Advice for WAF selection and implementation

Viewing 3 reply threads
  • Author
    • #7610

So, if I were to get a WAF that also doubled as a load balancer, does anyone have any advice on a good option? I’ve been looking at F5, Netscaler, Fortiweb, Armorlogic, and Barracuda. I’d consider Imperva as well, but it doesn’t have load balancing capabilities. Most of the reviews I’ve found are dated, so I’d love to hear some opinions!

      Also, I have a question on implementation. Do you see problems with deploying a WAF/Load Balancer as a virtual machine on the same ESX server as the web servers? I prefer to have them as physically separate and have some concerns about putting them on the same box, but I’m not sure if I’m just over-thinking it.

      Thanks guys!

    • #47535

You’ve got quite a range of budget there. F5 and Barracuda in the same sentence! It’s been a while since I was in this space, so take this fwiw.

I’ve used F5 products in the past as well as Barracuda. F5 makes a tremendous product with a lot of flexibility. The Barracuda products are good for the price point and kind of just work out of the box. I’ve never used the Cuda WAF, but if it’s anything like their other products, it’s going to be OK.

      I agree with your assessment of the WAF as a VM on the same host as your web boxes. Physically separate would be ideal, even from simply a performance standpoint. However, I’m sure with enough resources you could stuff it all on one host. From a security perspective you’re really talking about jumping out of a guest and into another guest, which in my opinion, is probably low risk if you’re doing everything correctly. I suppose there could be a potential for VLAN hopping too. I would make sure F5 even offers the VM solution instead of the appliance.

    • #47536

      Yeah, that budget range definitely is all over the place. Right now I don’t think there is a defined budget, which is why the plan went from ModSecurity to F5, and may go back to ModSecurity! It’s up in the air right now, but I’m assuming I have budget backing.

      F5 is definitely what I’d like to go with and seems like a mature product. I’m glad you agree with me on the VM question. F5 does have a virtual solution, but I’ve heard some criticism on it. Security concerns aside, it just seems like a better option to keep the security boxes separate for the sake of simplicity and even performance as you said. It seems weird to me to have the load balancer on the same system that you’re balancing the load for…

      Anyway, thanks for your input, I wanted to make sure I wasn’t way off in my thinking.

    • #47537

Keep in mind that configuring services in a secure way, and using an up to date stable application without any vulnerable add-ons, will eliminate most attacks. Of course the operating system should be hardened and the environment chrooted, in case it isn’t already. 🙂

      That being said, I don’t know the mentioned WAFs, but I do know that you can configure mod_security specifically for a web application, so if integer input is expected, only integer input should be allowed.

      I don’t really see any problems deploying a WAF / Load Balancer on the same box, even though they should be physically separate. What’s more important is that they’re securely configured in the virtual environment, so that e.g. direct access to the actual web server is not allowed / possible when the WAF / Load Balancer is not available.
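An added example of the per-application ModSecurity configuration described in the reply above (not code from the thread): ModSecurity 2.x rules for a hypothetical endpoint `/account/view` that is assumed to accept exactly one parameter, `id`, which must be an integer. Anything outside that allow-list is rejected with a 400 and logged.

```apache
# Hypothetical endpoint: /account/view?id=<integer>
# Positive (allow-list) validation scoped to this one location, so the
# rules describe what the application expects rather than what attackers send.
<Location "/account/view">
    SecRuleEngine On

    # "id" must be 1-10 ASCII digits; any other value is rejected.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
        "id:100001,phase:2,t:none,deny,status:400,log,\
        msg:'id must be an integer',logdata:'%{MATCHED_VAR}'"

    # "id" must be supplied exactly once (catches missing and duplicated values).
    SecRule &ARGS:id "!@eq 1" \
        "id:100002,phase:2,t:none,deny,status:400,log,\
        msg:'id must be supplied exactly once'"

    # Any parameter name other than "id" is unexpected for this endpoint.
    SecRule ARGS_NAMES "!@rx ^id$" \
        "id:100003,phase:2,t:none,deny,status:400,log,\
        msg:'unexpected parameter for /account/view',logdata:'%{MATCHED_VAR}'"
</Location>
```

Run the rules with `SecRuleEngine DetectionOnly` first and review the audit log for false positives before switching to blocking.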

Copyright ©2021 Caendra, Inc.