

Ask HN: Windows WAF - relaxedricky

Hey,

I am currently looking into WAFs to work with Windows servers (Win 2003 - Win 2008) running IIS (6-7) and I am interested in people's recommendations.

I have been able to find a number of different options from Googling; however, I am more interested in people's personal experience, pros/cons, ease of use, etc.

Thanks for your time and any suggestions.

Regards.
======
kjs3
Well...that depends. What do you mean by "work with Windows"? If you mean
simply "must protect servers running IIS" and either an appliance or VM
deployment is in play then it's very tough to beat Imperva. I've done many
deploys, including some huge (Fortune 500) commerce sites, and have always
been pleased. F5 is an option, especially if you are already an F5 shop, but
I've rarely had a client pick F5 over Imperva unless they were. RADware
AppWall is effective, but quirky, and doesn't have a lot of installs
Stateside. I've got some clients who are wild about Riverbed, but I honestly
have no experience there. I was unimpressed with Barracuda and Sourcefire.

If you mean "run on the same server as the IIS server", then I've had good
success with 5nines. Alternatively, ModSecurity is now available for IIS,
which if you're proficient with maintaining it is effective. WebKnight looked
pretty good in the lab, but I've not rolled one into production. Whatever
they're calling MS IAS these days has some WAFish functionality, but isn't
really a full-blown WAF. If you're really cheap, there's always URLScan, which
maybe is better than nothing.

There are also a bunch of folks with cloud-based WAF offerings (e.g. Qualys).
This is a good solution for folks that don't have the time/skill to ride herd
on a WAF, but usually trades off fine-grained application control.

