Solved: ACE Web App Architecture...and Signature Updates.

itlogical · ‎02-16-2010

Hi,

I have some questions regarding the Cisco ACE Web Application Firewall, Looking for the complete architecture and traffic flow on ACE Web App. In case of integration with Cisco ACE how the traffic is forced to check the web application signatures, profiles and rules defined on ACE Web App Manager.

Another question is how built in or pre-defined signatures in ACE Web App manager gets updates how frequently and from which source and how to obtain signature files and updates.

Thanks

Regards,

Sean Merrow · ‎02-17-2010

Hello,

I'm not sure I can answer your entire question on the complete architecture and traffic flow, but I'll try to shed more light on the integration between the two products.

There are many network designs that can be deployed, but I'll give one common scenario. Perhaps the ACE will host a public VIP. Clients connect to this VIP and the ACE will load balance those connections across one or more WAF gateways. The WAF gateways will also be configured to listen for traffic destined to the configured VIP, host, and/or port for each Web Application. The WAF gateways will then perform the desired inspection using the profile assigned to each Web Application. Once the inspection is finished, the gateways would then open a connection to another backend VIP on the ACE, which would then load balance the connections to the real web servers within a serverfarm.

Obviously, the WAF cannot inspect encrypted traffic, so SSL termination would need to occur on either the ACE or WAF. The traffic could then be re-encrypted after inspection and before heading off to the real web server(s).

Rules are made up of signatures, and Profiles are made up of Rules. Then you can determine the level of security you want.

As for updates, the built-in rules and signatures have to be manually updated when they become available on Cisco.com. The come in the form of a file that is imported on the Rules and Signatures screen. These files are downloadable from the same page as where you would download a software update. Please see the following link for more details on this topic:

Base Configuration

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_waf/v61/release/note/acewafrn61.html#wp171154

Hope this helps,

Sean

View solution in original post

Sean Merrow · ‎02-17-2010

Hello,

I'm not sure I can answer your entire question on the complete architecture and traffic flow, but I'll try to shed more light on the integration between the two products.

There are many network designs that can be deployed, but I'll give one common scenario. Perhaps the ACE will host a public VIP. Clients connect to this VIP and the ACE will load balance those connections across one or more WAF gateways. The WAF gateways will also be configured to listen for traffic destined to the configured VIP, host, and/or port for each Web Application. The WAF gateways will then perform the desired inspection using the profile assigned to each Web Application. Once the inspection is finished, the gateways would then open a connection to another backend VIP on the ACE, which would then load balance the connections to the real web servers within a serverfarm.

Obviously, the WAF cannot inspect encrypted traffic, so SSL termination would need to occur on either the ACE or WAF. The traffic could then be re-encrypted after inspection and before heading off to the real web server(s).

Rules are made up of signatures, and Profiles are made up of Rules. Then you can determine the level of security you want.

As for updates, the built-in rules and signatures have to be manually updated when they become available on Cisco.com. The come in the form of a file that is imported on the Rules and Signatures screen. These files are downloadable from the same page as where you would download a software update. Please see the following link for more details on this topic:

Base Configuration

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_waf/v61/release/note/acewafrn61.html#wp171154

Hope this helps,

Sean