WebApp Sec mailing list archives

Re: web application security products (AKA application firewalls)


From: securityarchitect () hush com
Date: Fri, 22 Nov 2002 10:09:45 -0800


I have only looked at them all in brief. When my management found out we were gonna stick a box between us and our customers that may stop a legitimate customer coming in, it got dropped like a lead balloon.

I have heard some horror stories of new applications coming online that aren't classically written that get blocked. One has problems with anything where you make changes in any way client-side (read: if you have JavaScript or VBScript, avoid like the plague).

The proxy-based ones are in my opinion the worst idea. The throughput of them is pretty bad, and they can't deal with load balancing well (Cisco director). The throughput issue is the big one. They are usually based on a single Linux box and so just don't scale. If you wanna see SSL they also have to decrypt SSL, and so are effectively a choked router.

If I were you and money were no object, look at one of the new hardware-based IDSs that do anomaly detection. When it sits on the network and knows the normalized packet characteristics, they pretty easily spot weird behaviour.


On Wed, 20 Nov 2002 00:21:21 -0800 Shimon Silberschlag <shimons () bll co il> wrote:
What is the group experience with these type of devices? Any good, bad or horror stories about using/maintaining them? Any specific recommendations?

I know the charter doesn't really cater for discussion of commercial tools so please keep answers generic and objective.

Shimon Silberschlag

+972-3-9352785
+972-51-207130