
My team has built an intranet portal in Amazon AWS for a client, and on it, we have used WebSockets to do things like notifications and other minor stuff. We mostly send events from the server, but we also use it so the client can quickly notify the server of user presence.

One of the client's requirements was that we use an application-level firewall to screen out malicious requests and things like that. We installed Sophos UTM to handle this. For the HTTP traffic, this works great. However, UTM doesn't support WebSockets, and so we basically had to configure it to just blindly proxy requests through. For reasons I don't fully understand (even after hours of debugging), this was a huge bottleneck, and made everything slow (even though the CPU and memory usage was fine).

We then decided that if UTM isn't filtering the traffic anyway, let's put nginx in to split out the socket traffic, and let UTM handle the regular traffic. This setup works very well, and performance is fantastic.

However, the client's security guy is concerned that the WebSocket traffic is not being screened.

Thus, I have three related questions:

  1. Is this a concern? If not, is there anything I can show that will explain this better than I can?

  2. If it is a concern, are there any application firewalls that might help us? I don't really know what we'd be filtering against, but hopefully that's the firewall's job.

EDIT: I was incorrect, we are actually doing bi-directional communication on the sockets, though it is still fairly trivial. It's things like, "is user looking at this tab", "has user acknowledged a notification", etc.

Mike Caron
  • Some [simple changes](http://resources.infosecinstitute.com/websocket-security-issues/) in your application can mitigate any security issues with WebSockets. As far as I know there's no application-layer firewall that handles them, and probably never will be. – Michael Hampton Jul 01 '15 at 19:05
  • If you're doing push only, you might want to look at HTML5 Server-Sent Events, aka "EventSource," if for no other reasons than (a) the firewall might support it, since it's just http and (b) I haven't yet encountered anything in my push-only applications that made me think "this would be easier with websockets." In push-only, replacing one with the other is pretty straightforward and the EventSource API makes some things a little easier. http://www.html5rocks.com/en/tutorials/eventsource/basics – Michael - sqlbot Jul 02 '15 at 01:41
  • @MichaelHampton Good link! I'll definitely give that a go. In case no one else posts an actual answer, you may want to post that. – Mike Caron Jul 02 '15 at 10:49
  • @Michael-sqlbot I was informed that we actually are doing bi-directional communication. Nothing significant, but it's just enough that SSE would be a real pain to implement. Though, who knows, we might end up there. – Mike Caron Jul 02 '15 at 10:51
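An added example of the nginx split the question describes, not the poster's configuration and not Sophos documentation: the backend addresses, hostname, certificate paths and the `/ws` path are placeholders. The point for the security reviewer is that the UTM bypass is limited to one exact path and only to requests that carry a WebSocket Upgrade header, so ordinary HTTP cannot use the socket route to reach the application unscreened:

```nginx
# Standard Upgrade/Connection pass-through for proxied WebSockets.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Choose the backend for /ws by the Upgrade header (matched case-insensitively):
# a genuine WebSocket handshake goes straight to the application, anything
# else on that path is screened by the UTM like the rest of the site.
map $http_upgrade $ws_backend {
    ~*^websocket$ portal_app;
    default       utm_proxy;
}

upstream portal_app { server 10.0.0.10:8080; }   # application, placeholder address
upstream utm_proxy  { server 10.0.0.20:80; }     # Sophos UTM web protection, placeholder address

server {
    listen 443 ssl;
    server_name portal.example.com;                 # placeholder hostname
    ssl_certificate     /etc/nginx/tls/portal.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/portal.key;

    # Exact match: only /ws itself can bypass the UTM, not every path under /ws/.
    location = /ws {
        proxy_pass http://$ws_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      $connection_upgrade;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;   # idle sockets are otherwise closed after 60s
    }

    # Everything else goes through the UTM.
    location / {
        proxy_pass http://utm_proxy;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because `proxy_pass` uses a variable, nginx looks the name up among the defined `upstream` groups, so no resolver is needed. TLS terminates at nginx in this layout, so the application behind it must be reachable only from nginx and the UTM, not directly from clients.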

1 Answer


If you need a WAF with WebSocket support, look into Wallarm. It installs directly into NGINX as a software module and is able to parse WebSocket starting with version 2.0. More info here

Renata B
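Whether or not a WebSocket-aware WAF is put in front of the socket path, the "simple changes in your application" that the comment on the question points to are what actually screen this traffic, because a firewall cannot know which message types the portal expects. As an added Node.js example that is not from the question, the linked article or Wallarm: an Origin allowlist applied to the upgrade request, a strict allowlist of message types and fields for the kind of events the question mentions, and a per-connection rate limit. The portal origin, the two message names and the numeric limits are placeholders.

```javascript
'use strict';

// Origins allowed to open a socket (placeholder). Browsers always send Origin
// on a WebSocket upgrade, so a missing or foreign Origin means a cross-site
// page (cross-site WebSocket hijacking) or a non-browser client.
const ALLOWED_ORIGINS = new Set(['https://portal.example.com']);

// Check the HTTP Upgrade request before the handshake is completed.
function isAllowedUpgrade(headers, allowedOrigins = ALLOWED_ORIGINS) {
  const upgrade = String(headers.upgrade || '').toLowerCase();
  if (upgrade !== 'websocket') return false;
  return typeof headers.origin === 'string' && allowedOrigins.has(headers.origin);
}

// The only client -> server messages the portal uses (placeholder names), with
// a validator per field. A Map rather than a plain object, so a type such as
// "__proto__" or "constructor" cannot match an inherited property.
const SCHEMAS = new Map([
  ['tab_visible',      { visible: v => typeof v === 'boolean' }],
  ['notification_ack', { id: v => typeof v === 'string' && /^[A-Za-z0-9_-]{1,64}$/.test(v) }],
]);
const MAX_FRAME_BYTES = 512;   // comfortably above any legitimate message

// Parse one text frame. Returns a fresh object holding only the expected
// fields, or null if anything about the frame is off.
function validateClientMessage(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw, 'utf8') > MAX_FRAME_BYTES) return null;
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return null; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return null;
  const schema = SCHEMAS.get(msg.type);
  if (schema === undefined) return null;
  const fields = Object.keys(schema);
  // Exactly "type" plus the schema's fields: extra keys are rejected too.
  if (Object.keys(msg).length !== fields.length + 1) return null;
  const clean = { type: msg.type };
  for (const f of fields) {
    if (!Object.prototype.hasOwnProperty.call(msg, f) || !schema[f](msg[f])) return null;
    clean[f] = msg[f];
  }
  return clean;
}

// Fixed-window rate limit per connection. A flood of well-formed frames is
// the other thing a WAF would normally absorb for the application.
class RateLimiter {
  constructor(maxPerWindow, windowMs) {
    this.max = maxPerWindow;
    this.windowMs = windowMs;
    this.windowStart = -Infinity;
    this.count = 0;
  }
  allow(now) {
    if (now - this.windowStart >= this.windowMs) {
      this.windowStart = now;
      this.count = 0;
    }
    this.count += 1;
    return this.count <= this.max;
  }
}

const MAX_MSGS_PER_SECOND = 20;   // placeholder; tune to real client behaviour

function newConnectionState() {
  return { limiter: new RateLimiter(MAX_MSGS_PER_SECOND, 1000) };
}

// Decide what to do with one incoming frame. A legitimate client never sends a
// malformed message, so the first one closes the socket instead of being
// silently dropped.
function handleFrame(conn, raw, now = Date.now()) {
  if (!conn.limiter.allow(now)) return { action: 'close', reason: 'rate limit exceeded' };
  const message = validateClientMessage(raw);
  if (message === null) return { action: 'close', reason: 'malformed or unknown message' };
  return { action: 'process', message };
}

// Wiring into a server, illustrative only (the `ws` package is assumed):
//   httpServer.on('upgrade', (req, socket, head) => {
//     if (!isAllowedUpgrade(req.headers)) { socket.destroy(); return; }
//     wss.handleUpgrade(req, socket, head, ws => wss.emit('connection', ws, req));
//   });
//   wss.on('connection', ws => {
//     const conn = newConnectionState();
//     ws.on('message', data => {
//       const r = handleFrame(conn, data.toString());
//       if (r.action === 'close') ws.close(1008, r.reason); else process(r.message);
//     });
//   });
```

The upgrade request also carries the portal's session cookie, so the same handler is the place to require an authenticated session before completing the handshake; the Origin check on its own only stops other sites from riding on that cookie.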