WAF with CDN


Blason R

Nov 15, 2022, 1:20:50 AM
to ModSecurity Core Rule Set project
Hi Team,


This may sound off-topic for the forum, but I have been asked by my manager to work on a use case of WAF with CDN.

I am not sure what a WAF could be used for with a CDN, or how. In my scenario, for example, I have 5 web servers hosted on premises and I am currently using an nginx reverse proxy with ModSec and coreruleset 3.3.0.

Now, as I said above, my management demands that I look for a CDN option with WAF, like many other current cloud WAF providers, and give this as an option.

Again, I am not sure in what scenarios this might suit me if I have web app servers on prem. Can someone please explain to me the general use case behind customers demanding WAF services with CDN?

Christian Folini

Nov 15, 2022, 2:55:25 AM
to Blason R, ModSecurity Core Rule Set project
Hello Blason,

This is an interesting question.

On Tue, Nov 15, 2022 at 11:50:36AM +0530, Blason R wrote:
> This may sound off-topic for the forum, but I have been asked by my manager
> to work on a use case of WAF with CDN.
>
> I am not sure what a WAF could be used for with a CDN, or how. In my
> scenario, for example, I have 5 web servers hosted on premises and I am
> currently using an nginx reverse proxy with ModSec and coreruleset 3.3.0.

If we assume the CDN gives you a WAF setup of similar capabilities, then you
can offload the operating of the WAF to the CDN. So ideally, this frees
operational resources.

In reality and based on everything I have seen, the WAFs CDNs give you are
less capable, more restricted in the features they support, less flexible,
harder to monitor and harder to tune. Under the line they cost more than
running ModSec yourself with a small team of capable engineers / operators
who know what they are doing.

There is a different use case, though: DDoS and other high load scenarios.
If you are expecting attacks or peaks that will grow beyond the size of
your servers, then the CDN can be used to filter the traffic or offload
requests for static files. That's what most people use CDNs for.

A complementary capability that some WAF CDNs deliver is the entire range
of anti-automation features and anti-brute force stuff. ModSec is notoriously
bad at this outside of very simple setups and CDNs can help you if that
is a problem for you. Otherwise, brute force can often be fought with Fail2Ban
on the login.

In a CDN scenario, you can use the WAF of the CDN in addition to your WAF or
you leave it out and just use the additional filtering capabilities.
Personally, I try to limit the WAF to a single layer or debugging can get
hairy, but I am sure this can be solved.

I think it is useful to think about this all in terms of your use case
and security need.

Best regards,

Christian


--
One can acquire everything in solitude - except character.
-- Stendhal

Achim

Nov 15, 2022, 1:20:08 PM
to ModSecurity Core Rule Set project
On 15.11.22 at 07:20, Blason R wrote:
When using the WAF in the cloud you should think about the following:
* all traffic targeted to your on-prem server may leave your country;
* only some WAF providers give you a written confirmation that the analysing
engine resides on the server you purchased (meaning it does not leave the server);
* depending on the technology, you need to share or hand over your certificate's
private key; using wildcard certificates is bad security practice;
* some WAFs share the payloads; the promise is that "their" AI then may detect
0-day attacks (believe it or not ;-)

Just thinking: there seems to be a good reason when the server is on prem, most
likely because of sensitive data, then using a cloud service with deep packet
analysis on non-controllable servers sounds self-defeating, somehow ...

just my 2 pence

