Imperva Cyber Community

communities_1.jpg
 View Only

  • 1.  Replace NGINX (without load balancing) with Imperva's on-prem WAF

    Posted 11-17-2023 04:18

    Hello Imperva Community,

    I am exploring the possibility of replacing our current NGINX setup with an on-premises WAF solution and would appreciate your insights on this matter. Below is a summary of our current NGINX configuration:

    

    

    # Configuration Highlights
    


    - SSL configuration with TLSv1.3 and specific ciphers.
    


    - Client certificate validation.
    


    - Detailed proxy settings and header manipulations.
    


    - Access and error logging configurations.
    


    - Specific location block for /payments with custom proxy settings.
    


    - Security directives like hiding server tokens and limiting methods.

    Given this setup, my question is: Can an on-premises WAF from Imperva fully replace this NGINX configuration, particularly with respect to SSL/TLS handling, client certificate validation, and the detailed proxy and header settings we currently have in place?

    Additionally, how would the Imperva WAF handle the following aspects:

    • Complex SSL/TLS setups and client authentication.
    • Detailed access control and logging.
    • Proxying requests with specific header modifications.
    • Security measures like method restriction and server information obfuscation.

    I am particularly interested in understanding any limitations or additional considerations that may be relevant in transitioning to an on-prem WAF solution.

    Thank you in advance!


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Lasha Lomjaria
    Cybersecurity engineer
    Green Systems LLC
    Tbilisi
    ------------------------------


  • 2.  RE: Replace NGINX (without load balancing) with Imperva's on-prem WAF

    Posted 12-01-2023 03:59
    Edited by Dimitar Georgiev 12-01-2023 03:59

    Hi Lasha,

    A significant chunk of the functionalities you requested could be replaced by Imperva WAF (on-premises), but not all I am afraid. Specifically, some advanced proxy settings and header manipulation is something that WAF doesn't do - you simply can't strip, modify or add headers apart from adding the IP of the original request origin in reverse proxy mode. Furthermore, you can't use WAF as a load balancer if that's what your current reverse proxy does.

    Could you also please elaborate more on the concept of "hiding server tokens"?

    Everything else seems to be something that you can easily do with WAF.

    Greetings,
    Dimitar



  • 3.  RE: Replace NGINX (without load balancing) with Imperva's on-prem WAF
    Best Answer

    Posted 12-12-2023 08:21
    Edited by John Thompson 02-08-2024 21:19

    Hi Lasha,

    Let me firstly refer directly to the list you provided:

    - SSL configuration with TLSv1.3 and specific ciphers.
    Fully supported starting from v14.4. 
    - Client certificate validation.
    Fully supported.
    - Detailed proxy settings and header manipulations.
    I don't know exactly what do you mean by "detailed proxy setting". If you mean - routing the request to multiple backend microservices based on request URL then this is supported in Reverse Proxy rules. Header manipulations are not supported on WAF Gateway, but it is supported on Cloud WAF. 
    - Access and error logging configurations.
    Access log is not supported. The log entry (Security Event) can be generated in case of security violation (like detecting malicious activity). 
    - Specific location block for /payments with custom proxy settings.
    The specific location can be blocked by security rule and the specific URL/prefix can be routed to specific backend service with Reverse Proxy rules. 
    - Security directives like hiding server tokens and limiting methods.
    Yes, this is fully supported. 
    Please note, that Imperva WAF gateway is a WAF solution. The primary goal is to block malicious attempts to attack the application, not to implement Ingress Controller functions, hence customers usually do not replace NIGINX with our WAF solution. We do have an Envoy (Istio) integration to by able to add WAF functionalities to Ingress Controller/Service Mesh deployments. Moreover, we do plan to support Nginx integration soon. 



    ------------------------------
    Bartosz Chmielewski
    SE
    Imperva
    ------------------------------