Some random thoughts on the WAF suggestions. Breach's Web Defend is very cool, you can also load XML Schema for web services which is nice. If you are looking for in line deployment be aware that the product does not have reverse proxy functionality so something else you may need to throw up depending on what you are doing. Imperva is another popular product out there, my understanding is that it can do reverse proxing as well, but doesn't do XML Schema and some other functionality. I haven't personally used that product so I can't comment much. Both have some additional regex type functionality to look at information leakage if you have specific content you want to look for.
Then there is always modsecurity which is open source and has some tie's to the Breach folks. Akamai is introducing it into their stuff. Anyone played with the OWASP ESAPI stuff? > > Message: 1 > Date: Thu, 11 Feb 2010 07:59:03 -0600 > From: "Tidball, Christopher" <[email protected]> > Subject: Re: [Pauldotcom] Suggestions on a Web App firewall? > To: "'PaulDotCom Security Weekly Mailing List'" > <[email protected]> > Message-ID: > < > 885d3344e1410b46ba40174a3fdb18873c7884f...@qtomaexmbm25.ad.qintra.com> > > Content-Type: text/plain; charset="us-ascii" > > Check out Breach's Web Defend WAF ( > http://www.breach.com/products/webdefend.html). This is an enterprise > solution with appliances that can scale depending on traffic volume. It has > a very nice management interface and can be deployed in-line or out-of-line. > It does not require other hardware to be in place like f5. You may also want > to check out Apache mod_security. Not appliance based, but has some good > capabilities. > Chris > > -----Original Message----- > From: [email protected] [mailto: > [email protected]] On Behalf Of Raffi Jamgotchian > Sent: Wednesday, February 10, 2010 6:21 PM > To: PaulDotCom Security Weekly Mailing List > Subject: Re: [Pauldotcom] Suggestions on a Web App firewall? > > Mick, > > check out Fortinet's Fortiweb; > http://www.fortinet.com/products/fortiweb/1000B.html > > They also have a separate product for Database security: > http://www.fortinet.com/products/fortidb/ > > I think they would be considered enterprise-y > > On Feb 10, 2010, at 4:50 PM, Michael Douglas wrote: > > > It's been over three years since I've been hands on any firewalls that > > have web app capabilities... so I'm going to open this up to folks > > like you. Yes you. You seem very nice and trust-able. > > > > Do you have any suggestions on web application firewalls? > > Specifically, I'm looking for something appliance based and (sorry to > > use this term) enterprise-y (specifically, as in nice centralized > > management for multiple nodes, etc). > > > > What are some products I should review? If you provide a name, please > > let me know what you like about it. Are there ones I should avoid? > > > > > > > > Thanks for your help! > > - Mick > > > > PS: please don't mention host based software options like mod_security > > (for apache) or eEye's whatchamacallit for IIS. We have host based > > solutions already. We want/need inline network devices in this > > instance... I don't care what GDead (Bruce from Shmoo Group) said... > > I still think security-in-depth is a worthy goal. ;-) > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > This communication is the property of Qwest and may contain confidential or > privileged information. Unauthorized use of this communication is strictly > prohibited and may be unlawful. If you have received this communication > in error, please immediately notify the sender by reply e-mail and destroy > all copies of the communication and any attachments. > > > -
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
