[WEB SECURITY] thoughts on WAF deployment options?

Rafal @ IsHackingYou rafal at ishackingyou.com
Tue Apr 22 18:02:43 EDT 2008

Joe - if I may chime in...

- re:  out-of-band deployment
    -- Out-of-band deployment can be done, and done well.  Breach Security 
does a pretty good job at this, last time I checked (it's been >12mo since I 
last evaluated them)... but in the grand scheme of things you're absolutely 
right, out-of-band is pretty silly in a high-traffic web environment

- re:  in-line (Layer 2) bridge deployment
    -- This is the way I last deployed a WAF device, and it worked 
astonishingly well.  There are considerations here, you will have to decide 
whether to fail-open or fail-closed.  In a realistic scenario for security 
you'll fail-closed, but in reality I suspect you'll need to fail-open (make 
sure you read those PCI standards if they apply to you, regarding this). 
There are also architectural challenges here, as scaling becomes an issue. 
Also keep in mind you will be dropping in an in-line device into your 
existing, production network... so your business stakeholders may not be so 
keen on this - it took me a lifetime (>12 mo) to get the right approvals, 
level of testing, and change windows to do this...

- re:  reverse proxy deployment
    -- Reverse proxy is a viable alternative - but you're absolutely right, 
complexity becomes an issue.  Who needs yet another transient network 
between your devices?  Although... on the flipside of that coin... this may 
be a good idea if you can implement it right (such as a "router on a stick" 
configuration, where no additional nets are necessary?)

- re:  ModSecurity (multiple deployment options)
    -- Ivan's ModSecurity was my first foray into WAF-like installations... 
and he personally spent much time tuning it to the application I was working 
with - which brought me to a good point, and ultimately why I chose a 
commercial route - we didn't have the in-house expertise nor the support to 
handle this on our own.  We had/have <200 sites... but at anything over a 
dozen or so - the maintenance becomes a non-starter.

I hope this helped... just throwing you some experience from the past 3 
years; and no, I do not work for a WAF vendor...

Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy

E-mail:  rafal at ishackingyou.com
Direct:  +1 (404) 606-6056
 - gPGP:    0xFFC63B33
 - Blog:    http://preachsecurity.blogspot.com
 - Web:     http://www.ishackingyou.com
 - LinkedIn: http://www.linkedin.com/in/rmlos

From: "Joe White" <joe at cyberlocksmith.com>
Sent: Tuesday, April 22, 2008 11:56 AM
To: "WASC Forum" <websecurity at webappsec.org>
Subject: [WEB SECURITY] thoughts on WAF deployment options?

> Hey guys, I am hoping this thread does not spiral out of control over
> the contention that a WAF is not really a "firewall".  =)
> Seriously, I am currently evaluating WAFs for a large SaaS deployment
> and am curious to get your thoughts on benefits of various deployment
> options.  Here are my thoughts to get the ball rolling.
> re:  out-of-band deployment
> This seems attractive on the surface and potentially offers the least
> obtrusive to the existing architecture but upon closer examination, I
> am not convinced it makes sense because
>  1)  relying on TCP Resets (RST) to block attacks is problematic at best
>  2)  requires extra expense/installation of a network tap.  Otherwise
> you have one more device asking for a span/mirror port that is prone
> to 'clipping' of data once the ports it is mirroring get spikes in
> traffic, etc.
> re:  in-line (Layer 2) bridge deployment
> I am told from WAF vendors that this is the most common deployment
> scenario when a dedicated WAF appliance is used.  As I investigate
> this further, it seems to be the most robust option given the
> redundancy and load balancing options for deployment and since the
> bridge can be configured to fail open.
> re:  reverse proxy deployment
> I am conflicted on this because I fear that it may add more complexity
> to the network architecture than any of the other options but I am
> also intrigued by the possibility of session protection that the proxy
> option offers in terms of digitally signing cookies, etc.
> re:  ModSecurity (multiple deployment options)
> We have lots of Apache expertise and philosophically, I am prone to
> support the open source model but at what point does ModSecurity
> become impractical?  How many Apache servers in the web farm does it
> take for ModSecurity to become too much of an administrative burden?
> any thoughts?
> thanks,
> joe
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
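The session protection Joe mentions for the reverse-proxy option (the proxy signing cookies so a client cannot forge or alter a session id) can be sketched as follows. This is an added illustration in Python, not code from the original thread or from any WAF product; the secret key, the protected cookie name and the simple header parsing are assumptions.

```python
import base64
import hashlib
import hmac

# Assumption: a per-proxy secret that the origin servers never see (constructed demo key).
SECRET_KEY = b"constructed-demo-key-replace-in-production"
# Assumption: only the session cookie is signed; other cookies pass through untouched.
PROTECTED = {"JSESSIONID"}


def _tag(value: str) -> str:
    """HMAC-SHA256 of the cookie value, URL-safe base64 without padding."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_set_cookie(header: str) -> str:
    """Outbound: rewrite an origin Set-Cookie header so the session value carries a tag.
    'JSESSIONID=abc; Path=/' -> 'JSESSIONID=abc.<tag>; Path=/'"""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    if name in PROTECTED:
        first = f"{name}={value}.{_tag(value)}"
    return "; ".join([first, *attrs])


def verify_cookie_header(header: str):
    """Inbound: check the client's Cookie header.
    Returns the cleaned header to forward to the origin (tags stripped),
    or None when a protected cookie is missing its tag or the tag does not match."""
    cleaned = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        if name in PROTECTED:
            raw, sep, tag = value.rpartition(".")
            # No tag, or a tag that does not verify, means the client altered or forged the id.
            if not sep or not hmac.compare_digest(_tag(raw).encode(), tag.encode()):
                return None
            value = raw
        cleaned.append(f"{name}={value}")
    return "; ".join(cleaned)
```

The origin application never sees the tag, so no application change is needed; rejected requests are a detection signal worth logging at the proxy.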
