Newbie Questions: How-to monitor/control unauthorized uses of our IPs and DNS zones?

William Herrin bill at herrin.us
Mon Aug 23 16:51:28 UTC 2021


On Thu, Aug 19, 2021 at 7:47 AM Bill Woodcock <woody at pch.net> wrote:
> > 4. Does that mean I need a big Web Application Firewall (WAF)
>
> Absolutely not.  I have no idea what a Web Application Firewall is, but if it’s anything like it sounds like, I wouldn’t let one anywhere near anything I was responsible for securing.

Hi Bill,

A WAF is a filtering reverse web proxy. It can sanitize incoming
requests to obstruct hacking against the web server. It's often used
for TLS offload as well since it must decrypt the traffic anyway. You
give the "real" web server RFC 1918 addresses and put a WAF on the
public IP addresses.

It also tends to break web sockets, so there's a capability penalty if
you use one.

A WAF is the second-best answer to Pirawat's problem since it can
filter web requests which arrive without an acceptable "Host" header,
corresponding to the DNS name the browser used.

The best answer is: don't do that. If you have so little trust in
your web staff, replace them with trustworthy people.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
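The "acceptable Host header" filter Bill describes, written out as an added example in Python (this is not code from the original post or from any WAF product). It is a small WSGI filter that answers only for DNS names on an allowlist and returns 421 Misdirected Request for everything else, so a request that reaches the public IP under some other name, or under a bare IP literal, never reaches the origin. The allowlist (example.com, www.example.com), the 421 status and the constructed WSGI environ are all assumptions made for the example; a real deployment would do the same check in the proxy's own configuration.

```python
"""Host-header allowlist filter, the check a WAF/reverse proxy applies in
front of an origin that should answer only for its own DNS names.

Added example; not code from the NANOG post. The allowlist, the 421 reply
and the sample requests below are constructed for illustration.
"""
import ipaddress
import re

# Constructed allowlist: the DNS names this site legitimately serves.
ALLOWED_NAMES = {"example.com", "www.example.com"}

# host[:port] where host is a bracketed IPv6 literal or a name/IPv4 literal.
_HOST_RE = re.compile(r"^(?P<host>\[[0-9a-fA-F:.]+\]|[^:\[\]]+)(?::(?P<port>\d{1,5}))?$")


def normalize_host(header_value):
    """Return the canonical hostname from a Host header, or None if malformed.

    Drops an optional :port and a trailing dot, and lowercases, so that
    'WWW.Example.COM.:443' compares equal to 'www.example.com'. The port is
    ignored on purpose: server-name matching in common proxies ignores it too.
    """
    if header_value is None:
        return None
    match = _HOST_RE.match(header_value.strip())
    if not match:
        return None
    host = match.group("host").lower().rstrip(".")
    return host or None


def host_is_allowed(header_value, allowed=ALLOWED_NAMES):
    """True only if the Host header names one of our DNS names.

    IP literals are rejected outright: a browser that reached us through one
    of our DNS names never sends a bare address, so such requests are by
    definition not for any name we publish.
    """
    host = normalize_host(header_value)
    if host is None:
        return False
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(literal)
        return False  # IPv4 or IPv6 literal, not a DNS name
    except ValueError:
        pass  # not an IP literal; fall through to the name check
    return host in {name.lower().rstrip(".") for name in allowed}


class HostFilter:
    """WSGI middleware: pass the request to the origin app only if the
    Host header is acceptable; otherwise answer 421 and never call the app."""

    def __init__(self, app, allowed=ALLOWED_NAMES):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST"), self.allowed):
            body = b"Misdirected Request\n"
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _origin_app(environ, start_response):
    """Stand-in for the RFC 1918-addressed origin server."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the origin\n"]


def status_for(host_header, app=_origin_app):
    """Drive the filter with a constructed WSGI environ; return (status, body)."""
    filtered = HostFilter(app)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "SERVER_NAME": "10.0.0.10", "SERVER_PORT": "80"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(filtered(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for sample in ["www.example.com", "WWW.Example.COM.:443", "192.0.2.7",
                   "[2001:db8::1]:443", "www.example.com.evil.example", None]:
        print(repr(sample), "->", status_for(sample)[0])
```

The edge cases worth keeping in mind when wiring this into a real proxy: the comparison must be case-insensitive and ignore the trailing dot and port, a missing or empty Host header is a reject, and IP literals are rejected even when they are your own addresses, because the goal is to serve only the names you actually publish in DNS.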

