Topic: WAF pro/con - which one to choose

Lostyx
WAF pro/con - which one to choose
« on: January 19, 2015, 02:29:23 pm »
Hey there,

I have been studying some WAFs, and I would like to have your opinion on the question.

So it's a bit of a debate, but a constructive one please :)

First, I'm conscious that WAFs aren't "the solution" but a solution, since they operate at layer 7 of the OSI model.
But still, I think this is a nice solution for some websites. In my opinion WAFs are a good complementary solution, but developers must continue to be careful about how they write their lines of code! :p

So far, I have studied modsecurity, naxsi and ironbee!
By studied I mean put them in place on a website and looked at the logs!
And well, I was quite surprisingly satisfied with how good a job they did :D
I will admit the whitelist principle of naxsi is appealing and easy to put in place.
modsecurity is quite heavy :O
And Ironbee, whose lead developer is the founder of modsecurity itself, well, Ironbee is more difficult to assimilate, but it works pretty well.

And now I was thinking, yes those WAFs are cool, but companies will most likely use some commercial WAF (like imperva, sonicwall, barracuda, and citrix for example). I like the last one.

And it seems they offer a router on which the WAF operates, manually configurable. (Expensive for sonicwall and barracuda, by the way.)

And so I was looking for reviews and feedback about those commercial tools (and the open source ones too, of course).

(And sorry for my English, be tolerant, I'm a nice guy :p)

PS: grammar nazis can correct me if they want, it's a way to progress :)

madf0x
Re: WAF pro/con - which one to choose
« Reply #1 on: January 19, 2015, 02:54:06 pm »
I dunno man, sounds a lot like you've answered your own question.

You've tested a few free ones, I'd say get your hands on some commercial ones and test them too. Either pirate them or grab a demo version. Hook up a lab and run one of the many web hacking testing shit and play around with it. Then throw up the WAF and see if you can get around it.

Also, you are correct that WAFs are not a silver bullet solution, but defense in depth is always a good strategy. If someone is gonna pwn your shit, at least make them earn it :P

Nortcele
Re: WAF pro/con - which one to choose
« Reply #2 on: January 19, 2015, 03:17:12 pm »
I would agree that you have answered your own question.

n01xxv
Re: WAF pro/con - which one to choose
« Reply #3 on: January 19, 2015, 06:07:55 pm »
Yep, you have answered your question to some point.
But as you ask, I'll give you my point of view:

When I worked for an IT security product integrator some years ago, barracuda was not a good product: many bugs/problems (and vulns, but not in the WAF product), but it's true that it is easy to configure. Seriously, I don't like this product (but it is my point of view).

Nowadays I don't work for an integrator anymore, but I heard about F5 ASM. Like you say, they offer other tools than a "simple WAF". Clients seem to be happy with it, but seriously I can't tell anymore.

One thing that I don't recommend: activating WAF functions on a UTM firewall. In "some" cases you will have a great CPU overload ;)

Concerning mod_security: it is a cool tool, but like you say it is very heavy. In fact you don't find it in many companies because it costs too much time to configure it well!

For whitelist WAFs: yes, in fact it is the better configuration, but I never see it in a production environment, or with a large set of whitelist rules, which is the worst thing that you can do.

And I think you can easily find many docs/analysis papers on this kind of product.

Sorry for my English too.
"Which came first, the bug or the exploit ?"
-- blackngel - Phrack 67 - 0x08

Nortcele
Re: WAF pro/con - which one to choose
« Reply #4 on: January 20, 2015, 01:14:23 pm »
What did come first, the bug or the exploit...

Lostyx
Re: WAF pro/con - which one to choose
« Reply #5 on: January 20, 2015, 02:56:17 pm »
I know I answered some of my questions, since I'm not the type to just ask a question without looking for an answer first or studying it a bit :p

The main point was your point of view, and your feedback about WAFs you may have used in the past or still use nowadays! :)

And if you have interesting complementary information.

You can never have too many opinions on a subject :)

Thanks for the answer !

2d8
Re: WAF pro/con - which one to choose
« Reply #6 on: January 21, 2015, 01:25:34 pm »
A WAF is a great solution on the application level. Actually some problems are much easier to protect against on a WAF (add CSRF tokens or enable the HttpOnly and Secure cookie flags) than to ask developers to implement them in the application itself. However, usually it is not very difficult to cause a DoS on a WAF, force it to shut down, enable HA-bypass-mode and access the application directly.

> Concerning mod_security: it is a cool tool, but like you say it is very heavy.

No, it isn't in itself. Mod_security uses regexes as attack signatures, and regex operations consume a lot of computing resources. All you need is to find a balance between signature quantity and available hardware resources. By the way, most "simple WAFs" in routers, UCMs, etc. have a mod_security core with custom signatures. Actually the default set of signatures prevents a wide range of attack vectors and there are not many ways to bypass it.

> In fact you don't find it in many companies because it costs too much time to configure it well!

Mod_security is not widely used in enterprises because:
 - it has no nifty dashboard
 - it is not scalable
 - it requires a very skilled specialist in regex (it's pretty hard to figure out why a particular signature leads to false positives and to correctly rewrite it)
 - and yes, it takes a huge amount of time to tune it for a custom application

> For whitelist WAFs: yes, in fact it is the better configuration, but I never see it in a production environment, or with a large set of whitelist rules, which is the worst thing that you can do.

It is good in theory. In real life most applications are constantly in a development phase. Even if you've created a whitelist model, it might be useless after the next big fix that changes some application structure. Some WAFs provide a self-learning mechanism that is supposed to build a whitelist model of the application (e.g. imperva adds regexes that describe what characters are allowed in particular fields). And it works fine in production with a large set of whitelist rules.
« Last Edit: January 21, 2015, 01:27:36 pm by 2d8 »
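As an added illustration (not code from any poster or any WAF product named in this thread), here is a toy version of the self-learning whitelist model 2d8 describes: the learner watches sample traffic and assigns each request parameter the most restrictive character class that fits, then enforcement flags values outside that class. It also shows the failure mode from the discussion: a parameter added in a new release is reported as unknown until the model is relearned. Paths, parameter names and the learning traffic are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample traffic seen in "learning mode": (path, query string).
LEARNING_TRAFFIC = [
    ("/login", "user=alice&pin=1234"),
    ("/login", "user=bob_smith&pin=9876"),
    ("/search", "q=laptop+bag"),
]

# Candidate character classes, from most to least restrictive; the learner
# picks the first one that every observed value of a field satisfies.
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("word", re.compile(r"^[A-Za-z0-9_]+$")),
    ("text", re.compile(r"^[A-Za-z0-9_ +.,-]+$")),
]


def learn_profile(traffic):
    """Build {(path, param): (class label, regex)} from observed values."""
    seen = {}
    for path, qs in traffic:
        for name, value in parse_qsl(qs, keep_blank_values=True):
            seen.setdefault((path, name), []).append(value)
    profile = {}
    for key, values in seen.items():
        for label, rx in CLASSES:
            if all(rx.match(v) for v in values):
                profile[key] = (label, rx)
                break
        else:
            # Nothing restrictive fits: fall back to "anything", which is
            # the weak spot of a learned model built on messy traffic.
            profile[key] = ("any", re.compile(r"^.*$", re.S))
    return profile


def check_request(profile, path, qs):
    """Return findings for one request; an empty list means it fits the model."""
    findings = []
    for name, value in parse_qsl(qs, keep_blank_values=True):
        key = (path, name)
        if key not in profile:
            # New field shipped by a release the model has not seen yet.
            findings.append(f"unknown parameter {name!r} on {path}")
            continue
        label, rx = profile[key]
        if not rx.match(value):
            findings.append(f"{name!r} on {path} violates class {label}")
    return findings
```

In practice the "unknown parameter" finding is exactly what forces a relearning cycle after each deployment, which is the operational cost 2d8 and n01xxv are pointing at.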