Open Telekom Cloud for Business Customers

How use a Web Application Firewall solution on the Open Telekom Cloud

How does a WAF work?

A Web Application Firewall (WAF) filters, monitors, and blocks HTTP traffic to and from a web application. While regular firewalls serve as a safety filter between servers, a WAF can filter the content of specific web applications. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and security misconfigurations. When used in environments such as e-commerce platforms and enterprise portals, a WAF is one of the most important security elements to defend the entire platform against attacks.

This article not only describes a solution which can easily be used on the Open Telekom Cloud but also shows how to deploy this approach. The Open Telekom Cloud already provides an anti-DDoS service which compliments and enhances the customer’s whole security solution. Our solution is composed of Open Telekom Cloud public cloud capabilities and the Imperva WAF product. Please note that the Imperva license and application has to be purchased then downloaded separately.

Recommended Architecture for leveraging WAF in the Cloud

The graph below shows the overall architecture concept for leveraging WAF in the Open Telekom Cloud.

Architecture concept for leveraging WAF in the Open Telekom Cloud Recommended Architecture for Using WAF on Open Telekom Cloud

Recommended Architecture for Using WAF on Open Telekom Cloud

End users send access requests to an external ELB (Elastic Load Balancer). This ELB forwards the traffic to several WAF gateway nodes. All WAF gateway nodes and the management node are in one VPC, but in different subnets. As the solution is based on cross AZ (availability zone) architecture, each AZ has one gateway node. The WAF gateway connects to Web APP through reverse proxy mode. The Nginx servers shown are an optional element of the solution. In the next section, we will examine the resources needed to deploy the suggested architecture on Open Telekom Cloud.

Resources Required to deploy the architecture

The set-up requires three elastic compute servers (4 vCPU/16 GB RAM), one VPC with three subnets and an NSG (Network Security Group in VPC), and additionally an external ELB. Furthermore, Imperva software is essential; one Imperva SecureSphere WAF V 2500 Management for Xen in the management subnet, and two Imperva SecureSphere WAF AV 2500 Gateway for Xen in the DMZ subnets (for the gateways).

Deployment

Deployment is undertaken in four steps, beginning with resource preparation. Initially, you should create your VPC and subnets, followed by creating and configuring the NSG. Add the external ELB and optionally deploy an inner VM for domain name service, if you need a domain name resolution.

The second step focuses on image import; create a temporary VM and import the WAF app package to the data disk on this VM. Decompress the package, shut down the temporary VM and re-mount the data disk as a system disk. Start the temporary VM and create a private image.

The third step initializes the device; begin with a WAF gateway node then initialize the WAF management node.

To check the deployment, run a web console test. Log in to the WAF management console and check the gateway status. As the console is web-based, you can log in with the default URL provided by WAF.


Book now and claim starting credit of EUR 250* (code: 4UOTC250)
24/7 Service
Take advantage of our consulting services!

Our experts will be happy to help you.

We will answer any questions you have regarding testing, booking and usage – free and tailored to your needs. Try it out today!

Hotline: 24 hours a day, seven days a week 

0800 33 04477 from Germany
00800 44 556 600 from abroad

* Voucher can be redeemed until June 30, 2020. Please contact us when using the voucher for booking. The discount is only valid for customers with a billing address in Germany and expires two months after conclusion of the contract. The credit is deducted according to the valid list prices as per the service description. Payment of the credit in cash is excluded.


  • Test it today – with no obligation and free of charge

    Book now and claim starting credit of EUR 250*
    Code: 4UOTC250

    Book now

  • Telefon

    Free expert hotline

    Our certified cloud experts provide you with personal service free of charge.

    0800 33 04477 (from Germany)

    24 hours a day, seven days a week

  • E-Mail

    Our customer service is available free of charge via E-Mail

    Write an E-Mail

  • Arrange an appointment

    Our Open Telekom Cloud experts provide you with free, non-binding and idividual support

    Arrange an appointment