[AusNOG] web App firewalls.

Dobbins, Roland rdobbins at arbor.net
Fri May 28 14:11:45 EST 2010


On May 28, 2010, at 10:40 AM, David Hughes wrote:

> If you fill the connection table on an LB or FW device the boxes behind it go off the air.  Sounds like a great way to DOS yourself :)


Precisely!

If one insists on jamming these stateful chokepoints into one's network, one must ensure that they *and everything behind them* are protected against DDoS.  S/RTBH doesn't cost anything; reverse proxy-caches for Web farms are also very useful in this regard.

And as far as PCI DSS is concerned, mod_security on the Web servers themselves fulfills the requirement admirably, without detracting from one's security posture in the manner of a stateful 'web application firewall'.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
