Common WAF Deployment Modes and Free WAF Recommendation

ButterflyI8 - Aug 28 - Dev Community

Overview

WAF, short for Web Application Firewall, provides security protection for web applications through a set of security policies. Because it is tailored specifically to web applications, a WAF can effectively prevent common web attacks such as SQL injection and XSS (Cross-Site Scripting).

WAF commonly exists in three forms: Software WAF, Hardware WAF, and Cloud WAF.

Deployment Modes

The deployment modes of hardware WAF primarily include reverse proxy, transparent proxy, transparent bridging, and traffic mirroring.

Reverse Proxy

Reverse Proxy is a type of gateway technology that establishes a proxy relationship between a server and a client, allowing the client to indirectly communicate with the actual server through the reverse proxy gateway. In the context of WAF (Web Application Firewall), a reverse proxy does not alter the actual content of the client's request but forwards it to the backend real server and then returns the server's response back to the client.

The reverse proxy WAF operates with its own IP address, and the client actually establishes a TCP connection with the WAF, which then uses its own IP to establish a request relationship with the server. A typical deployment architecture for a reverse proxy WAF looks like this:

Client → WAF (Reverse Proxy) → Real Server

The key feature of this architecture is that the real server is hidden behind the WAF, and the client's access to the server relies heavily on the WAF's proxying capabilities. This setup allows the WAF, as an intermediary, to perform HTTP and HTTPS protection with ease.
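The following Python sketch is an added example written for this article; it is not code from SafeLine or Chaitin Tech. It shows the reverse-proxy mode end to end: the WAF listens on its own address, terminates the client's TCP connection, inspects the request against a couple of constructed SQL-injection and XSS signatures, and only then opens its own connection to the backend. Because the backend sees the WAF's IP as its peer, the proxy appends X-Forwarded-For so the origin server can still recover the real client address. The ports 8080/8081, the stand-in backend handler and the signature patterns are all assumptions for the demo.

```python
"""Reverse-proxy WAF sketch: added example, not SafeLine or Chaitin code."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import unquote_plus

# Constructed, deliberately small signatures for the two attack classes the
# article names; a real WAF ships far richer rule sets.
RULES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
}
BACKEND = ("127.0.0.1", 8081)     # assumed address of the real server
WAF_LISTEN = ("127.0.0.1", 8080)  # assumed address the WAF exposes to clients


def inspect_request(path: str, body: bytes) -> Optional[str]:
    """Return the name of the first rule matching the decoded request, else None."""
    candidate = unquote_plus(path) + "\n" + body.decode("utf-8", "replace")
    for name, pattern in RULES.items():
        if pattern.search(candidate):
            return name
    return None


def upstream_headers(client_ip: str, headers, backend_host: str) -> dict:
    """Headers for the WAF's own connection to the backend: Host is rewritten and
    the real client IP is appended to X-Forwarded-For, because the backend will
    otherwise only ever see the WAF's address as its TCP peer."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("host", "x-forwarded-for")}
    prior = headers.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    out["Host"] = backend_host
    return out


class WafHandler(BaseHTTPRequestHandler):
    """Terminates the client connection, inspects, then proxies to BACKEND."""

    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        verdict = inspect_request(self.path, body)
        if verdict:  # block before anything reaches the real server
            reply = f"blocked by rule {verdict}\n".encode()
            self.send_response(403)
            self.send_header("Content-Length", str(len(reply)))
            self.end_headers()
            self.wfile.write(reply)
            return
        host, port = BACKEND
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(self.command, self.path, body=body,
                     headers=upstream_headers(self.client_address[0],
                                              self.headers, f"{host}:{port}"))
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = _proxy
    log_message = lambda self, *args: None  # keep the demo output quiet


class BackendHandler(BaseHTTPRequestHandler):
    """Stand-in origin server; trusts only the right-most X-Forwarded-For hop."""

    def do_GET(self):
        xff = self.headers.get("X-Forwarded-For", "")
        real_client = xff.split(",")[-1].strip() or self.client_address[0]
        msg = f"peer={self.client_address[0]} client={real_client}\n".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(msg)))
        self.end_headers()
        self.wfile.write(msg)

    do_POST = do_GET
    log_message = lambda self, *args: None


if __name__ == "__main__":
    servers = [HTTPServer(BACKEND, BackendHandler), HTTPServer(WAF_LISTEN, WafHandler)]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    for path in ("/search?q=shoes", "/search?q=1'+or+'1'='1"):
        c = http.client.HTTPConnection(*WAF_LISTEN)
        c.request("GET", path)
        r = c.getresponse()
        print(path, "->", r.status, r.read().decode().strip())
    for srv in servers:
        srv.shutdown()
```

Run directly, the script starts both servers on localhost, sends one benign and one malicious request through the WAF, and prints the verdicts: the first returns 200 from the backend, the second is answered 403 by the WAF and never reaches the real server. The backend trusts only the right-most X-Forwarded-For entry, which is the one appended by the WAF it sits behind; earlier entries are client-supplied and unverified.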

Transparent Proxy

Transparent Proxy is another proxy technology that does not have its own IP address. When a client initiates a request, the destination IP is that of the server. A transparent proxy WAF is typically placed in series between the client and the server, establishing connections with the client using the server's IP and with the server using the client's IP, effectively "tricking" both ends. A common deployment scenario is illustrated below:

[Diagram: transparent proxy WAF placed in series between client and server]

In this diagram, solid lines represent the actual TCP connections, while dashed lines represent the network connections as perceived by the client and the server. Since it employs a form of hijacking proxy technology, this deployment method requires that the proxy gateway physically intercepts all communication content between the client and the server. Failure to do so can lead to incomplete TCP packet reception at one end, resulting in connection timeouts.

The characteristics of this mode include minimal intrusion into the network's logical topology, eliminating the need to plan IP resources for the WAF. Acting as an intermediary, it can also protect both HTTP and HTTPS traffic simultaneously.

Transparent Bridge

Given that a transparent proxy WAF establishes real connections with both the client and the server, the question arises: can we achieve true transparency and intercept connections for protection? The answer is to use a Transparent Bridge.

A Transparent Bridge is deployed in a topological position similar to that of a transparent proxy, also placed in series on the required path between the client and the server. However, it does not participate in the TCP connection and does not alter any fields in the data packets. Instead, it simply protects the connection along the in-line link, allowing safe data packets to pass through the WAF to their destination. The following diagram provides a visual reference:

[Diagram: transparent bridge WAF in series between client and server]

The characteristics of this mode are similar to those of a transparent proxy, in that it does not logically intrude on the network topology. Since it does not interfere with the TCP layer, it can be added or removed without causing disruptions, and if some data packets bypass the WAF due to routing issues, it will not affect the connection. It is a more convenient deployment mode.

Traffic Mirroring

The above-mentioned modes all involve serial connections within the network, but some networks do not allow additional gateways besides normal network devices, yet still have security protection requirements. So, is there a way to meet these needs? The answer lies in the Traffic Mirroring mode.

[Diagram: traffic mirroring, with the switch copying client-server traffic to the WAF]

The Traffic Mirroring mode, as illustrated in the diagram, involves the client and server communicating through a switch. In this scenario, the switch's port mirroring function can be utilized to mirror the original frames of web request traffic to the WAF. The WAF then restores the data frames into their original requests, enabling it to analyze the traffic.

The characteristics of this mode: it is not intrusive to the network at all, which makes it more reliable.
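As an added example (not part of the original post and not SafeLine code), the Python below shows what "restoring the data frames into their original requests" involves in the mirroring mode: parsing the Ethernet, IPv4 and TCP headers of each mirrored frame, grouping payload by flow, ordering segments by sequence number while discarding retransmissions, and parsing the HTTP request line and headers once the header block is complete. The frames, addresses and request are constructed inline; the minimal encapsulation helper and the zero checksums are simplifications for the demo.

```python
"""Passive HTTP request reconstruction from mirrored frames (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < ETH_LEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or total_len > len(ip):  # not TCP, or truncated capture
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    return src_ip, dst_ip, sport, dport, seq, tcp[data_off:]


def reassemble(frames: List[bytes]) -> Dict[Tuple, bytes]:
    """Group TCP payload per flow and order it by sequence number.
    Retransmitted segments are dropped; a gap leaves the stream truncated
    until the missing segment shows up."""
    flows: Dict[Tuple, Dict[int, bytes]] = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if not parsed or not parsed[5]:  # skip non-TCP frames and pure ACKs
            continue
        src_ip, dst_ip, sport, dport, seq, payload = parsed
        flows.setdefault((src_ip, sport, dst_ip, dport), {}).setdefault(seq, payload)
    streams = {}
    for key, segs in flows.items():
        data, expected = b"", min(segs)
        for seq in sorted(segs):
            if seq != expected:
                break  # gap: stop here rather than stitch across missing bytes
            data += segs[seq]
            expected = seq + len(segs[seq])
        streams[key] = data
    return streams


def extract_request(stream: bytes) -> Optional[Tuple[str, str, dict]]:
    """Return (method, path, headers) once a complete HTTP header block is present."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].decode("ascii", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def build_frame(src_ip, dst_ip, sport, dport, seq, payload) -> bytes:
    """Constructed Ethernet/IPv4/TCP encapsulation for the sample (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


# Constructed sample: one client request split across two mirrored frames that
# arrive out of order, one retransmission, and the server's reply.
REQUEST = (b"GET /login?user=admin HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: constructed-sample\r\n\r\n")
SPLIT = 20
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, 1000 + SPLIT, REQUEST[SPLIT:]),
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, 1000, REQUEST[:SPLIT]),
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, 1000, REQUEST[:SPLIT]),
    build_frame("10.0.0.80", "10.0.0.5", 80, 40001, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
]


def mirrored_request(frames=SAMPLE_FRAMES):
    """Pick the client-to-server flow (destination port 80) and parse its request."""
    for key, stream in reassemble(frames).items():
        if key[3] == 80:
            return extract_request(stream)
    return None


if __name__ == "__main__":
    print(mirrored_request())
```

Because the WAF only receives a copy of the traffic, this mode can detect and alert but cannot drop a request in-line; any blocking has to happen elsewhere, for example through a firewall rule the WAF triggers. For HTTPS, a passive tap sees plaintext only if the WAF holds the server's private key and the negotiated cipher suite does not use ephemeral key exchange, which rules out TLS 1.3 and forward-secret TLS 1.2 suites.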

The table below summarizes the four deployment modes and their characteristics (translated from the image in the original post):

Comparison of Different Modes

Deployment Mode    | Deployment Location | Ability to Detect HTTPS | Effect on Data Packets After Passing WAF | Impact on Original Link
Reverse Proxy      | In-line             | Yes                     | May alter packets                        | Affects the original link
Transparent Proxy  | In-line             | Yes                     | Depends on WAF specifics                 | Can have minor impact
Transparent Bridge | In-line             | Yes                     | Does not alter packets                   | No impact
Traffic Mirroring  | By-pass             | Yes                     | Does not alter packets                   | No impact

Free and Reliable WAF Recommendation

I mainly use the free WAF offered by Chaitin Tech, known as SafeLine. It's a simple, lightweight, self-hosted WAF that safeguards websites against cyber attacks.

For those who are interested, here is the official website of SafeLine: waf-ce.chaitin.cn
Installation guide: https://docs.waf.chaitin.com/en/tutorials/install
