by relaxedricky on 3/12/14, 3:34 PM with 1 comments
I am currently looking into WAFs to work with Windows servers (Win 2003 - Win 2008) running IIS (6-7) and I am interested in people's recommendations.
I have been able to find a number of different options from Googling; however, I am more interested in people's personal experience: pros/cons, ease of use, etc.
Thanks for your time and any suggestions.
Regards.
by kjs3 on 3/12/14, 6:20 PM
If you mean "run on the same server as the IIS server", then I've had good success with 5nines. Alternatively, ModSecurity is now available for IIS, which, if you're proficient with maintaining it, is effective. WebKnight looked pretty good in the lab, but I've not rolled one into production. Whatever they're calling MS IAS these days has some WAFish functionality, but isn't really a full-blown WAF. If you're really cheap, there's always URLScan, which maybe is better than nothing.
There are also a bunch of folks with cloud-based WAF offerings (e.g. Qualys). This is a good solution for folks that don't have the time/skill to ride herd on a WAF, but usually trades off fine-grained application control.