Does an IIS server need an Application Firewall?

  • Does an IIS server need an Application Firewall?

    Does an IIS server need an Application Firewall?
    Please help.

  • #2
    I have tried several top-of-the-line WAFs. Some come built-in with load balancers (think F5, Zeus). Others are dedicated, stand-alone WAFs. Tested numerous ones by actually running AppScan against known vulnerable web code. The top performer for me was Imperva's SecureSphere WAF. You're going to pay through the nose for it, but in terms of raw security, logging, and customizability, it's currently the best. You can get it as a virtual or physical appliance, each with its advantages. They have very strict licensing, and are pricey, but their logging capabilities and their signature updates are hard to beat.

    We also code test the applications themselves using both AppScan and WebInspect. As has been mentioned, doing WAF + code review is best because you can't get 100% with either method alone. This is very different than IDS/IPS systems, which are looking mostly at layer 3 traffic, not at layer 7 where most attacks are successful nowadays. There are also cloud-based WAF protections (security as a service) which offer the same protection but for much less investment.