
An introduction to A10 Next-Gen WAF.


A10 Networks has partnered with Fastly to deliver a next-gen WAF that substantially improves on the WAF technology included in previous ACOS releases. A10 Next-Gen WAF, powered by Fastly, is designed to block malicious traffic while keeping false positives low, so that operators no longer have to wrestle with a complex and ineffective security stack. This article introduces the integration and briefly explains how the feature is configured on a Thunder ADC device.

What is WAF and why is it important?

A web application firewall (WAF) protects web applications by filtering and monitoring the HTTP traffic between a web application and the Internet. It typically defends against attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others.

Deploying a WAF in front of a web application places a protection layer between the application and the Internet. The WAF acts as a reverse proxy: clients pass through it before reaching the server, so the server itself is never directly exposed.

In today's digital landscape, web application security is of paramount importance. Organizations must defend their applications against ever-evolving threats while ensuring optimal performance and availability.

The Need for Next-Gen WAFs

A modern WAF such as Fastly's should protect against a broad range of application attacks, reduce operating expense, offer simplified deployment and operations models, and identify and block attacks accurately without interfering with legitimate interactions.

Traditional WAFs rely largely on regular-expression pattern-matching rules, which are hard to maintain and produce false positives that block legitimate traffic. This is why putting a traditional WAF into production in blocking mode is such a hard endeavor: without careful, ongoing tuning it blocks legitimate requests as well. Fastly's Next-Gen WAF takes a fundamentally different approach, combining SmartParse (which evaluates how a request would actually be parsed rather than matching regex signatures), threshold-based blocking (individual suspicious requests are logged, and a client is only blocked once it exceeds a signal threshold within a time window) and the Network Learning Exchange (NLX, attack intelligence shared across Fastly's customer base) to detect and block malicious traffic without constant rule tuning. Fastly reports that about 90% of its customer base runs the WAF in blocking mode.

A10 Next-Gen WAF, powered by Fastly, brings together Fastly's Next-Gen Web Application Firewall (WAF) and A10's server load balancing (SLB) technology, as described next.

A10 and Fastly, the what, when and how

A10 Next-Gen WAF is a collaboration that combines A10's expertise in SLB with Fastly's proven WAF technology to provide a comprehensive and effective web application security solution, offering a layered defense against modern web threats.

Fastly's module-agent pair is integrated into the Thunder ADC device, providing a single point of protection for the web services behind it without adding load to the web application servers. The Thunder ADC continues to act as a load balancer while streaming metadata to the Fastly Cloud Engine as required.

In Fastly's terms, the ADC device implements a Module and Agent pair that sits on the request path to the servers. The pair performs detection and decisioning on each request (application traffic) and either lets it through to the application or logs/blocks it, depending on the mode set in the configuration. Fastly's cloud engine is a cloud-hosted analytics backend that asynchronously enriches the agent with intelligence gathered from external and proprietary sources, so that detections are dynamic and application-specific.

On A10 ADC devices, the Agent-Module pair is installed per partition and, once configured, becomes part of the data path, analyzing traffic according to the protection rules and thresholds defined.

It is important to note that communication with the Cloud engine is asynchronous and carries only metadata: because the rules are downloaded to the ADC devices, security policies continue to operate even if Cloud connectivity is lost. Communication with the Cloud engine occurs over TLS 1.3 and, since only metadata is exchanged, only the information needed to process signals leaves the device; operators subject to data-handling requirements should still review which fields the agent exports before deployment. The communication flows are presented in the diagram below.
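To make the decisioning model concrete, the following is an added illustration (not A10 or Fastly code) of the two ideas described above: the Agent decides per request whether to allow, log or block according to the configured mode, and blocking is threshold-based, so a single suspicious request is only logged while a client that raises too many signals inside a time window is blocked for a period, including on its clean requests. The regex signal catalogue, the thresholds, the IP addresses and the sample traffic are all constructed assumptions; the regexes merely stand in for the detection stage (SmartParse is not regex-based) so that the threshold layer has something to count.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed signal catalogue (assumption, illustration only). It stands in
# for the detection stage; the part this example is about is the
# threshold/decision layer built on top of the signals.
SIGNALS = {
    "SQLI": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1|--\s*$)"),
    "XSS": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
    "TRAVERSAL": re.compile(r"(?i)(\.\./|%2e%2e%2f)"),
}


@dataclass
class Request:
    client_ip: str
    path: str
    query: str = ""
    body: str = ""
    ts: float = 0.0  # seconds; a real agent would read the clock itself


@dataclass
class Decision:
    action: str           # "allow", "log" or "block"
    signals: list         # signal names raised on this request
    client_flagged: bool  # True once the client is over threshold


def extract_signals(req):
    """Return the sorted list of signal names raised by one request."""
    # Decode once so URL-encoded payloads are inspected in decoded form.
    haystack = "\n".join(unquote_plus(p) for p in (req.path, req.query, req.body))
    return sorted(name for name, rx in SIGNALS.items() if rx.search(haystack))


class Agent:
    """Log each signalled request; block a client only after `threshold`
    signalled requests within `window` seconds, for `block_for` seconds.
    mode="log" observes only and always passes traffic; mode="block" enforces."""

    def __init__(self, mode="block", threshold=3, window=60.0, block_for=300.0):
        self.mode = mode
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.flagged = defaultdict(deque)  # client_ip -> timestamps of signalled requests
        self.blocked_until = {}            # client_ip -> expiry of the block

    def _enforce(self):
        # In "log" mode an over-threshold client is reported, never blocked.
        return "block" if self.mode == "block" else "log"

    def decide(self, req):
        ip, now = req.client_ip, req.ts
        signals = extract_signals(req)

        # A client over threshold stays blocked for the whole block_for period,
        # including on requests that carry no signals at all.
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return Decision(self._enforce(), signals, True)
            del self.blocked_until[ip]  # block expired, count afresh

        if not signals:
            return Decision("allow", signals, False)

        # Sliding window: keep only signalled requests inside the window.
        hits = self.flagged[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()

        if len(hits) >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            hits.clear()
            return Decision(self._enforce(), signals, True)

        # Under threshold: the request is passed through but recorded.
        return Decision("log", signals, False)


# Constructed traffic: one client escalating to three signalled requests,
# a second client with a single traversal attempt, plus clean requests.
SAMPLE_TRAFFIC = [
    Request("203.0.113.10", "/search", "q=shoes", ts=0),
    Request("203.0.113.10", "/search", "q=' or 1=1 --", ts=1),
    Request("203.0.113.10", "/item", "id=1 UNION SELECT password FROM users", ts=2),
    Request("203.0.113.10", "/profile", body="bio=<script>alert(1)</script>", ts=3),
    Request("203.0.113.10", "/search", "q=boots", ts=4),               # clean, but client is flagged
    Request("198.51.100.7", "/files", "name=../../etc/passwd", ts=5),  # one hit, under threshold
    Request("198.51.100.7", "/home", ts=6),
]


def run_sample(mode="block", threshold=3):
    """Run the constructed traffic through a fresh agent; return the actions."""
    agent = Agent(mode=mode, threshold=threshold)
    return [agent.decide(r).action for r in SAMPLE_TRAFFIC]
```

Running `run_sample("block")` yields allow, log, log, block, block, log, allow: the first two attack requests from 203.0.113.10 are only logged, the third crosses the threshold and is blocked, the following clean request from that client is blocked too, and the single traversal attempt from 198.51.100.7 is logged without blocking. With `run_sample("log")` the same traffic is never blocked, which is the mode to start from when validating a new policy against real traffic.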

Key Benefits of A10 Next-Gen WAF

Layered Defense: Integrating the Next-Gen WAF with A10's ADC yields a centralized, scalable web security stack. Traffic is intercepted at the application ingress point, offloading process-intensive tasks from the servers and shrinking the attack surface. The combined solution addresses OWASP Top 10 vulnerabilities, DDoS attacks, authentication attacks, TLS/SSL decryption, virtual patching of application code and known Common Vulnerabilities and Exposures (CVEs), zero-day attacks and reconnaissance scanning.

Simplification via Consolidation: The solution is an integrated, single-appliance offering that consolidates web application security and acceleration under the A10 umbrella. By leveraging ADC caching together with Fastly's cloud service, organizations can simplify their infrastructure while improving performance and availability.

Ease of Use: With A10 Next-Gen WAF, false positives are near zero, which is why Fastly users run the WAF in blocking mode and trust its accuracy and reliability. This removes the frustration and inefficiency of managing a complex security system.

Setting Up and configuring the Next-Gen WAF

The lightweight A10 Next-Gen WAF agent is deployed on Thunder devices (up to one agent per partition, for up to eight partitions). Because SSL/TLS is terminated on the Thunder ADC, the WAF inspects traffic that is already decrypted and avoids the separate decryption overhead of a traditional stand-alone WAF, giving faster and more efficient performance.

1. Preparing your A10 Thunder device for NG-WAF

To deploy Next-Gen WAF services you need a Fastly Next-Gen WAF Corp account for your company, which gives access to all Next-Gen WAF services and rule configuration. In addition, a license must be installed on the Thunder device before the 'NGWAF' commands become available.

To do so, upload the license file through the GUI of your Thunder device. After adding the license, verify that it is installed correctly with the 'show license-info' command.

After the license is installed, the device must be rebooted to activate the new set of commands that control NG-WAF operations. After the reboot, confirm that the ng-waf option is available in the command-line interface and that the following command options are accessible in the CLI:

2. Fastly Integration

To integrate Fastly's NG-WAF services you must download the agent-module pair onto your Thunder device and register the agent, under a site, in your Fastly Corp account. First, download the module onto the device as shown next (if the download is made over the management port, specify the management-port keyword explicitly, even when app-management-port is enabled):

Next, log in to your Fastly Corp account, create a site, and navigate to the Agents dashboard for that site. Select "View agent keys" and take note of your 'accesskeyid' and 'secretaccesskey'. Treat the secret access key as a credential: it is what authorizes the agent to your site, so keep it out of shared documents and rotate it if it is exposed. This information is entered on your Thunder device to register the agent module, as shown next:

Lastly, verify that the agent is installed and that the key and secret are set.

NOTE: the status will remain down until a WAF VIP is activated in your SLB configuration.

3. Enabling a NG-WAF protected Virtual IP (VIP)

Once the service is up and running, a NG-WAF protected VIP can be configured using, for example, the following basic template:

With this in place, we can verify that the agent deployed on the Thunder device becomes active.

Lastly, go to the Fastly portal and, in the corresponding site, validate that the agent name matches the NG-WAF agent that was activated. You are now set to configure your protection templates and protect your web applications. Before switching a production VIP to blocking mode, run it in logging mode first and review the signals raised against real traffic.

Key Takeaways

A10 Next-Gen WAF is built on proven technology trusted by organizations worldwide; Gartner has recognized Fastly as a Customers' Choice for WAF for the past five years. A10 offers a next-generation web application security solution that combines advanced technology, ease of use and cost-effectiveness. With the Next-Gen WAF, organizations can protect their applications against a wide range of threats, maintain availability and gain peace of mind in an ever-changing threat landscape.

As a Preferred PS partner of A10 Networks, Auben can help you design, deploy and operate this solution according to your specific needs, protecting your applications without impacting your services.