[AusNOG] web App firewalls.
Dobbins, Roland
rdobbins at arbor.net
Fri May 28 14:11:45 EST 2010
On May 28, 2010, at 10:40 AM, David Hughes wrote:
> If you fill the connection table on an LB or FW device the boxes behind it go off the air. Sounds like a great way to DOS yourself :)
Precisely!
If one insists on jamming these stateful chokepoints into one's network, one must ensure that they *and everything behind them* must be protected against DDoS. S/RTBH doesn't cost anything; reverse proxy-caches for Web farms are also very useful in this regard.
And as far as PCI DSS is concerned, mod_security on the Web servers themselves fulfills the requirement admirably, without detracting from one's security posture in the manner of a stateful 'web application firewall'.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
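The point about connection-table exhaustion on stateful devices, and why dropping attack sources upstream with S/RTBH protects everything behind the chokepoint, can be modelled in a few lines. The following is an added illustration, not code from the original post or from AusNOG; the device model, the addresses and the traffic pattern are all constructed for the example.

```python
"""Toy model of a stateful chokepoint (LB/firewall) whose connection table
can be filled, and of source-based blackholing (S/RTBH) applied upstream.
Addresses and traffic shape are constructed for the illustration."""
from dataclasses import dataclass, field


@dataclass
class StatefulDevice:
    capacity: int                      # maximum concurrent table entries
    idle_timeout: float                # seconds before an idle entry is reaped
    table: dict = field(default_factory=dict)     # flow 4-tuple -> last_seen
    blackholed: set = field(default_factory=set)  # sources dropped upstream (S/RTBH)
    rejected: int = 0                  # flows refused because the table was full

    def _expire(self, now: float) -> None:
        dead = [f for f, last in self.table.items() if now - last > self.idle_timeout]
        for f in dead:
            del self.table[f]

    def admit(self, flow: tuple, now: float) -> bool:
        """Return True if the packet for `flow` passes the device."""
        src = flow[0]
        if src in self.blackholed:
            return False  # dropped at the edge; never consumes a table entry
        self._expire(now)
        if flow in self.table:
            self.table[flow] = now  # existing connection: refresh and pass
            return True
        if len(self.table) >= self.capacity:
            self.rejected += 1      # table full: new connection refused
            return False
        self.table[flow] = now
        return True


# Constructed addresses (RFC 5737 documentation ranges).
FLOOD_SOURCES = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
LEGIT_SOURCES = [f"203.0.113.{i}" for i in range(1, 21)]
WEB_SERVER = "192.0.2.10"


def run_scenario(capacity: int = 100, idle_timeout: float = 30.0,
                 blackhole_flood: bool = False) -> dict:
    """Replay a flood of never-completed connections, then 20 legitimate
    clients, and report how many of the legitimate ones got through."""
    dev = StatefulDevice(capacity, idle_timeout)
    if blackhole_flood:
        dev.blackholed.update(FLOOD_SOURCES)

    # t = 0..0.3 s: each flood source opens 100 flows on distinct ports
    # and never completes them, so each one sits in the table until timeout.
    t = 0.0
    for src in FLOOD_SOURCES:
        for sport in range(40000, 40100):
            dev.admit((src, WEB_SERVER, sport, 443), t)
            t += 0.001

    # t = 1 s onward: legitimate clients arrive.
    accepted = 0
    for i, src in enumerate(LEGIT_SOURCES):
        if dev.admit((src, WEB_SERVER, 50000 + i, 443), 1.0 + i * 0.01):
            accepted += 1

    return {"legit_accepted": accepted,
            "table_entries": len(dev.table),
            "rejected": dev.rejected}


if __name__ == "__main__":
    print("no mitigation:     ", run_scenario())
    print("short idle timeout:", run_scenario(idle_timeout=0.5))
    print("S/RTBH on sources: ", run_scenario(blackhole_flood=True))
```

With the default 30-second idle timeout the table holds the 100 flood entries for the whole window and every legitimate client is refused, which is the self-inflicted outage the thread describes. Shortening the idle timeout lets the legitimate clients in only because the flood in this model stops before they arrive; blackholing the flood sources upstream keeps the table empty of attack state regardless of timing, which is why the post recommends S/RTBH in front of anything stateful.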