[WEB SECURITY] thoughts on WAF deployment options?

Joe White joe at cyberlocksmith.com
Tue Apr 22 12:56:51 EDT 2008

Hey guys, I am hoping this thread does not spiral out of control over
the contention that a WAF is not really a "firewall".  =)

Seriously, I am currently evaluating WAFs for a large SaaS deployment
and am curious to get your thoughts on benefits of various deployment
options.  Here are my thoughts to get the ball rolling.

re:  out-of-band deployment
This seems attractive on the surface and is potentially the least
obtrusive option for the existing architecture, but upon closer
examination I am not convinced it makes sense because
  1)  relying on TCP Resets (RST) to block attacks is problematic at best
  2)  requires extra expense/installation of a network tap.  Otherwise
you have one more device asking for a span/mirror port that is prone
to 'clipping' of data once the ports it is mirroring get spikes in
traffic, etc.

re:  in-line (Layer 2) bridge deployment
I am told by WAF vendors that this is the most common deployment
scenario when a dedicated WAF appliance is used.  As I investigate
this further, it seems to be the most robust option given the
redundancy and load balancing options for deployment and since the
bridge can be configured to fail open.

re:  reverse proxy deployment
I am conflicted on this because I fear that it may add more complexity
to the network architecture than any of the other options but I am
also intrigued by the possibility of session protection that the proxy
option offers in terms of digitally signing cookies, etc.

re:  ModSecurity (multiple deployment options)
We have lots of Apache expertise and philosophically, I am prone to
support the open source model but at what point does ModSecurity
become impractical?  How many Apache servers in the web farm does it
take for ModSecurity to become too much of an administrative burden?

any thoughts?
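The "digitally signing cookies" session protection mentioned under the reverse proxy option is easy to show in code. The following is an added example, not code from the poster or from any WAF product: it sketches what a reverse proxy does with a session cookie on the way out (sign the value in the origin's Set-Cookie header with an HMAC) and on the way in (verify the client's Cookie header, strip the tag, and drop anything tampered before it reaches the application). The key, the function names and the cookie name SESSIONID are assumptions for the example.

```python
"""Signed-cookie session protection as a reverse-proxy WAF would apply it.

Added example: the proxy signs cookie values in Set-Cookie responses and
verifies them in Cookie requests, so a client that edits its session cookie
is caught before the request is forwarded to the origin.  The key, the
function names and the protected cookie name are assumptions.
"""
import base64
import hashlib
import hmac
import secrets

# Hypothetical per-deployment key; a real proxy loads this from config and rotates it.
SECRET_KEY = secrets.token_bytes(32)


def _tag(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the cookie value, URL-safe base64 without padding."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_cookie_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Append the MAC: 'abc123' -> 'abc123.<tag>'."""
    return f"{value}.{_tag(value, key)}"


def verify_cookie_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag checks out, else None.

    rpartition is safe even if the value itself contains '.', because the
    URL-safe base64 alphabet never contains '.'.
    """
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison so the check does not leak how much of the tag matched.
    if hmac.compare_digest(tag, _tag(value, key)):
        return value
    return None


def protect_set_cookie(header: str, protected: set, key: bytes = SECRET_KEY) -> str:
    """Rewrite an origin Set-Cookie header, signing the value of protected cookies.

    'SESSIONID=abc123; Path=/; HttpOnly' -> 'SESSIONID=abc123.<tag>; Path=/; HttpOnly'
    """
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    if name in protected:
        first = f"{name}={sign_cookie_value(value, key)}"
    return "; ".join([first, *attrs])


def check_cookie_header(header: str, protected: set, key: bytes = SECRET_KEY):
    """Verify a client Cookie header before forwarding it to the origin.

    Returns (forward_header, tampered_names).  Protected cookies are stripped
    of their tag so the application sees the value it originally set; a
    protected cookie with a missing or wrong tag is dropped and reported.
    """
    forwarded = []
    tampered = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        if name in protected:
            original = verify_cookie_value(value, key)
            if original is None:
                tampered.append(name)
                continue
            value = original
        forwarded.append(f"{name}={value}")
    return "; ".join(forwarded), tampered


if __name__ == "__main__":
    protected = {"SESSIONID"}
    # Constructed origin response header.
    outbound = protect_set_cookie("SESSIONID=abc123; Path=/; HttpOnly", protected)
    print("to client:", outbound)
    signed = outbound.split(";")[0].split("=", 1)[1]
    # Honest client echoes the cookie back unchanged.
    print(check_cookie_header(f"SESSIONID={signed}; theme=dark", protected))
    # Client swaps in another session id but cannot forge the tag for it.
    forged = "SESSIONID=admin99." + signed.split(".")[1]
    print(check_cookie_header(f"{forged}; theme=dark", protected))
```

The point of doing this at the proxy rather than in the application is that the origin never sees the tag at all; it keeps setting and reading plain session ids, and the proxy decides what to forward. Note that this only detects modification of a cookie the server issued; it does nothing against replay of a stolen but intact cookie, which is why it complements rather than replaces TLS and server-side session expiry.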