Cloudten techblog: WAF Sandwich with Nginx/mod_security

In an earlier post we presented an overview of the various types of web application firewalls and how they are used in cloud based environments. In this post we’ll further explore how to set up a scalable, cost effective security solution using open source tools.

One of the key benefits of cloud infrastructure is the ability to dynamically scale up and down depending on load. The concept of auto scaling groups that can manage changes in capacity, coupled with elastic load balancing technologies that can automatically accommodate this flexing offers true on-demand capability. From a security perspective this can allow us to intercept and absorb a wide range of attacks without burdening backend systems.

The figure on the right represents a possible three tiered solution that makes use of multiple auto-scaling zones. Inbound internet traffic is targeted to a load balancer address that distributes requests out to an autoscaling group of WAF instances. The WAF will then filter out malicious traffic and forward on legitimate traffic to a second tier load balancer which in turn will map requests out to the application layer.

In the event of a heavy traffic based attack, such as a DDOS, the load on the WAF tier will increase significantly. If the correct auto-scaling trigger points are in place then additional WAF instances will be created to absorb the load without impacting the secondary tier. The industry appears to have adopted the term “WAF sandwich” to convey this concept of concentrating an on demand tier between two sets of load balancers.

Aside from the obvious security benefits, this can be a cost effective strategy as it minimises scaling events on the back end tiers which would usually have higher capacity ( i.e. more expensive ) and be more complex ( take longer to start ) than the WAF instances.

Cloudten Opensource WAF

As we mentioned in our earlier blog, there are a number of options when it comes to provisioning WAFs in the cloud. There are a wide variety of vendors that offer dedicated virtual appliances with flexible licensing models as well as externally managed services that control all traffic to your site. Whilst these are an excellent option for enterprise customers, the relatively high cost of these products is a barrier to many projects and organisations.

At Cloudten, we have developed a custom machine image that uses open source tools to provide an extremely cost effective and viable alternative to the high end commercial offerings. The extremely lightweight WAF comprises of the following:

  • A hardened Linux OS kernel:
    • This is a minimalist server build that only runs the core services required for WAF functionality.
  • A custom compiled set of Nginx modules :
    • We have incorporated additional modules for performance and security including SPDY and SSL and removed a number of unnecessary modules from the default Nginx distribution. In addition we have made some changes to the source code headers to restrict what server information is displayed via a remote query.
    • On top of this is a tightened service configuration that enforces the latest security standards
  • A Mod_Security plugin :
    • We have compiled the opensource mod_security application firewall into the Nginx stack and linked it to the latest rule set which is automatically updated on a regular basis. The configuration can easily be changed to use the commercial rule set.
    • Once traffic has been filtered by mod_security, legitimate content is then proxied to a backend load balancer which can distribute traffic to a variety of application servers.
  • A monit self monitoring utility :
    • In order to provide a more resilient service the tool monit is installed to check the health of the Nginx engine in a number of ways. It can be set up to alert and/or restart processes depending on predefined conditions.
  • A log forwarding agent :
    • In order to be truly cloud friendly, there should be no reliance on any single running instance. It is essential that security and access logs be stored and processed centrally in near real time. There are a number of log management solutions out there. We include a Splunk and AWS Cloudwatch Log agent in our image

Why Nginx ?

When it comes to open source web servers there are two main choices; Apache and Nginx.

Apache has been around since the very early days of the internet and is the defacto standard globally with just under 40% total market share. It is a mature and stable platform with a plethora of available plugins and support for a wide range of features and products. There are a number of development streams for it and it has been ported to various operating systems.

Nginx, is a relative newcomer in the market but has had a fairly major impact due to its focus on throughput and memory optimisation. Whilst it is not as feature rich, in the sense that there are not as many plugins or supported platforms, its threading and worker process model make it a good candidate for environments that will potentially have a high number of connections and endure rapid spikes in load.

For many functions, Apache would still remain the web server of choice, however, after performing numerous functional and load tests, it was determined that Nginx was a better choice for what is essentially a secure reverse proxy.


Cloudten Industries © is an Australian cloud practice and a recognised consulting partner of AWS. We specialise in the design, delivery and support of cloud based solutions. Don’t hesitate to contact us if you have any queries about this post or any cloud related topic.