I’ve been thinking about this for a long time, and I haven’t seen anyone else talk about it, so here goes. As anyone who’s read this site for any length of time knows, I’ve never had much of a soft spot in my heart for web application firewalls, for various reasons: cost, false positives, false negatives, the fact that they can fail to fix the problem completely, etc. However, recently I’ve been asked to look at more and more people’s technology (as part of our consulting practice) and decide what I do and don’t like. I was talking to a new startup a week or two ago about the new WAF appliance they are building and all its virtues, blah blah. Of course I had to start punching holes in it the second I heard the concept: “What about DOM-based XSS?” The CEO replied, “No idea.” Hurray, I win! Or did I?
There’s one more advantage to this: if you can set the egress filter to deliver specific content to specific IP addresses, you can actually use the WAF filter to test the changes you are suggesting to your developers ahead of time. Often the security guys know how to make the changes better than anyone, so if they can deploy the change in the WAF and test it themselves before it rolls out to anyone else, they’ve reduced the risk of a global deployment of code that failed to fix the problem, or worse yet, code that completely breaks the functionality of the site in some way.
There are other virtues too: if you see database strings that clearly shouldn’t ever appear in a response, like ODBC errors, you could block the output completely, etc. Don’t get too excited, I’m still not on the WAF bandwagon, but I’m starting to see more interesting applications for it, above and beyond a simple short-term inbound patching mechanism.
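As an added illustration (not code from this post or from any product it mentions), here is a minimal egress filter in Python that does the two things described above: it rewrites a page so that only designated tester IPs receive the candidate fix, and it blocks any response that carries an ODBC-style database error. The path, the tester IPs, the error patterns and the DOM-based XSS fix are all constructed examples.

```python
import re
from dataclasses import dataclass

# Constructed signatures of database errors that should never reach a client.
DB_ERROR_PATTERNS = [
    re.compile(r"\[Microsoft\]\[ODBC [^\]]*Driver\]", re.I),
    re.compile(r"\bODBC\b.*?\bDriver\b", re.I),
    re.compile(r"You have an error in your SQL syntax", re.I),
]

GENERIC_ERROR = (500, "An error occurred. Please try again later.")


@dataclass(frozen=True)
class EgressRule:
    path: str              # URL path the rewrite applies to
    tester_ips: frozenset  # clients that should receive the candidate fix
    old: str               # fragment of the page as currently deployed
    new: str               # replacement implementing the proposed fix


def filter_response(client_ip, path, status, body, rules):
    """Apply egress rules to one HTTP response; returns (status, body).

    1. Block: if the body contains a database error signature, replace the
       whole response with a generic error page so nothing leaks.
    2. Test a fix: if a rule matches this path and the client is a designated
       tester, rewrite the body so only that tester sees the proposed fix.
    """
    for pattern in DB_ERROR_PATTERNS:
        if pattern.search(body):
            return GENERIC_ERROR
    for rule in rules:
        if rule.path == path and client_ip in rule.tester_ips:
            body = body.replace(rule.old, rule.new)
    return status, body


# Constructed sample: a page with a DOM-based XSS sink and its proposed fix,
# which only the tester at 10.0.0.5 (hypothetical address) should receive.
VULN_SINK = "document.write(location.hash.substring(1))"
FIXED_SINK = ("document.getElementById('out').textContent = "
              "decodeURIComponent(location.hash.substring(1))")
SAMPLE_PAGE = "<div id='out'></div><script>" + VULN_SINK + "</script>"
RULES = [EgressRule("/search", frozenset({"10.0.0.5"}), VULN_SINK, FIXED_SINK)]
```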