[sclug] Web Application Firewall?

Dickon Hood dickon-ml at fluff.org
Wed Sep 28 18:37:23 UTC 2011


On Wed, Sep 28, 2011 at 18:17:54 +0100, Sapan Ganguly wrote:
: Hello all,

: It has been a while since I made a post, what has prompted me to do so today
: is that I've been told that I need to provide a web application firewall by
: the end of tomorrow.  There is a Windows IIS web server that needs some kind
: of extra protection.  Does anyone know of a ready made free web application
: firewall that is provided as a virtual appliance?

: I know it is a long shot but I've been given very little time to do this,
: I've had a look at things like ModSecurity which I can go ahead and set up
: and configure if I can't find something ready made.  OpenWAF (
: http://openwaf.org) looks promising, has anyone used it?

To my mind it's counterproductive and solving the wrong problem: it's
increasing the attack surface of the overall system stack -- you now have
another firewall in the way which is processing queries, with all the
attendant bugs that come with it -- without actually making the application
itself secure.  The real danger with things like this is that it gives you
a false sense of security, and it doesn't promote good code: 'oh, it's OK,
the firewall will protect it' was a very common refrain back in the early
noughties, and things like this will doubtless be this decade's failure.

I have actually written one, for an internal application for
$employer[-$n] which was to be stuck on the end of a DSL line -- don't ask
-- but in that case I had a well-defined set of valid queries, a
well-defined set of ranges for all the inbound variables, and absolutely
no confidence in the code they'd written and no time to redo it properly.
Horrible job, horrible solution.

Good luck, though.


Dickon Hood
-- 
Due to unending piles of junk mail, my .sig is temporarily unavailable.
Normal service will be resumed as soon as possible.  We apologise for the
inconvenience in the meantime.

This email was sent from a colocated server, and needs no excuses.
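The "well-defined set of valid queries, well-defined set of ranges for all the inbound variables" approach mentioned above is a positive-security (allowlist) model. As an added illustration that is not part of the original post, nor anything Dickon Hood or the sclug list wrote, here is the core of such a check in Python. The routes (/orders, /search), parameter names and ranges are hypothetical, and the sample requests are constructed for the example rather than captured traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist for a small internal application (not any real
# app from the thread): every permitted (method, path) pair is listed
# explicitly, and each query parameter it accepts has a declared shape.
# Anything not described here is rejected.  Integers use [0-9] rather
# than \d because \d also matches non-ASCII digits that int() accepts.
ALLOWED_ROUTES = {
    ("GET", "/orders"): {
        "id":   {"type": "int", "min": 1, "max": 999999},
        "page": {"type": "int", "min": 1, "max": 500, "optional": True},
    },
    ("GET", "/search"): {
        "q": {"type": "str", "pattern": r"[A-Za-z0-9 ]{1,64}"},
    },
}


def _check_value(value, spec):
    """Return (ok, reason) for one decoded parameter value against its spec."""
    if spec["type"] == "int":
        if not re.fullmatch(r"[0-9]{1,9}", value):
            return False, "not an integer"
        n = int(value)
        if not spec["min"] <= n <= spec["max"]:
            return False, "out of range"
        return True, ""
    if spec["type"] == "str":
        if not re.fullmatch(spec["pattern"], value):
            return False, "does not match pattern"
        return True, ""
    return False, "unknown type in spec"


def check_request(method, url):
    """Decide whether a request line is inside the allowlist.

    Returns (allowed, reason).  The path is matched exactly, so variants such
    as a trailing slash or '/orders/../search' fall through to the default
    deny rather than being normalised into something the rule did not name.
    """
    parts = urlsplit(url)
    rule = ALLOWED_ROUTES.get((method.upper(), parts.path))
    if rule is None:
        return False, "unknown method/path"

    # parse_qsl percent-decodes values, so the checks below see the same
    # text the application would.  keep_blank_values makes "?id=" visible
    # instead of silently dropping it.
    params = parse_qsl(parts.query, keep_blank_values=True)
    seen = set()
    for name, value in params:
        if name in seen:                      # HTTP parameter pollution
            return False, f"duplicate parameter {name}"
        seen.add(name)
        spec = rule.get(name)
        if spec is None:                      # undeclared parameter
            return False, f"unexpected parameter {name}"
        ok, why = _check_value(value, spec)
        if not ok:
            return False, f"{name}: {why}"

    for name, spec in rule.items():           # required parameters present?
        if not spec.get("optional") and name not in seen:
            return False, f"missing parameter {name}"
    return True, "ok"


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "/orders?id=42&page=2"),           # valid
    ("GET", "/orders?id=42%27%20OR%201=1--"),  # injection in an int field
    ("GET", "/orders?id=0"),                   # below declared range
    ("GET", "/orders?id=42&debug=1"),          # undeclared parameter
    ("GET", "/orders?id=1&id=2"),              # parameter pollution
    ("GET", "/orders"),                        # required id missing
    ("GET", "/orders/../search?q=foo"),        # not an exact allowed path
    ("GET", "/search?q=blue+widgets"),         # valid ('+' decodes to space)
    ("POST", "/orders?id=42"),                 # method not in allowlist
]


def run_samples():
    """Evaluate every sample; returns a list of (method, url, allowed, reason)."""
    return [(m, u, *check_request(m, u)) for m, u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, url, allowed, reason in run_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method:4} {url:40} {reason}")
```

Two things worth noticing. The model only works because every parameter has a tight, enumerable shape; the moment the application takes free text (a comment body, a password) the pattern degrades to "anything goes" and the filter protects nothing, which is the "well-defined set of ranges" precondition in the post. And the decoding done here (percent-decoding, '+' to space, duplicate handling) has to agree exactly with what the web server behind it does, or the filter and the application will disagree about what a request says; that is the "attendant bugs" the post warns about.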