
Cilium-based WAF alternative (vs NGINX-based)

Problem to solve

Our current Web Application Firewall is implemented using nginx and ModSecurity. We had some issues with this combination lately, and would like to explore alternatives in the future.

Intended users

Further details

During one of our brainstorming sessions, we evaluated our options with regard to alternatives to our current WAF offering, in case we continue to see instability and problematic behavior in the future. We mentioned the possibility of leveraging the L7 capabilities of Cilium (example), another component we already use for our Network Policy MVC. In the end, we mostly care about enforcing the OWASP Core Rule Set (CRS), which is the role of ModSecurity. There's probably a way to make the CRS usable with Cilium. Maybe the ModSecurity library could be used in Cilium directly.

Reusing existing components is generally a good idea to limit maintenance and technical debt. A WAF based on Cilium would probably be more performant than the current NGINX-ingress implementation, and independent of the ingress used.
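To make concrete what the "L7 capabilities of Cilium" mentioned above look like in practice, here is an added example of a CiliumNetworkPolicy with HTTP-level rules. It is not from this issue or from the Cilium project; the namespace, labels, port and paths are assumptions chosen for illustration.

```yaml
# Added example (not from the issue or the Cilium project): a CiliumNetworkPolicy
# that allow-lists HTTP requests reaching a hypothetical "webapp" workload at L7.
# Namespace, labels, port and paths below are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: webapp-l7-allowlist
  namespace: example-app
spec:
  # Pods this policy applies to (assumed label).
  endpointSelector:
    matchLabels:
      app: webapp
  ingress:
    # Only traffic from the ingress controller pods (assumed label) is considered,
    # and only on the listed port; the "rules" block turns this into an L7 policy.
    - fromEndpoints:
        - matchLabels:
            app: ingress-nginx
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              # Each entry is an allowed request shape: method plus a regex on
              # the URL path (and optionally required headers). A request on
              # port 8080 that matches none of these entries is rejected by the
              # Envoy proxy Cilium injects to enforce L7 rules, instead of being
              # forwarded to the pod.
              - method: "GET"
                path: "^/api/v1/projects/[0-9]+$"
              - method: "POST"
                path: "^/api/v1/projects$"
                headers:
                  - "Content-Type: application/json"
```

Once applied, `cilium monitor --type l7` on the node shows each HTTP request with its verdict (Forwarded or Denied), which is a useful first check that the proxy is actually in the path. The relevant caveat for this issue is that this model is an allowlist of request shapes (method, path, host, headers); it does not evaluate signature-style rules such as the CRS or inspect request bodies, so mapping the CRS onto it, or embedding the ModSecurity library as the text suggests, remains the open question to investigate.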

Proposal

This issue has been created to gather our findings on this topic, and maybe decide later to implement an MVC based on our findings.

Permissions and Security

TODO

Documentation

TODO

Availability & Testing

TODO

What does success look like, and how can we measure that?

TODO

What is the type of buyer?

GitLab Ultimate

Links / references

refs gitlab-foss#65192 (moved)

/cc @gitlab-org/defend

Edited by Wayne Haber