We had trouble with out website because of DoS attacks and we are thinking about installing a Web Application Firewall. One of our technical people advices Netscaler. He says it is the best of all. The problem is the price. It=92s really expensive! Who knows alternatives for other prices then $45,000?
Ashley - What kind of web server are you talking about? Apache? IIS? others?
We have the IIS and Apache running
Most firewall appliances handle DOS attacks, most all of them are under $5000.
Am Sun, 05 Jul 2009 09:06:27 -0400 schrieb Leythos:
DOS != DOS, depends on the kind of attack, mot of the tcp based syn flood attacks can be handled via firewall or if the OS kernel supports it you probably can handle it on the sytem itself as well.
cheers
Ask the technical person "How exactly is a WAF that works on the application layer going to do anything about network denial of service issues on the TCP/IP layer?"
The difficulty with WAF's is that they generally are far from plug and play. They need to be customized to the applications they're protecting to do the best job, and their focus is more on attempting to neuter threat vectors that for whatever reason you're unwilling to or unable to fix on the vulnerable web application code. If you can, it's usually more effective and cheaper to cure the patient rather than apply a bandaid.
A quality network IPS device run in-line would do much more for network DoS issues than a WAF ever will. Depending on the bandwidth you need, they aren't that painful, and they're FAR more plug and play than a WAF would be. Naturally, tuning thresholds and rulesets is strongly recommended based on your environment, and you need to reach comfort level with the absence of false positives before you switch from monitor to in-line mode, but still, much easier than WAF configuration.
Best regards,
Well, we bought not so long time ago BigIP, but the price was $40,000, it was expensive comparing the research we did afterward. Same features like the lower price, the BigIP is great but actually the features we use do exist in other less expensive options.
Regards, Paul
That is not much cheaper!
We were looking for a good product and the guys from F5
Paul
You have two types of Web Application Firewalls: One is hardware based and the other is only software based. Profense from Armologic is software based and cost about $8,000. Another good one is Applicure with the price of $4,000. For hardware based WAF is Barracuda WAF from Barracuda for a price from $7,300.
While the F5 is a great box, I'm not sure a BigIP is the most cost effective solution to DoS concerns though.
There's a lot that's not been told to us about the environment, however that makes a very specific recommendation impossible at this point in the thread, unfortunately.
Whew, those are expensive!
The Barracuda product is a good WAF; if you're going the hardware route you probably couldn't do better from a price-for-value standpoint. But there's an alternative to a web app firewall: the XyberShield web app security service. Software-as-a-Service, and its got a low monthly price. A free trial is here:
Few things to be aware of regarding XyberShield:
Because XyberShield is software-as-a-service, it's very unobtrusive. No hardware, obviously, but no real "agent" in the traditional sense
-- all you have to add a single line of code to each web page. Similar to adding Google Analytics to a website. Install the code and go. In contrast, setting up a hardware WAF requires you to use someone with technical expertise to redesign your network architecture.
Ongoing maintenance is just as easy. You never have to worry about installing patches or updates. Improvements we make to the defense modules, called XyberFrames, are delivered instantly to all users.
The XyberShield user interface runs in your browser, and is actually pretty fun. Guy who built it is a big James Bond fan, so the dashboard looks like something an ambitious genius would use to rule the world, but an average movie fan would understand most of its functions.
The "behavior-based" aspect of the service is different than anything else you'll see for some time in the web app protection market. This allows XyberShield to protect against types of attacks that a WAF most likely wouldn=92t even see -- business logic attacks, navigational abuse attacks, session fixation, and format string attacks.
Best,
Ben
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.