INTELLIGENT BRANDS // Enterprise Security
Where WAF fits into the data path
Web application firewalls (WAFs)
are an integral component of
application protection, protecting
against the Open Web Application
Security Project (OWASP) Top 10, and are
a go-to solution for addressing zero-day
vulnerabilities. But where do you put them?
Martin Walshaw, Senior Systems Engineer
at F5, says we need to think carefully about
where the WAF should be plugged in.
“According to a recent blog from F5, some
points are less efficient, some introduce
points of failure and others introduce
architectural debt that incurs heavy interest
penalties over time,” said Walshaw.
F5 recommends that businesses should
ideally be deploying WAF behind the load
balancing tier, which optimises for utilisation,
performance and reliability, while providing
the necessary protection for all apps,
including those exposed on the Internet. The
following are important considerations to
weigh when deciding on WAF placement in
the data path.
Utilisation
Where WAF is concerned, utilisation
becomes a key factor in operational costs,
as the higher utilisation inherent to a
WAF solution leads to additional resource
requirements, which consume budgets.
Performance
Not only that, but performance will be
affected by choosing to place the WAF in front
of the load balancing tier. To increase
performance and save time, you will want to
eliminate layers of network from the
equation rather than add to them, and that
means deploying your WAF behind the load
balancing tier.
Reliability
While many WAFs scale well they can still
be overwhelmed by flash traffic or attacks,
so if the choice is to place the WAF in front
of the load balancing tier, companies will
need another load balancing tier to scale
separately. Without this, you risk impacting
performance and availability.
Visibility
This is a key requirement for security solutions
in the data path. If you cannot inspect the
entire flow, many of the security functions
boasted by a WAF become moot. When the
WAF is behind the load balancing tier, Secure
Sockets Layer/Transport Layer Security (SSL/
TLS) decryption happens before traffic is
passed to the WAF for inspection.
“While these are all valid considerations,
a WAF can fit pretty much anywhere you
want it to fit,” said Anton Jacobsz, Managing
Director at Networks Unlimited, a value-
added distributor of F5 in Africa.
“As F5 notes, it could sit at the edge of
the network, if that’s where you want it.
However, best practice to optimise your
architecture for performance, utilisation and
reliability is to position it behind the load
balancing tier and close to the application
it’s protecting.”
www.intelligentcio.com