[WEB SECURITY] thoughts on WAF deployment options?

Neil Correa ncorrea at barracuda.com
Tue Apr 22 14:03:57 EDT 2008


Hi Joe,

Warning: vendor response:

I would also include proxy one-arm mode (aka "on a stick") as a
deployment mode.  You point DNS/Firewall to the VIPs on the WAF and it
forwards traffic to the backend server(s) using just one interface.  You
still proxy the traffic, but the WAF is technically not inline.  Should
something go wrong, you would point your firewall directly to the
backend server(s).  Of course, you definitely want to have a network
firewall in front of the WAF in this configuration to prevent users from
circumventing the WAF and going directly to the backend server(s).  In
addition, in this configuration, the backend server(s), when initiating
connections (e.g. DNS lookups, Windows Update, etc.), do not need to route
traffic through the WAF.

--Neil

-----Original Message-----
From: feedyourhead at gmail.com [mailto:feedyourhead at gmail.com] On Behalf
Of Joe White
Sent: Tuesday, April 22, 2008 9:57 AM
To: WASC Forum
Subject: [WEB SECURITY] thoughts on WAF deployment options?

Hey guys, I am hoping this thread does not spiral out of control over
the contention that a WAF is not really a "firewall".  =)

Seriously, I am currently evaluating WAFs for a large SaaS deployment
and am curious to get your thoughts on benefits of various deployment
options.  Here are my thoughts to get the ball rolling.

re:  out-of-band deployment
This seems attractive on the surface and is potentially the least
obtrusive to the existing architecture, but upon closer examination I
am not convinced it makes sense because
  1)  relying on TCP Resets (RST) to block attacks is problematic at
best
  2)  requires extra expense/installation of a network tap.  Otherwise
you have one more device asking for a span/mirror port that is prone
to 'clipping' of data once the ports it is mirroring get spikes in
traffic, etc.

re:  in-line (Layer 2) bridge deployment
I am told by WAF vendors that this is the most common deployment
scenario when a dedicated WAF appliance is used.  As I investigate
this further, it seems to be the most robust option given the
redundancy and load balancing options for deployment and since the
bridge can be configured to fail open.

re:  reverse proxy deployment
I am conflicted on this because I fear that it may add more complexity
to the network architecture than any of the other options but I am
also intrigued by the possibility of session protection that the proxy
option offers in terms of digitally signing cookies, etc.

re:  ModSecurity (multiple deployment options)
We have lots of Apache expertise and philosophically, I am prone to
support the open source model but at what point does ModSecurity
become impractical?  How many Apache servers in the web farm does it
take for ModSecurity to become too much of an administrative burden?

any thoughts?

thanks,
joe

<<<>>>
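The "digitally signing cookies" session protection Joe mentions under the reverse proxy option works because the proxy sits on both legs of the connection: it tags every Set-Cookie the backend emits, and on the way back in it verifies the tag and strips it before forwarding. The following is an added illustration of that mechanism, not code from either poster or from any WAF product; the key, the cookie names and the "." separator are assumptions made for the example, and the tag is an HMAC-SHA256 bound to the cookie name as well as its value so a tag lifted from one cookie cannot be replayed on another.

```python
import base64
import hashlib
import hmac

# Constructed key for the example only. In a deployment it lives on the
# proxy/WAF, never on the backend, so a compromised backend cannot forge tags.
PROXY_KEY = b"example-only-proxy-key-change-me"

SEP = "."  # separates the backend's cookie value from the proxy's tag


def _tag(name: str, value: str, key: bytes) -> str:
    """HMAC over 'name=value' so the tag is bound to both name and value."""
    msg = f"{name}={value}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # urlsafe base64 never contains '.', so rpartition(SEP) is unambiguous
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_set_cookie(set_cookie: str, key: bytes = PROXY_KEY) -> str:
    """Rewrite a backend Set-Cookie header value on its way to the client.

    'SESSIONID=abc; Path=/; HttpOnly' becomes 'SESSIONID=abc.<tag>; Path=/; HttpOnly'
    """
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, value = first.partition("=")
    signed = f"{name}={value}{SEP}{_tag(name, value, key)}"
    return "; ".join([signed, *attrs])


def verify_cookie_header(cookie: str, key: bytes = PROXY_KEY) -> tuple[dict, list]:
    """Check an inbound Cookie header; return (accepted name->value, rejected names).

    Cookies with a missing or non-matching tag are rejected. Comparison is
    constant-time so the tag cannot be guessed byte by byte.
    """
    accepted: dict = {}
    rejected: list = []
    for part in cookie.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, signed_value = part.partition("=")
        value, sep, tag = signed_value.rpartition(SEP)
        if not sep or not hmac.compare_digest(tag, _tag(name, value, key)):
            rejected.append(name)
            continue
        accepted[name] = value
    return accepted, rejected


def forward_cookie_header(cookie: str, key: bytes = PROXY_KEY) -> str:
    """Build the Cookie header the proxy forwards to the backend: tags stripped,
    rejected cookies dropped, so the application only ever sees values it set."""
    accepted, _ = verify_cookie_header(cookie, key)
    return "; ".join(f"{n}={v}" for n, v in accepted.items())


if __name__ == "__main__":
    out = sign_set_cookie("SESSIONID=abc123; Path=/; HttpOnly")
    print("to client :", out)
    inbound = out.split(";")[0]
    print("to backend:", forward_cookie_header(inbound))
    print("tampered  :", verify_cookie_header(inbound.replace("abc123", "abc124")))
```

Note the side effect Joe should weigh when evaluating this option: a cookie the client set itself (say, from JavaScript) carries no tag and is dropped, which is exactly the protection but also means every cookie the application relies on must originate from a Set-Cookie that passed through the proxy.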

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
