Choosing a WAF

IRJ

I am looking at adding either AWS WAF or modsecurity to an all AWS environment.

Mod Security

Pros: FOSS
      CSP Agnostic
      Community and paid support
      Wazuh integration already there


Cons: Additional resource consumption on EC2 instances (potentially causing autoscaling and additional costs)

AWS WAF

Pros: No additional resource consumption
      Autoscaling handled by AWS
      Better DDOS protection
      Wazuh integration in latest version of wazuh agent


Cons: Unknown costs (many moving pieces like lambda calls, data streams, and log storage)
      Complexity (lots of terraform scripting)
      AWS only

stacksofplates

I'd prob lean towards the AWS one. DDOS and autoscaling are huge pluses. You'll have to write the Terraform configs for it, but you'd have to create new AMIs or use config management to set up all of the EC2 instances the other way so I don't see that as a minus. Plus moving to a new provider isn't that hard since you're already using Terraform.

stacksofplates

Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

IRJ

@stacksofplates said in Choosing a WAF:

Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

I hadn't thought about that. It would be interesting to compare cost with AWS.

stacksofplates

@IRJ said in Choosing a WAF:

@stacksofplates said in Choosing a WAF:

Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

I hadn't thought about that. It would be interesting to compare cost with AWS.

Yeah and it would probably be easier to use if you switched providers. The Terraform provider stays the same so no config changes.

The other downside to modsecurity is you would probably have to get another ATO right?

IRJ

@stacksofplates said in Choosing a WAF:

@IRJ said in Choosing a WAF:

@stacksofplates said in Choosing a WAF:

Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

I hadn't thought about that. It would be interesting to compare cost with AWS.

Yeah and it would probably be easier to use if you switched providers. The Terraform provider stays the same so no config changes.

The other downside to modsecurity is you would probably have to get another ATO right?

Cloudflare doesnt have an ATO so that's not an option...

I dont think modsecurity would be considered a big enough change to trigger the process, but I could be wrong. Since we are already using NGINX in our application, it would just be recompiling it from source that would be needed. Even if it is considered a major change, we would just implement it when doing our yearly audit and kill two birds with one stone.

stacksofplates

@IRJ said in Choosing a WAF:

@stacksofplates said in Choosing a WAF:

@IRJ said in Choosing a WAF:

@stacksofplates said in Choosing a WAF:

Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

I hadn't thought about that. It would be interesting to compare cost with AWS.

Yeah and it would probably be easier to use if you switched providers. The Terraform provider stays the same so no config changes.

The other downside to modsecurity is you would probably have to get another ATO right?

Cloudflare doesnt have an ATO so that's not an option...

I dont think modsecurity would be considered a big enough change to trigger the process, but I could be wrong. Since we are already using NGINX in our application, it would just be recompiling it from source that would be needed. Even if it is considered a major change, we would just implement it when doing our yearly audit and kill two birds with one stone.

Ah ok. I never looked into whether Cloudflare was a possibility for that or not. It seems ridiculous that they aren't but oh well.

Ah, man compiling that from source will be annoying for your patching cycles.

IRJ

@stacksofplates said in Choosing a WAF:

Ah, man compiling that from source will be annoying for your patching cycles.

That is definitely an initial CON I need to add to my list.

dbeato

@IRJ said in Choosing a WAF:

@stacksofplates said in Choosing a WAF:

Another option is to use Cloudflare. You can use Terraform to define your WAF rules with them also.

I hadn't thought about that. It would be interesting to compare cost with AWS.

Well AWS Shield can be expensive in a “sense” about 3K or so a month.

dbeato

I use AWS WAF with Cloudfront, Terraform, Cognito and any functions for the applications so it is very powerful.

IRJ

@dbeato said in Choosing a WAF:

I use AWS WAF with Cloudfront, Terraform, Cognito and any functions for the applications so it is very powerful.

@dbeato said in Choosing a WAF:

I use AWS WAF with Cloudfront, Terraform, Cognito and any functions for the applications so it is very powerful.

Are you using owasp top 10 rules?

dbeato

@IRJ said in Choosing a WAF:

@dbeato said in Choosing a WAF:

I use AWS WAF with Cloudfront, Terraform, Cognito and any functions for the applications so it is very powerful.

@dbeato said in Choosing a WAF:

I use AWS WAF with Cloudfront, Terraform, Cognito and any functions for the applications so it is very powerful.

Are you using owasp top 10 rules?

Yes