Overview of the Wallarm Out-of-Band Deployment¶

Wallarm can be deployed as an Out-of-Band (OOB) security solution inspecting requests via a mirror of the traffic. This article explains the approach in detail.

The OOB approach involves placing the Wallarm solution on a separate network segment, where it can inspect incoming traffic without affecting the primary data path and, as a result, the application performance. All incoming requests including malicious ones reach the servers they are addressed.

Use cases¶

Traffic mirroring is a key component of the OOB approach. A mirror (copy) of the incoming traffic is sent to the Wallarm OOB solution, which operates on the copy, rather than the actual traffic.

As the OOB solution only records malicious activity but does not block it, it is an effective way to implement web application and API security for organizations with less stringent real-time protection requirements. The OOB solution is suitable for the following use cases:

• Get knowledge about all the potential threats web applications and APIs may encounter, without affecting the application performance.

• Train the Wallarm solution on the traffic copy before running the module in-line.

• Capture security logs for auditing purposes. Wallarm provides native integrations with many SIEM systems, messengers, etc.

The diagram below provides a visual representation of the general traffic flow in an out-of-band deployment of Wallarm. The diagram may not capture all possible infrastructure variations. The traffic mirror can be generated at any supporting layer of the infrastructure and sent to the Wallarm nodes. Additionally, specific setups may involve varying load balancing and other infrastructure-level configurations.

Advantages and limitations¶

The OOB approach to the Wallarm deployment offers several advantages over other deployment methods, such as in-line deployments:

• It does not introduce latency or other performance issues that can occur when the security solution operates in-line with the primary data path.

• It provides flexibility and ease of deployment, as the solution can be added or removed from the network without affecting the primary data path.

Despite the OOB deployment approach safety, it has some limitations:

• Wallarm does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow.

  Wallarm only observes attacks and provides you with the details in Wallarm Console.

• Vulnerability discovery using the passive detection method does not function properly. The solution determines if an API is vulnerable or not based on server responses to malicious requests that are typical for the vulnerabilities it tests.

• The Wallarm API Discovery does not explore API inventory based on your traffic as server responses required for the module operation are not mirrored.

  An exception is the eBPF solution, which conducts API inventory discovery by analyzing response codes.

• The protection against forced browsing is not available since it requires response code analysis which is currently not feasible.

  An exception is the eBPF solution, which analyzes response codes, making it suitable for this purpose.

Supported deployment options¶

Wallarm offers the following Out-of-Band (OOB) deployment options:

• Many available Wallarm artifacts can be used to deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc. These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions.

• eBPF-based solution

Was this page helpful?

How can we improve this article? (Optional)

Information is unclear or confusing

Insufficient information

Outdated or incorrect information

0/240

Send