My team has built an intranet portal in Amazon AWS for a client, and on it, we have used WebSockets to do things like notifications and other minor stuff. We mostly send events from the server, but we also use it so the client can quickly notify the server of user presence.
One of the client's requirements was that we use an application-level firewall to screen out malicious requests and things like that. We installed Sophos UTM to handle this. For the HTTP traffic, this works great. However, UTM doesn't support WebSockets, and so we basically had to configure it to just blindly proxy requests through. For reasons I don't fully understand (even after hours of deubgging), this was a huge bottleneck, and made everything slow (even though the CPU and memory usage was fine).
We then decided that if UTM isn't filtering the traffic anyway, let's put nginx in to split out the socket traffic, and let UTM handle the regular traffic. This setup works very well, and performance is fantastic.
However, the client's security guy is concerned that the WebSocket traffic is not being screened.
Thus, I have three related questions:
-
Is this a concern? If not, is there anything I can show that will explain this better than I can?
-
If it is a concern, are there any application firewalls that might help us? I don't really know what we'd be filtering against, but hopefully that's the firewall's job.
EDIT: I was incorrect, we are actually doing bi-directional communication on the sockets, though it is still fairly trivial. It's things like, "is user looking at this tab", "has user acknowledged a notification", etc.
Best Answer
If you need a WAF with Websocket support, look into Wallarm It installs directly into NGINX as a software module and is able to parse Websocket starting with version 2.0. More info here