[AusNOG] Application Firewall Recommendations

Tim March march.tim at gmail.com
Tue Aug 6 14:23:17 EST 2013


+1 for NetScaler WAF.

I've run pretty large mod_security installations and while it's a great 
solution it can be a handful to manage at scale. There are a couple of 
deployment scenarios:

1. You run it on each of the application servers. This is a handful 
because you're making changes in a bunch of places every time you want 
to update the ruleset (e.g. even if you're pulling the rule 
configurations from a single shared location you're still reloading 
individual HTTPDs each time you update it).

It also presents ruleset analytics problems if you're not collating all 
server logs in one place with something like Splunk (e.g. trying to track 
down a particular server triggering a particular edge-case rule that's 
breaking your app).

2. You run it on a small cluster of reverse proxies with something like 
Apache mod_proxy and loop your traffic through that service before it 
hits your application servers. This is a good way to collate the service 
management down to a small subset of configuration points.

The Citrix NetScaler WAF is a really robust product and probably a 
better solution for your situation. It runs on both the physical and MPX 
appliances and I'm pretty sure you can spin it up in AWS now as well. 
These are much easier to manage and will do everything mod_security will do.

I'm not sure how this ties in with ELB but if there's not already some 
Citrix punters on the list drop me a note and I'll put you in touch with 
someone there who can help you architect something.



T.

On 6/08/13 1:03 PM, Luke Notley wrote:
> Ed,
> We have moved from TMG/ISA to Citrix Netscaler virtual appliances and
> have found them good.
> If you're after free, you could check out pfSense or Vyatta, I'm not
> 100% sure they have a like for like functionality replacement, it
> depends what functionality you're trying to replace. If you need help
> feel free to contact off list.
>
> Cheers
>
> Luke Notley | Senior Technical Cloud Consultant
>
> Red Ember Solutions | 210 Stirling Street, Perth WA 6000
>
> email: luke.notley at redember.com.au
>
> mobile: +61 410 465 990 office: +61 8 6188 7500 support: +61 8 6188 7501
>
> ------------------------------------------------------------------------
> *From:* AusNOG [ausnog-bounces at lists.ausnog.net] On Behalf Of Ed Hallett
> [ed at teltech.net.au]
> *Sent:* Tuesday, 6 August 2013 8:11 AM
> *To:* ausnog at lists.ausnog.net
> *Subject:* [AusNOG] Application Firewall Recommendations
>
> Hi people,
> Just a simple question, but with a not so simple answer.
> We manage considerable clients with ‘cloud’ based servers within
> Telstra’s utility hosting.
> We used TMG as a firewall / gateway / security for clients who
> requested these features, but this is no longer possible.
> I need recommendations on application based (non VM) firewalls which can
> be installed on Server 08 / 12 and capable of the same feature set as
> TMG. Not as easy to find now.
> So, I ask my esteemed peers for words of wisdom.
> Well, words, anyway.
> Kind regards,
> Ed Hallett
>
>
>

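The reverse-proxy deployment Tim describes in scenario 2 above, written out as an added example: an Apache httpd 2.4 configuration for one node of a small mod_proxy + ModSecurity 2.x proxy tier in front of the application servers. This is not code from Tim's post, from the ModSecurity project or from Citrix; the share path for the shared rule set, the backend addresses, the log paths, the hostname and the excluded rule ID are all assumptions made up for the example.

```apache
# Added example (not from the original post): one reverse-proxy node
# running mod_proxy and ModSecurity 2.x in front of the app servers.
# Paths, addresses, hostname and rule ID below are assumptions.

LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module         modules/mod_slotmem_shm.so
# ModSecurity needs mod_unique_id for the UNIQUE_ID used in audit records
LoadModule unique_id_module           modules/mod_unique_id.so
LoadModule security2_module           modules/mod_security2.so

# --- ModSecurity: one rule set, pulled from a shared location -------------
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecDefaultAction "phase:2,log,auditlog,deny,status:403"

    # Assumed share mounted on every proxy. A rule-set change is one edit
    # plus a graceful reload of a handful of proxies, not a reload of
    # every application server (the scenario 1 problem).
    Include /srv/waf/rules/*.conf

    # Per-application exclusions kept outside the shared tree, so the
    # shared rules can be replaced wholesale on each update.
    # 900001 is an assumed ID for a rule that false-positives on this app.
    SecRuleRemoveById 900001

    # Audit log per proxy; a log shipper (Splunk forwarder or similar)
    # collects it from each node, which is what makes "which rule fired,
    # on which host, for which request" answerable in one place.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecAuditLogParts ABIJDEFHZ
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
</IfModule>

# --- Reverse proxy to the application pool --------------------------------
# Constructed backend addresses
<Proxy "balancer://apppool">
    BalancerMember "http://10.0.10.11:8080"
    BalancerMember "http://10.0.10.12:8080"
    ProxySet lbmethod=byrequests
</Proxy>

<VirtualHost *:80>
    ServerName app.example.com
    # Reverse proxy only; never act as an open forward proxy
    ProxyRequests Off
    # App servers see the client's original Host header
    ProxyPreserveHost On
    ProxyPass        "/" "balancer://apppool/"
    ProxyPassReverse "/" "balancer://apppool/"

    # Log the same UNIQUE_ID the audit log uses, so an access-log line
    # and its audit record can be joined in the central log store.
    LogFormat "%h %l %u %t \"%r\" %>s %b %{UNIQUE_ID}e" waf
    CustomLog /var/log/httpd/app_access.log waf
</VirtualHost>
```

After updating the shared rule tree, each proxy picks it up with a graceful restart (`apachectl graceful`), and the application servers themselves are untouched. The design only holds if the app servers accept HTTP from the proxy tier alone (a host or network firewall rule, not something this httpd config enforces); otherwise traffic can bypass the WAF by going straight to a backend.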