DEV Community

Carrie

Four Common Deployment Modes of WAF

Introduction to WAF

WAF stands for Web Application Firewall, and its role is to provide security protection for web applications through a series of security policies. WAF is specifically designed for web applications and can effectively prevent common web attacks such as SQL injection and XSS attacks.

WAF products typically come in three forms: software WAF, hardware WAF, and cloud WAF. Among them, hardware WAF is the most traditional and conventional product form, and this article focuses on hardware WAF.

Deployment Modes

The main deployment modes of hardware WAF include reverse proxy, transparent proxy, transparent bridge, and traffic mirroring.

Reverse Proxy

A reverse proxy is a gateway technology that establishes a proxy relationship between the server and the client, so that the client communicates with the real server indirectly, through the reverse proxy gateway. The reverse proxy WAF does not change the actual content of the client's request; it forwards the request to the real backend server and then returns the server's response to the client. The working port of the reverse proxy WAF has its own IP address. The client actually establishes its TCP connection with the WAF, and the WAF uses its own IP to open a separate connection to the server. A typical deployment architecture is as follows:

[Diagram: reverse proxy WAF deployment]

Its characteristic is that the real server is hidden behind the WAF, and the client's access to the server strongly relies on the proxy of the WAF. Such an architecture allows the WAF to easily perform HTTP and HTTPS protection as an intermediary.
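The two-connection behaviour described above can be seen in a small loopback demo. This is an added example, not code from the article or from any WAF product. The detection rule, the `X-Forwarded-For` header used to carry the client address, and all names are assumptions made for illustration.

```python
import http.client
import http.server
import re
import threading
import urllib.parse

RULE = re.compile(r"<script|union\s+select", re.I)  # toy rule, illustration only
backend_log = []  # (path, X-Forwarded-For) of every request the backend receives

class Backend(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        backend_log.append((self.path, self.headers.get("X-Forwarded-For")))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"hello from backend")

def fetch(addr, path, headers=None):
    conn = http.client.HTTPConnection(*addr, timeout=5)  # a separate TCP connection
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

class Waf(http.server.BaseHTTPRequestHandler):
    upstream = None  # (host, port) of the real server, set in run_demo()
    def do_GET(self):
        # Connection 1 (client -> WAF) terminates here; inspect before forwarding.
        if RULE.search(urllib.parse.unquote_plus(self.path)):
            self.send_error(403, "Blocked by WAF")
            return
        # Connection 2 (WAF -> server) starts from the WAF's own IP; pass the client IP on.
        fwd = {"X-Forwarded-For": self.client_address[0]}
        status, body = fetch(self.upstream, self.path, fwd)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

def start(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address

def run_demo():
    Waf.upstream = start(Backend)  # the real server, hidden behind the WAF
    waf = start(Waf)               # the only address the client ever contacts
    ok = fetch(waf, "/index.html")
    blocked = fetch(waf, "/search?q=%3Cscript%3E")
    return ok, blocked, list(backend_log)
```

`run_demo()` returns the benign response, the 403 for the flagged request, and the backend's log, which contains only the benign request: the blocked one never reaches the real server.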

Transparent Proxy

A transparent proxy is also a proxy technology but does not have its own IP. The target IP of the client's request is the server IP. The transparent proxy WAF is generally connected in series between the client and the server, establishing connections with the server using the server's IP and with the client using the client's IP, achieving a "two-way deception." A common deployment form is as follows:

[Diagram: transparent proxy WAF deployment]

The solid lines represent real TCP connections, while the dashed lines represent the network connections seen from the perspective of the client and server. Because it is a hijacking proxy technology, this deployment method physically requires the proxy gateway to receive all the communication content between the client and the server; otherwise, there will be connection timeouts due to incomplete TCP packet reception on one end.

The characteristic of this mode is minimal intrusion into the network's logical topology. It does not require IP resource planning for the WAF and can protect both HTTP and HTTPS as an intermediary.

Transparent Bridge

A transparent proxy WAF still establishes real connections with both the client and the server. Can we achieve true transparency and still perform protection without hijacking the connection? The answer is to use a transparent bridge.

The transparent bridge sits in the same topological position as the transparent proxy, in series on the path between the client and the server. However, it does not participate in the TCP connection, nor does it alter any field of the data packets. It simply inspects the traffic on the link and lets only safe packets pass through the WAF to reach their destination. Refer to the diagram below:

[Diagram: transparent bridge WAF deployment]

This mode shares the transparent proxy's main characteristic: it does not intrude on the network's logical topology. Since it does not terminate TCP connections, it can be connected or disconnected without interrupting them. If some data packets bypass the WAF for routing reasons, the connection is not affected, which makes this a more convenient deployment mode. The trade-off, reflected in the comparison below, is that a device which never terminates the connection is not the TLS endpoint, so it does not inspect HTTPS.

Traffic Mirroring

The above modes are all connected in series in the network, but some networks do not allow any gateways other than normal network devices to be connected in series, while still requiring security protection. Is there a way to meet this need? The answer is yes, and this is where the traffic mirroring mode comes into play.

[Diagram: traffic mirroring WAF deployment]

As shown in the diagram, the traffic mirroring mode involves the client and server communicating through a switch. The switch's port mirroring function can mirror the original web request traffic frames to the WAF. The WAF restores the data frames into the original requests for traffic analysis.

The characteristic of this mode is that it does not intrude on the network at all, which provides higher reliability.
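The step where the WAF "restores the data frames into the original requests" amounts to TCP stream reassembly followed by HTTP parsing. The sketch below is an added example, not code from the article or from any WAF product. It works on a constructed capture of one client-to-server flow, the rule and all names are assumptions, and a gap stands for a frame that was never mirrored.

```python
import re
import urllib.parse

RULE = re.compile(r"union\s+select|<script", re.I)  # toy rule, illustration only

def reassemble(segments, isn):
    """Rebuild the client->server byte stream from mirrored TCP segments.

    segments: (seq, payload) pairs in capture order; they may be out of order
    or retransmitted. isn: the client's initial sequence number (SYN uses one).
    Returns (stream, gap); gap is True when a missing segment stops reassembly.
    Sequence-number wraparound is ignored to keep the example short.
    """
    stream, next_seq, gap = bytearray(), isn + 1, False
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > next_seq:  # bytes in between were never seen on the mirror
            gap = True
            break
        new = payload[next_seq - seq:]  # skip bytes already delivered
        stream += new
        next_seq += len(new)
    return bytes(stream), gap

def analyze(segments, isn):
    """Parse the reassembled request head and apply the rule (detection only)."""
    stream, gap = reassemble(segments, isn)
    head, sep, _ = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if not sep or len(parts) != 3:
        return {"verdict": "incomplete", "gap": gap}
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    hit = RULE.search(urllib.parse.unquote_plus(parts[1]))
    return {"verdict": "alert" if hit else "clean", "gap": gap,
            "method": parts[0], "target": parts[1], "host": headers.get("host")}

# Constructed capture of one flow: B arrives before A, and A is retransmitted.
REQ = b"GET /item?id=1%20UNION%20SELECT%201 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ISN = 1000
A, B, C = REQ[:20], REQ[20:45], REQ[45:]
CAPTURE = [(ISN + 21, B), (ISN + 1, A), (ISN + 1, A), (ISN + 46, C)]

if __name__ == "__main__":
    print(analyze(CAPTURE, ISN))                       # every frame was mirrored
    print(analyze([CAPTURE[0], CAPTURE[3]], ISN))      # segment A never mirrored
```

When the first segment is missing from the mirror, the request cannot be rebuilt and the result is `incomplete` rather than a verdict, which is the blind spot to monitor for in this mode.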

Comparison of Modes

| Deployment Mode | Deployment Position | Can Detect HTTPS | Changes Data Packet After WAF | WAF Deployment Impact on Original Link |
| --- | --- | --- | --- | --- |
| Reverse Proxy | In Series | Yes | Yes | Yes |
| Transparent Proxy | In Series | Yes | Yes | Slight Impact |
| Transparent Bridge | In Series | No | No | No Impact |
| Traffic Mirroring | Parallel | No | - | No Impact |

Recommended Free WAF

I mainly use the free WAF launched by Chaitin Tech, named SafeLine WAF Community Edition. SafeLine supports hardware, software, and cloud deployment. The hardware version of SafeLine supports all the deployment modes mentioned above.

Here is the link to the SafeLine Community Edition official website for those interested: waf.chaitin.com
