What deployment modes does our WAF (web application firewall) support?
Mode 1: Transparent Proxy Mode
Principle:
1. When a WEB client sends a connection request to the server, the WAF intercepts and monitors the TCP connection request. The WAF transparently proxies the session between the WEB client and the server, splitting it into two segments and forwarding them in bridge mode.
2. From the WEB client's point of view, the client still accesses the server directly and does not perceive the presence of the WAF.
3. In terms of forwarding, the WAF works the same way as a transparent bridge.
Advantages:
1. Minimal changes to the network; zero-configuration deployment is possible.
2. With the WAF's hardware Bypass function, a device failure or power loss does not affect the original network traffic; only the WAF's own functions are lost.
3. No mapping needs to be configured.
Disadvantages:
All network clients still access the server directly.
1. All network traffic (HTTP and non-HTTP) passes through the WAF, which places certain demands on the WAF's processing performance.
2. Server load balancing cannot be implemented in this mode.
3. The mapping relationship needs to be configured.
Mode 2: reverse proxy mode
Principle:
1. The address of the real server is mapped to the reverse proxy server, which then presents itself to the outside world as the real server. Because the client is accessing the WAF itself, the WAF does not need special processing to hijack the client's session with the server and then proxy it transparently, as the other modes (e.g., transparent and routed proxy modes) do.
2. When the proxy server receives an HTTP request, it forwards the request to the corresponding real server. The backend server receives the request and sends its response to the WAF device, which then sends the response to the client.
The only difference from transparent proxy mode: in transparent proxy mode, the destination address of the client's request is the backend server itself, so the transparent proxy works without any IP mapping relationship configured on the WAF.
Advantages:
Load balancing can be performed on the WAF at the same time.
Disadvantages:
1. The network has to be changed, and the configuration is relatively complex.
2. In addition to the WAF device's own address and routing, the addresses of the real backend WEB servers and their mapping to the virtual address must be configured on the WAF.
3. If the original server address is a global address (without NAT translation), the IP address of the original server and its DNS resolution address must also be changed.
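The virtual-to-real address mapping and load balancing described for reverse proxy mode, sketched as an added nginx configuration. This is an illustration added here, not the WAF product's own syntax or anything from the original page; all addresses and the host name are documentation-range placeholders, and the rule-file path is hypothetical.

```nginx
# Added example; place inside the http { } context of nginx.conf.
# All addresses below are constructed placeholders (assumptions).

# Real WEB servers behind the WAF. Listing more than one backend is what
# gives the load balancing named under "Advantages".
upstream real_web_servers {
    server 192.0.2.11:80;
    server 192.0.2.12:80;
}

server {
    # Virtual address published to clients. DNS for the site has to resolve
    # to this address instead of the original server address.
    listen 203.0.113.10:80;
    server_name www.example.com;

    # The client session terminates on the proxy, so inspection happens here.
    # Assumes the ModSecurity-nginx connector module is loaded; the rule file
    # path is hypothetical.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        # Mapping of the virtual address to the real servers: the request is
        # forwarded to a backend, and the response returns through the proxy.
        proxy_pass http://real_web_servers;
        proxy_set_header Host $host;
    }
}
```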
Mode 3: Routing Proxy Mode
The only difference from the bridge transparent proxy: the proxy works in route forwarding mode rather than bridge mode; all other working principles are the same. Because it works in routed (gateway) mode, the WAF's forwarding interfaces must be configured with IP addresses and routes.
Advantages:
1. Only simple changes to the network: set the IP addresses of the device's internal and external network interfaces and the corresponding routes.
2. Can be used directly as the WEB server's gateway, but this creates a single point of failure.
Disadvantages:
1. Does not support server load balancing.
2. There is a single point of failure.
3. The WAF is responsible for forwarding all traffic.
Mode 4: Port Mirroring Mode
Principle:
1. HTTP traffic is only monitored and alerted on; it is not intercepted or blocked.
2. This mode requires the switch's port mirroring function: the HTTP traffic on the switch port is mirrored to the WAF.
3. For the WAF, the traffic is only incoming.
Advantages:
1. Does not require changes to the network.
2. It only analyzes traffic and records alarms; it does not intercept or block malicious traffic.
3. Suitable for the initial stage of a WAF deployment, to collect and understand how the server is being accessed and attacked, providing a reference for optimizing the configuration of a later inline deployment.
4. It has no impact on the original network.
Disadvantages:
Does not intercept or block malicious traffic.