[WEB SECURITY] thoughts on WAF deployment options?

Ivan Ristic ivan.ristic at gmail.com
Tue Apr 22 17:29:57 EDT 2008

On Tue, Apr 22, 2008 at 5:56 PM, Joe White <joe at cyberlocksmith.com> wrote:
> Hey guys, I am hoping this thread does not spiral out of control over
>  the contention that a WAF is not really a "firewall".  =)
> ...
>  re:  in-line (Layer 2) bridge deployment
>  I am told from WAF vendors that this is the most common deployment
>  scenario when a dedicated WAF appliance is used.  As I investigate
>  this further, it seems to be the most robust option given the
>  redundancy and load balancing options for deployment and since the
>  bridge can be configured to fail open.

One thing to remember here is to ask the vendor to clarify how exactly
their bridge mode is implemented. Are they modifying the HTTP packets
or not? Some implementations will pass non-HTTP traffic through, but
terminate HTTP traffic and route it through a reverse proxy. This is
how we've implemented the ModSecurity appliance.

>  re:  ModSecurity (multiple deployment options)
>  We have lots of Apache expertise and philosophically, I am prone to
>  support the open source model but at what point does ModSecurity
>  become impractical?  How many Apache servers in the web farm does it
>  take for ModSecurity to become too much of an administrative burden?

That's not really a ModSecurity issue. Anyone with more than a few
Apache servers needs to have a way to centrally manage the
configuration anyway. If you have that sorted, then there is very
little overhead added by ModSecurity arising from the number of
instances you have. (Of course, you still have to manage the policies
but that effort is not related to the number of sensors.)

Ivan Ristic
