Virtual WAF



  • Hi folks,

    Would anybody be able to recommend some virtual Web Application Firewalls? I have not looked at this before and want to see what options are available from you pro's before doing more online research.

    We will soon have a few webservers/applications sitting behind HAProxy, which sits behind our ASA. Ideally we would be able to stick a WAF between HAProxy and the ASA. No budget for a physical box.

    Probably no budget for a paid for virtual solution either. I hope to see something like HAProxy where it is free to use with a paid option.

    Cheers



  • @Jimmy9008 said in Virtual WAF:

    We will soon have a few webservers/applications

    Running on which webserver(s)?
    What kind of web apps, what language?



  • @Obsolesce said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    We will soon have a few webservers/applications

    Running on which webserver(s)?
    What kind of web apps, what language?

    As I understand the handling of web traffic is handled directly in the application using HTTP.sys and the application is written in ASP.NET





  • @VoIP_n00b said in Virtual WAF:

    https://aws.amazon.com/waf/

    What part of Probably no budget for a paid virtual solution either did you not comprehend?



  • This post is deleted!


  • Cloudflare Pro has a WAF but it's $20/month.



  • @Jimmy9008 Why not add "Free" to the title?



  • @VoIP_n00b said in Virtual WAF:

    @Jimmy9008 Why not add "Free" to the title?

    Why not read the entire topic?



  • @Jimmy9008 I've not used this before but it appears in multiple search engines near the top.

    https://modsecurity.org/

    Appears to have both free and paid options, and is open source.



  • @DustinB3403 said in Virtual WAF:

    @Jimmy9008 I've not used this before but it appears in multiple search engines near the top.

    https://modsecurity.org/

    Appears to have both free and paid options, and is open source.

    That did pop up from an initial search online. Seems like a good point to start with. Thank you



  • @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.



  • @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?



  • @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

    Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

    The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

    Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

    Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.



  • @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

    Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

    The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

    Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

    Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

    Well reducing costly systems makes sense. If this tool works for you and adds a nominal technical cost to setup and maintain it makes sense if you have the expertise to setup and run this internally.

    It's a soft cost rather than a hard cost (time and materials) vs some $ per month.

    Best of luck



  • @Jimmy9008 test or demo environments should never be any less secure than production.



  • @Obsolesce said in Virtual WAF:

    @Jimmy9008 test or demo environments should never be any less secure than production.

    Yes, I agree. Hence wanting to put something in place.



  • @Obsolesce said in Virtual WAF:

    @Jimmy9008 test or demo environments should never be any less secure than production.

    Exactly - if you're willing to throw up shoddy demo environments, it's very likely they'll skimp when it comes to production as well.



  • @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

    Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

    The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

    Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

    Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

    So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

    Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

    Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.



  • @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

    Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

    The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

    Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

    Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

    So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

    Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

    Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

    Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

    I am not here to discuss the particulars of where this should sit or not. I am asking for any thoughts on what WAF options are available, ideally at no direct cost.

    If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.



  • @Dashrender said in Virtual WAF:

    Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

    On what grounds does paying money mean that you have improved security?



  • @Jimmy9008 said in Virtual WAF:

    If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

    This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.



  • @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

    Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

    The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

    Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

    Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

    So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

    Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

    Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

    Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

    Wow - in that case then, I would say - well you don't care about it, so other than my firewall, I don't care about it either.... and if I do need to care about it - then I need budget to care more than just my firewall about it.

    That's a fundamental change to the company - again, that's fine, as long as they put the resources they expect to need in place... they were clearly doing that well enough in the past.. and now what - they just puke on it? what gives that department the right/ability to shift responsibility and cost vector to you?



  • @DustinB3403 said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

    This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

    You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.



  • @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    @VoIP_n00b said in Virtual WAF:

    Cloudflare Pro has a WAF but it's $20/month.

    I don't think that would be a direction we would use. I like CF but it just wont happen here.

    They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

    Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

    The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

    Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

    Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

    So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

    Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

    Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

    Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

    Wow - in that case then, I would say - well you don't care about it, so other than my firewall, I don't care about it either.... and if I do need to care about it - then I need budget to care more than just my firewall about it.

    Again not how the world works, budgets change, profits grow and shrink and resources and processes need to be adjusted to account for that.

    That's a fundamental change to the company - again, that's fine, as long as they put the resources they expect to need in place... they were clearly doing that well enough in the past.. and now what - they just puke on it? what gives that department the right/ability to shift responsibility and cost vector to you?

    The hell?



  • @DustinB3403 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

    On what grounds does paying money mean that you have improved security?

    It's not that they spent money - it's that they cared enough to at least look like they cared by spending the money...

    Now they simply say - well, we're poor now, so it's someone else's problem. I consider that a problem. The manager of IT should be going to the CIO and saying - WTF? Joe over here in application ABC who had a budget last year of $X is now dumping his security issues on IT. Two things - why is this suddenly my problem? and where is my budget to provide that support?



  • @Dashrender said in Virtual WAF:

    @DustinB3403 said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

    This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

    You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

    It is. For sure. I get what you are saying. 100%. But that is the situation we are in, disrespectful or not. Until 2022 I will not have budget to put something perhaps more solid in place, so I need to put something in place for now until then. Discussing the situation wont help, I am at the stage of seeing what is possible to get us somewhere better than nothing.
    If that makes sense?



  • @Jimmy9008 said in Virtual WAF:

    @Dashrender said in Virtual WAF:

    @DustinB3403 said in Virtual WAF:

    @Jimmy9008 said in Virtual WAF:

    If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

    This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

    You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

    It is. For sure. I get what you are saying. 100%. But that is the situation we are in, disrespectful or not. Until 2022 I will not have budget to put something perhaps more solid in place, so I need to put something in place for now until then. Discussing the situation wont help, I am at the stage of seeing what is possible to get us somewhere better than nothing.
    If that makes sense?

    True, every minute counts on a sinking ship. If free duct tape buys you time, why the hell not!



  • If a web application firewall is going to be of some use, it needs a heavy set of rules.
    The time spent will be much more expensive than the cost of the WAF.
    Unless the purpose is to fill out some kind of compliance checkbox.



  • @Jimmy9008 what type of webserver/applications? Is it WordPress or any other CMS or is it customized?


Log in to reply