[AusNOG] web App firewalls.

Pinkerton, Eric Eric.Pinkerton at team.telstra.com
Thu May 27 16:35:16 EST 2010


>Don't put stateful firewall appliances in front of your Web servers, as you'll make them vastly more vulnerable to DDoS attacks:

I think that's quite a subjective argument. A stateful f/w in front of your webserver may make you more vulnerable to DDOS, but the alternative increases your vulnerability to a plethora of other risks. Just as a salesman selling you DDOS mitigation devices will assert that your biggest risks are DDOS based, a firewall vendor will tell you otherwise.

The right answer for you depends entirely upon the environment you are trying to protect. For instance, if all you care about is uptime for static/self-contained web servers, then there may be value in building a network that is all about speed and availability. But if you are undergoing PCI DSS, then it implies you are handling CC payment information, and keeping that data private may carry a higher priority than five nines availability. If so you may want to bring to bear some of the smarts built in to application proxies like XSS and SQL Injection detection etc.

IMHO the attached presentation (and I realise that this isn't your work) represents at best a blinkered view of security appropriate to a particular environment.


Just sayin!


-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Thursday, 27 May 2010 3:49 PM
To: ausnog at ausnog.net
Subject: Re: [AusNOG] web App firewalls.


On May 27, 2010, at 12:42 PM, Jacques Kosky wrote:

> Any recommendations of disrecommendations?

Use mod_security on the servers themselves - it counts as a 'Web application firewall' for PCI DSS compliance purposes.  Don't put stateful firewall appliances in front of your Web servers, as you'll make them vastly more vulnerable to DDoS attacks:

<http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
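To make concrete what "mod_security on the servers themselves" and the "XSS and SQL Injection detection" of an application proxy look like in practice, here is an added example of a minimal host-based WAF configuration for Apache with ModSecurity 2.x. It is not from either poster or from the linked presentation. It assumes a ModSecurity build new enough to ship the libinjection operators `@detectSQLi` and `@detectXSS` (2.7.4 or later); the rule ids 900001/900002 and the audit log path are placeholders chosen for this example.

```apache
# Added example (not from the thread): minimal ModSecurity 2.x configuration
# showing how the module acts as a host-based WAF on the web server itself.
# Rule ids and the audit log path are assumed placeholders; choose ids that do
# not collide with whatever rule set (e.g. OWASP CRS) you load alongside this.
<IfModule security2_module>
    # Start with DetectionOnly while tuning; switch to On once false positives
    # on legitimate traffic have been reviewed in the audit log.
    SecRuleEngine On
    SecRequestBodyAccess On

    # Log only transactions that matched a rule, so the log stays reviewable.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Reject requests whose parameters or cookies look like SQL injection.
    SecRule ARGS|REQUEST_COOKIES "@detectSQLi" \
        "id:900001,phase:2,deny,status:403,log,msg:'SQL injection detected'"

    # Reject requests whose parameters or cookies look like cross-site scripting.
    SecRule ARGS|REQUEST_COOKIES "@detectXSS" \
        "id:900002,phase:2,deny,status:403,log,msg:'XSS detected'"
</IfModule>
```

Because the inspection happens inside the web server process, a request is only examined after the TCP handshake and HTTP parsing have completed on the host; this is the trade-off the thread is discussing, since it adds no stateful device in the path but does spend server CPU on every request.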



_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog


