WebApp Sec mailing list archives
Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money?
From: "Ivan Ristic" <ivan.ristic () gmail com>
Date: Sun, 13 Jan 2008 09:54:23 +0000
On Jan 12, 2008 3:55 PM, B Snake <bsnak3 () gmail com> wrote:
It seems like 90+% of companies that implement WAFs deploy them in listening-only mode and don't do any blocking for fear of false positives cutting off legitimate user activity. I'm new to WAFs and this may be a stupid question, but what security value does a WAF add if it's not doing any blocking of malicious activity?
I have found that most people talk about blocking when they are discussing web application firewalls, in spite of this type of deployment being just one of the possible use cases. This is very peculiar because, at the network level, so many people are deploying intrusion detection systems (which do not block) yet the question of usefulness is not being asked all the time. This might be because intrusion detection is a mature technology and everyone is comfortable (understands) what their role is, whereas web application firewalls still have a way to go toward wide recognition. Whether to block or not is a matter of taste. I, for example, prefer to focus on detection. This is because I feel that, at the very basic level, the most important thing a web application firewall (or any other security device) can give me is the ability to detect problems, telling me when I am being attacked. In other words, I want visibility. I want to know what is going on. From there I can decide to block if that's what I want to do. Ask yourself this: if there is a vulnerability in your web application and it's being exploited and you do not have a web application firewall actively looking at the traffic to warn you about it, how are you going to detect you are being attacked? For how long is the attack going to continue until some external signs start giving you clues that something is not right?
-BSnake
-- Ivan Ristic ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 13)
- <Possible follow-ups>
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ivan Ristic (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Henry Troup (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ofer Shezaf (Jan 16)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Henry Troup (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ofer Shezaf (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 13)
- Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? Ryan Barnett (Jan 14)
- RE: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of Money? sankalpa h (Jan 20)