I am looking at different solutions for the datacenter needs of a web application. Below are my requirements. I would first like to have a solution which offers it all in one box, to keep it as simple as possible:

  • Edge firewall (as we only have a web application, we need a firewall connected to the world without a traditional firewall like a Cisco ASA)
  • Load balancer
  • Can create a DMZ and firewall traffic between the world, the DMZ and the internal network
  • Can handle SSL
  • Web application firewall (PCI DSS compliant)
  • Reverse proxy
  • VPN (SSL) - this will be the only point of entry into the network for us, so we need full access through the VPN

Our datacenter will have two redundant machines for the above solution, then application servers like web, app and database servers. No router, no other firewall.

I know there are armies of companies that offer load balancer, firewall and VPN solutions, but are there any that offer a single solution? If you have already used one, how was your experience?

mamu

2 Answers

I'm pretty sure there is no solution for that as a ready-to-buy commercial appliance.

You could build it yourself using open source components, for example:

  • Linux
  • Linux's Netfilter firewall, perhaps using a management frontend such as Shorewall.
  • Apache 2.2 for SSL and L7 load balancing, with ModSecurity as the web application firewall.
  • Squid or Varnish for caching (reverse proxy).
  • OpenVPN for SSL VPN.

Building that is a pretty major project unless you have strong Unix sysadmin expertise. I would not advise it.

Some of your concerns seem to go in the wrong direction. I don't see how you reduce complexity by cramming this much functionality into just one device. I would suggest splitting this up across multiple devices along the boundaries that are normally used in our industry, and perhaps letting consultants handle the parts you are less familiar with.
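To make the Netfilter part of that list concrete, here is an added example (not from the answer above, and not a Shorewall configuration): a POSIX shell script that builds the three-zone ruleset the question asks for (world, DMZ, internal, plus the VPN as the only management path) on a single Linux box that also runs the reverse proxy and OpenVPN. The interface names, subnets, the app-tier port 8080 and OpenVPN on udp/1194 are assumptions chosen for illustration. The rules are generated as text rather than executed directly, so the ruleset can be reviewed and sanity-checked without root before it is applied.

```shell
#!/bin/sh
# Added example: three-zone Netfilter ruleset (world / DMZ / internal) for one
# edge box that terminates HTTPS (Apache + ModSecurity) and runs OpenVPN.
# Interface names, subnets and ports are assumptions, not from the original post.
set -eu

WAN_IF=eth0            # faces the world
DMZ_IF=eth1            # web tier
LAN_IF=eth2            # app and database tier
VPN_IF=tun0            # OpenVPN; the only administrative entry point
DMZ_NET=10.1.0.0/24
LAN_NET=10.2.0.0/24
VPN_NET=10.8.0.0/24
APP_PORT=8080          # assumed port the DMZ web tier uses to reach the app tier

# build_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed or tested without root; apply_rules pipes it to sh.
build_rules() {
  cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and return traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: private source addresses must never arrive on the WAN side
iptables -A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $WAN_IF -s 10.0.0.0/8 -j DROP
# world -> this box: only the reverse proxy/WAF (Apache) and the VPN endpoint
iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
# management (ssh) only from inside the VPN
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 22 -j ACCEPT
# DMZ web tier -> internal app tier, on its service port only
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -d $LAN_NET -p tcp --dport $APP_PORT -j ACCEPT
# VPN users get full access to DMZ and internal (the question's requirement)
iptables -A FORWARD -i $VPN_IF -o $DMZ_IF -s $VPN_NET -d $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
# world -> DMZ/LAN, DMZ -> world and LAN -> world fall through to the DROP policy;
# the box itself (OUTPUT ACCEPT) proxies to the DMZ web tier on behalf of the world
EOF
}

# lint_rules checks the invariants a reviewer would insist on before loading:
# default-deny on INPUT/FORWARD, nothing from the world is forwarded past the
# box, and ssh is reachable only over the VPN interface. Returns 0 when all hold.
lint_rules() {
  rules=$(build_rules)
  echo "$rules" | grep -q '^iptables -P INPUT DROP$' || return 1
  echo "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
  if echo "$rules" | grep '^iptables -A FORWARD' | grep -- "-i $WAN_IF" | grep -q ACCEPT; then
    return 1
  fi
  if echo "$rules" | grep '^iptables -A INPUT' | grep -- '--dport 22' | grep -v -- "-i $VPN_IF" | grep -q .; then
    return 1
  fi
  return 0
}

apply_rules() {
  lint_rules || { echo "ruleset failed lint, not applying" >&2; return 1; }
  build_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  show)  build_rules ;;
esac
```

Run it as `sh edge-fw.sh show` to review the generated commands and `sh edge-fw.sh apply` (as root) to load them; the lint step refuses to apply a ruleset that would forward world traffic or expose ssh outside the VPN. The two redundant boxes in the question would each run the same script; keeping the ruleset as generated text also makes it easy to diff the two.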


We're using DenyAll.com's rWeb, and it's a sad mess from a usability point of view. It's very expensive and theoretically has a lot of interesting features, but since it's so hard to use, it can't be used properly, so it doesn't give any more security than a basic (and free) mod_security setup.

The UI is a joke (it's so unusable it's revolting), the command line is a pain in the ass, and logging is terrible (i.e. you have to refer to their doc/KB for every single line).

In any case, it looks like it does basic string pattern matching and does not even try really hard to parse the content of the requests.

I don't know about other commercial WAFs, but they're probably just as bad and expensive.

niXar