When a WAF is implemented within an ADC, the benefits are obvious by virtue of where the ADC resides. ADCs sit at the border between data centres serving Web applications and the wider Internet, effectively acting as a load balancing proxy and intelligent cache for application transactions and content.
ADCs get a complete view of the whole messaging stack (L2-L7) and are routinely involved in packet manipulation such as IP address and port mapping and URL rewriting. While the most obvious use of the ADC is for load balancing, high availability (HA) and content caching across application servers, this privileged position of trust and oversight in the network topology means it is becoming increasingly common for ADCs to provide value-added security at scale, reducing risk and improving both information security and availability.
These security features include pre-authentication, SSL Offload, SSL Intercept, and DDoS mitigation. Typically a high-end ADC will also include custom scripting to enable Deep Packet Inspection (DPI) and manipulation of traffic, endpoint information and even Web content.
In essence, a WAF as part of an ADC is a natural and complementary extension to the core application delivery functions. While conventional firewalls have a key role to play in perimeter security, the ADC typically sits in front of Web application servers as the last stop in the chain of defence. This enables organisations to deal with both internal and external misuse attempts, with the confidence that policy enforcement is being done in the right place, at an appropriate level, and with intimate knowledge of application logic and associated vulnerabilities.
This is particularly important if the organisation is deploying virtualisation and wishes to implement different policies for different virtual domains. More importantly, a WAF may be the last word in internal security controls, which is important given the increased trend towards BYOD, where mobile technology is increasingly brought inside the workplace, bypassing many of the perimeter controls.
The author is Vice President South APAC, A10 Networks.