For customers that have 3rd party Web Application Firewall (WAF) but have the following pain points should look at this customer deployment that was done recently (courtesy from one of our cool Citrix SEs in the West Coast US):
- Once a WAF hits a limit they stop forwarding traffic
- Limited SSL Transactions Per Second (TPS)
- Need a horizontally scalable WAF sandwich
- If transactions are important and want to bypass the existing 3rd party WAF before they are overloaded
- Once WAF hits a high load level the processing time becomes unpredictable – high latency for some transactions and fast for others – hard for capacity planning
Not the most elegant setup but it did the trick for this scenario using NetScaler
• Use a “Any–Any” Vserver to receive traffic
• “Services” will use the different SNIPs on the Backend NetScalers (ping through) and/or use Responder to see if WAFs are functioning
• Another WAF Monitoring option could be used for out of band monitoring (SNMP)
• Set Max Clients not to overload the WAF
• Create a “dummy” service bypassing WAFs for overflow traffic
• Use a “Any – Any” Vserver to receive traffic from the internal network (may or may not be needed)
• This tier will also be terminating SSL connections (SSL vservers configured) for backend server traffic, but on an internal IP subnet.
• “Services” will use the different SNIPs on the Frontend NetScalers (ping through) and or use Responder to see if WAFs are functioning
• This tier can be also horizontally scaled since it is doing SSL and L7 activities (by adding more Netscalers)
Other benefits to consider with this approach:
- Operational efficiency – IT Admins can do inline upgrades any time it is needed. Test out new code with a small percentage of traffic, quickly move traffic off if there was a problem
- Mixing different models – As time passes and new models of WAFs are deployed – this approach can easily scale the load differently to different models
- Reduced overall protection costs – Instead of having to buy the biggest unit, IT Admins can scale with the best cost effective model – usually two models smaller than the biggest model.
- Bypass and overflow – When load gets high, NetScaler has a dynamic overflow capability. No one has to intervene. Bypass mode can be activated quickly to push all traffic to the overflow path if something is massively wrong with the WAF.
- Programmable – Easily adaptive NetScaler API to make automatic changes based on whatever logic and data IT Admins have to operate off of.
Another way to scale is of course using NetScaler WAF
leveraging Pay-Grow, Hybrid Model approach, PCI Compliance and other differentiations from other WAFs.