1. Introduction to WAF
A Web Application Firewall (WAF) is designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It provides a security layer specifically designed to defend against common web attacks like SQL injection, Cross-Site Scripting (XSS), and others.
There are three common forms of WAF: software-based, hardware-based, and cloud-based. This article focuses primarily on hardware-based WAF, which is the most traditional and widely used form.
2. Deployment Models
Hardware WAFs can be deployed using several models, including Reverse Proxy, Transparent Proxy, Transparent Bridge, and Traffic Mirroring.
2.1 Reverse Proxy
A Reverse Proxy is a gateway technology that establishes a proxy relationship between the server and the client, allowing the client to communicate indirectly with the real server. In this setup, the WAF forwards the client's requests to the server and returns the server's responses to the client. The WAF has its own IP address, and the client actually establishes a TCP connection with the WAF rather than the real server. Here's a typical deployment architecture:
The main feature of this model is that the real server is hidden behind the WAF, and the client's access to the server is highly dependent on the WAF. This architecture makes it easy for the WAF to protect both HTTP and HTTPS traffic.
2.2 Transparent Proxy
A Transparent Proxy is another proxy technology, but unlike the Reverse Proxy, it doesn’t have its own IP address. Instead, the client’s request is sent to the server’s IP address directly. The Transparent Proxy WAF is placed between the client and the server, establishing connections with both sides, effectively "tricking" them into thinking they are directly connected. Here's a common deployment form:
In this model, the solid lines represent the real TCP connections, and the dashed lines represent the perceived network connections from the client and server's perspectives. Because this is a hijacking proxy technology, it requires the proxy gateway to intercept all traffic between the client and server to avoid incomplete TCP connections and potential timeouts.
The key feature of this model is that it minimally disrupts the network's logical topology and does not require separate IP resources for the WAF. It can protect both HTTP and HTTPS traffic as a man-in-the-middle.
2.3 Transparent Bridge
The Transparent Proxy WAF establishes real connections with both the client and server. But is it possible to protect connections without altering them? The answer is yes, through a Transparent Bridge.
The Transparent Bridge is deployed similarly to the Transparent Proxy but does not participate in the TCP connection. It doesn't modify any data packets; instead, it simply filters the traffic as it passes through. Secure packets are allowed to pass through the WAF and reach their destination. Here's a diagram for reference:
The main advantage of this model is that it does not interfere with the network's logical topology. Since it doesn’t alter the TCP layer, it can be seamlessly integrated or removed without causing interruptions in traffic. Even if some packets bypass the WAF due to routing decisions, it won't affect the connection.
2.4 Traffic Mirroring
The above models involve inserting the WAF into the network, but what if the network cannot accommodate additional gateways? Traffic Mirroring can solve this problem.
In the Traffic Mirroring model, as illustrated above, traffic between the client and server passes through a switch. The switch’s port mirroring feature can be used to copy the web traffic’s original frames to the WAF, which then reconstructs the data frames into original requests for analysis.
This model’s primary advantage is its non-intrusive nature, offering higher reliability.
3. Comparison of Deployment Models
| Deployment Model | Position | Can Inspect HTTPS? | Does WAF Alter Data Packets? | Impact on Original Network? |
|---|---|---|---|---|
| Reverse Proxy | Inline | Yes | Yes | Yes |
| Transparent Proxy | Inline | Yes | Yes | Slight Impact |
| Transparent Bridge | Inline | No | No | None |
| Traffic Mirroring | Out-of-band | No | - | None |
4. Recommended Free WAF
I personally use the free community edition of SafeLine WAF, developed by Chaitin Technology. SafeLine supports deployment in hardware, software, and cloud environments, with the hardware edition supporting all the models mentioned above.
Check out the website here if you're interested: https://waf.chaitin.com
Top comments (0)