Advice for WAF selection and implementation

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu May 31, 2012 7:39 am

Advice for WAF selection and implementation

So, if I were to get a WAF that also doubled as a load balancer, does anyone have any advice on a good option? I've been looking at F5, Netscaler, Fortiweb, Armorlogic, and Barracuda. I'd consider Imperva as well, but it doesn't have load balancing capabilities. Most of the reviews I've found are dated, so I'd love to hear some opinions!


Also, I have a question on implementation. Do you see problems with deploying a WAF/Load Balancer as a virtual machine on the same ESX server as the web servers? I prefer to have them as physically separate and have some concerns about putting them on the same box, but I'm not sure if I'm just over-thinking it.

Thanks guys!

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu May 31, 2012 9:15 am

Re: Advice for WAF selection and implementation

You've got quite a range of budget there. F5 and Barracuda in the same sentence! It's been a while since I was in this space so take this FWIW.

I've used F5 products in the past as well as Barracuda. F5 makes a tremendous product with a lot of flexibility. The Barracuda products are good for the price point and kind of just work out of the box. I've never used the Cuda WAF, but if it's anything like their other products, it's going to be OK.

I agree with your assessment of the WAF as a VM on the same host as your web boxes. Physically separate would be ideal, even from simply a performance standpoint. However, I'm sure with enough resources you could stuff it all on one host. From a security perspective you're really talking about jumping out of a guest and into another guest, which in my opinion, is probably low risk if you're doing everything correctly. I suppose there could be a potential for VLAN hopping too. I would make sure F5 even offers the VM solution instead of the appliance.

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu May 31, 2012 1:02 pm

Re: Advice for WAF selection and implementation

Yeah, that budget range definitely is all over the place. Right now I don't think there is a defined budget, which is why the plan went from ModSecurity to F5, and may go back to ModSecurity! It's up in the air right now, but I'm assuming I have budget backing.

F5 is definitely what I'd like to go with and seems like a mature product. I'm glad you agree with me on the VM question. F5 does have a virtual solution, but I've heard some criticism on it. Security concerns aside, it just seems like a better option to keep the security boxes separate for the sake of simplicity and even performance as you said. It seems weird to me to have the load balancer on the same system that you're balancing the load for...

Anyway, thanks for your input, I wanted to make sure I wasn't way off in my thinking.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Jun 03, 2012 3:35 am

Re: Advice for WAF selection and implementation

Keep in mind that configuring services in a secure way, and using an up-to-date stable application without any vulnerable add-ons, will eliminate most attacks. Of course the operating system should be hardened and the environment chrooted, in case it isn't already. :)

That being said, I don't know the mentioned WAFs, but I do know that you can configure mod_security specifically for a web application, so if integer input is expected, only integer input should be allowed.

I don't really see any problems deploying a WAF / Load Balancer on the same box, even though they should be physically separate. What's more important is that they're securely configured in the virtual environment, so that e.g. direct access to the actual web server is not allowed / possible when the WAF / Load Balancer is not available.

I'm an InterN0T'er
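As an added illustration of the "only integer input should be allowed" point above (this is example configuration, not something posted in the thread): a ModSecurity 2.x positive-security rule set for a hypothetical endpoint, /app/view.php, which is assumed to take a single query parameter named id that the application expects to be an integer. The endpoint path, parameter name and rule ids 900001-900003 are all constructed for the example.

```apache
# Constructed example: per-application allow-listing with ModSecurity 2.x on
# Apache httpd. The endpoint /app/view.php and the parameter "id" are assumed;
# rule ids 900001-900003 are arbitrary local ids, pick ones that do not collide
# with the rest of your rule set.

SecRuleEngine On

<LocationMatch "^/app/view\.php$">

    # 1. Reject any parameter whose name is not "id". ARGS_NAMES covers both the
    #    query string and the request body, so extra or renamed parameters are
    #    blocked as well. Phase 2 is used so body parameters have been parsed.
    SecRule ARGS_NAMES "!@rx ^id$" \
        "id:900001,phase:2,t:none,deny,status:403,log,\
        msg:'Unexpected parameter %{MATCHED_VAR} on /app/view.php'"

    # 2. Require exactly one "id". &ARGS:id is the number of parameters named id:
    #    zero means the request is incomplete, two or more is parameter pollution
    #    (which backend and WAF may otherwise resolve differently).
    SecRule &ARGS:id "!@eq 1" \
        "id:900002,phase:2,t:none,deny,status:403,log,\
        msg:'Expected exactly one id parameter, got %{MATCHED_VAR}'"

    # 3. The value itself must be a plain decimal integer: digits only, no sign,
    #    no whitespace, and bounded in length so it fits a 32-bit column.
    #    The anchors ^ and $ matter: without them any value containing a digit
    #    would pass, which is exactly what the allow-list is meant to prevent.
    SecRule ARGS:id "!@rx ^[0-9]{1,9}$" \
        "id:900003,phase:2,t:none,deny,status:403,log,\
        msg:'id is not an integer: %{MATCHED_VAR}'"

</LocationMatch>
```

Roll this out with SecRuleEngine DetectionOnly first and review the audit log for legitimate requests that trip rule 900001 or 900003 before switching to blocking mode.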
