I took my car in for some work a while back. They had to replace a gasket on the engine because it was leaking a bit of oil. When they looked at the problem, they told me that I should replace a few other parts.
This was interesting because the parts were working and not causing any issues. The parts they wanted to replace were reasonably inexpensive, but in order to get to the failing gasket they had to spend a lot of time taking apart the engine. The time and labor to dismantle my engine outweighed the cost of the parts that they recommended replacing. It made sense to do this other work at the same time while they were easy to access. In the long run, this would save me money by not having to take apart the engine later when these components would eventually go bad.
When I look at ADC technologies, I can apply a similar principle. The ADC acts as a proxy for connections to the applications it supports. In practice this means the ADC is often terminating TLS and decrypting the traffic so that it can use what it sees in the request (host, URL, headers, cookies) to steer the session to the appropriate server. Decrypting and encrypting application content is resource intensive, and ADCs are built to perform that work at high throughput.
Do once, leverage twice
Web application firewalls (WAF) inspect the content going to servers and block malicious requests that could cause problems or exploit vulnerabilities in the application. Since the ADC is already decrypting the session if it is encrypted, it makes sense to leverage that work and pass the decrypted session to a WAF as well, so the request can be checked for attacks without decrypting it a second time.
The optimal way to do this is to integrate the WAF technology into the ADC, so that traffic steering and web security are performed seamlessly in a single solution. This is much easier to deploy and manage than a multi-box, multi-vendor solution, and it avoids a second TLS termination point that would otherwise have to be sized, patched and keyed separately.
Integrating means enhancing
Keeping this in mind, we can take this a step further. Adding WAF functionality to the ADC increases the benefit, but only if the WAF does not become a bottleneck or add latency to access to the application.
This is where an out-of-path WAF comes in: the ADC decrypts the traffic once and steers it to the appropriate application server, and at the same time replicates the decrypted session to the WAF for security inspection. If a threat is detected, the WAF notifies the appropriate security mitigation solution (whether that is the ADC itself or a separate device) to block the attacker and protect the application. Two consequences of this design are worth keeping in mind. First, because the WAF inspects a copy, the request that triggered the alert has already reached the server; the mitigation protects against subsequent requests from that source, not the first one, so the approach trades immediate blocking for zero added latency. Second, the replicated copy is plaintext, so the path from the ADC to the WAF has to be a trusted network segment or be protected in some other way.
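To make the difference between the two placements concrete, here is a small Python simulation, added to this post as an example and not taken from any ADC or WAF product. It models an ADC that terminates TLS and forwards requests to an origin, with a WAF either in the request path ("inline") or receiving a mirrored copy ("out_of_path"). The two detection signatures, the addresses and the requests are constructed for illustration and stand in for a real WAF ruleset; the `drain_mirror` call represents the asynchronous inspection finishing after the response has already gone out.

```python
"""Simulation of in-path vs out-of-path WAF placement behind an ADC.

All names, rules, addresses and requests are constructed for illustration;
this is not any vendor's ADC or WAF code.
"""
import re
from collections import deque
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    method: str
    path: str  # request target as seen after TLS termination on the ADC
    body: str = ""


# Constructed stand-in for a WAF ruleset: two crude signatures only.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1)"),
    "path_traversal": re.compile(r"\.\./"),
}


class WAF:
    """Inspects decrypted requests; returns the name of the rule that fired."""

    def __init__(self):
        self.alerts = []

    def inspect(self, req):
        for name, pat in SIGNATURES.items():
            if pat.search(req.path) or pat.search(req.body):
                self.alerts.append((req.src_ip, name))
                return name
        return None


class Origin:
    """Application server; records which requests actually reached it."""

    def __init__(self):
        self.served = []

    def handle(self, req):
        self.served.append(req)
        return 200


class ADC:
    """TLS-terminating proxy. mode is "inline" or "out_of_path"."""

    def __init__(self, origin, waf, mode):
        if mode not in ("inline", "out_of_path"):
            raise ValueError(mode)
        self.origin, self.waf, self.mode = origin, waf, mode
        self.blocked = set()   # source IPs the WAF asked us to block
        self.mirror = deque()  # decrypted copies awaiting async inspection

    def handle(self, req):
        if req.src_ip in self.blocked:
            return 403
        if self.mode == "inline":
            # WAF sits in the request path: verdict before forwarding,
            # at the cost of inspection latency on every request.
            if self.waf.inspect(req):
                return 403
            return self.origin.handle(req)
        # Out-of-path: forward immediately, hand a copy to the WAF, move on.
        status = self.origin.handle(req)
        self.mirror.append(req)
        return status

    def drain_mirror(self):
        """Simulates the WAF finishing inspection of the mirrored copies
        later and signalling the ADC to block the offending sources."""
        while self.mirror:
            req = self.mirror.popleft()
            if self.waf.inspect(req):
                self.blocked.add(req.src_ip)


def run_scenario(mode):
    """Attacker sends one SQLi probe, then a benign request; a user follows."""
    origin, waf = Origin(), WAF()
    adc = ADC(origin, waf, mode)
    attacker, user = "203.0.113.7", "198.51.100.2"  # constructed addresses
    statuses = [adc.handle(Request(attacker, "GET", "/search?q=1' OR '1'='1"))]
    adc.drain_mirror()  # async inspection completes after the response went out
    statuses.append(adc.handle(Request(attacker, "GET", "/search?q=shoes")))
    statuses.append(adc.handle(Request(user, "GET", "/search?q=shoes")))
    return {
        "statuses": statuses,
        "origin_saw": [r.src_ip for r in origin.served],
        "alerts": waf.alerts,
    }


if __name__ == "__main__":
    for mode in ("inline", "out_of_path"):
        print(mode, run_scenario(mode))
```

Running it shows the trade-off described above: in out-of-path mode the SQLi probe returns 200 and reaches the origin, and only the attacker's next request is refused with 403 once the mirrored copy has been inspected and the source blocked; in inline mode the probe itself is refused and never reaches the origin, but every request, including the user's benign one, pays for inspection before it is forwarded.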
Just as my mechanic dismantled the engine once to perform several jobs, we should look at how the capabilities already built into ADC technologies can make the WAF more efficient. In this case there is an additional benefit: by taking the WAF out of the request path while retaining its inspection function, we reduce its impact on application performance and availability.