Are you using a Windows Application Firewall on IIS?

by JasonHelmick at 2012-08-28 18:34:14

So, I know many of you have a front end firewall solution, ranging from a Cisco ASA to Microsoft TMG, but are any of you using a Windows Application Firewall (WAF) on your IIS servers?
I’m curious… I just started using Port80Software’s Server Defender and I really like its integration and capabilities. So, let’s discuss this, what do you use to protect your web servers from script attacks and everything else that is hunting your websites?

Curious minds want to know…so, chime in!

by willsteele at 2012-09-03 08:28:35
We use Barracuda for our WAFs. We are still tuning, but they seem to be working pretty well. We roll out our enterprise application onto the WAF filtering here shortly.
by JasonHelmick at 2012-09-03 09:58:10
Hey Will! Barracuda is an excellent product… Were there specific reasons for the decision to use them? As a security guy, was there something you liked the most over other products?
by willsteele at 2012-09-03 11:02:50
In our case it was a weird cookie filtering issue. After looking at a variety of products we had to be able to handle some OWASP top 10 factors and Barracuda was the only vendor who could give us a viable proof of concept. I and our security guy are the two on top of this and it has proven to be a VERY rich product. Much more powerful than we need in our application set. Our third party vendor is using our appliance for the rest of their products as well. We are pretty happy with it. I know the logs are pretty scary at times. Huge. Even logparser can choke on them at times. Several other products looked pretty good as well, but, in the end, their development team was able to help us specifically with an issue auditors would not let slide. I guess that was ultimately the deciding factor.
by JasonHelmick at 2012-09-04 09:01:39
Hey thanks for the feedback! It’s good to know that Barracuda worked with you to make sure the solution would work.