Deployment Options
Topics Covered:
• Physical Appliance Overview
• Reverse Proxy Mode
• Bridge-Path Mode
• Virtual Deployment
• Public Cloud Hosting
Reverse Proxy Mode
• Requests and responses are terminated at the WAF
• Configure what should be allowed/inspected
[Diagram: Tommy, WAF and Backend Servers, with Request and Response passing through the WAF]
Two-Arm Proxy Deployment
[Diagram: Internet, Firewall 192.168.0.1, WAF (WAN and LAN ports), Switch, servers 10.0.0.11, 10.0.0.12 and 10.0.0.13; VIP1: 192.168.0.110, VIP2: 192.168.0.120, VIP3: 192.168.0.130]
Two-Arm Proxy Deployment
• Advantages
  • Most secure deployment because back-end servers are completely isolated
  • Fast High Availability failover
• Considerations
  • May require network changes to server IP addresses and DNS mappings
  • Deployment requires cut-over of live services
  • Network reconfiguration may require you to restore network to original state
One-Arm Proxy Deployment
[Diagram: Internet, Firewall 192.168.0.1, WAF (WAN and LAN ports), Switch, servers 192.168.0.11, 192.168.0.12 and 192.168.0.13; VIP1: 192.168.0.110, VIP2: 192.168.0.120, VIP3: 192.168.0.130]
One-Arm Proxy Deployment
• Advantages
  • Network infrastructure and partitioning unchanged
  • Allows multiple access paths to servers for testing
  • Integrates easily with existing enterprise load balancers
• Considerations
  • May require DNS, IP address changes or natting
  • Potentially compromises server security by providing direct server access
Bridge-Path Mode
• Acts as an L2 transparent bridge
• Inspects only the traffic that is configured for inspection
• All other traffic is bridged
• WAN and LAN interfaces must be on physically separate networks
[Diagram: Tommy, WAF and Backend Servers; HTTP Request and HTTP Response are inspected, Other Traffic is bridged]
Bridge-Path Deployment
[Diagram: Internet, Firewall 192.168.0.1, Switch, WAF (WAN and LAN ports), Switch, servers 192.168.0.11, 192.168.0.12 and 192.168.0.13; VIP1: 192.168.0.11, VIP2: 192.168.0.12, VIP3: 192.168.0.13]
Bridge-Path Deployment
• Advantages
  • Minimal network changes
  • Existing IP address infrastructure is reused
  • Real Servers keep existing IP addresses
• Considerations
  • Sensitive to broadcast storms and address resolution looping errors
  • Less resilient to network misconfiguration
  • Application Delivery features are not available
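
The three addressing plans shown in the deployment diagrams above can be told apart from the addresses alone, which also shows where the one-arm "direct server access" consideration comes from. This is an added example, not code from the slides or from the vendor; the function name, the /24 prefix length and the `DECK_PLANS` structure are assumptions, while the addresses are the ones in the diagrams.

```python
import ipaddress


def classify_plan(wan_subnet, vips, real_servers):
    """Classify a WAF addressing plan and list what to review.

    wan_subnet   -- network the WAF's WAN port sits on (assumed known)
    vips         -- addresses clients connect to
    real_servers -- addresses of the back-end servers
    Returns (mode, findings).
    """
    wan = ipaddress.ip_network(wan_subnet)
    vip_set = {ipaddress.ip_address(v) for v in vips}
    srv_set = {ipaddress.ip_address(s) for s in real_servers}
    findings = []

    # A VIP that is not on the WAN segment cannot be reached by clients.
    outside = sorted(v for v in vip_set if v not in wan)
    if outside:
        findings.append("VIPs not on the WAN subnet: "
                        + ", ".join(map(str, outside)))

    on_wan = sorted(s for s in srv_set if s in wan)
    shared = vip_set & srv_set

    if shared and vip_set == srv_set:
        # Bridge-path: real servers keep their addresses, VIP == server IP.
        mode = "bridge-path"
    elif shared:
        mode = "inconsistent"
        findings.append("Only some VIPs reuse a server address: "
                        + ", ".join(map(str, sorted(shared))))
    elif not on_wan:
        # Two-arm: servers live on a separate LAN-side network.
        mode = "two-arm proxy"
    elif len(on_wan) == len(srv_set):
        # One-arm: VIPs and servers share one segment.
        mode = "one-arm proxy"
        findings.append("Servers share the WAN segment with the VIPs; "
                        "clients addressing them directly bypass the WAF: "
                        + ", ".join(map(str, on_wan)))
    else:
        mode = "inconsistent"
        findings.append("Some servers are on the WAN segment, others are not: "
                        + ", ".join(map(str, on_wan)))
    return mode, findings


# Addresses from the three diagrams; the /24 prefix is an assumption.
DECK_PLANS = {
    "two-arm": ("192.168.0.0/24",
                ["192.168.0.110", "192.168.0.120", "192.168.0.130"],
                ["10.0.0.11", "10.0.0.12", "10.0.0.13"]),
    "one-arm": ("192.168.0.0/24",
                ["192.168.0.110", "192.168.0.120", "192.168.0.130"],
                ["192.168.0.11", "192.168.0.12", "192.168.0.13"]),
    "bridge-path": ("192.168.0.0/24",
                    ["192.168.0.11", "192.168.0.12", "192.168.0.13"],
                    ["192.168.0.11", "192.168.0.12", "192.168.0.13"]),
}

if __name__ == "__main__":
    for name, plan in DECK_PLANS.items():
        mode, findings = classify_plan(*plan)
        print(f"{name}: {mode}")
        for finding in findings:
            print("  review:", finding)
```
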
Virtual Deployment
• Only Reverse Proxy mode deployments are supported
• Requires a 64-bit capable host

Image Type | Supported Hypervisors
OVF | VMware ESX and ESXi (vSphere Hypervisor) versions 4.x; VMware ESX and ESXi (vSphere Hypervisor) versions 5.x; Sun/Oracle VirtualBox and VirtualBox OSE version 3.2
VMX | VMware Server 2.x; VMware Workstation 6.x, Player 3.x, and Fusion 3.x
XVA | Citrix XenServer 5.5+
VHD | Microsoft Hyper-V for Windows 8, 2008, 2012, and 2012 R2
Virtual Deployment - VM Configuration

Model | Cores - Maximum | RAM - Recommended Minimum | Hard Disk - Recommended Minimum
360 | 2 | 2 GB | 50 GB
460 | 3 | 3 GB | 50 GB
660 | 4 or more | 4 GB | 50 GB
Public Cloud Hosting
Initial Configuration
Topics Covered:
• Web Interface Access
• Local Console Access
• Network and Administration Settings
• Activate the Subscription Status
• Update Firmware and Energize Updates
Module 3 – Chapter 3
Web Interface Access
• WAF Configuration settings can be changed using:
  • The Web Interface
  • The REST API
• Default credentials
  • Username: admin
  • Password: admin
• 3.3 – Initial Configuration
[Diagram: 192.168.200.100 connecting to the WAF at 192.168.200.200 using http://192.168.200.200:8000 or https://192.168.200.200]
Local Console Access
• Connect VGA Screen + USB Keyboard
• Open the VM Console for Virtual Machines
• Default credentials
  • Username: admin
  • Password: admin
Web Interface Access
[Screenshot: web interface layout showing Sections, Pages (relative to the sections), Instant Search and Help]
Network and Administration Settings
• BASIC > IP Configuration
  • WAN / LAN / Management ports IP settings
  • Operation Mode
  • DNS Configuration
• BASIC > Administration
  • Change Admin Password
  • Set the Time Zone
• ADVANCED > System Configuration
  • Configure NTP Servers
Live Demo
Activate the Subscription Status
• Physical Appliances
  • Click the link in this message warning you that you must activate the WAF
    • Fill in the required fields in the pop-up window and click Activate
    • If the WAF cannot communicate directly to Barracuda Central servers, note the Activation Code displayed
  • In the Subscription Status of the BASIC > Status page
    • Verify that your subscriptions are Current
    • If required, enter the Activation Code and then click Activate
Activate the Subscription Status
• Virtual Instances
  • Configure the TCP/IP Settings in the Local Console Interface
    • Make sure that the VM can reach the Internet
  • Enter the license token and the Default Domain in the Licensing section
Update Firmware and Energize Updates
• ADVANCED > Firmware Update
  • Update the firmware to the latest general release
• ADVANCED > Energize Update
  • Set Automatic Update to ON
  • Perform manual updates (first time only)
• ADVANCED > System Configuration
  • Enable Show Advanced settings
  • Configure the Default Pattern mode
Live Demo
Services
Topics Covered:
• Overview
• Services Types
• SSL Services
• Instant SSL
• HTTP and HTTPS Service configuration
Module 3 – Chapter 4
Services Overview
• Service: a logical projection of a Real Server application
• Real Server: the physical/virtual entity that hosts a certain application
• VIP: the Virtual IP Address associated to a Service
• 3.4 – Services
[Diagram: End Users reach the HTTP Service on the WAF through the VIP; the WAF forwards HTTP to the Real Server]
Services Types
• Services depend on the type of application hosted on the Real Servers
• Services available in Reverse Proxy Mode:
  • HTTP and HTTPS Services
  • FTP and FTPS Services
  • Instant SSL and Redirect Services
  • Custom and Custom SSL Services (no UDP traffic)
• Services available in Bridge Mode:
  • HTTP and HTTPS Services
SSL Services
• SSL Sessions will be terminated at the WAF
• Certificates are stored on the WAF
[Diagram: Tommy connects over HTTPS to the HTTPS VIP on the WAF; the WAF connects over HTTPS to the Web Application]
Instant SSL
• Secures an HTTP web application with HTTPS
• Creates two services with same VIP (HTTP [80] / HTTPS [443])
• Redirects HTTP requests to the HTTPS Service
• Rewrites HTTP to HTTPS in response body
[Diagram: Tommy's 1st HTTP Request to the VIP on the WAF is answered with a Redirect to HTTPS; the WAF talks HTTP to the Web Application and applies Response Rewrite]
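
A small model of the two Instant SSL behaviours listed above (redirect on the HTTP service, http-to-https rewriting in response bodies). This is an added example, not the appliance's implementation: the function names, the 301 status, the `www.example.com` domain, and the choice to rewrite only links that point at the secured domain on the default port are assumptions.

```python
import re

# Assumed for the example: the domain the Instant SSL service protects.
SECURED_DOMAINS = {"www.example.com"}

# Absolute http:// URL prefix: scheme, host, optional port.
_ABS_HTTP = re.compile(r"http://([A-Za-z0-9.-]+)(:\d+)?", re.IGNORECASE)


def _normalise(host):
    """Lower-case a host name and drop a trailing root dot."""
    return host.lower().rstrip(".")


def handle_http_request(host_header, path, secured_domains=SECURED_DOMAINS):
    """HTTP [80] service: send the client to the HTTPS [443] service.

    Only known domains are redirected, so an arbitrary Host header
    cannot steer the Location value.
    """
    hostname = _normalise(host_header.split(":")[0])
    if hostname not in secured_domains:
        return 400, {}
    return 301, {"Location": f"https://{hostname}{path}"}


def rewrite_body(body, secured_domains=SECURED_DOMAINS):
    """Rewrite absolute http:// links to the secured domain into https://."""
    def repl(match):
        host, port = match.group(1), match.group(2)
        if _normalise(host) not in secured_domains:
            return match.group(0)      # third-party or lookalike host
        if port not in (None, ":80"):
            return match.group(0)      # not the port the HTTPS service replaces
        return f"https://{host}"       # default port is dropped with the scheme
    return _ABS_HTTP.sub(repl, body)


def insecure_self_links(body, secured_domains=SECURED_DOMAINS):
    """List http:// references to the secured domain still present in a body."""
    return [m.group(0) for m in _ABS_HTTP.finditer(body)
            if _normalise(m.group(1)) in secured_domains]


# Constructed sample response body from the back-end web application.
SAMPLE_BODY = """\
<a href="http://www.example.com/login">Login</a>
<img src="http://WWW.EXAMPLE.COM:80/logo.png">
<script src="http://cdn.thirdparty.test/lib.js"></script>
<a href="/relative">relative link</a>
<a href="http://www.example.com:8080/admin">other port</a>
<a href="http://www.example.com.evil.test/">lookalike host</a>
"""

if __name__ == "__main__":
    print(handle_http_request("www.example.com:80", "/cart?id=1"))
    print(rewrite_body(SAMPLE_BODY))
    print("still plain HTTP:", insecure_self_links(rewrite_body(SAMPLE_BODY)))
```

Running `insecure_self_links` over rewritten responses is a quick way to spot links the rewrite does not cover, such as the non-default port in the sample.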
Perfect Forward Secrecy (PFS)
• Generates random public keys per session for the key agreement
• The connection must be established with a DHE handshake
• When enabled, non-ECDSA Ciphers are not used
[Diagram: John and Tommy each hold a separate HTTPS session (session1, session2) with the WAF in front of the Backend Servers]
HTTP and HTTPS Service Configuration
• BASIC > Services
  • Add new HTTP service
• BASIC > Certificates
  • Create a new self-signed certificate
• BASIC > Services
  • Add new HTTPS service
  • Edit SSL settings
  • Configure SSL on the back-end
Live Demo

WAF deployment

  • 1. Deployment Options Topics Covered: • Physical Appliance Overview • Reverse Proxy Mode • Bridge-Path Mode • Virtual Deployment • Public Cloud Hosting
  • 2. Reverse Proxy Mode • Requests and responses are terminated at the WAF • Configure what should be allowed/inspected (diagram labels: Backend Servers, Tommy, WAF, Request, Response)
  • 3. Two-Arm Proxy Deployment (diagram labels: WAF, Switch, Internet, Firewall, 192.168.0.1, WAN, LAN, 10.0.0.13, 10.0.0.11, 10.0.0.12, VIP1: 192.168.0.110, VIP2: 192.168.0.120, VIP3: 192.168.0.130)
  • 4. Two-Arm Proxy Deployment • Advantages • Most secure deployment because back-end servers are completely isolated • Fast High Availability failover • Considerations • May require network changes to server IP addresses and DNS mappings • Deployment requires cut-over of live services • Network reconfiguration may require you to restore network to original state
  • 5. One-Arm Proxy Deployment (diagram labels: WAF, Internet, Firewall, 192.168.0.1, WAN, LAN, Switch, 192.168.0.13, 192.168.0.11, 192.168.0.12, VIP1: 192.168.0.110, VIP2: 192.168.0.120, VIP3: 192.168.0.130)
  • 6. One-Arm Proxy Deployment • Advantages • Network infrastructure and partitioning unchanged • Allows multiple access paths to servers for testing • Integrates easily with existing enterprise load balancers • Considerations • May require DNS, IP address changes or natting • Potentially compromises server security by providing direct server access
  • 7. WAF Bridge-Path Mode • Acts as an L2 transparent bridge • Inspects only the traffic that is configured for inspection • All other traffic is bridged • WAN and LAN interfaces must be on physically separate networks (diagram labels: Backend Servers, Tommy, Other Traffic, Request HTTP, Response HTTP)
  • 9. Bridge-Path Deployment • Advantages • Minimal network changes • Existing IP address infrastructure is reused • Real Servers keep existing IP addresses • Considerations • Sensitive to broadcast storms and address resolution looping errors • Less resilient to network misconfiguration • Application Delivery features are not available
  • 10. Virtual Deployment • Only Reverse Proxy mode deployments are supported • Requires a 64-bit capable host • Image types and supported hypervisors:
      OVF: VMware ESX and ESXi (vSphere Hypervisor) versions 4.x; VMware ESX and ESXi (vSphere Hypervisor) versions 5.x; Sun/Oracle VirtualBox and VirtualBox OSE version 3.2
      VMX: VMware Server 2.x; VMware Workstation 6.x, Player 3.x, and Fusion 3.x
      XVA: Citrix XenServer 5.5+
      VHD: Microsoft Hyper-V for Windows 8, 2008, 2012, and 2012 R2
  • 11. Virtual Deployment - VM Configuration
      Model | Cores (Maximum) | RAM (Recommended Minimum) | Hard Disk (Recommended Minimum)
      360 | 2 | 2 GB | 50 GB
      460 | 3 | 3 GB | 50 GB
      660 | 4 or more | 4 GB | 50 GB
  • 13. Initial Configuration Topics Covered: • Web Interface Access • Local Console Access • Network and Administration Settings • Activate the Subscription Status • Update Firmware and Energize Updates Module 3 – Chapter 3
  • 14. Web Interface Access • WAF Configuration settings can be changed using: • The Web Interface • The REST API • Default credentials • Username: admin • Password: admin • 3.3 – Initial Configuration (diagram labels: 192.168.200.100, WAF, 192.168.200.200, http://192.168.200.200:8000 or https://192.168.200.200)
  • 15. Local Console Access • Connect VGA Screen + USB Keyboard • Open the VM Console for Virtual Machines • Default credentials • Username: admin • Password: admin
  • 16. Web Interface Access (screenshot labels: SECTIONS, PAGES (relative to the sections), Instant Search, Help)
  • 17. Network and Administration Settings • BASIC > IP Configuration • WAN / LAN / Management ports IP settings • Operation Mode • DNS Configuration • BASIC > Administration • Change Admin Password • Set the Time Zone • ADVANCED > System Configuration • Configure NTP Servers • Live Demo
  • 18. Activate the Subscription Status • Physical Appliances • Click the link in this message warning you that you must activate the WAF • Fill in the required fields in the pop-up window and click Activate • If the WAF cannot communicate directly to Barracuda Central servers, note the Activation Code displayed • In the Subscription Status of the BASIC > Status page • Verify that your subscriptions are Current • If required, enter the Activation Code and then click Activate
  • 19. Activate the Subscription Status • Virtual Instances • Configure the TCP/IP Settings in the Local Console Interface • Make sure that the VM can reach the Internet • Enter the license token and the Default Domain in the Licensing section
  • 20. Update Firmware and Energize Updates • ADVANCED > Firmware Update • Update the firmware to the latest general release • ADVANCED > Energize Update • Set Automatic Update to ON • Perform manual updates (first time only) • ADVANCED > System Configuration • Enable Show Advanced settings • Configure the Default Pattern mode • Live Demo
  • 21. Services Topics Covered: • Overview • Services Types • SSL Services • Instant SSL • HTTP and HTTPS Service configuration Module 3 – Chapter 4
  • 22. Services Overview • Service: a logical projection of a Real Server application • Real Server: the physical/virtual entity that hosts a certain application • VIP: the Virtual IP Address associated with a Service • 3.4 – Services (diagram labels: WAF, End Users, Real Server, HTTP Service, HTTP VIP)
  • 23. Services Types • Services depend on the type of application hosted on the Real Servers • Services available in Reverse Proxy Mode: • HTTP and HTTPS Services • FTP and FTPS Services • Instant SSL and Redirect Services • Custom and Custom SSL Services (no UDP traffic) • Services available in Bridge Mode: • HTTP and HTTPS Services
  • 24. SSL Services • SSL Sessions will be terminated at the WAF • Certificates are stored on the WAF (diagram labels: WAF, HTTPS VIP, Tommy, Web Application, HTTPS, HTTPS, HTTPS)
  • 25. Instant SSL • Secures an HTTP web application with HTTPS • Creates two services with same VIP (HTTP[80] / HTTPS[443]) • Redirects HTTP requests to the HTTPS Service • Rewrites HTTP to HTTPS in response body (diagram labels: WAF, HTTP, HTTPS VIP, Web Application, HTTP, Redirect to HTTPS, 1st HTTP Request, HTTPWT, Response Rewrite, Tommy)
  • 26. WAF Perfect Forward Secrecy (PFS) • Generates random public keys per session for the key agreement • The connection must be established with a DHE handshake • When enabled, non-ECDSA Ciphers are not used (diagram labels: HTTPS, HTTPS, Backend Servers, John, Tommy, session1, session2)
  • 27. HTTP and HTTPS Service Configuration • BASIC > Services • Add new HTTP service • BASIC > Certificates • Create a new self-signed certificate • BASIC > Services • Add new HTTPS service • Edit SSL settings • Configure SSL on the back-end • Live Demo
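
The Instant SSL behaviour on slide 25 (redirect on port 80, rewrite of http:// links in the response body) can be modelled as follows. This is an added example, not the appliance's own code; the host name `shop.example.test`, the function names and the sample body are assumptions made for illustration.

```python
import re

# Assumed for illustration: the host name clients use for the VIP (ports 80 and 443).
SERVICE_HOST = "shop.example.test"
_ABS_HTTP = re.compile(r"http://([^/\s\"'<>]+)", re.IGNORECASE)

def redirect_to_https(host_header, path):
    """HTTP[80] service: answer every request with a redirect to the HTTPS service."""
    host = host_header.split(":")[0].lower()
    if host != SERVICE_HOST or not path.startswith("/") or "\r" in path or "\n" in path:
        return 400, {}              # never reflect an unknown Host or a malformed path
    return 301, {"Location": f"https://{SERVICE_HOST}{path}"}

def rewrite_body(body):
    """HTTPS[443] service: upgrade absolute http:// links that point at this service."""
    def upgrade(match):
        host, _, port = match.group(1).partition(":")
        if host.lower() != SERVICE_HOST or port not in ("", "80"):
            return match.group(0)   # other host or non-default port: leave untouched
        return f"https://{SERVICE_HOST}"
    return _ABS_HTTP.sub(upgrade, body)

def leftover_http_links(body):
    """http:// URLs on this host that survived the rewrite and still need review."""
    return [m.group(0) for m in _ABS_HTTP.finditer(body)
            if m.group(1).split(":")[0].lower() == SERVICE_HOST]

# Constructed sample of a back-end response body.
SAMPLE_BODY = (
    '<a href="http://shop.example.test/cart">cart</a>'
    '<img src="HTTP://Shop.Example.Test:80/logo.png">'
    '<script src="http://cdn.example.net/lib.js"></script>'
    '<a href="http://shop.example.test:8080/admin">admin</a>'
)

if __name__ == "__main__":
    print(redirect_to_https("shop.example.test", "/cart?id=1"))
    rewritten = rewrite_body(SAMPLE_BODY)
    print(rewritten)
    print("needs review:", leftover_http_links(rewritten))
```

The link on port 8080 is deliberately left alone and reported, since a body rewrite cannot know whether that port has an HTTPS equivalent.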
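
To confirm that the PFS setting on slide 26 is actually in effect, the negotiated cipher suite of each session can be checked for an ephemeral key exchange. This is an added example, not part of the slides or the product; the function names and the sample sessions are constructed, and suite names follow OpenSSL's naming as returned by Python's `ssl.SSLSocket.cipher()`.

```python
import ssl

# OpenSSL name prefixes whose key exchange uses a fresh (ephemeral) key per session.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

def is_forward_secret(cipher_name, protocol=""):
    """True if the negotiated suite gives forward secrecy."""
    if protocol == "TLSv1.3" or cipher_name.startswith("TLS_"):
        return True          # TLS 1.3 only defines ephemeral key exchange
    return cipher_name.upper().startswith(EPHEMERAL_PREFIXES)

def audit_negotiated(sessions):
    """sessions: {label: tuple shaped like the result of ssl.SSLSocket.cipher()}.
    Returns labels whose traffic is exposed if the server's long-term key leaks."""
    return sorted(label for label, (name, proto, _bits) in sessions.items()
                  if not is_forward_secret(name, proto))

def non_pfs_offered(context):
    """Names of suites an ssl.SSLContext would offer that lack forward secrecy."""
    return [c["name"] for c in context.get_ciphers()
            if not is_forward_secret(c["name"], c.get("protocol", ""))]

def default_context_report():
    """Same check applied to this host's default client context."""
    return non_pfs_offered(ssl.create_default_context())

# Constructed sample: what five clients negotiated with an HTTPS service.
SAMPLE_SESSIONS = {
    "session1": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    "session2": ("AES256-GCM-SHA384", "TLSv1.2", 256),        # RSA key transport
    "session3": ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    "session4": ("ECDH-RSA-AES128-SHA", "TLSv1.2", 128),      # static ECDH
    "session5": ("DHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
}

if __name__ == "__main__":
    print("sessions without forward secrecy:", audit_negotiated(SAMPLE_SESSIONS))
    print("non-PFS suites in local default context:", default_context_report())
```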