More than one form for WAF in the cloud era
In recent years, the surge in cloud computing has driven the development of the IT industry, and many companies are doing their best to tie their products or services to the "cloud". The information security market, at home and abroad, has likewise produced a new concept: the "cloud WAF".
A cloud WAF is a web application firewall delivered in the cloud model, a new model for information security products. It lets users obtain security protection without installing any software or deploying any hardware devices in their own networks. The features found on a traditional WAF, such as protection against SQL injection, XSS and DDoS, are also present in a cloud WAF. From the user's point of view, a cloud WAF is more like a security service, although the service is not carried out manually by people.
Technology implementation of cloud WAF
It is called a cloud WAF because all of its WAF features are provided through the cloud, with no product deployed locally. The main technology behind this is DNS.
As everyone knows, each website has its own domain name, which corresponds to the IP address of the web server. When a client browser accesses the site by domain name, the DNS server designated by the website first resolves the domain name to the server's IP address; the client then sends a normal access request to that server and completes a full HTTP session.
A cloud WAF makes use of this mechanism: the website's domain name resolution rights are transferred to the cloud WAF system, which is how the site is brought under its protection.
Normally, a cloud WAF system consists of two parts: the control center and the end nodes. The control center hosts the DNS server, the scheduling system and so on, and is used to resolve and schedule clients' access requests to the website. The end nodes are deployed in a distributed fashion; each one is a separate hardware WAF device designed to filter illegal web requests. The process works as follows. The user first transfers the domain name of the protected website to the cloud WAF system (by modifying the domain's NS record or CNAME record). Once the transfer is complete, every request to the protected site is resolved by the control center and dispatched to a designated end node. The end node filters the traffic and then passes it on to the original web server.
Figure 1: cloud WAF system implementation principle
Advantages and disadvantages of cloud WAF
Nothing comes without trade-offs. Having analyzed how cloud WAF is implemented, we find that although it brings a new model for protecting websites, its protection methods and capabilities still depend on the hardware devices at the end nodes, so nothing has changed in essence. What advantages and disadvantages, then, does a cloud WAF bring compared with deploying traditional hardware devices? A few are analyzed here for site managers' reference.
Benefits of cloud WAF (1): zero deployment, zero maintenance
This is the most valuable feature of a cloud WAF and the one that attracts users most. You do not need to install any software or deploy any hardware devices; simply switching DNS places your site under the protection of the cloud WAF system. Moreover, the cloud WAF provider is responsible for maintaining the system and updating the protection rule library, so administrators do not have to worry that the site will be put at risk through their own oversight or by hackers using the latest attack techniques.
Benefits of cloud WAF (2): providing CDN functionality
Site access speed is an important indicator of a website's business capability, and some large sites use CDN services to improve it. Larger cloud WAF systems are built on a distributed computing architecture with intelligent multi-line resolution and scheduling across operators: a site's single-point resources are dynamically loaded onto cloud nodes, and user traffic is directed to the nearest cloud node. By dynamically compressing request content and caching and distributing static content, they provide users with CDN services and improve the site's access speed.
These two points make some users fall in "love at first sight" with cloud WAF. From a more professional point of view, however, serious problems lie behind these features.
Disadvantages of cloud WAF (1): risk of being bypassed easily
As we all know, a local WAF protects websites mainly through reverse proxy technology: configuring the proxy port and the address mapping rules hides the real server. A cloud WAF system, by contrast, relies on DNS for access scheduling. Traffic to the site is steered to the cloud WAF's protection nodes for filtering only after the designated DNS server has resolved the domain name. As a result, if hackers obtain the IP address of the original web server by some means (not detailed here) and then force the domain name to resolve to that address, the cloud WAF system can easily be bypassed and the original server attacked directly.
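A defender-side check for the bypass described above, as an added example that is not part of the original article: it scans origin-server access log lines and flags requests whose peer address is not a cloud WAF end node, that is, traffic that reached the origin without being filtered. The node ranges and log lines are constructed, and the example assumes the origin logs the TCP peer address rather than a forwarded header.

```python
import ipaddress
import re
from collections import Counter

# Assumed, constructed values: CIDR ranges of the cloud WAF end nodes
# (documentation address space, not any real provider's ranges).
WAF_NODE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed origin-server access log lines (common log format).
SAMPLE_LOG = """\
192.0.2.17 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.44 - - [10/Mar/2024:10:00:05 +0000] "GET /search?q=test HTTP/1.1" 200 812
198.51.100.200 - - [10/Mar/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 403 199
203.0.113.44 - - [10/Mar/2024:10:00:09 +0000] "GET /search?q=abc HTTP/1.1" 200 640
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def from_waf_node(ip_text):
    """True if the peer address belongs to a cloud WAF end node."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable peer address: treat as not a WAF node
    return any(ip in net for net in WAF_NODE_RANGES)

def find_direct_requests(log_text):
    """Return (entries that did not come from a WAF node, count of unparsable lines)."""
    direct, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ip, when, method, path, status = m.groups()
        if not from_waf_node(ip):
            direct.append({"ip": ip, "time": when, "method": method,
                           "path": path, "status": int(status)})
    return direct, skipped

if __name__ == "__main__":
    hits, skipped = find_direct_requests(SAMPLE_LOG)
    for source, n in Counter(h["ip"] for h in hits).most_common():
        print(f"{source}: {n} request(s) reached the origin without passing a WAF node")
```

The same list of end-node ranges can drive a firewall allowlist on the origin server, so that only traffic coming from the end nodes is accepted at all.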
Disadvantages of cloud WAF (2): lack of system reliability
To handle one site access request, a cloud WAF system must go through at least DNS resolution, request scheduling and traffic filtering, which involves several systems working together. A problem in any one of these links leaves the site inaccessible. At present, cloud WAF systems do not yet have a relatively mature mechanism for solving such problems; if necessary, the only option is to manually transfer the domain name rights back to the original DNS server so that site traffic no longer passes through the cloud WAF system. However, a change of domain name resolution takes a certain amount of time to take effect, so this approach is significantly less efficient than the bypass capability of hardware devices.
Disadvantages of cloud WAF (3): Web access data is less secure
For some enterprises and organizations, web access data is confidential and important, because it may contain users' private information and market information. Storing the data locally is relatively safe. If the site uses a cloud WAF system, however, all of the site's access data will be recorded and uploaded to the control center nodes, which amounts to handing the data to someone else and carries a risk of serious leaks.
After weighing the pros and cons, we find that cloud WAF is currently suitable only for the websites of small and medium enterprises and for personal websites with relatively low security requirements. For sites with higher security requirements, such as those in government, finance and operators, cloud WAF cannot meet the requirements, whether in terms of policies and regulations or of business characteristics. Site managers are therefore advised to clarify their requirements based on the site's actual situation and select the most appropriate security products and services.