Web Application Firewall (WAF) with IntraWeb
#1
Hi. In order to pass certain web application security tests without remarks, some (e.g. those that check compliance against the Payment Card Industry Data Security Standard) require a Web Application Firewall (WAF) to be present between the clients and the web application server. I have no experience with this, so here are some questions:

1. Is this a reasonable requirement, or does IntraWeb have built-in security that protects against the same things as an external WAF? 
2. Does anyone have experience with using a WAF in front of one or more IntraWeb web applications? Any issues you can run into?
3. My understanding is that there are hardware, software and cloud-based solutions for WAF. Any recommendations on which type to choose? Any particular product/service that you can recommend?

Feedback on this would be much appreciated!

Best regards

Magnus Oskarsson
#2
IntraWeb does not replace a WAF and I'm not aware of any self-contained web server that can do that (including Apache, IIS, etc.). In general these are dedicated, specialized software which inspects the communication, so it is not something trivial that can be implemented by a limited set of user-defined rules.

I have never used one myself but do know that some customers have already used it. As long as the WAF application doesn't block the responses or change them to a point that makes them invalid (I've seen such cases), it should just work transparently.
#3
Thanks Alexandre for your feedback! So this is to other users who have tried a WAF with IntraWeb, please share your experience here!

Best regards

Magnus Oskarsson
#4
If you have a database SQL server, it will probably answer remote requests on port 3051 or a similar one. So give it a good login name and password. Closing the port would speed it up. I am not sure if Linux has ports closed as a default value. Remember not to close all ports, namely 1) for your app, 2) remote desktop, if you use it, and 3) for console access like PuTTY. Some people say that it is not a big issue if you do not close ports on Linux.
#5
(11-29-2019, 06:24 PM)MrSpock Wrote: If you have a database SQL server, it will probably answer remote requests on port 3051 or a similar one. So give it a good login name and password. Closing the port would speed it up. I am not sure if Linux has ports closed as a default value. Remember not to close all ports, namely 1) for your app, 2) remote desktop, if you use it, and 3) for console access like PuTTY. Some people say that it is not a big issue if you do not close ports on Linux.
Hi, I am not really sure what you are answering here??? Of course, we do have a regular (hardware) firewall that protects the server. Basically, only port 443 is open for external access. But a WAF is not about opening and closing ports.
