Ask HN: Do you use Web Application Firewall (WAF)?

10 points by dsingh, almost 11 years ago
I am wondering if it is worth the extra protection of using a WAF or is it ok to rely on our application code to protect against XSS, SQL injection etc. type of attacks? This is for a new cloud application that we are launching. I am leaning towards using a WAF since this is an enterprise/business application. Also, are there any specific products you would recommend? I have been reviewing how to configure the rules in HAProxy/mod_security but am wondering if it is just safer to rely on a commercial product. Any suggestions or experiences?

5 comments

shawnreilly, almost 11 years ago
I've always viewed security as a layered approach. The more layers you add, the better protected you are. I subscribe to the thought that nothing is 100% secure, so I would recommend to put as many layers as possible. In my opinion, the issue you should be concerned about is the effectiveness of whatever solutions (layers) you implement. I think it is being accepted by the industry that detection and prevention methodologies based on predefined data (signatures, rules, etc) are only as strong as said predefined data. In layman's terms, it will probably protect you from most unsophisticated attackers, but that's it. Today's most sophisticated attacks are one-off (0day) and/or custom, so they probably won't be defined. In this regard, some of the newer generation security solutions are developing / using smarter detection and protection methodologies (real time adaptive models vice defined positive and / or negative models). I don't mean to paint a negative picture, but I am trying to illustrate the importance of multiple layers. ModSecurity seems to be the preferred open source solution with a more active community than the rest. But Intel and Oracle also have some interesting solutions in this space.
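The two layers the question and this reply talk about, as an added example that is not code from the thread or from any product named in it: a constructed, deliberately tiny signature list stands in for a WAF rule set, and the application layer uses parameterised queries and output encoding, which hold regardless of what the rule set recognises. The rule ids, table and sample rows are all constructed for the demo.

```python
import html
import re
import sqlite3
from typing import Dict, List, Optional

# Constructed rule set standing in for a WAF's signatures. A rule-based layer
# only blocks what its rules describe, so its coverage is exactly this list.
WAF_RULES = {
    "sqli-union": re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),
    "xss-script": re.compile(r"(?i)<\s*script\b"),
}


def waf_check(value: str) -> Optional[str]:
    """Layer 1: return the id of the first matching rule, or None if allowed."""
    for rule_id, pattern in WAF_RULES.items():
        if pattern.search(value):
            return rule_id
    return None


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (one name contains a quote)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("o'brien",)])
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> List[str]:
    """Layer 2 for SQL: the value is bound as data and never parsed as SQL,
    so quotes or keywords inside it cannot alter the statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


def render_name(name: str) -> str:
    """Layer 2 for XSS: encode on output so any markup in the data stays inert."""
    return '<span class="user">%s</span>' % html.escape(name)


def handle_request(conn: sqlite3.Connection, name: str) -> Dict[str, object]:
    """Both layers in order: the coarse WAF filter first, then the hardened app.
    The app layer does the same work whether or not layer 1 matched anything."""
    rule_id = waf_check(name)
    if rule_id is not None:
        return {"status": 403, "rule": rule_id}
    return {"status": 200, "users": find_user(conn, name), "html": render_name(name)}
```

Note that the signature layer both misses anything outside its list and can reject legitimate text that merely mentions a keyword, which is why the application-level controls are the ones to rely on.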
oswalpalash, almost 11 years ago
I've used Mod_Security previously and I must tell you it is quite efficient against basic types of attacks. Being a penetration tester, I would suggest that you implement mod_security preliminarily and test your product for vulnerabilities.
tptacek, almost 11 years ago
I don't think WAFs are worth the maintenance headache. I help manage a pentesting firm. Once in a blue moon, we'll get a target with a WAF installed that can't be disabled for the test, and it's never more than a speed-bump. Generally: I wouldn't bother.

If you're going to do something WAF-y, my recommendation would be modsecurity.
bio4m, almost 11 years ago
A WAF is like insurance: most of the time you won't need it, but it's good to have when the s*it hits the fan.

While you can rely on your app to have its own security, it never hurts to have extra (unless latency is a concern).

I'd start with an open source version and move up to a commercial product if it's necessary.
vscarpenter, almost 11 years ago
I use mod_security for personal sites and Cisco NetScaler as a WAF, load-balancer and SSL offloader at work. If I was given the choice, I would use HAProxy and mod_security as I'm not too impressed with NetScaler.