
Web Application Firewall - bookofjoe
https://aws.amazon.com/marketplace/solutions/infrastructure-software/web-application-firewall?linkId=63795649&sc_campaign=AWS_Marketplace&sc_category=AWS+Marketplace&sc_channel=sm&sc_content=Organic_UC_WAF_v1&sc_country=Marketplace&sc_geo=GLOBAL&sc_outcome=awareness&sc_publisher=TWITTER&trk=sm_a131L000005tww0QAA_TWITTER&trkCampaign=sm_a131L000005tww0QAA
======
runlevel1
We used F5 Big-IP Viprions for 4 years. It was a colossal waste of money.

The bugs in these supposed "best in class" devices were ridiculous.

Here's a taste:

There was a bug where it would crash on a TCP FIN packet not associated with
an existing connection. When a patch was released, installing it on the
standby device reset its config and caused it to take over as master, wiping
the old master in the process.

I'm not putting anything business critical behind an F5.

Hopefully they don't screw up NGINX.

------
Neil44
I wonder if not having all the bot traffic hitting the application would
create savings in resource requirements that would match or exceed the cost of
the WAF. I.e. would it pay for itself if you had a lot of bot traffic?

------
jitl
WAFs seem to be pretty universally regarded as garbage by the security
professionals I know.

- there’s a (closed source for F5) black box that’s gonna mess with some of
your requests

- it might block legitimate requests that “look” like SQL injection attempts
(false positives)

- a WAF adds a bunch more latency to your request/response cycle

- malicious requests will still get through the WAF (false negatives), so
it’s not like you can just forget about application security after you set one
up

~~~
detaro
I think a big problem is the advertised idea that a WAF can be "turn-key" and
effective with defaults, which just doesn't work, + quality issues with at
least some offerings. Making a WAF truly effective means to understand what
actual traffic for the application looks like, and building a profile around
that. Which is a lot more effort, and might mean the effort is better invested
into other hardening measures.

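The two points above (jitl's false positives and false negatives from signature matching, detaro's suggestion of building a profile of the application's real traffic) can be shown side by side. The following is an added example written for this page, not code from any commenter, from F5, or from any WAF product. It assumes a hypothetical pair of SQL-injection signatures and a constructed baseline of legitimate requests; both are invented for illustration. The profile model is a positive-security one: per path, it records which parameters appear and which character classes and lengths their values use, then flags anything outside that.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative-security model: block whatever matches a known-bad signature.
# Hypothetical rules written for this example, not any vendor's rule set.
SIGNATURE_RULES = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "sqli-union-select"),
    (re.compile(r"\b(?:or|and)\b\s+\d+\s*=\s*\d+", re.I), "sqli-tautology"),
]


def classify(ch):
    """Collapse a character into a coarse class so the profile generalises."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return "punct:" + ch


def signature_verdict(target):
    """Name of the first signature matching any decoded query value, else None."""
    parts = urlsplit(target)
    decoded = " ".join(v for _, v in parse_qsl(parts.query, keep_blank_values=True))
    for pattern, name in SIGNATURE_RULES:
        if pattern.search(decoded):
            return name
    return None


class TrafficProfile:
    """Positive-security model learned from legitimate traffic: for every path,
    which parameters occur and which character classes and lengths each
    parameter's values use."""

    def __init__(self):
        self.paths = {}  # path -> {param -> {"classes": set, "maxlen": int}}

    def learn(self, target):
        parts = urlsplit(target)
        params = self.paths.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            spec = params.setdefault(name, {"classes": set(), "maxlen": 0})
            spec["classes"].update(classify(c) for c in value)
            spec["maxlen"] = max(spec["maxlen"], len(value))

    def verdict(self, target, length_slack=2):
        """None if the request fits the profile, otherwise the reason it does not."""
        parts = urlsplit(target)
        if parts.path not in self.paths:
            return "unknown-path"
        params = self.paths[parts.path]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name not in params:
                return "unknown-param:" + name
            spec = params[name]
            unseen = {classify(c) for c in value} - spec["classes"]
            if unseen:
                return "unexpected-chars:%s=%s" % (name, ",".join(sorted(unseen)))
            if len(value) > length_slack * spec["maxlen"]:
                return "oversized:" + name
        return None


# Constructed sample of legitimate traffic used to build the profile
# (not captured from any real site).
BASELINE = [
    "/search?q=red+shoes",
    "/search?q=size+10",
    "/search?q=men%27s+boots",
    "/search?q=waterproof+hiking+boots",
    "/item?id=1234",
    "/item?id=98",
]


def build_profile(targets=BASELINE):
    profile = TrafficProfile()
    for t in targets:
        profile.learn(t)
    return profile


def analyze(target, profile):
    """Run both models on one request target; a verdict of None means that
    model would let the request through."""
    return {"signature": signature_verdict(target), "profile": profile.verdict(target)}


if __name__ == "__main__":
    profile = build_profile()
    # Constructed test requests: a legitimate search containing SQL keywords,
    # a textbook tautology, an injection attempt matching no signature, and a
    # legitimate value with an apostrophe.
    for t in ["/search?q=credit+union+select+accounts",
              "/item?id=1+OR+1%3D1",
              "/item?id=1%27%3B--",
              "/search?q=O%27Brien"]:
        print(t, analyze(t, profile))
```

The search for "credit union select accounts" trips the union/select signature (a false positive) but fits the learned profile, while `id=1';--` passes both signatures (a false negative) and is caught by the profile because `id` was only ever numeric. The cost is exactly what detaro describes: the profile is only as good as the baseline it was learned from, and a new parameter or a longer-than-seen value blocks legitimate traffic until someone updates it.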
------
whatupmd
Just an F5 advertisement really.

