When all services are deployed on cloud servers, finding a suitable Web Application Firewall (WAF) is crucial for enterprise security. After experimenting with various commercial and open-source WAF solutions, we finally settled on SafeLine. This open-source WAF met our needs without disrupting business operations. Although there are other viable options, SafeLine stood out due to its adaptability and open-source nature.
Building a Complete Security Solution Around SafeLine
This article focuses on our experience with SafeLine, acknowledging some limitations but emphasizing its potential as the core of an open-source web traffic security solution. SafeLine acts as the “CPU” of this setup, but additional components are needed to address the challenges mentioned.
Here’s a brief overview of the solution we implemented:
- Security Event Aggregation with SIEM: To aggregate security events, we integrated SafeLine with a Security Information and Event Management (SIEM) system using the ELK stack (Elasticsearch, Logstash, and Kibana). This setup allowed us to create a basic SIEM tailored to SafeLine’s data.
- Alerting with ElastAlert: We configured alerts for high-risk events using ElastAlert, ensuring that critical incidents trigger notifications. With further development, this setup could even evolve into a full-fledged open-source Security Operations Center (SOC).
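To make the alerting layer concrete, here is an added example (not code from this post, SafeLine, or ElastAlert) that applies the two rule types we used on top of the aggregated events: an "any" rule that fires on every high-risk blocked request, and an ElastAlert-style "frequency" rule that fires when one source produces too many WAF events inside a time window. The events are constructed samples in a hypothetical JSON shape; the field names (ts, src_ip, attack_type, risk) are assumptions, not SafeLine's real log schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed SafeLine-like JSON shape.
# Field names are hypothetical; adapt them to the real index mapping.
SAMPLE_EVENTS = [
    '{"ts": "2024-05-01T10:00:00Z", "src_ip": "203.0.113.5", "attack_type": "xss", "risk": "low"}',
    '{"ts": "2024-05-01T10:00:30Z", "src_ip": "198.51.100.7", "attack_type": "sqli", "risk": "high"}',
    '{"ts": "2024-05-01T10:01:00Z", "src_ip": "203.0.113.5", "attack_type": "xss", "risk": "low"}',
    '{"ts": "2024-05-01T10:02:00Z", "src_ip": "203.0.113.5", "attack_type": "path_traversal", "risk": "medium"}',
    '{"ts": "2024-05-01T10:00:10Z", "src_ip": "192.0.2.9", "attack_type": "scanner", "risk": "low"}',
    '{"ts": "2024-05-01T10:12:00Z", "src_ip": "192.0.2.9", "attack_type": "scanner", "risk": "low"}',
]


def parse_event(line):
    """Parse one JSON log line and convert the timestamp to a datetime."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def evaluate(events, num_events=3, timeframe=timedelta(minutes=5)):
    """Return alerts as (rule, src_ip, detail) tuples.

    'high_risk' mirrors an 'any' rule filtered on risk == high.
    'frequency' mirrors a frequency rule: num_events from the same
    src_ip within timeframe; it fires once per source (realert suppression).
    """
    alerts = []
    windows = defaultdict(deque)  # src_ip -> timestamps inside the window
    already_fired = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["risk"] == "high":
            alerts.append(("high_risk", e["src_ip"], e["attack_type"]))
        window = windows[e["src_ip"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > timeframe:
            window.popleft()  # drop timestamps older than the timeframe
        if len(window) >= num_events and e["src_ip"] not in already_fired:
            alerts.append(("frequency", e["src_ip"], len(window)))
            already_fired.add(e["src_ip"])
    return alerts


def run_sample():
    """Evaluate the constructed events; 192.0.2.9 stays quiet because its
    two hits are 12 minutes apart and fall outside the 5-minute window."""
    return evaluate([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```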
Conclusion
This article provides a high-level overview rather than a detailed implementation guide. It outlines the basic architecture we used to enhance SafeLine’s capabilities, offering a starting point for others exploring similar solutions. SafeLine WAF, while not without its challenges, offers significant potential for those willing to build around it. If you have other ideas or improvements, I’d love to hear from you!