marketed as a cloud-based WAF service.

The Citrix WAF rules have a different basis than open source rules, according to Potti.

"The NetScaler Application Firewall uses what is called a positive security model," he said. "With a positive security model, the application firewall automatically learns what is legal, expected behavior of the application. Any user activity that falls outside of this behavioral model is blocked. This eliminates reliance on databases of attack signatures, which require constant updates and cannot defend against new attacks, including zero day threats."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.