Setting the Web Application Firewall across your network

3:58 PM
For customers who already have a third-party Web Application Firewall (WAF) but run into the following pain points, take a look at this client deployment that was done recently (courtesy of one of our Citrix SEs on the west coast of the United States):
  • once the WAF hits its limit, it stops forwarding traffic
  • SSL transactions per second (TPS) are capped
  • a horizontally scalable "WAF sandwich" is needed
  • the transactions matter, so the existing third-party WAF should be bypassed before it becomes overloaded
  • once the WAF is under high load, processing time becomes unpredictable: high latency for some transactions and fast for others, which makes capacity planning difficult
Not the most elegant setup, but it did the trick for this scenario, using NetScaler on both sides of the WAF.
Front-end NetScaler tier
• Use an "any-any" vserver (wildcard IP and port) to receive all incoming traffic
• Its services point at the paths through the WAF; each service uses a different monitor that probes through the WAF to the back-end NetScaler ("ping through") and/or a Responder policy there, to confirm that the WAF is actually passing traffic
• Another option is out-of-band WAF monitoring (SNMP)
• Set Max Clients on the services so the WAF is never overloaded
• Create a "dummy" service that bypasses the WAF for overflow traffic
Back-end NetScaler tier
• Use an "any-any" vserver to receive the traffic arriving from the internal side of the WAF (may or may not be necessary)
• This tier also terminates SSL (SSL vservers) for the traffic to the back-end servers, but on an internal IP subnet
• Its services use monitors that probe back through the WAF to the front-end NetScalers ("ping through") and/or a Responder policy to verify that the WAF is functioning
• This tier can also be scaled horizontally (by adding more NetScalers), since it is doing the SSL and L7 work
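As an added worked example (not from the original post, and not Citrix's own configuration), here are the two tiers above written out as NetScaler CLI configuration. All object names, IP addresses, certificate file names and the SNMP OID are assumptions chosen for illustration. The "dummy" overflow service is implemented here with NetScaler's backup-vserver spillover (DYNAMICCONNECTION), which is one way to realise what the post describes; the health probe is an HTTP monitor that has to traverse the WAF and is answered by a Responder policy on the back-end NetScaler.

```text
#### Front-end NetScaler (client-facing, outside the WAF) ####

# Path health: an HTTP probe that must travel THROUGH the WAF and be answered
# by a Responder policy on the back-end NetScaler (configured below). If a WAF
# stalls or stops forwarding, its probe fails and that path leaves the rotation.
add lb monitor mon_waf_path HTTP -httpRequest "HEAD /waf-health" -respCode 200 -destPort 443 -secure YES -interval 5 -resptimeout 2 -retries 3 -failureRetries 2

# Optional out-of-band check: poll a load OID on each WAF over SNMP and mark the
# path DOWN above a threshold. The OID is a hypothetical placeholder; use the
# WAF vendor's CPU/connection OID.
add lb monitor mon_waf_snmp SNMP -snmpOID 1.3.6.1.4.1.99999.1.1.0 -snmpCommunity public -snmpThreshold 85 -snmpVersion V2

# One service per WAF path (ANY protocol, wildcard port). -maxClient caps the
# concurrent connections each WAF may see, so it never reaches the point where
# it stops forwarding. Addresses are assumed (the WAF's listening address, or
# the VIP reached through that WAF if the WAF is bridging).
add service svc_via_waf1 10.10.1.11 ANY * -maxClient 2000
add service svc_via_waf2 10.10.1.12 ANY * -maxClient 2000
bind service svc_via_waf1 -monitorName mon_waf_path
bind service svc_via_waf2 -monitorName mon_waf_path
bind service svc_via_waf1 -monitorName mon_waf_snmp
bind service svc_via_waf2 -monitorName mon_waf_snmp

# "Any-any" vserver that receives all client traffic and spreads it over the WAF paths.
add lb vserver vs_front_any ANY * * -lbMethod LEASTCONNECTION
bind lb vserver vs_front_any svc_via_waf1
bind lb vserver vs_front_any svc_via_waf2

# Overflow path: a non-addressable backup vserver whose only service points
# straight at the back-end NetScaler VIP, skipping the WAF entirely.
add service svc_bypass 10.20.0.10 ANY *
add lb vserver vs_front_bypass ANY 0.0.0.0 0
bind lb vserver vs_front_bypass svc_bypass

# Spillover: once every bound service has hit its -maxClient, new connections
# go to the backup vserver instead of queuing behind a saturated WAF.
set lb vserver vs_front_any -backupVServer vs_front_bypass -soMethod DYNAMICCONNECTION -soPersistence ENABLED

#### Back-end NetScaler (inside the WAF, on an internal subnet) ####

# SSL termination for the application traffic (cert/key file names assumed).
add ssl certKey ck_app -cert app.crt -key app.key
add lb vserver vs_back_https SSL 10.20.0.10 443 -lbMethod LEASTCONNECTION
bind ssl vserver vs_back_https -certkeyName ck_app
add service svc_app1 10.30.0.21 HTTP 80
add service svc_app2 10.30.0.22 HTTP 80
bind lb vserver vs_back_https svc_app1
bind lb vserver vs_back_https svc_app2

# Responder answers the front-end probe itself, so a 200 here proves the whole
# client -> WAF -> back-end chain is passing traffic, not merely that the WAF pings.
add responder action act_waf_health respondwith "\"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 2\r\n\r\nOK\""
add responder policy pol_waf_health "HTTP.REQ.URL.PATH.EQ(\"/waf-health\")" act_waf_health
bind lb vserver vs_back_https -policyName pol_waf_health -priority 100 -gotoPriorityExpression END -type REQUEST

#### Operations (run on the front-end NetScaler) ####

# Drain one WAF for an upgrade: stop new connections, let existing ones finish.
disable service svc_via_waf1 60 -graceFul YES
# enable service svc_via_waf1

# Forced bypass when the WAF tier is misbehaving: with every WAF path out of
# service the primary vserver is no longer UP, so the backup (bypass) vserver
# takes all new connections. Re-enable the services to send traffic back
# through the WAF.
disable service svc_via_waf1
disable service svc_via_waf2
# enable service svc_via_waf1
# enable service svc_via_waf2

save ns config
```

Two things worth checking before relying on this. First, every connection that spills over or is forced onto vs_front_bypass reaches the application unfiltered, so watch that vserver's hit counters (stat lb vserver vs_front_bypass) and alert on them; a silent, permanent spillover is a WAF outage nobody notices. Second, size -maxClient from the WAF vendor's real connection and SSL TPS limits with headroom, since DYNAMICCONNECTION spillover only triggers once every bound service is at its cap.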
Other benefits to consider with this approach:
  • Operational efficiency: IT admins can do WAF upgrades inline whenever necessary. Test the new code with a small percentage of traffic and quickly move traffic off it if there is a problem.
  • Mixing different models: as time passes and new WAF models are deployed, this approach makes it easy to send different shares of the load to different models.
  • Reducing the overall cost of protection: instead of having to buy the largest unit, IT admins can grow with the most cost-effective model, usually two sizes smaller than the largest one.
  • Bypass and overflow: when the load goes high, NetScaler spills traffic over dynamically, with no one having to intervene. Bypass mode can also be switched on quickly to push all traffic onto the bypass path if something is badly wrong with the WAF.
  • Programmable: the NetScaler API makes it easy to automate changes based on whatever logic and data IT admins work out.
Another way to scale is, of course, to use NetScaler's own WAF, building on its Pay-as-you-Grow licensing, the hybrid-model approach, PCI compliance and its other differentiators versus other WAFs.