Pantek Library

Re: web application security products (AKA application firewalls)

From: <securityarchitect(at)hush.com>
Date: Fri Nov 22 2002 - 13:09:45 EST

I have only looked at them all in brief. When my management found out we were gonna stick a box between us and our customers that may stop a legitimate customer coming in, it got dropped like a lead balloon.

I have heard some horror stories of new applications coming online that aren't classically written that get blocked. One has problems with anything where you make changes in any way client-side (read: if you have JavaScript or VBScript, avoid like the plague).

The proxy-based ones are in my opinion the worst idea. The throughput of them is pretty bad, they can't deal with load balancing well (Cisco director). The throughput issue is the big one. They are usually based on a single Linux box and so just don't scale. If you wanna see SSL they also have to decrypt SSL and so are effectively a choked router.

If I were you and money is no object, look at one of the new hardware-based IDSs that do anomaly detection. When it sits on the network and knows the normalized packet characteristics, they pretty easily spot weird behaviour.

On Wed, 20 Nov 2002 00:21:21 -0800 Shimon Silberschlag <shimons@bll.co.il> wrote:
>What is the group experience with these type of devices? Any good,

Received on Sun Nov 24 16:43:44 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT
