Hello Blason,
This is an interesting question.
On Tue, Nov 15, 2022 at 11:50:36AM +0530, Blason R wrote:
> This may sound off the forum, but I have been asked by my manager to work on
> a use case of WAF with CDN.
>
> I am not sure what and how a WAF could be used with a CDN. For my scenario, for
> example, I have 5 webservers hosted on premise and I am currently using an
> nginx reverse proxy with ModSec and the Core Rule Set 3.3.0.
If we assume the CDN gives you a WAF setup of similar capabilities, then you
can offload the operating of the WAF to the CDN. So ideally, this frees
operational resources.
In reality, and based on everything I have seen, the WAFs CDNs give you are
less capable, more restricted in the features they support, less flexible,
harder to monitor and harder to tune. Bottom line: they cost more than
running ModSec yourself with a small team of capable engineers / operators
who know what they are doing.
There is a different use case, though: DDoS and other high load scenarios.
If you are expecting attacks or peaks that will grow beyond the size of
your servers, then the CDN can be used to filter the traffic or offload
requests for static files. That's what most people use CDNs for.
A complementary capability that some WAF CDNs deliver is the entire range
of anti-automation and anti-brute-force features. ModSec is notoriously
bad at this outside of very simple setups, and CDNs can help you if that
is a problem for you. Otherwise, brute force can often be fought with Fail2Ban
on the login.
In a CDN scenario, you can use the WAF of the CDN in addition to your WAF, or
you leave it out and just use the additional filtering capabilities.
Personally, I try to limit the WAF to a single layer or debugging can get
hairy, but I am sure this can be solved.
I think it is useful to think about this all in terms of your use case
and security need.
Best regards,
Christian
--
One can acquire everything in solitude - except character.
-- Stendhal