runlevel1 5 years ago

We used F5 Big-IP Viprions for 4 years. It was a colossal waste of money.

The bugs in these supposed "best in class" devices were ridiculous.

Here's a taste:

There was a bug where it would crash on a TCP FIN packet not associated with an existing connection. When a patch was released, installing it on the standby device reset its config and caused it to take over as master, wiping the old master in the process.

I'm not putting anything business critical behind an F5.

Hopefully they don't screw up NGINX.

jitl 5 years ago

WAFs seem to be pretty universally regarded as garbage by the security professionals I know.

- there’s a (closed source for F5) black box that’s gonna mess with some of your requests

- it might block legitimate requests that “look” like SQL injection attempts (false positives)

- a WAF adds a bunch more latency to your request/response cycle

- malicious requests will still get through the WAF (false negatives), so it’s not like you can just forget about application security after you set one up

  • detaro 5 years ago

    I think a big problem is the advertised idea that a WAF can be "turn-key" and effective with defaults, which just doesn't work, + quality issues with at least some offerings. Making a WAF truly effective means understanding what actual traffic for the application looks like and building a profile around that. Which is a lot more effort, and might mean the effort is better invested into other hardening measures.
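The two models being contrasted in this thread (jitl's default-blocklist WAF with its false positives and false negatives, versus detaro's per-application traffic profile) can be shown side by side. The following is an added example written for this page, not code from F5, NGINX or anyone in the thread. The signature list is a constructed stand-in for generic "SQLi" rules, the known-good request sample is made up, and the profile-learning heuristics (digits-only vs. a narrow text charset, plus a 2x length slack) are hypothetical choices made here to keep the example short.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed blocklist rules, loosely in the style of generic "SQLi" signatures.
# They are illustrative, not any vendor's real rule set.
NAIVE_SQLI_SIGNATURES = [
    re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I),
    re.compile(r"(--|#|/\*)"),
    re.compile(r"'\s*or\s*'", re.I),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
]


def naive_waf(url):
    """Negative model: block any parameter value that matches a signature."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if any(sig.search(value) for sig in NAIVE_SQLI_SIGNATURES):
                return ("block", f"signature hit in {name}")
    return ("allow", None)


def learn_profile(sample_urls):
    """Positive model: derive, per path and parameter, the value shape seen in
    known-good traffic. The charset split (digits vs. a narrow text class) and
    the 2x length slack are hypothetical heuristics chosen for this example."""
    seen = {}
    for url in sample_urls:
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        for name, values in query.items():
            seen.setdefault(parts.path, {}).setdefault(name, []).extend(values)
    profile = {}
    for path, params in seen.items():
        profile[path] = {}
        for name, values in params.items():
            if all(v.isdigit() for v in values):
                allowed = re.compile(r"^[0-9]+$")
            else:
                allowed = re.compile(r"^[\w \-.,!?']+$")
            profile[path][name] = {
                "pattern": allowed,
                "max_len": 2 * max(len(v) for v in values),
            }
    return profile


def profiled_waf(url, profile):
    """Enforce the learned profile: unknown paths, unknown parameters and
    values outside the observed shape are all rejected."""
    parts = urlsplit(url)
    params = profile.get(parts.path)
    if params is None:
        return ("block", f"unprofiled path {parts.path}")
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, values in query.items():
        spec = params.get(name)
        if spec is None:
            return ("block", f"unexpected parameter {name}")
        for value in values:
            if len(value) > spec["max_len"] or not spec["pattern"].fullmatch(value):
                return ("block", f"value of {name} outside profile")
    return ("allow", None)


# Constructed sample of legitimate traffic used to train the profile.
KNOWN_GOOD = [
    "/api/products?id=1042&page=2",
    "/api/products?id=7",
    "/search?q=winter+jackets",
    "/search?q=don%27t+drop+it",
]


def compare(url, profile):
    """Return (naive verdict, profiled verdict) for one request."""
    return (naive_waf(url)[0], profiled_waf(url, profile)[0])


if __name__ == "__main__":
    profile = learn_profile(KNOWN_GOOD)
    for url in [
        "/search?q=select+the+best+one",   # legitimate search: naive false positive
        "/api/products?id=1+OR+2%3E1",    # tautology without "=": naive false negative
        "/api/products?id=5&debug=1",     # parameter the app never used
    ]:
        print(url, compare(url, profile))
```

The search for "select the best one" is blocked by the signature list and allowed by the profile; the `id=1 OR 2>1` tautology slips past the signatures (none of them match a comparison without `=`) but fails the digits-only shape the profile learned for `id`; and the never-seen `debug` parameter is rejected by the profile alone. The cost is the part detaro points out: the profile is only as good as the traffic sample it was built from, and every new endpoint or parameter needs the profile updated before it goes live.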

  • sebazzz 5 years ago

    Security is built on layers. A WAF is just another layer.

    Just like obscurity. Security is not done only through obscurity, but obscurity can increase security.

Neil44 5 years ago

I wonder if not having all the bot traffic hitting the application would create savings in resource requirements that would match or exceed the cost of the WAF. I.e. would it pay for itself if you had a lot of bot traffic.

whatupmd 5 years ago

Just an F5 advertisement really.