Skip to main content

What is Citrix Web App & API Protection Service?


To understand why Citrix Web App and API Protection service is relevant, it’s worth taking a moment to think about how we use web apps, or more accurately, what we use them to do. For many organisations, web apps started out as little more than shop windows but they’ve grown significantly in recent years. Of course our public facing web services remain but there’s a notable increase in the number of web apps in our workplaces too, often replacing old school client server apps that had BAU or UX challenges.

Without going off on a tangent, ‘traditional’ client server apps have always been expensive to look after, operationally speaking, often involving VDI to help deliver them. All those bespoke line of business app vendors know this and over the last few years there has been a silent revolution brought about by advances to web browsers and enhancement to the way we deliver traffic to those web browsers.

In other words, HTML got smarter and HTTP got QUIC-er so it became possible to do pretty much everything you wanted to do in a traditional client server app set up but using a single common web browser as the client for multiple apps. True, not for every service but the vast majority are heading that way with a promise of being way more efficient and a whole other bunch of value adds. Hooray.

As a result, more and more of our LoB apps are now published as web apps and while people still interact with many of them, these web apps can often spend more time talking to other web apps than they do talking to people. Designed to automate processes, API communications are frequently extended outside the corporate network to 3rd party providers for service chaining workflows. Got a Dev/Ops team working with containers? Those micro-services love to chat using APIs too. Add a bit of IoT in the mix and we’ve already reached the point where there’s more machine to machine (M2M) traffic on the internet than traffic created by humans accessing web services with regular browsers.

Why is Citrix Web App and API Protection service (CWAAP) relevant?

Every one of these web apps, and every API call that needs to use the internet as a delivery mechanism creates more risk – there are more things exposed to potential attackers. To further add to the problem, attackers have different motives and different tools to hit services. Flood your website with spoof traffic to take you offline with a DDoS attack or inject a bit of SQL code in the relevant field to steal sensitive information from a data base, protecting everything we publish as an organisation from all of the risks each of those ‘things’ introduce is way past a dumb firewall at the network edge which is where Citrix Web App & API Protection (CWAAP) service comes in.

What does CWAAP do?

CWAAP is a cloud based Web Application Firewall and API gateway combined with advanced Distributed Denial of Service protection capability. Delivered from 14 global points of presence, CWAAP is designed to protect services published from all traditional data centre and hybrid cloud locations with automated signature updates and M2M protection for APIs and Robotic Process Automation.

Like other Citrix Secure Access solutions, CWAAP has 3 core modules that can be specified to suit the use case:

Web Application Firewall

Super low latency layer 7 firewall, constantly updated with known threat signatures and wider real time intelligence to protect services and data from malicious attack. Includes JSON and XML protection with simplified compliance management for PCI-DSS and similar use cases.

DDoS mitigation

Including a huge 12 TBps capacity sinkhole that captures DDoS traffic in Citrix Cloud and only lets legitimate traffic reach the service. Simple but very effective and way more capacity than commercially viable for the vast majority of organisations.

Bot management

While not all bots are bad, robotic processes are frequently used to either disrupt services or collect data for other purposes, typically commercial gain. CWAAP recognises the digital characteristics of bot traffic, how it differs from human behaviour and other factors before applying custom policies to manage the risk.

How easy is it to deploy?

  1. DNS records for sites to be protected are changed to point to the Citrix WAAP service.
  2. Citrix WAAP service inspects all traffic destined for the site and only forwards clean/scrubbed traffic.
  3. The perimeter firewalls protecting the site are then configured to only accept traffic from the CWAAP POP’s ensuring only clean traffic enters their sites.
  4. The links from CWAAP can optionally be GRE Tunnels to further secure the traffic.

How is the service managed?

Simplicity is a key differentiator, Citrix WAAP is managed through a single cloud dashboard, making configuration and policy management a simple process for services delivered from multiple locations.

It’s simplicity is deceiving though, as under the surface, CWAAP is a full feature Citrix ADC (NetScaler) owned and operated by Citrix on subscribers behalf. Industry renowned for it’s speed and hugely capable feature set, the WAF can be configured to protect against both known and zero day attacks with built in dashboards and reporting plus out of the box integration for popular SIEM tools like Splunk and other popular services like Slack.

Upgrading from the legacy hardware approach

Accessed via web browser or API, organisations, particularly those adopting wider digital transformation initiatives, have to provide access to sensitive data to be able to function. Controlling who or what can access this data, at a scale and speed that doesn’t impair user experience isn’t getting any easier. Keeping on top of the challenge for all of the risks presented by all of the services published, with the diverse range of tactics and tools used by malicious actors is effectively no longer possible with traditional hardware based approaches.

Citrix Web App and API Protection provides the next step in the evolution of published service protection. Deployed either as a stand alone or part of a wider Citrix Secure Access solution adoption, CWAAP makes you a significantly harder target, and that’s a very good thing.



If you would like to discuss how Citrix Web App and API Protection service and how it could protect your published digital assets from attack, call 0330 010 3443 or email email