ITNewsAfrica logo



Where WAF fits into the data path


JOHANNESBURG – 15 March 2018 – Web application firewalls (WAFs) are an integral component of application protection. They are excellent at protecting against the OWASP (Open Web Application Security Project) Top 10 and are a go-to solution for addressing zero-day vulnerabilities – but where do you put them?

Everyday data paths offer various insertion points at which a WAF can be deployed, says Martin Walshaw, senior systems engineer at F5. “However, we need to think carefully about where the WAF should be plugged in. According to a recent blog from F5, some points are less efficient, some introduce points of failure, and others introduce architectural debt that incurs heavy interest penalties over time.”

F5 recommends that businesses ideally deploy the WAF behind the load balancing tier, which optimises for utilisation, performance and reliability, while providing the necessary protection for all apps, including those exposed on the internet. The following are important considerations to weigh when deciding on WAF placement in the data path:

Where WAF is concerned, utilisation becomes a key factor in operational costs as higher utilisation, which is inherent to a WAF solution, leads to additional resource requirements, which consume budgets.

While many WAFs scale well, they can still be overwhelmed by flash traffic or attacks, so if the choice is to place the WAF in front of the load balancing tier, companies will need another load balancing tier to scale it separately. Without this, you risk impacting performance and availability.

Not only that, but performance will be affected by choosing to place the WAF in front – to increase performance and save time you will want to eliminate layers of network from the equation rather than adding to them, and that means deploying your WAF behind the load balancing tier.

Being able to inspect the entire flow is a key requirement for security solutions in the data path. If you cannot, many of the security functions boasted by a WAF become moot. When the WAF is behind the load balancing tier, SSL/TLS (Secure Sockets Layer/Transport Layer Security) decryption happens before traffic is passed to the WAF for inspection.

“While these are all valid considerations, a WAF can fit pretty much anywhere you want it to fit,” says Anton Jacobsz, managing director at Networks Unlimited, a value-added distributor of F5 in Africa.

“As F5 notes, it could sit at the edge of the network, if that’s where you want it. However, best practice to optimise your architecture for performance, utilisation and reliability is to position it behind the load balancing tier and close to the application it’s protecting.”

To find out more, please contact Alexa Gerber, F5 product manager at Networks Unlimited: alexa.gerber@nu.co.za.

About F5
F5 makes apps operate faster, smarter, and safer for the world’s largest businesses, service providers, governments, and consumer brands. F5 delivers cloud and security solutions that enable organisations to embrace the application infrastructure they choose without sacrificing speed and control. For more information, go to f5.com.

About Networks Unlimited
Networks Unlimited is a value-added distributor, offering the best and latest solutions within the converged technology, data centre, networking, and security landscapes. The company distributes best-of-breed products, including Arbor Networks, Fortinet, F5, Mellanox, ProLabs, Rackmount, RSA, Rubrik, Silver Peak and Tintri. The product portfolio provides solutions from the edge to the data centre, and addresses key areas such as cloud networking and integration, WAN optimisation, application performance management, application delivery networking, Wi-Fi-, mobile- and networking security, load balancing, data centre in-a-box, and storage for virtual machines.

Since its formation in 1994, Networks Unlimited has continually adapted to today's progressively competitive and evolving marketplace, and has reaped the benefits by being a leading value-added distributor (VAD) within the Sub-Saharan Africa market. Networks Unlimited complies with the South African Broad-Based Black Economic Empowerment (B-BBEE) guidelines as a Level 4 Contributor.

Networks Unlimited, Ingrid Mulaudzi, +27 (0) 11 202 8400, ingrid.mulaudzi@nu.co.za
icomm, Vivienne Fouché, +27 (0) 82 602 1635, vivienne@pr.co.za, www.icomm-pr.co.za



