May 31, 2012 at 12:39 pm #7610 eyenit0 (Participant)
So, if I were to get a WAF that also doubled as a load balancer, does anyone have any advice on a good option? I’ve been looking at F5, Netscaler, Fortiweb, Armorlogic, and Baracuda. I’d consider Imperva as well, but it doesn’t have load balancing capabilities. Most of the reviews I’ve found are dated, so I’d love to hear some opinions!
Also, I have a question on implementation. Do you see problems with deploying a WAF/Load Balancer as a virtual machine on the same ESX server as the web servers? I prefer to have them as physically separate and have some concerns about putting them on the same box, but I’m not sure if I’m just over-thinking it.
May 31, 2012 at 2:15 pm #47535 cd1zz (Participant)
You’ve got quite a range of budget there. F5 and Barracuda in the same sentence! It’s been a while since I was in this space so take this fwiw.
I’ve used F5 products in the past as well as Barracuda. F5 makes a tremendous product with a lot of flexibility. The Barracuda products are good for the price point and kind of just work out of the box. I’ve never used the Cuda WAF but if it’s anything like their other products, it’s going to be OK.
I agree with your assessment of the WAF as a VM on the same host as your web boxes. Physically separate would be ideal, even from simply a performance standpoint. However, I’m sure with enough resources you could stuff it all on one host. From a security perspective you’re really talking about jumping out of a guest and into another guest, which in my opinion, is probably low risk if you’re doing everything correctly. I suppose there could be a potential for VLAN hopping too. I would make sure F5 even offers the VM solution instead of the appliance.
May 31, 2012 at 6:02 pm #47536 eyenit0 (Participant)
Yeah, that budget range definitely is all over the place. Right now I don’t think there is a defined budget, which is why the plan went from ModSecurity to F5, and may go back to ModSecurity! It’s up in the air right now, but I’m assuming I have budget backing.
F5 is definitely what I’d like to go with and seems like a mature product. I’m glad you agree with me on the VM question. F5 does have a virtual solution, but I’ve heard some criticism on it. Security concerns aside, it just seems like a better option to keep the security boxes separate for the sake of simplicity and even performance as you said. It seems weird to me to have the load balancer on the same system that you’re balancing the load for…
Anyway, thanks for your input, I wanted to make sure I wasn’t way off in my thinking.
June 3, 2012 at 8:35 am #47537 MaXe (Participant)
Keep in mind that configuring services in a secure way, and using an up to date stable application without any vulnerable add-ons, will eliminate most attacks. Of course the operating system should be hardened and the environment chrooted, in case it isn’t already. 🙂
That being said, I don’t know the mentioned WAFs, but I do know that you can configure mod_security specifically for a web application, so if integer input is expected, only integer input should be allowed.
I don’t really see any problems deploying a WAF / Load Balancer on the same box, even though they should be physically separate. What’s more important is that they’re securely configured in the virtual environment, so that e.g. direct access to the actual web server is not allowed / possible when the WAF / Load Balancer is not available.
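An added example of the application-specific, positive-security style of mod_security configuration MaXe describes (not code from anyone in this thread), written in ModSecurity 2.x rule syntax for Apache. The /product path and the id and page parameter names are assumptions standing in for a real application's endpoint.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x on Apache and a
# hypothetical endpoint /product that accepts only ?id=<int> and an optional page=<int>.
SecRuleEngine On
SecRequestBodyAccess On

<Location "/product">
    # Reject any parameter name the application does not use (query string or body).
    SecRule ARGS_NAMES "!@rx ^(id|page)$" \
        "id:100001,phase:2,t:none,deny,status:400,log,\
        msg:'Unexpected parameter %{MATCHED_VAR}'"

    # id is required and must occur exactly once.
    SecRule &ARGS:id "!@eq 1" \
        "id:100002,phase:2,t:none,deny,status:400,log,\
        msg:'id missing or repeated'"

    # id must be a plain decimal integer: no sign, no whitespace, no other characters.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
        "id:100003,phase:2,t:none,deny,status:400,log,\
        msg:'Non-integer id: %{MATCHED_VAR}'"

    # page is optional, but when present it must also be a small integer.
    SecRule ARGS:page "!@rx ^[0-9]{1,4}$" \
        "id:100004,phase:2,t:none,deny,status:400,log,\
        msg:'Non-integer page: %{MATCHED_VAR}'"
</Location>
```

These rules only help if requests cannot reach the web server except through the WAF, which is the point MaXe makes about the virtual environment: firewall the back-end so that it answers only to the WAF / load balancer's address.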