
Re: [WEB SECURITY] thoughts on WAF deployment options?

If the web app(s) are supported languages, meaning Java or .NET, another
option is Fortify RTA (formerly called Defender).

http://www.fortify.com/products/detect/in_production.jsp

It's a totally different paradigm from the other products in this category.

(disclaimer: we are Fortify consulting partners)

-- 
Adam Muntner, CISSP
Managing Partner
QuietMove, Inc.
http://www.quietmove.com

On Tue, Apr 22, 2008 at 9:56 AM, Joe White <joe@cyberlocksmith.com> wrote:

> Hey guys, I am hoping this thread does not spiral out of control over
> the contention that a WAF is not really a "firewall".  =)
>
> Seriously, I am currently evaluating WAFs for a large SaaS deployment
> and am curious to get your thoughts on benefits of various deployment
> options.  Here are my thoughts to get the ball rolling.
>
> re:  out-of-band deployment
> This seems attractive on the surface and is potentially the least
> obtrusive to the existing architecture, but upon closer examination I
> am not convinced it makes sense because
>  1)  relying on TCP Resets (RST) to block attacks is problematic at best
>  2)  requires extra expense/installation of a network tap.  Otherwise
> you have one more device asking for a span/mirror port that is prone
> to 'clipping' of data once the ports it is mirroring get spikes in
> traffic, etc.
>
> re:  in-line (Layer 2) bridge deployment
> I am told by WAF vendors that this is the most common deployment
> scenario when a dedicated WAF appliance is used.  As I investigate
> this further, it seems to be the most robust option given the
> redundancy and load balancing options for deployment and since the
> bridge can be configured to fail open.
>
> re:  reverse proxy deployment
> I am conflicted on this because I fear that it may add more complexity
> to the network architecture than any of the other options but I am
> also intrigued by the possibility of session protection that the proxy
> option offers in terms of digitally signing cookies, etc.
>
> re:  ModSecurity (multiple deployment options)
> We have lots of Apache expertise and philosophically, I am prone to
> support the open source model but at what point does ModSecurity
> become impractical?  How many Apache servers in the web farm does it
> take for ModSecurity to become too much of an administrative burden?
>
> any thoughts?
>
> thanks,
> joe
>
> <<<>>>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>

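The session-protection point raised for the reverse-proxy option (the proxy signing cookies so that tampered or forged values are rejected before they reach the application) is illustrated below. This is an added example, not code from either poster, from Fortify or from any WAF product: it assumes a proxy that holds a secret key, appends an HMAC-SHA256 tag to every Set-Cookie value leaving the application, and strips and verifies that tag on every Cookie header coming back in. The key, header strings and cookie values are constructed sample data.

```python
"""Reverse-proxy cookie signing with HMAC (added example, not from the thread).

Assumed design: the proxy, not the application, owns SECRET_KEY.  Outbound
Set-Cookie values are rewritten to value.<hex tag>; inbound Cookie values are
verified and the tag is stripped, so the application never sees the tag and a
client cannot alter a cookie without invalidating it.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample key; a real proxy would load and rotate this from a secret store.
SECRET_KEY = b"constructed-sample-key-not-for-production"
SEPARATOR = "."


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return value + '.' + hex(HMAC-SHA256(key, value))."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}{SEPARATOR}{tag}"


def verify_cookie(signed: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the tag verifies, otherwise None.

    rpartition is used because the value itself may contain '.'; the hex tag
    never does.  compare_digest keeps the comparison constant-time.
    """
    value, sep, tag = signed.rpartition(SEPARATOR)
    if not sep or not value:
        return None  # unsigned or malformed cookie
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered value or forged tag
    return value


def outbound(set_cookie_header: str) -> str:
    """Rewrite one application Set-Cookie header as it leaves through the proxy.

    Input shape assumed: 'name=value; attr1; attr2'.  Attributes are passed
    through untouched; only the value is signed.
    """
    first, _, attrs = set_cookie_header.partition(";")
    name, _, value = first.partition("=")
    signed = sign_cookie(value.strip())
    return f"{name.strip()}={signed}" + (f";{attrs}" if attrs else "")


def inbound(cookie_header: str) -> Tuple[str, List[str]]:
    """Verify every cookie in an inbound Cookie header.

    Returns (cleaned header with tags stripped, names of cookies dropped).
    Dropped cookies are the ones a proxy would log as tampering attempts.
    """
    kept: List[str] = []
    rejected: List[str] = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, signed = pair.partition("=")
        value = verify_cookie(signed.strip())
        if value is None:
            rejected.append(name.strip())
        else:
            kept.append(f"{name.strip()}={value}")
    return "; ".join(kept), rejected


if __name__ == "__main__":
    # Constructed round trip: application sets a cookie, client returns it
    # unchanged alongside an unsigned cookie the proxy never issued.
    hdr = outbound("session=abc123; Path=/; HttpOnly")
    returned = hdr.split(";")[0]
    print(inbound(f"{returned}; injected=evil"))
```

The trade-off the poster worries about is visible here: the proxy becomes a stateful part of the request path (it must hold the key and be in-line for every request), which is the added complexity, but in exchange any cookie the client alters fails verification before the application ever parses it.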