[WEB SECURITY] thoughts on WAF deployment options?

Arian J. Evans arian.evans at anachronic.com
Tue Apr 22 20:42:29 EDT 2008

On Tue, Apr 22, 2008 at 2:14 PM, Ryan Barnett <rcbarnett at gmail.com> wrote:
> A few other comments (inline below) -

> > OoB is the most common deployment I've seen in the real
> > world.  I have had experience, and confirmed, over and over,
> > that all of the WAFs tend to crash & burn on production systems.
> Can you describe what you mean by "crash and burn?"

Absolutely. I didn't state that well at all, did I?

How about: Most WAF engines I know will still hang,
crash, crash and hang, or crash and restart from time
to time. Some more than others. All of them, some of
the time. None of them, none of the time.

Some WAFs have strong attack-vector detection.

Some have strong policy enforcement.

Some WAFs augment weak attack-vector detection
with granular policy enforcement.

And vice-versa.

I have not seen any WAF products that are enterprise
mature, meaning central management consoles,
polling policy management, etc., but that's to be
expected since the market hasn't taken off yet.
> Is this from a security
> these issues are serious, the OoB deployment addresses the latter as it will
> not impact the normal flow of the traffic.

Maybe, as long as you can't verifiably DoS the
thing, and then hammer home a simple ' DROP TABLE networkControlsThread

In pragmatic business land though: I'd take WAF
failure along with app uptime over a WAF failure that
blocks legit app traffic any day, along w/ my job.

> I will second your sentiment here with regards to the "unique" web
> applications out there.

I'm sure you know better than I the challenges of parsing
on the fly for "protection" interpretation.

Which is why the simplicity of "virtual patching" makes
so much sense. But I'll shut up until if/when I release my
paper on this, lest someone accuse me of being a drone.

(I was writing about this idea 4 or 5 years ago, fully
documented. Dinis Cruz and I were debating the
merits of it three years ago, so it's not new.)

> > n+1 is a burden, IMO, for something this complicated.
> > I know of hardly anyone running mod in production,
> > minus a few government sites that rarely get it configured
> > properly w/out weeks (or months) of consulting time.
> See my comment above.  I can confirm that there are many large commercial
> organizations running Mod.  It is kind of interesting that both the smaller
> orgs (or those with little $$$ - education) are big Mod users and then if you go
> all the way to the end of the spectrum and look at some of the largest,
> global deployments, they too tend to move back towards Mod.  This may be a
> byproduct of these shops using Apache and they have every detail finely
> tuned and they would rather add the ModSecurity module than add another
> piece of hardware (as scale can become an issue).

Fascinating data regarding usage in your response, thank you!

I wish all the vendors would release the info they can/could regarding

Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.

ps - Remember to block Finger.