[WEB SECURITY] thoughts on WAF deployment options?
Rafal @ IsHackingYou
rafal at ishackingyou.com
Tue Apr 22 18:10:25 EDT 2008
Imperva isn't OoB, IIRC... They have 2 modes, in-line, or reverse proxy.
Rafal (Ralph) M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal at ishackingyou.com
Direct: +1 (404) 606-6056
- gPGP: 0xFFC63B33
- Blog: http://preachsecurity.blogspot.com
- Web: http://www.ishackingyou.com
- LinkedIn:http://www.linkedin.com/in/rmlos
--------------------------------------------------
From: "Arian J. Evans" <arian.evans at anachronic.com>
Sent: Tuesday, April 22, 2008 3:58 PM
To: "Ryan Barnett" <rcbarnett at gmail.com>; "WASC Forum"
<websecurity at webappsec.org>
Cc: <joe at cyberlocksmith.com>
Subject: Re: [WEB SECURITY] thoughts on WAF deployment options?
>> One correction - Breach's WebDefend is out of line (you had it in the
>> inline transparent bridge group).
>
> Thanks.
>
> To clarify my post (correct me again if wrong): Mod runs inline proxy
> only, and WebDefend OoB. (I knew there was another OoB product
> I'd seen besides Imperva, but couldn't remember it)
>
> To be clear -- I am not working with Breach WebDefend products.
> The *only* WAF I've worked with recently is F5, though I've worked
> with most of them on the market over the last 7 years.
>
> I *have* heard multiple positive things about WebDefend's technology
> from both technical peers at VARs, and several customers I work with.
>
> While second-hand info, they are opinions from smart folks, hence
> my recommendation to put that on the investigation list.
>
> btw// I hear a lot of *talk* about Modsecurity, but I don't know anyone
> who actually runs it (another topic of discussion).
>
> Thanks for catching me. Cheers
>
> -ae
>
>
>
>>
>> On 4/22/08, Arian J. Evans <arian.evans at anachronic.com> wrote:
>> > <inline> I wrote a paper on this about 5 years ago, that
>> > continues to evolve and maybe it's finally time to release it.
>> > I've held off because I didn't want to alienate any WAF vendors.
>> >
>> > Disclaimer at bottom
>> >
>> > On Tue, Apr 22, 2008 at 9:56 AM, Joe White <joe at cyberlocksmith.com> wrote:
>> > > Hey guys, I am hoping this thread does not spiral out of control over
>> > > the contention that a WAF is not really a "firewall". =)
>> >
>> > No worries. I beat that dead horse previously because of all the
>> > recent uninformed garbage about Layer 3 "firewalls" and webappsec.
>> > On to the meat:
>> >
>> > > Seriously, I am currently evaluating WAFs for a large SaaS deployment
>> > > and am curious to get your thoughts on benefits of various deployment
>> > > options. Here are my thoughts to get the ball rolling.
>> >
>> > FWIW -- you are not alone. I've been talking to/working with a lot of
>> > folks in your shoes.
>> >
>> > > re: out-of-band deployment
>> > > This seems attractive on the surface and potentially offers the least
>> > > obtrusive to the existing architecture but upon closer examination, I
>> > > am not convinced it makes sense because
>> > > 1) relying on TCP Resets (RST) to block attacks is problematic at best
>> > > 2) requires extra expense/installation of a network tap. Otherwise
>> > > you have one more device asking for a span/mirror port that is prone
>> > > to 'clipping' of data once the ports it is mirroring get spikes in
>> > > traffic, etc.
>> >
>> > OoB is the most common deployment I've seen in the real
>> > world. I have had experience, and confirmed, over and over,
>> > that all of the WAFs tend to crash & burn on production systems.
>> >
>> > With no exceptions. The only thing I've seen vary is the frequency
>> > with which they fail. It's a tough problem though. People do CRAZY
>> > things with their webapp syntax, and those things have to parse it.
>> >
>> >
>> > > re: in-line (Layer 2) bridge deployment
>> > > I am told from WAF vendors that this is the most common deployment
>> > > scenario when a dedicated WAF appliance is used. As I investigate
>> > > this further, it seems to be the most robust option given the
>> > > redundancy and load balancing options for deployment and since the
>> > > bridge can be configured to fail open.
>> >
>> > No one has stats on "common deployment scenarios". My
>> > observations are split 50% roughly between OoB (Imperva)
>> > and inline proxy (F5, Mod, Breach, and Citrix).
>> >
>> >
>> > > re: reverse proxy deployment
>> > > I am conflicted on this because I fear that it may add more complexity
>> > > to the network architecture than any of the other options but I am
>> > > also intrigued by the possibility of session protection that the proxy
>> > > option offers in terms of digitally signing cookies, etc.
>> >
>> > I do not know of anyone who has gone this route, that
>> > has meaningful web app traffic (short of a few small
>> > companies) that has succeeded. I know a lot of folks
>> > that have failed. A very large bank recently told me
>> > they did this and loved it, but then they told me that
>> > they just started rolling it out 2 weeks ago. Knowing
>> > how poor performance and uptime is for the WAF they
>> > are rolling out, I seriously doubt they find success.
>> >
>> > So you could still keep checksum/state of cookies OoB or
>> > L2 mode, vendors argue. But they can't and don't. Too
>> > expensive performance-wise.
>> >
>> > There are some really smart things that can and
>> > must be done inline, but the only vendor I've heard
>> > tell me a smart inline story regarding uptime and
>> > failover is F5. (note disclaimer below)
>> >
>> > I've heard nothing bad about F5 inline re: outages,
>> > but I have many horror stories from the others.
>> >
>> >
>> > > re: ModSecurity (multiple deployment options)
>> > > We have lots of Apache expertise and philosophically, I am prone to
>> > > support the open source model but at what point does ModSecurity
>> > > become impractical? How many Apache servers in the web farm does it
>> > > take for ModSecurity to become too much of an administrative burden?
>> >
>> > n+1 is a burden, IMO, for something this complicated.
>> > I know of hardly anyone running mod in production,
>> > minus a few government sites that rarely get it configured
>> > properly w/out weeks (or months) of consulting time.
>> >
>> > > any thoughts?
>> >
>> > Yes, and they are:
>> >
>> > 1) YMWV (your mileage will vary)
>> >
>> > Pick a few scenarios, and make sure you test in your environment.
>> > This is the only way to achieve success.
>> >
>> > 2) Imperva & F5 seem to have the most clients.
>> >
>> > 3) I get nothing but excellent feedback about Breach's webdefend solution.
>> >
>> > 4) Another important facet is how you want to deploy,
>> > e.g. "Magic Elf" mode or "Virtual Patch" mode.
>> >
>> > Many vendors like Imperva and Citrix cling to this
>> > "magic elf mode" where they magically secure and
>> > block everything. Imperva has some notion of policies
>> > that some clients have told me don't work. I'm not
>> > sure what the Citrix solution looks like today, but
>> > the marketing 1.5 years ago was fairly insane.
>> >
>> > There's a big difference between point-fixing issues
>> > you know about, and full on magic-elf inside the
>> > box configuring it mode.
>> >
>> > Disclaimer: I work for a company that is partnered
>> > with F5, and Breach, and could be partnered with
>> > other WAF vendors in the future.
>> >
>> > Anyone who knows me professionally knows that
>> > this will not change my candor and honesty about
>> > the strengths and weaknesses of said products.
>> >
>> > Good subject. I'd like to see more case studies
>> > and bakeoffs by competent folks. (none of the
>> > online security/infoworld mag type reviews I've
>> > seen have any useful webappsec facts).
>> >
>> > There's some folks on this list that have performed
>> > bakeoffs of WAFs recently, and hopefully they
>> > can publish info, but I believe the vendors have
>> > tied the hands of everyone I've talked to (so they can't)
>> >
>> > What a shame. I think the database industry
>> > does this same thing though too. Probably
>> > most software companies avoid bakeoffs that
>> > are out of their configuration control, for
>> > legitimate reasons.
>> >
>> >
>> > --> Contact me offline if you want to have a
>> > more candid discussion including specifics
>> > about what vendor deployments I am aware
>> > of that have succeeded and failed.
>> >
>> > Cheers,
>> >
>> > --
>> > --
>> > Arian J. Evans.
>> >
>> > I spend most of my money on motorcycles, mistresses, and martinis. The
>> > rest of it I squander.
>> >
>> > ps - Remember to block Finger.
>> >
>>
>>
>> > ----------------------------------------------------------------------------
>> > Join us on IRC: irc.freenode.net #webappsec
>> >
>> > Have a question? Search The Web Security Mailing List Archives:
>> > http://www.webappsec.org/lists/websecurity/
>> >
>> > Subscribe via RSS:
>> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>> >
>> >
>>
>>
>> --
>> Ryan C. Barnett
>> ModSecurity Community Manager
>> Breach Security: Director of Application Security Training
>> Web Application Security Consortium (WASC) Member
>> CIS Apache Benchmark Project Lead
>> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>> Author: Preventing Web Attacks with Apache
>>
>
>
>
> --
> --
> Arian J. Evans.
>
> I spend most of my money on motorcycles, mistresses, and martinis. The
> rest of it I squander.
>
> ps - Remember to block Finger.
>
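The thread contrasts the "session protection" a reverse-proxy WAF can offer by signing cookies with the out-of-band and L2 modes where, as Arian notes, vendors argue cookie checksums are possible but in practice do not do it. The following is an added illustration of that inline cookie-signing step, not code from the thread or from any vendor mentioned: it assumes a proxy that rewrites each backend Set-Cookie on the way out and verifies the tag on each client Cookie on the way in, using a constructed demo key.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo key (assumption): a real proxy would load this from its key store.
KEY = b"constructed-demo-key-rotate-me"


def _tag(name: str, value: str) -> str:
    """HMAC-SHA256 over name=value, URL-safe base64 without padding (never contains '.')."""
    mac = hmac.new(KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign_set_cookie(header: str) -> str:
    """Response path: rewrite one backend Set-Cookie so the value carries a tag.

    Only an inline proxy can do this: an out-of-band sensor sees the response
    but cannot change what actually reaches the browser.
    """
    name_value, _, attrs = header.partition(";")
    name, _, value = name_value.strip().partition("=")
    signed = f"{name}={value}.{_tag(name, value)}"
    return signed + (";" + attrs if attrs else "")


def verify_cookie_header(header: str) -> Optional[dict]:
    """Request path: return name -> original value if every cookie carries a
    valid tag, or None if any cookie lacks a tag or was altered by the client."""
    cookies = {}
    for part in header.split(";"):
        name, sep, signed = part.strip().partition("=")
        if not sep:
            return None
        value, dot, tag = signed.rpartition(".")
        if not dot:
            return None  # no tag at all: this cookie was never issued via the proxy
        if not hmac.compare_digest(tag.encode(), _tag(name, value).encode()):
            return None  # tag mismatch: the value was tampered with
        cookies[name] = value  # forward the original, untagged value to the backend
    return cookies


if __name__ == "__main__":
    issued = sign_set_cookie("JSESSIONID=abc123; Path=/; HttpOnly")
    print("to browser:", issued)
    signed_value = issued.split(";", 1)[0].split("=", 1)[1]
    print("back from browser:", verify_cookie_header(f"JSESSIONID={signed_value}"))
    tampered = signed_value.replace("abc123", "abc999")
    print("tampered:", verify_cookie_header(f"JSESSIONID={tampered}"))
```

A request whose verification returns None is the point at which an inline proxy can drop or reset the session before the backend sees it, which is exactly the enforcement an OoB sensor relying on after-the-fact TCP RSTs cannot guarantee.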