Implementing WAAS with Firewall

Answered Question
Jun 23rd, 2010

Hello,

I'm about to run a WAAS implementation project, but one of my colleagues has given me the prerequisites below, which they say must be applied on the firewalls. Can you please let me know whether this is true?

1) disable checking the TCP Sequence Number Fields

2) to allow TCP option modifications.

Doing this may leave the Customer LAN environment vulnerable to DoS attacks.  In addition, Cisco has encountered many challenges getting WAAS to work even when both of these items have been changed on the FWs.

Zach Seils Mon, 06/28/2010 - 06:09

Thanks.  I see the following options for deploying WAAS:

  1. Disable a bunch of security checks on the firewall(s) to allow WAAS traffic to flow through
  2. Use Directed Mode in WAAS to tunnel optimized traffic through the firewall
  3. Place the WAAS devices "outside" the firewalls so that the firewall(s) only see the LAN side (i.e. unoptimized) traffic

I'm personally not a fan of (1) or (2) above, since they reduce the level of benefit provided by the firewall(s) or hide optimized traffic from them altogether.  Option (3) may be an option, but it depends on your topology.

Do you have a topology diagram of your deployment that you can share?

Thanks,

Zach

a4ter Mon, 06/28/2010 - 21:41

Thanks Zach,

Our network is rather difficult to explain because it is not optimized and is very complicated. It would be easier for us to put WAAS behind the firewall; outside the firewall it is a mess.

Unfortunately I cannot share the diagram due to our security policy.

For option #1, what kind of ports or protocols need to be open? I just want to get a feel for how big they are.

Correct Answer
Zach Seils Tue, 06/29/2010 - 04:56

The ports/protocols you need to open are the same as WAAS not being there.  It's the security/normalization checks that you'll have to turn off.  The problems I would anticipate are:

  • Unknown TCP Options - We use TCP option 33 (0x21) for auto-discovery between WAAS devices.  The firewall should be configured to allow this option through unmodified.
  • TCP Sequence Numbers - TCP sequence number checking for optimized connections will need to be disabled.
  • Deep Packet Inspection - DPI for packets where we have performed compression will likely fail.

Regards,

Zach

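To make the first two checks in the answer above concrete, here is a small added model (not code from this thread, nor from Cisco WAAS or any firewall product) of what a firewall's TCP option normalizer and stateful sequence tracker do with such traffic. Everything in it is an illustration: the option-33 payload bytes are placeholders, the set of "known" option kinds, the 64 KiB window and the 2^31 sequence-space shift are assumptions chosen to show the failure mode, and `KNOWN_OPTIONS`, `SeqTracker`, `normalize_options` and the other names are introduced here.

```python
"""Toy model of the two firewall checks named in the thread: TCP option
normalization (unknown option 33 / 0x21) and stateful sequence tracking.
Constructed example; not WAAS or firewall code."""
import struct

WAAS_AUTODISCOVERY_OPTION = 33  # 0x21, the option kind named in the answer

# Option kinds a typical normalizer already understands: EOL, NOP, MSS,
# window scale, SACK-permitted, SACK, timestamps. Assumption for the model.
KNOWN_OPTIONS = frozenset({0, 1, 2, 3, 4, 5, 8})


def parse_tcp_options(raw: bytes) -> list:
    """Return [(kind, data), ...] from the raw TCP options field.
    EOL (0) ends parsing; NOP (1) has no length byte; all others are TLV."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option {kind}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Parse a bare TCP segment (no IP header) into seq, options, payload length."""
    _src, _dst, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {"seq": seq,
            "options": parse_tcp_options(segment[20:data_offset]),
            "payload_len": len(segment) - data_offset}


def build_tcp_segment(seq: int, flags: int, options: bytes, payload: bytes = b"") -> bytes:
    """Build a TCP segment; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 445, seq, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


def normalize_options(seg: dict, allow_unknown=frozenset()):
    """Firewall option normalizer model. Returns (permitted, reason).
    Default policy rejects any kind outside KNOWN_OPTIONS; allow_unknown is
    the allow-list the answer asks to add for kind 33."""
    for kind, _ in seg["options"]:
        if kind not in KNOWN_OPTIONS and kind not in allow_unknown:
            return False, f"unknown TCP option {kind} (0x{kind:02x})"
    return True, "ok"


class SeqTracker:
    """Stateful sequence check model: after the SYN, a segment is accepted
    only if its seq lies within `window` bytes of the expected value."""

    def __init__(self, isn: int, window: int = 65535):
        self.expected = (isn + 1) & 0xFFFFFFFF
        self.window = window

    def check(self, seg: dict) -> bool:
        delta = (seg["seq"] - self.expected) & 0xFFFFFFFF
        if delta > self.window:
            return False
        self.expected = (seg["seq"] + seg["payload_len"]) & 0xFFFFFFFF
        return True


# Constructed sample SYN: MSS 1460, NOP, window scale 7, then option 33 with
# 10 placeholder bytes (the real auto-discovery payload is not in the thread).
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07"
                  + bytes([WAAS_AUTODISCOVERY_OPTION, 12]) + b"\x00" * 10)
SAMPLE_SYN = build_tcp_segment(seq=1000, flags=0x02, options=SAMPLE_OPTIONS)


def option_check_demo():
    """(strict normalizer verdict, verdict with option 33 allow-listed)."""
    seg = parse_tcp_header(SAMPLE_SYN)
    return normalize_options(seg)[0], normalize_options(seg, {WAAS_AUTODISCOVERY_OPTION})[0]


def sequence_check_demo(shift: int = 2**31):
    """A segment continuing the handshake's sequence space passes; one whose
    sequence space has been shifted (offset is an assumption) is rejected."""
    tracker = SeqTracker(isn=1000)
    in_window = build_tcp_segment(1001, 0x18, b"", b"x" * 100)
    shifted = build_tcp_segment((1101 + shift) & 0xFFFFFFFF, 0x18, b"", b"y" * 100)
    return tracker.check(parse_tcp_header(in_window)), tracker.check(parse_tcp_header(shifted))


if __name__ == "__main__":
    print("option 33 strict / allow-listed:", option_check_demo())
    print("in-window / shifted segment:", sequence_check_demo())
```

Run as a script to see both verdicts. The model shows why the two relaxations in the answer go together: allow-listing kind 33 only lets the auto-discovery SYN through, and a stateful tracker still drops the optimized connection once its sequence space no longer matches the handshake it recorded, which is what disabling sequence checking for those connections avoids.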