Version V1
Writer      Date      Version
Bill Chen   2019/6    Base Alteon 32.2
Covers the basic network setup, enabling the WAF service, and the corresponding Huawei Cloud configuration.
Contents
1. Introduction
2. Deployment Topology
2.1 VA Resource Requirements
2.2 Standalone Deployment Topology
2.3 Extended Deployment Topology (Recommended)
3. Configuration guide
3.1. Purchase ECS
3.2. Login Alteon AppWall
3.3. Alteon Basic Configuration
3.4. Alteon Application Configuration
3.4.1. Interface and gateway configuration
3.4.2. Create VIP and connect to Web Server
3.4.3. Enable WAF Service
3.4.4. Connect VIP to Alteon VA
1. Introduction
Radware's Alteon Virtual Appliance (VA), a market-leading application delivery controller,
ensures that applications are always available, responsive and secure. Alteon VA provides all
standard ADC functions: Layer 4-7 local server load balancing, global server load balancing,
SSL offloading and compression, and advanced services such as WAF, web front-end
acceleration and application performance monitoring. Protecting web applications is the core
of Radware's security products. Through its ICSA Labs certified web application firewall,
AppWall, and its enterprise cloud WAF service, Radware provides complete web security
protection, including OWASP Top 10 coverage, advanced attack protection and zero-day attack
protection, with policies that adjust automatically to changing threats.
Agility: customize the required application delivery service package through Alteon VA's On
Demand Architecture
Embedded next-generation services: application performance monitoring, web application
firewall and web performance acceleration
Automation: advanced ADC services can be launched and maintained through the operator
toolbox's wizards by simply clicking Next
2. Deployment Topology
Radware Alteon AppWall VA is attached to the VPC in reverse-proxy mode. By default the VA
requires an out-of-band management interface and at least one business (service) interface.
A deployment needs at least the following IP addresses:

Mgmt IP         Mgmt Port   Physical IP     Proxy IP       Virtual IP/Port    Server IP/Port
192.168.1.100   443/22      192.168.2.100   192.168.2.80   192.168.2.80/80    192.168.2.10/80

Notes:
1. The out-of-band management interface is completely isolated from the service interface;
in the example above the two sit in different subnets.
2. The virtual IP is the WAF service address. It must be created as a virtual IP in the VPC and
bound to the network card of the business interface.
3. The proxy IP is the source address the VA uses when it connects to the server; it can share
the virtual IP's address.
2.1 VA Resource Requirements
Configuration        vCPU   RAM (GB)   Disk Space (GB)   Notes
Alteon AppWall VA    4      8/16       40
2.2 Standalone Deployment Topology
In standalone deployment mode, the EIP is bound directly to the virtual IP address.
2.3 Extended Deployment Topology (Recommended)
In extended deployment mode, WAF service performance can be scaled horizontally by deploying
ELB in front of several Alteon AppWall VAs, which also removes the single point of failure of one
Alteon AppWall. In this case the EIP is bound to ELB's virtual IP.
3. Configuration guide
3.1. Purchase ECS
Select flavor s3.xlarge.2 or s3.xlarge.4.
Add an extension network card and assign security groups. The security group must open ports
22 and 443 to provide out-of-band management access; restrict the source of those two rules to
administrator addresses rather than 0.0.0.0/0, since they expose the appliance's management plane.
Allocate an EIP for the out-of-band management interface.
The ECS login password set here is not used by Alteon (the appliance has its own credentials, see
3.2), but the console requires one, so set it.
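Two things in the steps above are easy to get wrong and cheap to check before clicking through the console: the address plan from the table in section 2 (management isolated from the service side, VIP/PIP/server on the business interface's subnet) and the security-group rules for ports 22 and 443. The script below is an added example, not part of the original guide or Radware's tooling. The /24 prefix lengths, the administrator CIDR 203.0.113.0/24 and the simplified rule tuples are assumptions; the rules are constructed and are not in the Huawei Cloud console or API format.

```python
import ipaddress

# Address plan copied from the table in section 2 above. The /24 prefix
# lengths are an assumption: the guide lists host addresses only.
PLAN = {
    "management_ip": "192.168.1.100/24",  # out-of-band management interface
    "physical_ip": "192.168.2.100/24",    # business (service) interface
    "proxy_ip": "192.168.2.80",           # source address towards the server
    "virtual_ip": "192.168.2.80",         # WAF service address (may equal PIP)
    "server_ip": "192.168.2.10",          # protected web server
}

MANAGEMENT_PORTS = {22, 443}

# Constructed security-group rules in a simplified (direction, protocol, port,
# source CIDR) form; this is not the Huawei Cloud console or API format.
ADMIN_CIDR = "203.0.113.0/24"  # assumed administrator network
RULES = [
    ("ingress", "tcp", 22, "0.0.0.0/0"),        # too broad for management
    ("ingress", "tcp", 443, "203.0.113.0/24"),  # restricted to admins
    ("ingress", "tcp", 80, "0.0.0.0/0"),        # service port, public by design
]


def check_address_plan(plan):
    """Return the list of problems with a VA address plan (empty means OK).

    Encodes the rules in section 2: management is isolated from the service
    side, the proxy/virtual/server addresses live on the business interface's
    subnet, and the proxy IP may share the virtual IP's address."""
    problems = []
    mgmt = ipaddress.ip_interface(plan["management_ip"])
    biz = ipaddress.ip_interface(plan["physical_ip"])
    if mgmt.network == biz.network:
        problems.append("management interface shares the business subnet")
    for name in ("proxy_ip", "virtual_ip", "server_ip"):
        addr = ipaddress.ip_address(plan[name])
        if addr not in biz.network:
            problems.append(f"{name} {addr} is outside the business subnet {biz.network}")
        if addr in mgmt.network:
            problems.append(f"{name} {addr} is inside the management subnet")
    server = ipaddress.ip_address(plan["server_ip"])
    if server in (ipaddress.ip_address(plan["virtual_ip"]), biz.ip):
        problems.append("server_ip collides with the virtual IP or the business interface")
    return problems


def check_management_exposure(rules, admin_cidr):
    """Return findings for management ports (22/443) reachable from outside
    the administrator network, or missing altogether. The guide says to open
    both ports; the rule source should be the admin network, not 0.0.0.0/0."""
    admin = ipaddress.ip_network(admin_cidr)
    findings = []
    seen = set()
    for direction, proto, port, src in rules:
        if direction != "ingress" or proto != "tcp" or port not in MANAGEMENT_PORTS:
            continue
        seen.add(port)
        if not ipaddress.ip_network(src).subnet_of(admin):
            findings.append(f"tcp/{port} open to {src}; restrict the source to {admin_cidr}")
    for port in sorted(MANAGEMENT_PORTS - seen):
        findings.append(f"tcp/{port} has no ingress rule; management will be unreachable")
    return findings


if __name__ == "__main__":
    for line in check_address_plan(PLAN) or ["address plan OK"]:
        print(line)
    for line in check_management_exposure(RULES, ADMIN_CIDR) or ["management exposure OK"]:
        print(line)
```

Run against the constructed rules it reports the port 22 rule as open to the whole internet and accepts the address plan; swap the management address into 192.168.2.0/24 and the plan check flags the shared subnet.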
3.2. Login Alteon AppWall
Log in to Alteon AppWall via the WebUI or SSH.
Default username: admin
Default password: admin
If you log in via SSH, Alteon asks you to change the default password on first login. Change it
before exposing the management EIP in any case: the default credentials are public.
From the menu Configuration-System-License, check the license MAC address. Provide Radware
with the MAC address and apply for a license.
Enter the license and click Set License.
License example:
Throughput license: 100Mbps-w3IIKRy1
Feature license: aas-secure-cookie
3.3. Alteon Basic Configuration
The basic configuration includes time, time zone, log server, NTP server and so on. It is not
covered here; contact a Radware engineer for configuration guidance.
Alteon configuration changes take effect only after clicking "Apply Required".
Click "Save Required" to write the configuration to persistent storage; otherwise the
configuration is lost when the VA restarts.
3.4. Alteon Application Configuration
3.4.1. Interface and gateway configuration
In the ECS console, click the Alteon VA to see the address assigned to the second (business)
interface, as shown in the following figure.
Click menu Configuration-Network-Layer3-IP Interfaces, click "+" and create the interface IP address.
Note: Interface ID: 1~256.
VLAN: if only one interface is allocated, the interface belongs to VLAN 1.
Confirm the VPC gateway address.
Create the Alteon VA default gateway:
Menu Configuration-Network-Layer3-Gateways, click "+".
Note: Gateway ID must be set to 1.
3.4.2. Create VIP and connect to Web Server
❖ Apply for the VIP in the VPC
❖ Define the web server
Click Configuration-Application Delivery-Server Resources-Real Server and create the web
server with "+".
❖ Create a group containing the web server
Configuration-Application Delivery-Server Resources-Server Group, click "+" on the right.
❖ Create the VIP and connect it to the group
Menu Configuration-Application Delivery-Virtual Services, click "+" on the right.
Configure the virtual IP applied for in the VPC as the Virtual Server.
Create a virtual service and associate it with the protected server group by clicking "+" under
Virtual Services.
Note: Application must be set to HTTP, otherwise the WAF service cannot be enabled.
Real Server Port is the port on which the real server listens.
❖ Configure the Proxy IP
Click the PIP menu and set NAT mode to Address/Subnet. The proxy IP can share the VIP's
address.
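Because the VA connects to the real server from the proxy IP, the server's own access log is a simple way to confirm that nothing reaches it around the WAF: every request should arrive from the PIP. The script below is an added example, not part of the original guide or Radware's tooling. The log lines are constructed (the 192.168.2.55 entry is planted to stand for a request that bypassed the VA) and the PIP is the one from the table in section 2.

```python
import re
from collections import Counter

PROXY_IP = "192.168.2.80"  # the PIP configured in "Configure the Proxy IP" above

# Constructed access-log lines in the common "combined" layout, as the web
# server behind the VA would write them. Not real traffic; the 192.168.2.55
# entry is deliberately planted to represent a request that bypassed the VA.
SAMPLE_LOG = """\
192.168.2.80 - - [10/Jun/2019:10:00:01 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.2.80 - - [10/Jun/2019:10:00:02 +0800] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.2.55 - - [10/Jun/2019:10:00:03 +0800] "GET /admin HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.168.2.80 - - [10/Jun/2019:10:00:04 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_bypass(entries, proxy_ip):
    """Return entries whose client address is not the VA's proxy IP.

    With the VA in reverse-proxy mode every request the server receives should
    come from the PIP, so any other source address means the server was reached
    directly, i.e. without passing through the WAF."""
    return [e for e in entries if e["src"] != proxy_ip]


def source_summary(entries):
    """Count requests per source address; useful as a quick sanity check."""
    return Counter(e["src"] for e in entries)


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    print(source_summary(entries))
    for e in find_bypass(entries, PROXY_IP):
        print("bypassed the WAF:", e["src"], e["request"])
```

If the check finds such entries, the fix is on the server side: allow tcp/80 on the web server's security group only from the PIP, so the VA is the only path in. Note also that once traffic is proxied this way the server's log no longer shows the real client address, only the PIP.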
3.4.3. Enable WAF Service
❖ Configure the WAF service for the virtual service
❖ Under the virtual service menu, click HTTP, and after Secured Web Application click "+"
Create the WAF service name.
Note: Operation Mode includes Out-Of-Path and Inline.
Out-Of-Path: bypass (monitoring) mode; only monitoring and attack alerts, nothing is blocked.
Inline: real-time protection and attack alerts.
Only Inline mode actually blocks attacks; Out-Of-Path is suitable for observing the policy on live
traffic before enforcing it.
❖ Enable WAF (license required)
Configuration-Security-Web Security, click "Enable AppWall".
At this point the web server is covered by the basic WAF protection; the advanced configuration
is reached by clicking the items in the figure above.
3.4.4. Connect VIP to Alteon VA
Open the network console, click Virtual Private Cloud, find the virtual IP, and click Bind Server.
Bind the virtual IP to the Alteon VA's application (business) port.