Virtual WAF
-
Hi folks,
Would anybody be able to recommend some virtual Web Application Firewalls? I have not looked at this before and want to see what options are available from you pro's before doing more online research.
We will soon have a few webservers/applications sitting behind HAProxy, which sits behind our ASA. Ideally we would be able to stick a WAF between HAProxy and the ASA. No budget for a physical box.
Probably no budget for a paid for virtual solution either. I hope to see something like HAProxy where it is free to use with a paid option.
Cheers
-
@Jimmy9008 said in Virtual WAF:
We will soon have a few webservers/applications
Running on which webserver(s)?
What kind of web apps, what language? -
@Obsolesce said in Virtual WAF:
@Jimmy9008 said in Virtual WAF:
We will soon have a few webservers/applications
Running on which webserver(s)?
What kind of web apps, what language?As I understand the handling of web traffic is handled directly in the application using HTTP.sys and the application is written in ASP.NET
-
-
@VoIP_n00b said in Virtual WAF:
What part of
Probably no budget for a paid virtual solution eitherdid you not comprehend? -
This post is deleted! -
Cloudflare Pro has a WAF but it's $20/month.
-
@Jimmy9008 Why not add "Free" to the title?
-
@VoIP_n00b said in Virtual WAF:
@Jimmy9008 Why not add "Free" to the title?
Why not read the entire topic?
-
@Jimmy9008 I've not used this before but it appears in multiple search engines near the top.
Appears to have both free and paid options, and is open source.
-
@DustinB3403 said in Virtual WAF:
@Jimmy9008 I've not used this before but it appears in multiple search engines near the top.
Appears to have both free and paid options, and is open source.
That did pop up from an initial search online. Seems like a good point to start with. Thank you
-
@VoIP_n00b said in Virtual WAF:
Cloudflare Pro has a WAF but it's $20/month.
I don't think that would be a direction we would use. I like CF but it just wont happen here.
-
@Jimmy9008 said in Virtual WAF:
@VoIP_n00b said in Virtual WAF:
Cloudflare Pro has a WAF but it's $20/month.
I don't think that would be a direction we would use. I like CF but it just wont happen here.
They can't afford $20/m to protect this? does whatever they are doing even make sense to do?
-
@Dashrender said in Virtual WAF:
@Jimmy9008 said in Virtual WAF:
@VoIP_n00b said in Virtual WAF:
Cloudflare Pro has a WAF but it's $20/month.
I don't think that would be a direction we would use. I like CF but it just wont happen here.
They can't afford $20/m to protect this? does whatever they are doing even make sense to do?
Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.
The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.
Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.
Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.
-
@Jimmy9008 said in Virtual WAF:
@Dashrender said in Virtual WAF:
@Jimmy9008 said in Virtual WAF:
@VoIP_n00b said in Virtual WAF:
Cloudflare Pro has a WAF but it's $20/month.
I don't think that would be a direction we would use. I like CF but it just wont happen here.
They can't afford $20/m to protect this? does whatever they are doing even make sense to do?
Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.
The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.
Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.
Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.
Well reducing costly systems makes sense. If this tool works for you and adds a nominal technical cost to setup and maintain it makes sense if you have the expertise to setup and run this internally.
It's a soft cost rather than a hard cost (time and materials) vs some $ per month.
Best of luck
-
@Jimmy9008 test or demo environments should never be any less secure than production.
-
@Obsolesce said in Virtual WAF:
@Jimmy9008 test or demo environments should never be any less secure than production.
Yes, I agree. Hence wanting to put something in place.
-
@Obsolesce said in Virtual WAF:
@Jimmy9008 test or demo environments should never be any less secure than production.
Exactly - if you're willing to throw up shoddy demo environments, it's very likely they'll skimp when it comes to production as well.
-
@Jimmy9008 said in Virtual WAF:
@Dashrender said in Virtual WAF:
@Jimmy9008 said in Virtual WAF:
@VoIP_n00b said in Virtual WAF:
Cloudflare Pro has a WAF but it's $20/month.
I don't think that would be a direction we would use. I like CF but it just wont happen here.
They can't afford $20/m to protect this? does whatever they are doing even make sense to do?
Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.
The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.
Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.
Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.
So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.
Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.
Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.
-
@Dashrender said in Virtual WAF:
@Jimmy9008 said in Virtual WAF:
@Dashrender said in Virtual WAF:
@Jimmy9008 said in Virtual WAF:
@VoIP_n00b said in Virtual WAF:
Cloudflare Pro has a WAF but it's $20/month.
I don't think that would be a direction we would use. I like CF but it just wont happen here.
They can't afford $20/m to protect this? does whatever they are doing even make sense to do?
Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.
The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.
Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.
Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.
So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.
Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.
Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.
Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.
I am not here to discuss the particulars of where this should sit or not. I am asking for any thoughts on what WAF options are available, ideally at no direct cost.
If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.
