Easiest way to Web Application Firewall security

Looking for the security of a Web Application Firewall, with the least amount of work.

I have been told I needed a Web Application Firewall (WAF) and wonder if it's smarter to use a cloud-based WAF? It's for a .NET MVC app running on IIS.

It sounds like it's a smart way to get security, without first needing to become an expert in it. And to know they are always on the lookout, making their system more secure, would let me rest easier.

Any good names you can recommend?

Also, how difficult is it to "build our own?" What kinds of customization capabilities would we lose, if we went with a Cloud based version?

How long might it take to deploy a cloud version of the WAF?

If I wanted to use AWS, for example, must I also host my website with AWS?

Thanks
newbieweb (Sr. Software Engineer) asked:

btan (Exec Consultant) commented:
If you have an Internet-facing web app or website, then a cloud WAF can be considered; in fact, you can consider an anti-DDoS cloud solution, as they also come with a WAF. Examples include Cloudflare, Akamai, Incapsula and DOSarrest.

In fact, AWS has its own cloud WAF as well:

Additional protection against web attacks using conditions that you specify. You can define conditions by using characteristics of web requests such as the following:

- IP addresses that requests originate from.
- Country that requests originate from.
- Values in request headers.
- Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.
- Length of requests.
- Presence of SQL code that is likely to be malicious (known as SQL injection).
- Presence of a script that is likely to be malicious (known as cross-site scripting).

Rules that can allow, block, or count web requests that meet the specified conditions. Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.

Rules that you can reuse for multiple web applications.

https://aws.amazon.com/documentation/waf/
https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
https://docs.aws.amazon.comwaf/latest/developerguide/waf-chapter.html
0
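To make the condition/rule structure quoted above concrete, here is a small added example (not AWS code, and not part of btan's answer) of how a web ACL combines match conditions, the three actions ALLOW, BLOCK and COUNT, and a per-IP rate limit over a 5-minute window. Rule order matters: the first ALLOW or BLOCK that fires decides the request, while COUNT only tallies and lets evaluation continue. All requests, IP ranges, country codes and the injection signatures are constructed for the example; a real WAF uses far richer normalisation and managed rule sets.

```python
"""Toy web-ACL evaluator modelled on the quoted AWS WAF condition/rule structure.

Added example, not AWS code. Requests and rules below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    ip: str
    country: str          # ISO code, as a CDN/WAF would derive it from GeoIP
    path: str
    query: str
    headers: dict         # lower-cased header names
    ts: float             # Unix time in seconds

    @property
    def size(self) -> int:
        return len(self.path) + len(self.query) + sum(len(k) + len(v) for k, v in self.headers.items())


# --- match conditions: each returns a predicate over Request -----------------
def ip_in(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.ip) in n for n in nets)

def country_in(codes):
    return lambda r: r.country in codes

def header_matches(name, pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(name.lower(), "")) is not None

def string_matches(pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.path + "?" + r.query) is not None

def length_over(limit):
    return lambda r: r.size > limit

# Crude signatures for illustration only (constructed, not a real rule set).
looks_like_sqli = string_matches(r"(?i)(\bunion\b\s+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|;\s*drop\b)")
looks_like_xss = string_matches(r"(?i)(<script|javascript:|onerror\s*=|onload\s*=)")


@dataclass
class Rule:
    name: str
    action: str                       # "ALLOW" | "BLOCK" | "COUNT"
    conditions: list                  # all must match (AND)
    rate_limit: Optional[int] = None  # max matching requests per IP per window
    window: int = 300                 # seconds: the 5-minute period in the quote


class WebACL:
    """Evaluates rules in order; the first ALLOW/BLOCK wins, COUNT only tallies."""

    def __init__(self, rules, default_action="ALLOW"):
        self.rules = rules
        self.default_action = default_action
        self.counts = defaultdict(int)
        # rule name -> client IP -> timestamps of matching requests in the window
        self._seen = defaultdict(lambda: defaultdict(deque))

    def evaluate(self, req):
        for rule in self.rules:
            if not all(cond(req) for cond in rule.conditions):
                continue
            if rule.rate_limit is not None:
                q = self._seen[rule.name][req.ip]
                q.append(req.ts)
                while q and q[0] <= req.ts - rule.window:
                    q.popleft()                 # expire requests older than the window
                if len(q) <= rule.rate_limit:
                    continue                    # within the limit: the rule does not fire
            if rule.action == "COUNT":
                self.counts[rule.name] += 1
                continue                        # counting never stops evaluation
            return rule.action, rule.name
        return self.default_action, "default"


def build_sample_acl():
    return WebACL([
        Rule("block_bad_ips", "BLOCK", [ip_in(["203.0.113.0/24"])]),
        Rule("block_injection", "BLOCK", [looks_like_sqli]),
        Rule("count_xss", "COUNT", [looks_like_xss]),
        Rule("count_scanner", "COUNT", [country_in({"XX"}), header_matches("user-agent", r"(?i)scanner")]),
        Rule("block_oversized", "BLOCK", [length_over(4096)]),
        Rule("rate_login", "BLOCK", [string_matches(r"^/login\b")], rate_limit=3),
    ])


def run_sample():
    """Runs constructed requests through the sample ACL; returns (decisions, counts)."""
    acl = build_sample_acl()
    ua = {"user-agent": "Mozilla/5.0"}
    reqs = [
        Request("198.51.100.7", "US", "/index.html", "", ua, 1000),
        Request("203.0.113.9", "US", "/index.html", "", ua, 1000),
        Request("198.51.100.7", "US", "/search", "q=' OR 1=1 --", ua, 1001),
        Request("198.51.100.7", "US", "/comment", "text=<script>alert(1)</script>", ua, 1002),
        Request("198.51.100.8", "XX", "/", "", {"user-agent": "evil-scanner/1.0"}, 1003),
        Request("198.51.100.7", "US", "/upload", "data=" + "A" * 5000, ua, 1004),
    ]
    # four logins 10 s apart trip the 3-per-window limit; a fifth after the window does not
    reqs += [Request("198.51.100.7", "US", "/login", "user=alice", ua, 1000 + 10 * i) for i in range(4)]
    reqs.append(Request("198.51.100.7", "US", "/login", "user=alice", ua, 1400))
    decisions = [acl.evaluate(r) for r in reqs]
    return decisions, dict(acl.counts)


if __name__ == "__main__":
    for d in run_sample()[0]:
        print(d)
```

The COUNT action is the safe way to trial a new rule on live traffic before switching it to BLOCK, and the rate-based rule shows why the provider tracks state per client IP rather than per request.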
newbieweb (Sr. Software Engineer, author) commented:
I want to get a WAF, but what if we hosted locally? How does that work? I see AlertLogix has a solution for any requirement.

If we wanted to continue hosting locally, would we just:

1) point our URLs to the servers belonging to AlertLogix
2) host our website on a non-published domain, that we provide to AlertLogix
3) configure AlertLogix with our list of query string params, including expected data types and data ranges
4) after going live, they route all safe traffic to our private domains
5) they create reports to us on the traffic which they rejected

Is this how a cloud hosted system can enable us to maintain private hosting?

Thanks.
0
btan (Exec Consultant) commented:
An on-premise WAF is still possible. Some cloud providers may offer such a hybrid combination, where they still have the cloud to filter upfront, then send the traffic on to the origin web server, which has another on-premise WAF to inspect it. Note that SSL needs to be decrypted for the WAF to inspect it. One example is Radware's Hybrid Cloud DDoS Protection service, which integrates with Radware's on-premise DDoS protection device.
https://www.radware.com/products/cloud-ddos-services/

In fact, you should check whether your firewall has such WAF capability too; then you do not need another on-premise WAF. Note that WAFs handle application DoS, and some actually handle network DoS as well.

Just to share: for a cloud-based WAF/CDN, you just need to change the DNS record to a CNAME pointing to the provider.
  1. Log into your DNS provider account for the domains you're onboarding to Akamai.
  2. Find the page to update/edit your domain's DNS records. This might be called something like DNS Management or Name Server Management.
  3. Locate the entry for your domain. If there is an A record currently, change the record type to a CNAME record. If there is currently a CNAME record, change the target to the Akamai-provided value.
For example, for www.example.com: CNAME www.example.com.edgesuite.net. There is no change for the user. The WAF rules are set in the cloud WAF config.
0

newbieweb (Sr. Software Engineer, author) commented:
thanks
0