Tuesday, July 4, 2023

Personal insights on the location of WAFs in data centers

The first is the simplest data center architecture: as the figure shows, the whole path is chained in series, and in this case deploying the WAF for protection is the simplest.




In this case, you only need to configure layer 2 transparent pass-through on the WAF and then deploy policies on the WAF to protect the back-end servers.
Of course, if possible, it is even better to add a dedicated SSL offload device in front of the WAF so that SSL offload happens there.


The second is also a fairly ideal architecture: a dedicated segment is carved out inside the Internet zone as a DMZ, and only the DMZ can reach the external network or have Internet services mapped to it, which hides the servers.
In terms of traffic this architecture is actually no different from the first: the DMZ handles SSL termination and forwarding, so the traffic reaching the WAF is in theory all plain HTTP, and configuring protection policies is very easy.



The third architecture is the more common one. Machines in the DMZ handle load balancing, reverse proxying and SSL offload, while machines in the server zone have no outbound network access, which hides them.

The difficulty with this architecture is that when the DMZ machines act as load balancers and terminate HTTPS, the WAF's configuration workload becomes very large, and every time the SSL certificate changes the WAF has to change together with the DMZ machines, otherwise certificate errors occur.
Of course, without adding extra equipment there is a rather unorthodox solution: have the WAF pass the router-to-DMZ traffic through untouched and protect only the DMZ-to-server-zone traffic, because by then the DMZ has already decrypted the SSL traffic, so WAF configuration is also relatively simple.
The drawback of this is equally prominent: the WAF cannot see the real attacker IP; every source IP it sees is a DMZ forwarder.
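As an added example, not from the original post, here is how a WAF (or any log/alert pipeline behind it) can recover the originating client address when the DMZ forwarders append an X-Forwarded-For header. It assumes the DMZ reverse proxies do append that header and that their address range (10.0.0.0/24 below) is known; the header is only trusted when it arrives from one of those proxies, and client-supplied entries further left in the chain are ignored.

```python
import ipaddress
from typing import Iterable, Optional


def _parse_ip(text: str):
    """Parse one X-Forwarded-For entry; return None if it is not a plain IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Recover the originating client IP behind the DMZ forwarders.

    remote_addr      -- peer address on the WAF's socket (normally a DMZ forwarder)
    xff              -- raw X-Forwarded-For header value, or None if absent
    trusted_proxies  -- CIDR ranges of our own DMZ forwarders (constructed values)
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    # The header is only meaningful if it was appended by one of our proxies;
    # a client talking to us directly can put anything in it.
    if not is_trusted(peer) or not xff:
        return str(peer)

    # Walk the chain from the right: the rightmost entries were added by our
    # own forwarders, the first untrusted one is the real client.
    for raw in reversed(xff.split(",")):
        ip = _parse_ip(raw)
        if ip is None:
            # Malformed entry: stop and report the nearest trusted hop rather
            # than log unparseable, possibly injected text.
            return str(peer)
        if is_trusted(ip):
            peer = ip
            continue
        return str(ip)
    # Every entry belonged to our own proxies (purely internal request).
    return str(peer)


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 spoofed a leading entry, then hit
    # two DMZ forwarders before reaching the WAF.
    print(client_ip("10.0.0.5", "198.51.100.9, 203.0.113.7, 10.0.0.20", ["10.0.0.0/24"]))
```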