# cfml-general
Daniel Mejia

02/07/2022, 4:51 PM
@foundeo Hi Pete, do you know the pros and cons of running FuseGuard on a CFML application vs a cloud-based solution like AWS WAF or Azure WAF that is in front of the application (not on the same application host)?
foundeo

02/07/2022, 5:28 PM
Certainly… In general there isn’t any harm in running more than one level of waf… defense in depth, so it is a perfectly valid approach to have two layers.
Since I am terrible at sales I’ll start with the pros of the cloud-based WAF: The primary benefit to them is that they cover the entire web server (including any static assets, etc), whereas FuseGuard is only protecting your CFML application. If you have other technologies like PHP on the server then FuseGuard isn’t going to do anything to protect it.
One of the advantages of FuseGuard is that it runs at your application layer, so this means it is very easy to test locally (even if you have 1 server license, you can still run it on unlimited non-production, dev servers), so if you are adding a feature that will require some configuration on the WAF side, then you’ll find out right away during development, rather than when you push the code and it breaks in production. This is also a good thing in terms of encoding / decoding: when FuseGuard inspects the variable `#form.whatever#` it is running inside the CFML engine context, so FuseGuard doesn’t need to worry about all the different ways attackers encode variables to escape detection. FuseGuard is seeing the variable the same way your application code will see it.
Daniel Mejia

02/07/2022, 5:32 PM
Thanks for replying Pete. I think I have to apply both, monitor the bad requests coming in, perhaps only run 1 at a time for a few months, and maybe after a year determine if only 1 is needed or if both. Azure WAF and FuseGuard would cost about the same per month.
foundeo

02/07/2022, 5:32 PM
Another advantage of FuseGuard vs a Cloud WAF is that you’ll have the full source code of FG, and you can extend any of the filters (they are just CFCs), so if you want to change how it works, you can do that.
Yeah, with FuseGuard you can run it in Log Only Mode, which will not block anything but will log stuff it may have blocked.
In terms of protecting against threats there will be things that only Azure WAF would block but FuseGuard wouldn’t, and then there will be things that FuseGuard would block but Azure WAF wouldn’t. No WAF (or any security product) will get you 100% protection, so having the multiple layers can be a good strategy to increase the odds of a threat being blocked.
Daniel Mejia

02/07/2022, 5:52 PM
@foundeo do you do any testing?
foundeo

02/07/2022, 5:54 PM
FG has tons of unit tests that have to pass before each release, or did you mean do I do penetration testing?
Daniel Mejia

02/07/2022, 6:00 PM
Yes, penetration testing.
foundeo

02/07/2022, 6:32 PM
Yes, I do some penetration testing, usually in combination with a code review to try to target the risky areas of the app.
wil-shiftinsert

02/07/2022, 9:41 PM
Hi, Pete didn’t pay me for this comment (although he should 🍻 🤣). We just implemented FuseGuard for some customer for a VERY VERY old CF application on CF9, which they don’t want to update anymore. But we love it for this app. It gives a lot more insight on the application and I am sure you will discover things which you’ll never see with Azure WAF. And once you know what can happen to your app, you can improve it, and maybe change to Azure in a later stage if you can’t afford both. Please feel free to ping me for details, but it is really easy to implement. You could just consider the evaluation version to see if it is worth its money. Easy to install, but you have to RTFM and the readme!
Daniel Mejia

02/07/2022, 10:50 PM
Hey sounds promising.
David Buck

02/08/2022, 5:47 PM
I have a love/hate relationship with FuseGuard. It's often a sledgehammer when I want a scalpel, and yet there's no denying its miraculous ability to make 20-year-old mudballs pass pen tests. We have vintage apps that simply couldn't be kept online without it. But if I were starting something from scratch, I think I'd prefer to put it in log-only mode, and decide for myself where and how client variables should be dealt with.