@Dashrender said in Virtual WAF:

@DustinB3403 said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

It is. For sure. I get what you are saying. 100%. But that is the situation we are in, disrespectful or not. Until 2022 I will not have budget to put something perhaps more solid in place, so I need to put something in place for now until then. Discussing the situation wont help, I am at the stage of seeing what is possible to get us somewhere better than nothing.
If that makes sense?

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@VoIP_n00b said in Virtual WAF:

Cloudflare Pro has a WAF but it's $20/month.

I don't think that would be a direction we would use. I like CF but it just wont happen here.

They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, its now your problem" which until now had not been the case.

I am not here to discuss the particulars of where this should sit or not. I am asking for any thoughts on what WAF options are available, ideally at no direct cost.

If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, ill go elsewhere.

@Obsolesce said in Virtual WAF:

@Jimmy9008 test or demo environments should never be any less secure than production.

Yes, I agree. Hence wanting to put something in place.

@Dashrender said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

@VoIP_n00b said in Virtual WAF:

Cloudflare Pro has a WAF but it's $20/month.

I don't think that would be a direction we would use. I like CF but it just wont happen here.

They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

@VoIP_n00b said in Virtual WAF:

Cloudflare Pro has a WAF but it's $20/month.

I don't think that would be a direction we would use. I like CF but it just wont happen here.

@DustinB3403 said in Virtual WAF:

@Jimmy9008 I've not used this before but it appears in multiple search engines near the top.

https://modsecurity.org/

Appears to have both free and paid options, and is open source.

That did pop up from an initial search online. Seems like a good point to start with. Thank you

@Obsolesce said in Virtual WAF:

@Jimmy9008 said in Virtual WAF:

We will soon have a few webservers/applications

Running on which webserver(s)?
What kind of web apps, what language?

As I understand the handling of web traffic is handled directly in the application using HTTP.sys and the application is written in ASP.NET

Hi folks,

Would anybody be able to recommend some virtual Web Application Firewalls? I have not looked at this before and want to see what options are available from you pro's before doing more online research.

We will soon have a few webservers/applications sitting behind HAProxy, which sits behind our ASA. Ideally we would be able to stick a WAF between HAProxy and the ASA. No budget for a physical box.

Probably no budget for a paid for virtual solution either. I hope to see something like HAProxy where it is free to use with a paid option.

Cheers

We use Dell SecureWorks MDR. Has been good so far. We get quarterly meetings and whenever anything questionable is seen in logs/scans/user usage, we are contacted.

Yes, my firewall guys have said we have the license available but do not use the feature.