Virtual WAF

DustinB3403

@Dashrender said in Virtual WAF:

Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

On what grounds does paying money mean that you have improved security?

DustinB3403

@Jimmy9008 said in Virtual WAF:

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

Dashrender

@Jimmy9008 said in Virtual WAF:

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@VoIP_n00b said in Virtual WAF:

Cloudflare Pro has a WAF but it's $20/month.

I don't think that would be a direction we would use. I like CF but it just wont happen here.

They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

Wow - in that case then, I would say - well you don't care about it, so other than my firewall, I don't care about it either.... and if I do need to care about it - then I need budget to care more than just my firewall about it.

That's a fundamental change to the company - again, that's fine, as long as they put the resources they expect to need in place... they were clearly doing that well enough in the past.. and now what - they just puke on it? what gives that department the right/ability to shift responsibility and cost vector to you?

Dashrender

@DustinB3403 said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

DustinB3403

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@VoIP_n00b said in Virtual WAF:

Cloudflare Pro has a WAF but it's $20/month.

I don't think that would be a direction we would use. I like CF but it just wont happen here.

They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

Wow - in that case then, I would say - well you don't care about it, so other than my firewall, I don't care about it either.... and if I do need to care about it - then I need budget to care more than just my firewall about it.

Again not how the world works, budgets change, profits grow and shrink and resources and processes need to be adjusted to account for that.

That's a fundamental change to the company - again, that's fine, as long as they put the resources they expect to need in place... they were clearly doing that well enough in the past.. and now what - they just puke on it? what gives that department the right/ability to shift responsibility and cost vector to you?

The hell?

Dashrender

@DustinB3403 said in Virtual WAF:

@Dashrender said in Virtual WAF:

Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

On what grounds does paying money mean that you have improved security?

It's not that they spent money - it's that they cared enough to at least look like they cared by spending the money...

Now they simply say - well, we're poor now, so it's someone else's problem. I consider that a problem. The manager of IT should be going to the CIO and saying - WTF? Joe over here in application ABC who had a budget last year of $X is now dumping his security issues on IT. Two things - why is this suddenly my problem? and where is my budget to provide that support?

Jimmy9008

@Dashrender said in Virtual WAF:

@DustinB3403 said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

It is. For sure. I get what you are saying. 100%. But that is the situation we are in, disrespectful or not. Until 2022 I will not have budget to put something perhaps more solid in place, so I need to put something in place for now until then. Discussing the situation wont help, I am at the stage of seeing what is possible to get us somewhere better than nothing.
If that makes sense?

Obsolesce

@Jimmy9008 said in Virtual WAF:

@Dashrender said in Virtual WAF:

@DustinB3403 said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

It is. For sure. I get what you are saying. 100%. But that is the situation we are in, disrespectful or not. Until 2022 I will not have budget to put something perhaps more solid in place, so I need to put something in place for now until then. Discussing the situation wont help, I am at the stage of seeing what is possible to get us somewhere better than nothing.
If that makes sense?

True, every minute counts on a sinking ship. If free duct tape buys you time, why the hell not!

1337

If a web application firewall is going to be of some use, it needs a heavy set of rules.
The time spent will be much more expensive than the cost of the WAF.
Unless the purpose is to fill out some kind of compliance checkbox.

dbeato

@Jimmy9008 what type of webserver/applications? Is it WordPress or any other CMS or is it customized?

dbeato

That said @Jimmy9008 what you have though with HAProxy and most likely Ngnix is what other WAF have already implemented on them as below some opensource versions

https://www.vultureproject.org/

https://github.com/nbs-system/naxsi

scottalanmiller

@Jimmy9008 said in Virtual WAF:

Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

No, whoever is managing it is IT. IT is defined by role, not department name. If you called janitorial services "IT" on company memos and the infrastructure "janitorial", it doesn't change who IT is, just what you call them. (We have a customer that literally does this with Development and IT... they flip the names because their users are confused.)

So no matter what, IT does and has been managing this because IT is defined by who does IT. What you are now learning is that you have what is called "shadow IT" departments.

scottalanmiller

@Dashrender said in Virtual WAF:

@DustinB3403 said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

Right, I would personally step back and look at the organization. You have competing IT groups that don't answer to the same people. Don't voluntarily take on projects that don't belong to your IT team - this will create ongoing issues in the company. They don't trust your team to be in charge of this, don't voluntarily take on responsibility. Hold the other IT team accountable.

It's great that you want to fix their mistakes. But I feel like that won't do anyone any good in the long run.

scottalanmiller

One of the reasons that you don't see many good options for this is because the place where the industry has decided that this should go, when hosting like you want, is on the app itself because of the performance and latency aspects of it. So tools tend to be like this one...

https://shieldon.io/en

And they tend to be platform specific to do a good job. This is something your developers would be doing, not IT, generally. Sure IT can buy third party hosted solutions or hardware, but software is going to be rare because it's an additional reverse proxy that hurts app performance.

So any app big enough to need this is generally happy to pay for Amazon or CloudFlare because the cost is nominal (less than having your own IT research and set it up.) And those that want to host themselves do so closer to the app.