Educause Security Discussion mailing list archives
Re: Application Security
From: Neil Matatall <nmatatal () UCI EDU>
Date: Fri, 13 Nov 2009 15:42:56 -0800
Stephen,

We have had great success with both ModSecurity (software) and Imperva's SecureSphere (network appliance). WebKnight is pretty weak at best; specifically, its SQL injection detection was awful and the false positive rate was too high for our taste.

I recommend you take a look at the presentation I gave <http://www.educause.edu/E09+Hybrid/EDUCAUSE2009FacetoFaceConferen/SecuringCampusWebApplicationsw/176086> at the last Educause conference and take a look at the Higher Education Information Security Council's Effective Practices group. These two resources should help make up your mind. The WAFEC was crucial in our decision, but so is the input of others.

I cannot speak for URLScan, but I can say that Breach's product lacked many key features and was more expensive than Imperva at the time we evaluated the products (we also considered F5's product since it integrated with our load balancers). I will be glad to discuss this with you; it is one of my passions.

OWASP is also a decent resource for information on WAFs, although they still endorse WebKnight, which I disagree with.

http://www.owasp.org/index.php/Web_Application_Firewall
http://www.educause.edu/E09+Hybrid/EDUCAUSE2009FacetoFaceConferen/SecuringCampusWebApplicationsw/176086

Neil Matatall
IT Security Engineer
Office of Information Technology
UC Irvine
(949) 824-4359
http://www.oit.uci.edu
http://security.uci.edu/

* Under no circumstances should ANY password or account information be sent via email. UC Irvine will never ask you to supply such information.

Adam Carlson wrote:
Stephen,

This might be interesting to you in your evaluations: http://projects.webappsec.org/Web-Application-Firewall-Evaluation-Criteria

Also, you might want to look at the vendors who participated, near the bottom of that page, if you wanted to broaden your search.

As for software-based application layer firewalls, you might check out:

ModSecurity: [http://www.modsecurity.org]
IIS UrlScan: [http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en]
WebKnight: [http://www.aqtronix.com/?PageID=99]

from: http://isc.sans.org/diary.html?storyid=5674

We are not currently using a WAF but will hopefully start evaluating some of these products soon to determine if they are worthwhile in our environment.

Hope this helps,
-Adam

Stephen G. Lotho wrote:

Hi,

We are currently in the market for an application firewall. I wanted to check here if anyone has any recommendation. We are looking for an appliance and software solution. Vendors I'm looking at are Top Layer, Fortinet, Breach and Barracuda. I don't know any software application firewall - could you suggest one?

Thank you,

Stephen G. Lotho
Director, Network Services
Roosevelt University
430 South Michigan Avenue
Chicago, Illinois 60605
Tel: 312.341.6996
email: Stephen.Lotho () Roosevelt edu