WAF, where to deploy?
Hello everybody, here I am again.
For several days I have been thinking that I would like to start a "Best-Practices" category. My first idea was to write about the need for SSL decryption, but this week I attended the Imperva SecureSphere online course and it gave me the idea to write about where to put a WAF inside an environment that does not have one yet.
I am just a beginner in WAF, but, summarizing, there is a mandatory question to ask when we want to put a WAF in an environment: where to put it, before or after an ADC/Load Balancer.
There are many possibilities here. The first thing we have to evaluate is the manufacturer of the WAF; I mean, not all manufacturers work the same way. For example, there are manufacturers that can perform both features (WAF and ADC) on the same appliance, like F5: it is only necessary to license both modules (LTM for ADC and ASM for WAF). There are others, like Imperva, which only perform WAF features, and there are others, like Fortinet, which are in the middle: they use different appliances for WAF and ADC, but the WAF (FortiWeb) has basic load balancing capabilities and the ADC (FortiADC) has basic WAF capabilities too. So it depends on the environment and on what/how we want to protect, and we can use one, the other, or both…
Anyway, in the end we just have to decide whether we put the WAF before or after the ADC, and here are the consequences/concerns of both ways (from the WAF's point of view):
WAF BEFORE / ADC AFTER:
The first thing to keep in mind is that we will receive the real source IP at the WAF.
The destination IP always has to be an ADC Virtual IP (from a listening Virtual Server).
Regarding SSL certificates, it is necessary to upload them to the WAF so that it can inspect the traffic properly.
ADC BEFORE / WAF AFTER:
We will receive an obfuscated source IP from the ADC (not the real client IP); in order to see, evaluate and make decisions based on the source IP we have to enable X-Forwarded-For or something similar.
The destination addresses have to be configured again (all of them).
No SSL certificates are necessary on the WAF if the ADC performs SSL offloading.
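As an added example (not part of the original post, and not code from any of the vendors mentioned), here is how the WAF-after-ADC case is handled in practice when X-Forwarded-For is enabled on the ADC: the WAF sees the ADC's address as the TCP source, and the real client address only inside the header. Because the client can also send its own X-Forwarded-For value, the WAF must believe only the entries appended by proxies it trusts, walking the list from the right. The trusted proxy range (10.0.0.0/24), the request samples and the block list below are all constructed for the illustration.

```python
import ipaddress

# Constructed assumption: the ADC sits in 10.0.0.0/24 as seen from the WAF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(ip, trusted):
    """True if ip parses and falls inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address the WAF should evaluate for this request.

    remote_addr: layer-3 source of the connection that reached the WAF.
    xff_header:  raw X-Forwarded-For value as received, or None.

    The header is ignored entirely unless the connection itself comes from
    a trusted proxy; otherwise anyone could spoof their source address.
    """
    if not _is_trusted(remote_addr, trusted) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Proxies append to the right, so the rightmost entries were written by
    # the hops nearest the WAF. Skip trusted proxies; the first untrusted
    # entry is the best evidence we have for the real client.
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fail safe to the address we can actually verify.
            return remote_addr
        return hop
    # Every entry was a trusted proxy; nothing else to believe.
    return remote_addr


def blocked_requests(requests, blocklist, trusted=TRUSTED_PROXIES):
    """Apply a source-IP block list using the resolved client address.

    requests: iterable of (remote_addr, xff_header) tuples.
    Returns the list of resolved client IPs that matched the block list.
    """
    nets = [ipaddress.ip_network(b) for b in blocklist]
    hits = []
    for remote_addr, xff in requests:
        ip = client_ip(remote_addr, xff, trusted)
        if any(ipaddress.ip_address(ip) in net for net in nets):
            hits.append(ip)
    return hits


# Constructed sample traffic as the WAF would see it behind the ADC.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.7"),                    # normal client via ADC
    ("10.0.0.5", "198.51.100.9, 203.0.113.7"),      # client spoofed a leading value
    ("203.0.113.7", "10.0.0.5"),                    # direct hit, header not trusted
    ("10.0.0.5", None),                             # ADC did not add the header
]

if __name__ == "__main__":
    for remote, xff in SAMPLE_REQUESTS:
        print(f"{remote!r:>16} {str(xff)!r:>32} -> {client_ip(remote, xff)}")
    print("blocked:", blocked_requests(SAMPLE_REQUESTS, ["203.0.113.0/24"]))
```

The second sample is the one that matters: the client sent its own X-Forwarded-For, the ADC appended the real address, and only the rightmost untrusted entry is used. If the WAF instead took the leftmost value, a spoofed header would defeat any source-IP policy, which is the risk behind the "obfuscated source IP" point above.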
My personal opinion on this is clear: I would prefer to deploy the WAF before the ADC. I think this is the most secure and the easiest way to deploy.
Most secure because sometimes load balancers can have more than one IP address pointing to a web application, and if we put the WAF after the ADC we may forget to protect all of those IPs; whereas if we put the WAF first, either we configure all of those IPs or they simply will not work.
Easiest to deploy because we only have to connect the WAF VIP to the ADC VIP.
Anyway, in case we have to deploy the WAF after an ADC, although I think it is a little bit less secure, we can put it in transparent mode in order to simplify the deployment.
That's all for today, see you soon!!