
Re: [WEB SECURITY] thoughts on WAF deployment options?
Joe - if I may chime in...

- re: out-of-band deployment
-- Out-of-band deployment can be done, and done well. Breach Security does a pretty good job at this, last time I checked (it's been >12 months since I last evaluated them)... but in the grand scheme of things you're absolutely right: out-of-band is pretty silly in a high-traffic web environment.


- re: in-line (Layer 2) bridge deployment
-- This is the way I last deployed a WAF device, and it worked astonishingly well. There are considerations here: you will have to decide whether to fail-open or fail-closed. In a realistic scenario for security you'll fail-closed, but in reality I suspect you'll need to fail-open (make sure you read those PCI standards, if they apply to you, regarding this). There are also architectural challenges here, as scaling becomes an issue. Also keep in mind you will be dropping an in-line device into your existing, production network... so your business stakeholders may not be so keen on this - it took me a lifetime (>12 months) to get the right approvals, level of testing, and change windows to do this...


- re: reverse proxy deployment
-- Reverse proxy is a viable alternative - but you're absolutely right, complexity becomes an issue. Who needs yet another transient network between your devices? Although... on the flipside of that coin... this may be a good idea if you can implement it right (such as a "router on a stick" configuration, where no additional nets are necessary?)


- re: ModSecurity (multiple deployment options)
-- Ivan's ModSecurity was my first foray into WAF-like installations... and he personally spent much time tuning it to the application I was working with - which brought me to a good point, and ultimately why I chose a commercial route - we didn't have the in-house expertise nor the support to handle this on our own. We had/have <200 sites... but at anything over a dozen or so - the maintenance becomes a non-starter.


I hope this helped... just throwing you some experience from the past 3 years; and no, I do not work for a WAF vendor...


Rafal (Ralph) M. Los IT Security - Response | Mitigation | Strategy

E-mail:  rafal@xxxxxxxxxxxxxxxx
Direct:  +1 (404) 606-6056
- gPGP:    0xFFC63B33
- Blog:    http://preachsecurity.blogspot.com
- Web:     http://www.ishackingyou.com
- LinkedIn:http://www.linkedin.com/in/rmlos

--------------------------------------------------
From: "Joe White" <joe@xxxxxxxxxxxxxxxxxx>
Sent: Tuesday, April 22, 2008 11:56 AM
To: "WASC Forum" <websecurity@xxxxxxxxxxxxx>
Subject: [WEB SECURITY] thoughts on WAF deployment options?

Hey guys, I am hoping this thread does not spiral out of control over
the contention that a WAF is not really a "firewall".  =)

Seriously, I am currently evaluating WAFs for a large SaaS deployment
and am curious to get your thoughts on benefits of various deployment
options.  Here are my thoughts to get the ball rolling.

re:  out-of-band deployment
This seems attractive on the surface and potentially offers the least
obtrusive option for the existing architecture, but upon closer examination I
am not convinced it makes sense because
 1)  relying on TCP Resets (RST) to block attacks is problematic at best
 2)  requires extra expense/installation of a network tap.  Otherwise
you have one more device asking for a span/mirror port that is prone
to 'clipping' of data once the ports it is mirroring get spikes in
traffic, etc.

re:  in-line (Layer 2) bridge deployment
I am told from WAF vendors that this is the most common deployment
scenario when a dedicated WAF appliance is used.  As I investigate
this further, it seems to be the most robust option given the
redundancy and load balancing options for deployment and since the
bridge can be configured to fail open.

re:  reverse proxy deployment
I am conflicted on this because I fear that it may add more complexity
to the network architecture than any of the other options but I am
also intrigued by the possibility of session protection that the proxy
option offers in terms of digitally signing cookies, etc.

re:  ModSecurity (multiple deployment options)
We have lots of Apache expertise and philosophically, I am prone to
support the open source model but at what point does ModSecurity
become impractical?  How many Apache servers in the web farm does it
take for ModSecurity to become too much of an administrative burden?

any thoughts?

thanks,
joe
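
The "session protection" a reverse-proxy WAF can add by digitally signing cookies, shown as an added example that is not part of the thread and not any vendor's or ModSecurity's code. The proxy holds an HMAC key the origin never sees; on the way out it appends a tag to the protected Set-Cookie values, and on the way in it verifies the tag, strips it before forwarding, and drops cookies whose tag does not verify. The key, the protected cookie names and the sample headers are constructed for the demo:

```python
import base64
import hashlib
import hmac

# Hypothetical demo values: the proxy holds the key; the origin servers never see it.
PROXY_KEY = b"0123456789abcdef0123456789abcdef"
# Cookies the proxy signs. Anything else passes through untouched.
PROTECTED = {"JSESSIONID", "auth"}


def _tag(name: str, value: str) -> str:
    """HMAC-SHA256 over name and value, so a tag minted for one cookie
    cannot be pasted onto a different cookie. Base64url keeps it dot-free,
    which lets the inbound parser split on the last '.' safely."""
    mac = hmac.new(PROXY_KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_set_cookie(set_cookie: str) -> str:
    """Rewrite one origin Set-Cookie header on the way to the client.
    Attributes (Path, HttpOnly, ...) are kept exactly as the origin sent them."""
    first, sep, attrs = set_cookie.partition(";")
    name, _, value = first.strip().partition("=")
    if name not in PROTECTED:
        return set_cookie
    return f"{name}={value}.{_tag(name, value)}{sep}{attrs}"


def filter_cookie_header(cookie_header: str) -> tuple[str, list[str]]:
    """Check an inbound Cookie header on the way to the origin.
    Returns (header to forward with tags stripped, names of protected cookies
    dropped because their tag was missing or did not verify)."""
    kept, dropped = [], []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        if name not in PROTECTED:
            kept.append(part)
            continue
        raw, _, tag = value.rpartition(".")
        # rpartition on a value with no '.' yields raw == "", which fails below.
        if raw and hmac.compare_digest(tag, _tag(name, raw)):
            kept.append(f"{name}={raw}")
        else:
            dropped.append(name)
    return "; ".join(kept), dropped


if __name__ == "__main__":
    # Constructed sample exchange.
    signed = sign_set_cookie("JSESSIONID=abc123; Path=/; HttpOnly")
    print("to client :", signed)
    tagged_value = signed.split(";")[0].split("=", 1)[1]
    print("to origin :", filter_cookie_header(f"theme=dark; JSESSIONID={tagged_value}"))
    print("tampered  :", filter_cookie_header("JSESSIONID=abc124." + tagged_value.split(".")[1]))
    print("unsigned  :", filter_cookie_header("JSESSIONID=abc123"))
```

Because the tag covers the cookie name as well as the value, a client cannot take a valid JSESSIONID tag and present it as the `auth` cookie. The origin application is unchanged: it still sets and reads plain cookie values, which is the point Joe raises about the proxy option.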


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
