[sclug] Web Application Firewall

Mark Robson markxr at gmail.com
Fri Sep 30 09:38:38 UTC 2011


Hi,

Such a "web application firewall" sounds ill-advised at best.

Your CMS developers have an application which they've (hopefully) tested
during development, and by their QA department; they've field-tested it with
other customers, none of whom used your "web application firewall".

Additionally, you're proposing using a reverse-proxy (or similar) running on
a separate machine. Presumably (as this is SCLUG) it's a Linux machine;
however, it can still suffer a hardware failure.

So what you're suggesting is:

* Introduce an untested and unsupported configuration into a commercial web
application
* Add an additional single point of failure to your infrastructure (unless
you are going to further complicate it by making it HA).

And this is all assuming that it actually provides any additional security.
In my experience, using something like mod_security creates functional
problems, but does not necessarily stop exploits. For example, it can't
protect against most types of logical bug (say in the CMS, there are missing
or incorrect authorisation checks).

In my opinion, your best bet would be to configure some kind of "DMZ" and
set up some sort of network, authentication and security partition (if
possible) to protect the rest of your infrastructure from any possible
compromise of the "Crayola department" CMS server.

If the PHB will accept that the server cannot share an authentication /
authorisation system with your more critical systems, you can partition those,
so that people aren't handing their credentials (i.e. passwords) to anyone
who has compromised the CMS.

Mark
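The point about logical bugs above (a CMS that authenticates the user but never checks whether they are allowed to see a given record) can be shown in a few lines. The following is an added illustration, not code from Mark's message or from any real CMS or mod_security ruleset: it models a reverse-proxy pipeline with a constructed signature filter in front of two versions of a document handler, one missing the ownership check and one with it. The document store, users, URL scheme and filter patterns are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data: a tiny in-memory "CMS" with two users and two documents.
DOCUMENTS = {
    1: {"owner": "alice", "body": "Q3 marketing plan"},
    2: {"owner": "bob", "body": "Bob's draft"},
}

# Constructed WAF-style signatures: the kind of thing a mod_security-style
# ruleset matches on. They inspect request bytes only, not who is asking.
WAF_PATTERNS = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]


@dataclass
class Request:
    user: str        # already-authenticated user (assumed to come from the session)
    path: str
    query: str = ""


def waf_allows(req: Request) -> bool:
    """Signature filter: rejects only requests that look like a known injection."""
    blob = req.path + "?" + req.query
    return not any(p.search(blob) for p in WAF_PATTERNS)


def parse_doc_id(path: str):
    """Map /documents/<n> to an integer id, or None for any other path."""
    m = re.fullmatch(r"/documents/(\d+)", path)
    return int(m.group(1)) if m else None


def handle_vulnerable(req: Request):
    """Handler with the logic bug: it relies on authentication but never checks ownership."""
    doc_id = parse_doc_id(req.path)
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404, ""
    return 200, DOCUMENTS[doc_id]["body"]


def handle_fixed(req: Request):
    """Same handler with the authorisation check the application code should carry."""
    doc_id = parse_doc_id(req.path)
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404, ""
    if DOCUMENTS[doc_id]["owner"] != req.user:
        return 403, ""
    return 200, DOCUMENTS[doc_id]["body"]


def serve(req: Request, handler):
    """Reverse-proxy pipeline: signature filter first, then the application handler."""
    if not waf_allows(req):
        return 403, "blocked by WAF"
    return handler(req)


if __name__ == "__main__":
    # bob asks for alice's document; the URL is entirely well-formed, so the
    # filter has nothing to match and the outcome depends only on the handler.
    probe = Request(user="bob", path="/documents/1")
    print("WAF allows request:", waf_allows(probe))
    print("vulnerable handler:", serve(probe, handle_vulnerable))
    print("fixed handler:     ", serve(probe, handle_fixed))
    # A request carrying an injection-looking string is what the filter does catch.
    noisy = Request(user="bob", path="/documents/1", query="id=1 UNION SELECT 1")
    print("noisy request:     ", serve(noisy, handle_fixed))
```

Running it shows the filter passing the well-formed request in both cases and only the handler's own ownership check deciding between 200 and 403; the filter earns its keep only on the request that carries a recognisable signature. That is the separation of concerns the message describes: input filtering in a proxy cannot stand in for authorisation logic that has to live in the application.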
