Cisco Support Community
ACE Web App Architecture...and Signature Updates.

Hi,

I have some questions regarding the Cisco ACE Web Application Firewall. I am looking for the complete architecture and traffic flow on ACE Web App. In the case of integration with Cisco ACE, how is the traffic forced to be checked against the web application signatures, profiles and rules defined on ACE Web App Manager?

Another question is how the built-in or pre-defined signatures in ACE Web App Manager get updated, how frequently and from which source, and how to obtain signature files and updates.

Thanks

Regards,

1 ACCEPTED SOLUTION


Re: ACE Web App Architecture...and Signature Updates.

Hello,

I'm not sure I can answer your entire question on the complete architecture and traffic flow, but I'll try to shed more light on the integration between the two products.

There are many network designs that can be deployed, but I'll give one common scenario.  Perhaps the ACE will host a public VIP.  Clients connect to this VIP and the ACE will load balance those connections across one or more WAF gateways.  The WAF gateways will also be configured to listen for traffic destined to the configured VIP, host, and/or port for each Web Application.  The WAF gateways will then perform the desired inspection using the profile assigned to each Web Application.  Once the inspection is finished, the gateways would then open a connection to another backend VIP on the ACE, which would then load balance the connections to the real web servers within a serverfarm.

Obviously, the WAF cannot inspect encrypted traffic, so SSL termination would need to occur on either the ACE or WAF.  The traffic could then be re-encrypted after inspection and before heading off to the real web server(s).

Rules are made up of signatures, and Profiles are made up of Rules.  Then you can determine the level of security you want.

As for updates, the built-in rules and signatures have to be manually updated when they become available on Cisco.com.  They come in the form of a file that is imported on the Rules and Signatures screen.  These files are downloadable from the same page as where you would download a software update.  Please see the following link for more details on this topic:

Base Configuration

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_waf/v61/release/note/acewafrn61.html#wp171154

Hope this helps,

Sean
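
As an added illustration of the two-tier design Sean describes (this is not configuration from the post or from Cisco documentation, and the WAF side, which is built in the ACE Web App Manager, is not shown), the following is a skeleton ACE configuration: a public VIP that terminates SSL and load balances to the WAF gateways, and a second, internal VIP that the gateways forward inspected traffic to and that load balances to the real web servers. Every name, address, VLAN number and certificate file is an assumed placeholder.

```text
! ===== Front-end tier: public VIP -> WAF gateways (assumed names and addresses) =====
! The WAF gateways are the "real servers" of this tier.
rserver host WAF-GW-1
  ip address 10.10.1.11
  inservice
rserver host WAF-GW-2
  ip address 10.10.1.12
  inservice

serverfarm host SF-WAF
  rserver WAF-GW-1 80
    inservice
  rserver WAF-GW-2 80
    inservice

! SSL is terminated here so the gateways see plaintext HTTP.
! MYKEY.PEM / MYCERT.PEM are placeholders for files already imported on the ACE.
ssl-proxy service SSL-FRONT
  key MYKEY.PEM
  cert MYCERT.PEM

class-map match-all VIP-PUBLIC-443
  2 match virtual-address 192.0.2.10 tcp eq 443

policy-map type loadbalance first-match LB-TO-WAF
  class class-default
    serverfarm SF-WAF

policy-map multi-match PM-PUBLIC
  class VIP-PUBLIC-443
    loadbalance vip inservice
    loadbalance policy LB-TO-WAF
    ssl-proxy server SSL-FRONT

! ===== Back-end tier: internal VIP -> real web servers (assumed names and addresses) =====
! Each Web Application on the gateways is configured to forward inspected
! requests to this VIP (10.10.1.100:80) instead of directly to a web server.
rserver host WEB-1
  ip address 10.20.1.21
  inservice
rserver host WEB-2
  ip address 10.20.1.22
  inservice

serverfarm host SF-WEB
  rserver WEB-1 80
    inservice
  rserver WEB-2 80
    inservice

class-map match-all VIP-BACKEND-80
  2 match virtual-address 10.10.1.100 tcp eq 80

policy-map type loadbalance first-match LB-TO-WEB
  class class-default
    serverfarm SF-WEB

policy-map multi-match PM-BACKEND
  class VIP-BACKEND-80
    loadbalance vip inservice
    loadbalance policy LB-TO-WEB

! ===== Interfaces: the ACE forwards nothing without an access-group =====
! A permit-any ACL keeps the example short; production would restrict it.
access-list ALL extended permit ip any any

interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  access-group input ALL
  service-policy input PM-PUBLIC
  no shutdown

interface vlan 110
  ip address 10.10.1.1 255.255.255.0
  access-group input ALL
  service-policy input PM-BACKEND
  no shutdown
```

The point of the layout is that no client-to-server path exists that bypasses the gateways: clients can only reach the public VIP, whose only serverfarm is the WAF gateways, and the internal VIP is reachable only on the WAF-facing VLAN. If the real servers must receive HTTPS, re-encryption would be added on the back-end tier (an `ssl-proxy client` service referenced from LB-TO-WEB), which is the "re-encrypted after inspection" step Sean mentions.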
