WAF deployment: inline and bypass deployment modes

With the popularity of e-commerce, online banking and e-government, the business value carried by web servers keeps growing, and so do the security threats those servers face. Defending the web application layer has therefore become an inevitable trend, and WAF (Web Application Firewall) products have become popular.
By form factor, WAF products fall into three types: hardware, software and cloud services. Software WAFs, because of their shortcomings in functionality and performance, have gradually been eliminated by the market. Cloud WAFs have only emerged in the last two years, and neither the products nor the market are mature yet. Compared with those two forms, hardware WAFs have been refined over years of use, are relatively mature and complete in every respect, and are currently the mainstream form of WAF product on the market.

Since it is hardware, network deployment is something users must consider. Looking at domestic hardware WAF products, a single product usually supports several deployment modes, which leaves users confused when buying or deploying it. The following is a brief introduction to the common deployment modes of hardware WAFs, which I hope will help clear up that confusion.

· WAF deployment location

Typically, enterprises deploy the WAF in the DMZ that provides web services or in the service area of the data center, where it may be placed in series with gateway devices such as the firewall or IPS (less common). In short, the position of the web server decides where the WAF is deployed, because the web server is the object the WAF protects. The WAF should of course be deployed as close to the web server as possible.

· WAF deployment pattern classification

Depending on how the WAF works, there are four operating modes: transparent proxy mode, reverse proxy mode, routing proxy mode and port mirroring mode. The first three are also called inline (online) modes: the WAF is generally deployed in series in front of the web server, where it both detects and blocks abnormal traffic. Port mirroring mode is also called off-line (bypass) mode: deployment is relatively simple, the WAF is just attached as a bypass to the switch upstream of the web server, and it only detects abnormal traffic without blocking it.

Figure 1: WAF deployment pattern classification

· Technical principles of the WAF deployment modes

(1) Transparent proxy mode (also called bridge proxy mode): when a web client sends a connection request to the server, the listening WAF intercepts the TCP connection request. The WAF silently proxies the session between the web client and the server, splitting it into two sessions, and forwards in bridge mode. From the client's perspective it is still accessing the web server directly and does not perceive the WAF; from the point of view of its forwarding principle the WAF looks and forwards like a transparent bridge, hence the name transparent proxy mode, also known as transparent bridge mode.

Typical topology (figure)

(2) Reverse proxy mode: in reverse proxy mode the address of the real server is mapped onto the reverse proxy server, so to the outside the proxy server appears to be the real server. Because the client connects to the WAF itself, the WAF does not need the special handling that the other modes (routing and transparent proxy) use to hijack the session between client and server and proxy it transparently. When the proxy server receives an HTTP request, it forwards the request to the corresponding real server; the back-end server's response is first sent to the WAF device, which then sends it on to the client. The process is similar to the transparent proxy mode described earlier; the only difference is that in transparent proxy mode the client's request is addressed directly to the back-end server, so transparent proxy mode does not need an IP mapping configured on the WAF.

Typical topology (figure)

(3) Routing proxy mode: the only difference from transparent (bridge) proxy mode is that the proxy forwards in routing mode rather than bridge mode; everything else works the same. Because it works in routing (gateway) mode, the WAF's forwarding interfaces must be configured with IP addresses and routes.

Typical topology (figure)

(4) Port mirroring mode: in port mirroring mode the WAF only monitors HTTP traffic and raises alarms; it does not intercept or block. This mode requires a switch with a port mirroring function, which mirrors the HTTP traffic to the switch port the WAF is connected to. From the WAF's point of view traffic only flows in; nothing flows out.

Typical topology (figure)

· Advantages and disadvantages of the WAF deployment modes

(1) Transparent proxy mode (also called bridge proxy mode): this mode requires the fewest changes to the network and can achieve zero-configuration deployment. Thanks to the WAF's hardware bypass function, a device failure or power loss does not affect existing network traffic; only the WAF itself stops working. The disadvantage is that all network traffic (HTTP and non-HTTP) passes through the WAF, which places certain demands on its processing performance, and this mode cannot provide server load balancing.

(2) Reverse proxy mode: this mode requires changes to the network and relatively complex configuration. Besides configuring the WAF's own address and routing, you must also configure on the WAF the mapping between the back-end web server's real address and its virtual address. If the original server address is a global (public) address rather than one behind NAT, the original server's IP address usually has to be changed as well, and the DNS record that resolves to it changed accordingly. The advantage of this mode is that the WAF can also perform load balancing.

(3) Routing proxy mode: this mode requires simple changes to the network: set the IP address and the corresponding routes on the network devices and on the WAF's external-facing interface. In routing proxy mode the WAF can serve directly as the web server's gateway, but it is then a single point of failure and is also responsible for forwarding all traffic. This mode does not support server load balancing.

(4) Port mirroring mode: this mode requires no changes to the network, but it only analyzes traffic and records alarms; it does not intercept or block malicious traffic. It suits the initial stage of a WAF deployment: collecting information and learning how the server is accessed and attacked provides a reference for the optimal configuration of the subsequent inline deployment. This deployment mode has no impact on the existing network.
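As an added illustration (not code from the original post or from any WAF vendor), the following Python model captures the distinction the four modes make in practice: the three inline modes carry the client's request and can drop it when inspection flags it, reverse proxy mode additionally depends on a virtual-to-real address mapping configured on the WAF, and port mirroring mode only ever sees a copy of each request and can do no more than record an alarm. The rule set, the addresses and the sample requests are constructed for the example.

```python
"""Toy model of the four WAF deployment modes described above.

This is an added illustration, not code from the original post or from any
WAF vendor.  It models only the decision logic: where a request ends up and
whether a request flagged by inspection is blocked (inline modes) or merely
alerted on (port-mirroring mode).  Rules and addresses are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional
from urllib.parse import unquote_plus
import re


class Mode(Enum):
    TRANSPARENT = "transparent"   # bridge, inline, no IP on forwarding interfaces
    REVERSE_PROXY = "reverse"     # inline, WAF owns the virtual address
    ROUTING = "routing"           # inline, WAF is the web server's gateway
    MIRROR = "mirror"             # off-line, WAF sees a copy of the traffic only


@dataclass
class Request:
    dst_ip: str   # destination address as the client sent it
    path: str     # URL path plus query string, as on the wire


@dataclass
class Decision:
    forwarded_to: Optional[str]   # server the request reaches, None if dropped
    blocked: bool
    alerts: List[str] = field(default_factory=list)


# Constructed, deliberately small inspection rule set; a real WAF has many more.
RULES = {
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def inspect(req: Request) -> List[str]:
    """Return the names of the rules that match the decoded request path."""
    text = unquote_plus(req.path)
    return [name for name, pat in RULES.items() if pat.search(text)]


class Waf:
    def __init__(self, mode: Mode, vip_map: Optional[Dict[str, str]] = None):
        self.mode = mode
        # Reverse proxy mode only: virtual address on the WAF -> real server.
        self.vip_map = vip_map or {}
        if mode is Mode.REVERSE_PROXY and not self.vip_map:
            raise ValueError("reverse proxy mode needs a virtual->real address mapping")

    def handle(self, req: Request) -> Decision:
        alerts = inspect(req)
        if self.mode is Mode.MIRROR:
            # The switch delivered a copy; the original already reached the
            # server, so the WAF can only record an alarm.
            return Decision(forwarded_to=req.dst_ip, blocked=False, alerts=alerts)
        if self.mode is Mode.REVERSE_PROXY:
            target = self.vip_map.get(req.dst_ip)
            if target is None:
                # The client hit an address the WAF has no mapping for.
                return Decision(None, True, alerts + ["no-mapping"])
        else:
            # Transparent bridge and routing modes keep the client's destination.
            target = req.dst_ip
        if alerts:
            return Decision(None, True, alerts)   # inline modes can block
        return Decision(target, False, [])


# Constructed sample requests (documentation addresses, not real hosts).
BENIGN = Request("203.0.113.10", "/products?id=42")
SQLI = Request("203.0.113.10", "/login?user=admin%27+OR+1%3D1--")
TRAVERSAL = Request("203.0.113.10", "/static/../../etc/passwd")

if __name__ == "__main__":
    for mode in Mode:
        waf = Waf(mode, {"203.0.113.10": "10.0.0.5"})
        for req in (BENIGN, SQLI, TRAVERSAL):
            d = waf.handle(req)
            print(f"{mode.value:12} {req.path:40} blocked={d.blocked} "
                  f"to={d.forwarded_to} alerts={d.alerts}")
```

Running the script prints one line per mode and request; the point to notice is that the same flagged request yields `blocked=True` in the three inline modes and `blocked=False` with a recorded alert in mirror mode, and that only reverse proxy mode rewrites the destination to the mapped real server address.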

[Several web application firewalls on the market]

Open source web application firewall FreeWAF released: http://www.oschina.net/news/42772/freewaf-code-opened

Anquanbao (Security Treasure) - website security expert | anti-hacker, anti-DDoS, site acceleration, permanently free: http://www.anquanbao.com/

Safedog (Security Dog) - enterprise security solutions | cloud security | server security | site security: http://www.safedog.cn/index.html

Trusted Cloud - credibility assessment of cloud services; before buying cloud services, check Trusted Cloud first - Data Center Alliance: http://www.dca.org.cn/html/kexinyun/index.html

YUNDUN - anti-DDoS, anti-CC attack, high-defense intelligent DNS, free CDN acceleration, WAF cloud defense: http://www.yundun.com/

Niudun (NewDefend) cloud security - anti-hacker, anti-DDoS, anti-CC attack, site acceleration, high-defense intelligent DNS, permanently free: https://www.newdefend.com/
Original link: https://blog.csdn.net/enweitech/article/details/51905922

Origin: www.cnblogs.com/bonelee/p/12070179.html