Re: [WEB SECURITY] thoughts on WAF deployment options?
- From: "Ivan Ristic" <ivan.ristic@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] thoughts on WAF deployment options?
- Date: Thu, 3 Jul 2008 16:50:13 +0100
Here's something I prepared for the talk I gave at OWASP AppSec Europe
this year:
http://docs.google.com/Doc?id=dcx2fmgk_67cf3dtvg9
The table will also go into WAFECv2. This is pretty much the final
version (of this one piece, not WAFECv2), as far as I am concerned.
My talk, Evaluation Criteria for Web Application Firewalls, is
available for download here:
http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf
I encourage everyone interested in WAFs to have a look at it. It gives
a "holistic" view of WAFs, which is different from the
remediation-only view that currently prevails.
On Tue, Apr 22, 2008 at 5:56 PM, Joe White <joe@xxxxxxxxxxxxxxxxxx> wrote:
> Hey guys, I am hoping this thread does not spiral out of control over
> the contention that a WAF is not really a "firewall". =)
>
> Seriously, I am currently evaluating WAFs for a large SaaS deployment
> and am curious to get your thoughts on benefits of various deployment
> options. Here are my thoughts to get the ball rolling.
>
> re: out-of-band deployment
> This seems attractive on the surface and potentially offers the least
> obtrusive option for the existing architecture, but upon closer examination, I
> am not convinced it makes sense because
> 1) relying on TCP Resets (RST) to block attacks is problematic at best
> 2) requires extra expense/installation of a network tap. Otherwise
> you have one more device asking for a span/mirror port that is prone
> to 'clipping' of data once the ports it is mirroring get spikes in
> traffic, etc.
>
> re: in-line (Layer 2) bridge deployment
> I am told from WAF vendors that this is the most common deployment
> scenario when a dedicated WAF appliance is used. As I investigate
> this further, it seems to be the most robust option given the
> redundancy and load balancing options for deployment and since the
> bridge can be configured to fail open.
>
> re: reverse proxy deployment
> I am conflicted on this because I fear that it may add more complexity
> to the network architecture than any of the other options but I am
> also intrigued by the possibility of session protection that the proxy
> option offers in terms of digitally signing cookies, etc.
>
> re: ModSecurity (multiple deployment options)
> We have lots of Apache expertise and philosophically, I am prone to
> support the open source model but at what point does ModSecurity
> become impractical? How many Apache servers in the web farm does it
> take for ModSecurity to become too much of an administrative burden?
>
> any thoughts?
>
> thanks,
> joe
--
Ivan Ristic
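The "session protection" Joe mentions for the reverse proxy option usually means the proxy appends a MAC to each cookie value on the way out and verifies it on the way back in, so a cookie edited on the client is detected before it reaches the application. The following is an added illustration of that mechanism, not code from either poster or from any WAF product; the key, cookie names and values are constructed for the example.

```python
import hmac
import hashlib

# Key held only by the proxy (constructed placeholder, not a real deployment key).
PROXY_KEY = b"example-proxy-key-not-for-production"


def sign_cookie(value: str, key: bytes = PROXY_KEY) -> str:
    """Egress: append an HMAC-SHA256 tag so client-side edits can be detected."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed: str, key: bytes = PROXY_KEY):
    """Ingress: return the original value if the tag checks out, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # unsigned cookie, i.e. not issued through the proxy
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return value


def rewrite_set_cookie(header: str) -> str:
    """Sign only the value of a backend Set-Cookie header; attributes pass through unchanged."""
    first, *attrs = header.split(";")
    name, _, value = first.partition("=")
    return ";".join([f"{name}={sign_cookie(value.strip())}", *attrs])


def filter_cookie(header: str):
    """Split a client Cookie header into verified cookies (with tags stripped)
    and the names of cookies whose tag is missing or wrong."""
    accepted, rejected = {}, []
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        original = verify_cookie(value)
        if original is None:
            rejected.append(name)
        else:
            accepted[name] = original
    return accepted, rejected
```

Only the verified, tag-stripped cookies in `accepted` would be forwarded to the backend; what to do with `rejected` (drop the cookie, block the request, log it) is a policy choice for the deployment.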
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org