    Choosing a WAF

    IT Discussion
    • IRJ

      I am looking at adding either AWS WAF or ModSecurity to an all-AWS environment.

      ModSecurity

      Pros:
        - FOSS
        - CSP agnostic
        - Community and paid support
        - Wazuh integration already there

      Cons:
        - Additional resource consumption on EC2 instances (potentially causing autoscaling and additional costs)

      AWS WAF

      Pros:
        - No additional resource consumption
        - Autoscaling handled by AWS
        - Better DDoS protection
        - Wazuh integration in the latest version of the Wazuh agent

      Cons:
        - Unknown costs (many moving pieces like Lambda calls, data streams, and log storage)
        - Complexity (lots of Terraform scripting)
        - AWS only
      • stacksofplates

        I'd prob lean towards the AWS one. DDOS and autoscaling are huge pluses. You'll have to write the Terraform configs for it, but you'd have to create new AMIs or use config management to set up all of the EC2 instances the other way so I don't see that as a minus. Plus moving to a new provider isn't that hard since you're already using Terraform.

        • stacksofplates

          Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

          • IRJ @stacksofplates

            @stacksofplates said in Choosing a WAF:

            Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

            I hadn't thought about that. It would be interesting to compare cost with AWS.

            • stacksofplates @IRJ

              @IRJ said in Choosing a WAF:

              I hadn't thought about that. It would be interesting to compare cost with AWS.

              Yeah and it would probably be easier to use if you switched providers. The Terraform provider stays the same so no config changes.

              The other downside to modsecurity is you would probably have to get another ATO right?

              • IRJ @stacksofplates

                @stacksofplates said in Choosing a WAF:

                Yeah and it would probably be easier to use if you switched providers. The Terraform provider stays the same so no config changes.

                The other downside to modsecurity is you would probably have to get another ATO right?

                Cloudflare doesn't have an ATO so that's not an option...

                I don't think modsecurity would be considered a big enough change to trigger the process, but I could be wrong. Since we are already using NGINX in our application, it would just be recompiling it from source that would be needed. Even if it is considered a major change, we would just implement it when doing our yearly audit and kill two birds with one stone.

                • stacksofplates @IRJ

                  @IRJ said in Choosing a WAF:

                  Cloudflare doesn't have an ATO so that's not an option...

                  I don't think modsecurity would be considered a big enough change to trigger the process, but I could be wrong. Since we are already using NGINX in our application, it would just be recompiling it from source that would be needed. Even if it is considered a major change, we would just implement it when doing our yearly audit and kill two birds with one stone.

                  Ah ok. I never looked into whether Cloudflare was a possibility for that or not. It seems ridiculous that they aren't but oh well.

                  Ah, man compiling that from source will be annoying for your patching cycles.

                  • IRJ @stacksofplates

                    @stacksofplates said in Choosing a WAF:

                    Ah, man compiling that from source will be annoying for your patching cycles.

                    That is definitely an initial CON I need to add to my list.

                    • dbeato @IRJ

                      @IRJ said in Choosing a WAF:

                      I hadn't thought about that. It would be interesting to compare cost with AWS.

                      Well AWS Shield can be expensive in a “sense” about 3K or so a month.

                      • dbeato

                        I use AWS WAF with CloudFront, Terraform, Cognito and any functions for the applications so it is very powerful.

                        • IRJ @dbeato

                          @dbeato said in Choosing a WAF:

                          I use AWS WAF with CloudFront, Terraform, Cognito and any functions for the applications so it is very powerful.

                          Are you using OWASP Top 10 rules?

                          • dbeato @IRJ

                            @IRJ said in Choosing a WAF:

                            Are you using OWASP Top 10 rules?

                            Yes

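The setup dbeato describes above (AWS WAF in front of CloudFront, defined in Terraform, with OWASP Top 10 style rules) looks roughly like the following. This is an added example written for this page, not code posted by anyone in the thread: the resource names, metric names and log group name are assumed placeholders, and the CloudFront distribution is assumed to be defined elsewhere. It uses the AWS managed rule groups rather than a hand-written OWASP rule list, enables CloudWatch metrics so blocks can be detected, and ties the log retention setting to the log-storage cost the first post lists as an unknown.

```hcl
# Added example (not the thread's own code): AWS WAFv2 web ACL for a CloudFront
# distribution, defined in Terraform with the AWS managed rule groups that cover
# the OWASP Top 10 categories, plus request logging to CloudWatch Logs.
# All names below are assumed placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# CloudFront-scoped web ACLs and their log destinations must be created in us-east-1.
provider "aws" {
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "edge" {
  name        = "example-edge-acl" # assumed name
  description = "Managed OWASP-style rule groups for the CloudFront distribution"
  scope       = "CLOUDFRONT"

  # Requests that match no rule are allowed; the managed groups decide what to block.
  default_action {
    allow {}
  }

  # Core rule set: AWS's managed equivalent of the OWASP CRS categories (XSS, LFI, ...).
  rule {
    name     = "aws-common-rule-set"
    priority = 10

    # none {} keeps the rule group's own block actions instead of overriding to count.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  # Known bad inputs: request patterns associated with widely known vulnerability classes.
  rule {
    name     = "aws-known-bad-inputs"
    priority = 20

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  # ACL-level metrics: the BlockedRequests/AllowedRequests series used for alerting.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-edge-acl"
    sampled_requests_enabled   = true
  }
}

# WAF requires CloudWatch log group names to start with "aws-waf-logs-".
# retention_in_days is the main lever on the log-storage cost the thread mentions.
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-example-edge" # assumed name
  retention_in_days = 30
}

resource "aws_wafv2_web_acl_logging_configuration" "edge" {
  resource_arn            = aws_wafv2_web_acl.edge.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Redact the Authorization header so bearer tokens never reach log storage.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}

# Attach the ACL by setting web_acl_id = aws_wafv2_web_acl.edge.arn on the
# (assumed, defined elsewhere) aws_cloudfront_distribution resource.
output "edge_web_acl_arn" {
  value = aws_wafv2_web_acl.edge.arn
}
```

A sensible rollout is to first set `override_action { count {} }` on both managed groups, watch the per-rule CloudWatch metrics and sampled requests for a few days to find false positives against the application, then switch to `none {}` so the groups actually block.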