[WEB SECURITY] thoughts on WAF deployment options?

Arian J. Evans arian.evans at anachronic.com
Tue Apr 22 15:56:35 EDT 2008

<inline> I wrote a paper on this about 5 years ago, that
continues to evolve and maybe it's finally time to release it.
I've held off because I didn't want to alienate any WAF vendors.

Disclaimer at bottom

On Tue, Apr 22, 2008 at 9:56 AM, Joe White <joe at cyberlocksmith.com> wrote:
> Hey guys, I am hoping this thread does not spiral out of control over
>  the contention that a WAF is not really a "firewall".  =)

No worries. I beat that dead horse previously because of all the
recent uninformed garbage about Layer 3 "firewalls" and webappsec.
On to the meat:

>  Seriously, I am currently evaluating WAFs for a large SaaS deployment
>  and am curious to get your thoughts on benefits of various deployment
>  options.  Here are my thoughts to get the ball rolling.

FWIW -- you are not alone. I've been talking too/work with a lot of
folks in your shoes.

>  re:  out-of-band deployment
>  This seems attractive on the surface and potentially offers the least
>  obtrusive to the existing architecture but upon closer examination, I
>  am not convinced it makes sense because
>   1)  relying on TCP Resets (RST) to block attacks is problematic at best
>   2)  requires extra expense/installation of a network tap.  Otherwise
>  you have one more device asking for a span/mirror port that is prone
>  to 'clipping' of data once the ports it is mirroring get spikes in traffic, etc.

OoB is the most common deployment I've seen in the real
world.  I have had experience, and confirmed, over and over,
that all of the WAFs tend to crash & burn on production systems.

With no exceptions. The only thing I've seen vary is the frequency
with which they fail. It's a tough problem though. People do CRAZY
things with their webapp syntax, and those things have to parse it.

>  re:  in-line (Layer 2) bridge deployment
>  I am told from WAF vendors that this is the most common deployment
>  scenario when a dedicated WAF appliance is used.  As I investigate
>  this further, it seems to be the most robust option given the
>  redundancy and load balancing options for deployment and since the
>  bridge can be configured to fail open.

No one has stats on "common deployment scenarios". My
observations are split 50% roughly between OoB (Imperva)
and inline proxy (F5, Mod, Breach, and Citrix).

>  re:  reverse proxy deployment
>  I am conflicted on this because I fear that it may add more complexity
>  to the network architecture than any of the other options but I am
>  also intrigued by the possibility of session protection that the proxy
>  option offers in terms of digitally signing cookies, etc.

I do not know of anyone who has gone this route, that
has meaningful web app traffic (short of a few small
companies) that has succeeded. I know a lot of folks
that have failed. A very large bank recently told me
they did this and loved it , but then they told me that
they just started rolling it out 2 weeks ago. Knowing
how poor performance and uptime is for the WAF they
are rolling out, I seriously doubt they find success.

So you could still keep checksum/state of cookies OoB or
L2 mode, vendors argue. But they can't and don't. Too
expensive performance-wise.

There are some really smart things that can and
must be done inline, but the only vendor I've heard
tell me a smart inline story regarding uptime and
failover is F5. (note disclaimer below)

I've heard nothing bad about F5 inline re: outages,
but I have many horror stories from the others.

>  re:  ModSecurity (multiple deployment options)
>  We have lots of Apache expertise and philosophically, I am prone to
>  support the open source model but at what point does ModSecurity
>  become impractical?  How many Apache servers in the web farm does it
>  take for ModSecurity to become too much of an administrative burden?

n+ 1 is a burden, IMO, for something this complicated.
I know of hardly anyone running mod in production,
minus a few government sites that rarely get it configured
properly w/out weeks (or months) of consulting time.

>  any thoughts?

Yes, and they are:

1) YMWV (your milage will vary)

Pick a few scenarios, and make sure you test in your environment.
This is the only way to achieve success.

2) Imperva & F5 seem to have the most clients.

3) I get nothing but excellent feedback about Breach's webdefend solution.

4) Another important facet is how you want to deploy,
e.g. "Magic Elf" mode or "Virtual Patch" mode.

Many vendors like Imperva and Citrix cling to this
"magic elf mode" where they magically secure and
block everything. Imperva has some notion of policies
that some clients have told me don't work. I'm not
sure what the Citrix solution looks like today, but
the marketing 1.5 years ago was fairly insane.

There's a big difference between point-fixing issues
you know about, and full on magic-elf inside the
box configuring it mode.

Disclaimer: I work for a company that is partnered
with F5, and Breach, and could be partnered with
other WAF vendors in the future.

Anyone who knows me professionally knows that
this will not change my candor and honesty about
the strengths and weaknesses of said products.

Good subject. I'd like to see more case studies
and bakeoffs by competent folks. (none of the
online securty/infoworld mag type reviews I've
seen have any useful webappsec facts).

There's some folks on this list that have performed
bakeoffs of WAFs recently, and hopefully they
can publish info, but I believe the vendors have
tied the hands of everyone I've talked to (so they can't)

What a shame. I think the database industry
does this same thing though too. Probably
most software companies avoid bakeoffs that
are out of their configuration control, for
legitimate reasons.

--> Contact me offline if you want to have a
more candid discussion including specifics
about what vendor deployments I am aware
of that have succeeded and failed.


Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.

ps - Remember to block Finger.

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list