Intelligent CIO Africa Issue 16 | Page 72

INTELLIGENT BRANDS // Enterprise Security

Where WAF fits into the data path

Web application firewalls (WAFs) are an integral component of application protection: they protect against the Open Web Application Security Project (OWASP) Top 10 and are a go-to solution for addressing zero-day vulnerabilities. But where do you put them? Martin Walshaw, Senior Systems Engineer at F5, says we need to think carefully about where the WAF should be plugged in.

“According to a recent blog from F5, some points are less efficient, some introduce points of failure and others introduce architectural debt that incurs heavy interest penalties over time,” said Walshaw.

F5 recommends that businesses should ideally deploy the WAF behind the load balancing tier, which optimises for utilisation, performance and reliability, while providing the necessary protection for all apps, including those exposed on the Internet. The following are important considerations when deciding WAF placement on the data path.

Utilisation

Where WAF is concerned, utilisation becomes a key factor in operational costs, as higher utilisation, which is inherent to a WAF solution, leads to additional resource requirements, which consume budgets.

Performance

Performance will also be affected by choosing to place the WAF in front of the load balancing tier. To increase performance and save time, you will want to eliminate layers of network from the equation rather than add to them, and that means deploying your WAF behind the load balancing tier.

Reliability

While many WAFs scale well, they can still be overwhelmed by flash traffic or attacks, so if the choice is to place the WAF in front of the load balancing tier, companies will need another load balancing tier to scale it separately. Without this, you risk impacting performance and availability.

Visibility

This is a key requirement for security solutions in the data path. If you cannot inspect the entire flow, many of the security functions boasted by a WAF become moot. When the WAF is behind the load balancing tier, Secure Sockets Layer/Transport Layer Security (SSL/TLS) decryption happens before traffic is passed to the WAF for inspection.

“While these are all valid considerations, a WAF can fit pretty much anywhere you want it to fit,” said Anton Jacobsz, Managing Director at Networks Unlimited, a value-added distributor of F5 in Africa. “As F5 notes, it could sit at the edge of the network, if that’s where you want it. However, best practice to optimise your architecture for performance, utilisation and reliability is to position it behind the load balancing tier and close to the application it’s protecting.”