Friday, July 15, 2011

Web Application Firewall Architecture

WAF Placement

Appliance-based WAF deployments typically sit directly behind an enterprise firewall and in front of organizational web servers. Deployments are often done in-line, with all traffic flowing through the web application firewall. However, some solutions can be placed "out of band" by using a network monitoring port. If network-based deployments are not preferred, organizations have another option: host- or server-based WAF applications are installed directly onto corporate web servers and provide similar feature sets by processing traffic before it reaches the web server or application.

Security Model

A WAF typically follows either a positive or a negative security model when it comes to developing security policies for your applications. A positive security model only allows traffic to pass which is known to be good; all other traffic is blocked. A negative security model allows all traffic and attempts to block that which is malicious. Some WAF implementations attempt to use both models, but typically products use one or the other. "A WAF using a positive security model typically requires more configuration and tuning, while a WAF using a negative security model will rely more on behavioral learning capabilities." (Young, 2008)
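An added example, not from the original post, that contrasts the two models as minimal policy engines in Python. The endpoints, parameter rules and signature list are constructed for a hypothetical application with a /search and a /login page:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Positive model: an explicit allowlist of endpoints and the exact shape each
# parameter may take. Constructed for a hypothetical app with two endpoints.
POSITIVE_POLICY = {
    ("GET", "/search"): {"q": re.compile(r"[\w ]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_]{3,32}"),
                         "pw": re.compile(r".{8,128}")},
}

# Negative model: a blocklist of known-bad patterns applied to every request,
# with no knowledge of the application. Deliberately small constructed set.
NEGATIVE_SIGNATURES = [
    re.compile(r"<script", re.I),   # HTML script tag in user input
    re.compile(r"\.\./"),           # directory traversal sequence
]


def _params(url, body):
    """Merge query-string and form-body parameters into one dict."""
    parts = urlsplit(url)
    merged = parse_qs(parts.query, keep_blank_values=True)
    merged.update(parse_qs(body, keep_blank_values=True))
    return parts.path, merged


def positive_check(method, url, body=""):
    """Pass only what the policy describes; anything unknown is blocked."""
    path, params = _params(url, body)
    rule = POSITIVE_POLICY.get((method, path))
    if rule is None:
        return False                       # endpoint never configured
    if set(params) - set(rule):
        return False                       # parameter name not in policy
    return all(rule[name].fullmatch(value)
               for name, values in params.items() for value in values)


def negative_check(method, url, body=""):
    """Pass everything unless a known-bad signature matches (method unused)."""
    return not any(sig.search(url + "\n" + body) for sig in NEGATIVE_SIGNATURES)


def verdicts(method, url, body=""):
    """Return (positive_model_allows, negative_model_allows) for one request."""
    return positive_check(method, url, body), negative_check(method, url, body)
```

The request to an unregistered /admin/export path is the point of the contrast: the positive model blocks it simply because nobody configured that endpoint (the tuning work the quoted text refers to), while the negative model passes it because no signature fires.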

Operating Modes

Web Application Firewalls can operate in several distinct modes. Vendor names and support for the different modes vary, so check each product for specific details if a particular mode is desired. Each mode offers various pros and cons which require organizations to evaluate the right fit for their environment.


Reverse Proxy – The full reverse proxy mode is the most common and feature-rich deployment in the web application firewall space. In reverse proxy mode the device sits in line and all network traffic passes through the WAF. The WAF has published IP addresses and all incoming connections terminate at these addresses. The WAF then makes requests to back-end web servers on behalf of the originating browser. This mode is often required for many of the additional features that a WAF may offer, because those features depend on connection termination. The downside of reverse proxy mode is that it can increase latency, which could create problems for less forgiving applications.

Transparent Proxy – When used as a transparent proxy, the WAF sits in line between the firewall and web server and acts similarly to a reverse proxy but does not have an IP address of its own. This mode does not require any changes to the existing infrastructure, but cannot provide some of the additional services a reverse proxy can.

Layer 2 Bridge – The WAF sits in line between the firewall and web servers and acts just like a layer 2 switch. This mode provides high performance and requires no significant network changes; however, it does not offer the advanced services other WAF modes may provide.

Network Monitor/Out of Band – In this mode, the WAF is not in line and watches network traffic by sniffing from a monitoring port. This mode is ideal for testing a WAF in your environment without impacting traffic. If desired, the WAF can still block traffic in this mode by sending TCP resets to interrupt unwanted connections.

Host/Server Based – Host or server based WAFs are software applications that are installed on the web servers themselves. Host based WAFs do not provide the additional features that their network based counterparts may offer. They do, however, have the advantage of removing a potential point of failure which network based WAFs introduce. Host based WAFs do increase load on web servers, so organizations should be careful when introducing these applications on heavily used servers.

Additional Features

WAF devices are often either add-on components of existing application delivery controllers or include additional features to improve the reliability and performance of web applications. These additional features can help make the case for implementing a WAF for organizations not already taking advantage of such features. Not all WAF solutions have these features, and many are dependent upon the deployment mode chosen. Typically a reverse-proxy deployment will support each of these features.

Caching – Reducing load on web servers and increasing performance by caching copies of regularly requested web content on the WAF, thus reducing repeated requests to back-end servers.

Compression – To provide more efficient network transport, static web content can be automatically compressed by the WAF and then decompressed by the browser.

SSL Acceleration – Use of hardware-based SSL decryption in the WAF to accelerate SSL processing and reduce the load on back-end web servers.

Load Balancing – Spreading incoming web requests across multiple back-end web servers to improve performance and reliability.

Connection Pooling – Reduces back-end server TCP overhead by allowing multiple requests to reuse the same back-end connection.
