What benefit do you get from a Web Application Firewall (WAF), and is it worth the effort?
For some time there have been offerings from many suppliers and open-source groups for WAFs. These are essentially OSI Layer 7 firewalls. They seem to fall into two categories. The first is a generic set of rules that blocks bad requests in many formats and has a standard pattern. The second type is one where you define exactly what your app is expecting and the firewall blocks everything else.
The generic rule-set-based ones do offer some benefit for some web apps, but unless your application is trivial you will find them blocking legitimate requests, and you will have to add many exceptions and fix a whole new raft of bugs caused by blocked requests. They are worth a try, and you can run most of these in reporting mode, which might give you a sense of how much work it's going to be to fix up the rules. They do provide some quite good protection against things like odd characters and weird paths that might break your app.
The second type, where you specify the types of request you are expecting in your application and the WAF limits all incoming communication to those requests, seems to be of little benefit. If you have written your application with a decent framework and followed security best practice for that framework, then it should already be filling that role. All it means is that you now have to copy your changes from the application into the WAF as part of your deployment. I think your time would be much better spent on a review of the security of your application and the changes involved. If you can be sure enough of the requirements of your application to define a WAF rule, then the same should be definable in the application itself.
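
To illustrate that last point, here is an added example (not code from any WAF product or framework) of the same allow-list a positive-model WAF would hold, enforced inside the application as WSGI middleware. The two endpoints, their parameters and the patterns are constructed for illustration.

```python
import io
import re
from urllib.parse import parse_qsl

# Hypothetical allow-list for a constructed two-endpoint app: the same facts a
# positive-model WAF rule would hold (method, path, permitted parameters).
ALLOWED = {
    ("GET", "/search"): {"q": re.compile(r"[\w \-]{1,64}"),
                         "page": re.compile(r"\d{1,4}")},
    ("POST", "/login"): {"user": re.compile(r"[A-Za-z0-9_.]{3,32}"),
                         "password": re.compile(r".{8,128}", re.S)},
}

def check_request(method, path, raw_params):
    """Return (allowed, reason) for one request checked against ALLOWED."""
    spec = ALLOWED.get((method.upper(), path))
    if spec is None:
        return False, "method/path not expected"
    seen = set()
    for name, value in parse_qsl(raw_params, keep_blank_values=True):
        if name not in spec:
            return False, f"unexpected parameter {name!r}"
        if name in seen:  # repeated names are a common parser-confusion source
            return False, f"repeated parameter {name!r}"
        if not spec[name].fullmatch(value):
            return False, f"bad value for {name!r}"
        seen.add(name)
    return True, "ok"

def allowlist_middleware(app):
    """WSGI wrapper: reject anything outside ALLOWED before the app sees it."""
    def wrapped(environ, start_response):
        method = environ["REQUEST_METHOD"]
        params = environ.get("QUERY_STRING", "")
        if method == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(body)  # let the app re-read it
            params = body.decode("utf-8", "replace")
        ok, reason = check_request(method, environ.get("PATH_INFO", ""), params)
        if not ok:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [reason.encode()]
        return app(environ, start_response)
    return wrapped
```

Because the table lives in the application's own code, a change to an endpoint and the change to its rule ship in the same deployment rather than being copied into a separate device.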