[WEB SECURITY] thoughts on WAF deployment options?
Arian J. Evans
arian.evans at anachronic.com
Tue Apr 22 16:58:21 EDT 2008
> One correction - Breach's WebDefend is out of line (you had it in the
> inline transparent bridge group).
To clarify my post (correct me again if wrong): Mod runs inline proxy
only, and WebDefend OoB. (I knew there was another OoB product
I'd seen besides Imperva, but couldn't remember it)
To be clear -- I am not working with Breach WebDefend products.
The *only* WAF I've worked with recently is F5, though I've worked
with most of them on the market over the last 7 years.
I *have* heard multiple positive things about WebDefend's technology
from both technical peers at VARs, and several customers I work with.
While second-hand info, they are opinions from smart folks, hence
my recommendation to put that on the investigation list.
btw// I hear a lot of *talk* about Modsecurity, but I don't know anyone
who actually runs it (another topic of discussion).
Thanks for catching me. Cheers
> On 4/22/08, Arian J. Evans <arian.evans at anachronic.com> wrote:
> > <inline> I wrote a paper on this about 5 years ago, that
> > continues to evolve and maybe it's finally time to release it.
> > I've held off because I didn't want to alienate any WAF vendors.
> > Disclaimer at bottom
> > On Tue, Apr 22, 2008 at 9:56 AM, Joe White <joe at cyberlocksmith.com> wrote:
> > > Hey guys, I am hoping this thread does not spiral out of control over
> > > the contention that a WAF is not really a "firewall". =)
> > No worries. I beat that dead horse previously because of all the
> > recent uninformed garbage about Layer 3 "firewalls" and webappsec.
> > On to the meat:
> > > Seriously, I am currently evaluating WAFs for a large SaaS deployment
> > > and am curious to get your thoughts on benefits of various deployment
> > > options. Here are my thoughts to get the ball rolling.
> > FWIW -- you are not alone. I've been talking to/work with a lot of
> > folks in your shoes.
> > > re: out-of-band deployment
> > > This seems attractive on the surface and potentially offers the least
> > > obtrusive to the existing architecture but upon closer examination, I
> > > am not convinced it makes sense because
> > > 1) relying on TCP Resets (RST) to block attacks is problematic at best
> > > 2) requires extra expense/installation of a network tap. Otherwise
> > > you have one more device asking for a span/mirror port that is prone
> > > to 'clipping' of data once the ports it is mirroring get spikes in
> > > traffic, etc.
> > OoB is the most common deployment I've seen in the real
> > world. I have had experience, and confirmed, over and over,
> > that all of the WAFs tend to crash & burn on production systems.
> > With no exceptions. The only thing I've seen vary is the frequency
> > with which they fail. It's a tough problem though. People do CRAZY
> > things with their webapp syntax, and those things have to parse it.
> > > re: in-line (Layer 2) bridge deployment
> > > I am told from WAF vendors that this is the most common deployment
> > > scenario when a dedicated WAF appliance is used. As I investigate
> > > this further, it seems to be the most robust option given the
> > > redundancy and load balancing options for deployment and since the
> > > bridge can be configured to fail open.
> > No one has stats on "common deployment scenarios". My
> > observations are split 50% roughly between OoB (Imperva)
> > and inline proxy (F5, Mod, Breach, and Citrix).
> > > re: reverse proxy deployment
> > > I am conflicted on this because I fear that it may add more complexity
> > > to the network architecture than any of the other options but I am
> > > also intrigued by the possibility of session protection that the proxy
> > > option offers in terms of digitally signing cookies, etc.
> > I do not know of anyone who has gone this route, that
> > has meaningful web app traffic (short of a few small
> > companies) that has succeeded. I know a lot of folks
> > that have failed. A very large bank recently told me
> > they did this and loved it, but then they told me that
> > they just started rolling it out 2 weeks ago. Knowing
> > how poor performance and uptime is for the WAF they
> > are rolling out, I seriously doubt they find success.
> > So you could still keep checksum/state of cookies OoB or
> > L2 mode, vendors argue. But they can't and don't. Too
> > expensive performance-wise.
> > There are some really smart things that can and
> > must be done inline, but the only vendor I've heard
> > tell me a smart inline story regarding uptime and
> > failover is F5. (note disclaimer below)
> > I've heard nothing bad about F5 inline re: outages,
> > but I have many horror stories from the others.
> > > re: ModSecurity (multiple deployment options)
> > > We have lots of Apache expertise and philosophically, I am prone to
> > > support the open source model but at what point does ModSecurity
> > > become impractical? How many Apache servers in the web farm does it
> > > take for ModSecurity to become too much of an administrative burden?
> > n+1 is a burden, IMO, for something this complicated.
> > I know of hardly anyone running mod in production,
> > minus a few government sites that rarely get it configured
> > properly w/out weeks (or months) of consulting time.
> > > any thoughts?
> > Yes, and they are:
> > 1) YMWV (your mileage will vary)
> > Pick a few scenarios, and make sure you test in your environment.
> > This is the only way to achieve success.
> > 2) Imperva & F5 seem to have the most clients.
> > 3) I get nothing but excellent feedback about Breach's webdefend solution.
> > 4) Another important facet is how you want to deploy,
> > e.g. "Magic Elf" mode or "Virtual Patch" mode.
> > Many vendors like Imperva and Citrix cling to this
> > "magic elf mode" where they magically secure and
> > block everything. Imperva has some notion of policies
> > that some clients have told me don't work. I'm not
> > sure what the Citrix solution looks like today, but
> > the marketing 1.5 years ago was fairly insane.
> > There's a big difference between point-fixing issues
> > you know about, and full on magic-elf inside the
> > box configuring it mode.
> > Disclaimer: I work for a company that is partnered
> > with F5, and Breach, and could be partnered with
> > other WAF vendors in the future.
> > Anyone who knows me professionally knows that
> > this will not change my candor and honesty about
> > the strengths and weaknesses of said products.
> > Good subject. I'd like to see more case studies
> > and bakeoffs by competent folks. (none of the
> > online security/infoworld mag type reviews I've
> > seen have any useful webappsec facts).
> > There's some folks on this list that have performed
> > bakeoffs of WAFs recently, and hopefully they
> > can publish info, but I believe the vendors have
> > tied the hands of everyone I've talked to (so they can't)
> > What a shame. I think the database industry
> > does this same thing though too. Probably
> > most software companies avoid bakeoffs that
> > are out of their configuration control, for
> > legitimate reasons.
> > --> Contact me offline if you want to have a
> > more candid discussion including specifics
> > about what vendor deployments I am aware
> > of that have succeeded and failed.
> > Cheers,
> > --
> > --
> > Arian J. Evans.
> > I spend most of my money on motorcycles, mistresses, and martinis. The
> > rest of it I squander.
> > ps - Remember to block Finger.
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
Arian J. Evans.
I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.
ps - Remember to block Finger.
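The cookie-signing session protection mentioned for the reverse-proxy option, as an added illustration that comes from none of the participants in this thread and from no vendor's product: the proxy tags the application's session cookie on the way out and refuses to forward a tampered one on the way in, which only a device sitting in the request path (not a mirror-port sensor) can do. PROXY_KEY, the PROTECTED cookie list and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed key for the example; a real proxy loads this from its config/secret store.
PROXY_KEY = b"constructed-example-key"
PROTECTED = {"sessionid"}  # hypothetical policy: cookie names the proxy signs


def sign_cookie(value: str, key: bytes = PROXY_KEY) -> str:
    """Outbound (Set-Cookie): append an HMAC-SHA256 tag to the application's value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie(signed: str, key: bytes = PROXY_KEY):
    """Inbound (Cookie): return the bare value if the tag checks out, else None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: the client never received a signed cookie
    # Recompute and compare in constant time rather than decoding the client's tag.
    if hmac.compare_digest(sign_cookie(value, key), signed):
        return value
    return None


def filter_request_cookies(cookie_header: str, key: bytes = PROXY_KEY):
    """Rewrite the Cookie header for the backend: protected cookies with a missing
    or wrong tag are dropped and reported, so an edited session id never reaches
    the application; unprotected cookies pass through untouched."""
    forwarded, rejected = {}, []
    for part in cookie_header.split(";"):
        name, sep, val = part.strip().partition("=")
        if not sep:
            continue
        if name in PROTECTED:
            bare = verify_cookie(val, key)
            if bare is None:
                rejected.append(name)
                continue
            forwarded[name] = bare
        else:
            forwarded[name] = val
    return forwarded, rejected
```

The rejected list is what a deployment would log or alert on; whether the request is then blocked or forwarded without the cookie is a policy choice.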