Re: Application Security

[Neil Matatall <nmatatal () UCI EDU>]

Stephen,

We have had great success with both ModSecurity (software) and Imperva's
SecureSphere (network appliance).

WebKnight is pretty weak at best, specifically its SQL Injection
detection was awful and the false positive rate was too high for our
taste.  I recommend you take a look at the presentation I gave
<http://www.educause.edu/E09+Hybrid/EDUCAUSE2009FacetoFaceConferen/SecuringCampusWebApplicationsw/176086>
at the last Educause conference and take a look at the Higher Education
Information Security Council's Effective Practices group.  These two
resources should help make up your mind.  The WAFEC was crucial in our
decision, but so is the input of others.

I cannot speak for URLScan, but I can say that Breach's product lacked
many key features and was more expensive than Imperva at the time we
evaluated the products (we also considered F5's product since it
integrated with our load balancers).  I will be glad to discuss this
with you, it is one of my passions.

OWASP is also a decent resource for information on WAFs, although they
still endorse WebKnight which I disagree with.
http://www.owasp.org/index.php/Web_Application_Firewall

http://www.educause.edu/E09+Hybrid/EDUCAUSE2009FacetoFaceConferen/SecuringCampusWebApplicationsw/176086

Neil Matatall
IT Security Engineer
Office of Information Technology
UC Irvine
(949) 824-4359
http://www.oit.uci.edu
http://security.uci.edu/

* Under no circumstances should ANY password or account information be sent via email.  UC Irvine will never ask you to 
supply such information.



Adam Carlson wrote:
> Stephen,
>         This might be interesting to you in your evaluations:
>
> http://projects.webappsec.org/Web-Application-Firewall-Evaluation-Criteria
>
> Also you might want to look at the vendors who participated near that
> bottom of that page if you wanted to broaden your search.  As for
> software based application layer firewalls, you might check out:
>
> ModSecurity : [http://www.modsecurity.org]
> IIS UrlScan   :
> [http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en]
> WebKnight   : [http://www.aqtronix.com/?PageID=99]
>
> from:
>
> http://isc.sans.org/diary.html?storyid=5674
>
> We are not currently using a WAF but will hopefully start evaluating
> some of these products soon to determine if they are worthwhile in
> our environment.
>
> Hope this helps,
>
> -Adam
>
> Stephen G. Lotho wrote:
>
> > Hi,
> >
> > We are currently in the market for Application firewall.  I wanted to
> > check here if anyone has any recommendation.  We are looking for an
> > appliance and software solution.
> >
> > Vendors I'm looking at are Top Layer, Fortinet, Breach and Barracuda.
> >
> > I don't know any software application firewall - could you suggest one?
> >
> > Thank you,
> >
> > Stephen G. Lotho
> > Director, Network Services
> > Roosevelt University
> > 430 South Michigan Avenue
> > Chicago, Illinois 60605
> > Tel: 312.341.6996
> > email: Stephen.Lotho () Roosevelt edu