
Ask HN: Do you use Web Application Firewall (WAF)? - dsingh
I am wondering if it is worth the extra protection of using a WAF or is it ok to rely on our application code to protect against XSS, SQL injection etc. type of attacks? This is for a new cloud application that we are launching. I am leaning towards using a WAF since this is an enterprise/business application. Also, are there any specific products you would recommend? I have been reviewing how to configure the rules in HAProxy/mod_security but am wondering if it is just safer to rely on commercial product. Any suggestions or experiences?
======
shawnreilly
I've always viewed security as a layered approach. The more layers you add,
the better protected you are. I subscribe to the thought that nothing is 100%
secure, so I would recommend to put as many layers as possible. In my opinion,
the issue you should be concerned about is the effectiveness of whatever
solutions (layers) you implement. I think it is being accepted by the industry
that detection and prevention methodologies based on predefined data
(signatures, rules, etc.) are only as strong as said predefined data. In
layman's terms, it will probably protect you from most unsophisticated
attackers, but that's it. Today's most sophisticated attacks are one-off
(0day) and/or custom, so they probably won't be defined. In this regard, some
of the newer generation security solutions are developing / using smarter
detection and protection methodologies (real time adaptive models vice defined
positive and / or negative models). I don't mean to paint a negative picture,
but I am trying to illustrate the importance of multiple layers. ModSecurity
seems to be the preferred open source solution with a more active community
than the rest. But Intel and Oracle also have some interesting solutions in
this space.

~~~
professorTuring
As a security expert I wouldn't recommend this approach. The "as many layers
as possible" is a waste of time and money (an overkill).

A proper threat and risk analysis should be done so you can have a cost-
effective solution. Security is expensive and maybe the cost of a breach is
way cheaper than the security appliance or experts you hire.

Sometimes the best security solution is not to have anything, because it
doesn't really matter.

~~~
shawnreilly
To each their own I guess. I would call this the "what you don't know can't
hurt you" approach. What would this threat and risk analysis be based on?
Known threats? Unknown threats? How can you quantify "proper"?

In my opinion, if the threat could actually be defined, then there would be no
security industry. Everyone would know the answer, and everyone would be
secure. The reason this industry exists is because you cannot define the
threat, it is constantly evolving. Doing nothing because it does not matter
(really?), or justifying a lack of security by lowering the value of the
customer's data sounds like an unprofessional approach.

------
oswalpalash
I've used Mod_Security previously and I must tell you it is quite efficient
against basic types of attacks. Being a penetration tester, I would suggest
that you implement mod_security preliminarily and test your product for
vulnerabilities.

------
tptacek
I don't think WAFs are worth the maintenance headache. I help manage a
pentesting firm. Once in a blue moon, we'll get a target with a WAF installed
that can't be disabled for the test, and it's never more than a speed-bump.
Generally: I wouldn't bother.

If you're going to do something WAF-y, my recommendation would be modsecurity.

~~~
dsingh
Since ours is a business SaaS application that will be utilized by other
companies, I believe there may also be commercial benefits of having a WAF.
Eventually, we may need to do a formal security audit and penetration testing
but it seems to me it would help to tell customers that we are using a WAF as
part of our infrastructure. Is that possible?

------
bio4m
A WAF is like insurance: most of the time you won't need it, but it's good to
have when the s*it hits the fan.

While you can rely on your app to have its own security, it never hurts to
have extra (unless latency is a concern).

I'd start with an open source version and move up to a commercial product if
it's necessary.

------
vscarpenter
I use mod_security for personal sites and Cisco NetScaler as a WAF, load-
balancer and SSL offloader at work. If I was given the choice, I would use
HAProxy and mod_security as I'm not too impressed with NetScaler.

