[AusNOG] Application Firewall Recommendations

Amante Alvaran mants at tpg.com.au
Tue Aug 6 19:05:08 EST 2013


You may want to look at Riverbed Stingray as well for these requirements; they are very easy to use and robust. It can run as a VM or on top of your Server 08/12 as an application firewall.
If you need more information, let me know; happy to help.

----- Reply message -----
From: "Tim March" <march.tim at gmail.com>
To: <ausnog at lists.ausnog.net>
Subject: [AusNOG] Application Firewall Recommendations
Date: Tue, Aug 6, 2013 2:23 PM

+1 for NetScaler WAF.

I've run pretty large mod_security installations and while it's a great
solution it can be a handful to manage at scale. There are a couple of
deployment scenarios:

1. You run it on each of the application servers. This is a handful
because you're making changes in a bunch of places every time you want
to update the ruleset (e.g. even if you're pulling the rule
configurations from a single shared location you're still reloading
individual HTTPDs each time you update it).

It also presents ruleset analytics problems if you're not collating all
server logs in one place with something like Splunk (e.g. trying to track
down a particular server triggering a particular edge-case rule that's
breaking your app).

2. You run it on a small cluster of reverse proxies with something like
Apache mod_proxy and loop your traffic through that service before it
hits your application servers. This is a good way to collate the service
management down to a small subset of configuration points.

The Citrix NetScaler WAF is a really robust product and probably a
better solution for your situation. It runs on both the physical and MPX
appliances and I'm pretty sure you can spin it up in AWS now as well.
These are much easier to manage and will do everything mod_security will do.

I'm not sure how this ties in with ELB but if there's not already some
Citrix punters on the list drop me a note and I'll put you in touch with
someone there who can help you architect something.

T.
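The log-collation problem from scenario 1 above, as an added example that is not code from the thread: a small Python collator that parses ModSecurity 2.x alerts from several servers' Apache error logs (constructed sample lines; the hostnames, rule ids, client IPs and URIs are made up) and counts hits per rule id and per host, so the one server tripping an edge-case rule stands out.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error-log format;
# hostnames, rule ids, client IPs and URIs are made up for this example.
SAMPLE_LOGS = """\
[Tue Aug 06 14:01:02 2013] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "(?:union)" at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "app01"] [uri "/search"] [unique_id "abc1"]
[Tue Aug 06 14:01:05 2013] [error] [client 10.0.0.6] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/rules.conf"] [line "40"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "app02"] [uri "/api/v1/orders"] [unique_id "abc2"]
[Tue Aug 06 14:01:09 2013] [error] [client 10.0.0.7] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/rules.conf"] [line "40"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "app02"] [uri "/api/v1/orders"] [unique_id "abc3"]
[Tue Aug 06 14:01:11 2013] [notice] Apache/2.2.22 configured -- resuming normal operations
"""

# Every ModSecurity tag is a bracketed key/value pair: [key "value"].
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return the ModSecurity tags of one error-log line as a dict,
    or None if the line is not a ModSecurity alert."""
    if "ModSecurity:" not in line:
        return None
    fields = {k: v for k, v in TAG_RE.findall(line)}
    # Record whether the rule only warned or actually denied the request.
    fields["blocked"] = "Access denied" in line
    return fields

def collate(log_text):
    """Count alerts per (rule id, hostname): {rule_id: {hostname: n}}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        alert = parse_modsec_line(line)
        if alert and "id" in alert and "hostname" in alert:
            hits[alert["id"]][alert["hostname"]] += 1
    return {rule: dict(per_host) for rule, per_host in hits.items()}

def noisiest_rule(log_text):
    """Rule id with the most alerts across all collated servers."""
    totals = Counter()
    for rule, per_host in collate(log_text).items():
        totals[rule] += sum(per_host.values())
    return totals.most_common(1)[0][0] if totals else None

if __name__ == "__main__":
    for rule, per_host in sorted(collate(SAMPLE_LOGS).items()):
        print(rule, per_host)
```

In practice you would feed it the concatenated error logs shipped from every server rather than the embedded sample.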

On 6/08/13 1:03 PM, Luke Notley wrote:
> Ed,
> We have moved from TMG/ISA to Citrix Netscaler virtual appliances and
> have found them good.
> If you're after free, you could check out pfSense or Vyatta, I'm not
> 100% sure they have a like for like functionality replacement, it
> depends what functionality you're trying to replace. If you need help
> feel free to contact off list.
>
> Cheers
>
> Luke Notley | Senior Technical Cloud Consultant
>
> Red Ember Solutions | 210 Stirling Street, Perth WA 6000
>
> ------------------------------------------------------------------------
> From: AusNOG [ausnog-bounces at lists.ausnog.net] On Behalf Of Ed Hallett
> [ed at teltech.net.au]
> Sent: Tuesday, 6 August 2013 8:11 AM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] Application Firewall Recommendations
>
> Hi people,
> Just a simple question, but with a not so simple answer.
> We manage considerable clients with ‘cloud’ based servers within
> Telstra’s utility hosting.
> We used to use TMG as a firewall / gateway / security for clients who
> requested these features, but this is no longer possible.
> I need recommendations on application based (non VM) firewalls which can
> be installed on Server 08 / 12 and capable of the same feature set as
> TMG. Not as easy to find now...
> So, I ask my esteemed peers for words of wisdom.
> Well, words, anyway.
> Kind regards,
> Ed Hallett
>
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog