Webserver protection vs Firewall nat rules

Not sure that I can help with your question, but I can strongly recommend that you put a WAF in front of every website published to the internet.  

If someone creates a bogus reply to your web site, sending 500 text characters instead of the five digits that you are expecting for a US postal zipcode:

• Will your application handle the attack?  
• Will your webserver do something crazy before your application even sees the attack?  
• Do you have any idea how to test for this type of attack?

The answer to all three are probably "I don't know and I don't want to find out by surprise."  

WAF is the defense that saves you from these types of attacks.

Test your WAF configuration to ensure it is locked down as tightly as possible without breaking something.  In case you have not seen this elsewhere my process is:

• Set defense mode to Monitor.
• Test with known-good traffic.
• Export the logs and review for problems.
• Fix the problems and retest until it comes out clean.
• One thing to look for when rigid filtering is enabled:  look for rule ID numbers in square braces [90210].   Add these to the strict filter rule exception list., because they represent false positives.
• When the test come back with no false positives, switch the firewall mode to block bad traffic 

Then I suggest that you declare success and move on to a different problem.

Excellent suggestions, Doug - thanks!

Your final point is excellent advice.  I've had two clients get bogged down in getting WAF going.  In both cases, it was because Marketing had higher priority than Security when it came to getting changes made by the web developer.  Using your approach at least would have gotten them some protection.  Some false-positives are harmless, but I think I'd get a list of some of the disabled rules to someone that could get the developer to change the code so that that protection could be enabled.

Cheers - Bob

I have configured at least 5 different waf sites, and had to use different protection settings for each one.   Some sites have been unable to use rigid filtering at all.  I dont think form signing or cookie signing have ever worked for me.   It has been a trial and error process each time.  During the sales cycle, I came to expect WAF to be fully automatic, but that has not been my experience, and support has always acted as if trial-and-error is normal.  Nothing was ever escalated to development.

To ensure trusted traffic, I configure WAF on an internal IP addtess, then edit my Hosts file to point a test pc at the waf site.   I can use live log (on a second PC) to capture the traffic as it occurs, or download the logs after the fact.

I have configured at least 5 different waf sites, and had to use different protection settings for each one.   Some sites have been unable to use rigid filtering at all.  I dont think form signing or cookie signing have ever worked for me.   It has been a trial and error process each time.  During the sales cycle, I came to expect WAF to be fully automatic, but that has not been my experience, and support has always acted as if trial-and-error is normal.  Nothing was ever escalated to development.

To ensure trusted traffic, I configure WAF on an internal IP addtess, then edit my Hosts file to point a test pc at the waf site.   I can use live log (on a second PC) to capture the traffic as it occurs, or download the logs after the fact.

Good information again, Doug.

When I said "developers," I was talking about the people coding the website behind WAF, not the Sophos devs.

Cheers - Bob