Hosted WAF Solutions Specific to Drupal

Events happening in the community are now at Drupal community events on www.drupal.org.
johnjones4's picture
Posted by johnjones4 on December 20, 2013 at 4:05pm

Are there any hosted WAF (Web Application Firewall) solutions available that work best with Drupal? The site we have in mind for use in this scenario is a simple content-driven site.

Categories: , , , ,

Comments

not that I know of but if

Posted by likewhoa on December 20, 2013 at 4:37pm
likewhoa's picture

not that I know of but if you're looking for top notch managed hosting that is optimized for drupal give me a buzz. I offer network monitoring services. see my site http://missionaccomplish.com/it-security-services

What you can also do if you wish to save some money is learn iptables. There are a bunch of frontend for it that you can use but if you're looking for more detailed network monitoring and automated ip blocking you need a service provider to handle all that ;)

see "shorewall" as one example tool to manage your iptables.

bending technology to fit businesses.

Perhaps Incapsula? Or mod_security?

Posted by doub1ejack on February 20, 2014 at 8:17pm
doub1ejack's picture

CloudFlare markets itself as a Web Application Firewall. After hearing some bright people mention it recently I took a look to see if it was something we should consider for our Drupal sites. Ultimately, it wasn't impressive.

The best summary I found was this summary of a report from Zero Science Lab:
http://tonyonsecurity.com/2013/03/09/protect-your-website-vulnerabilitie...

This points to two good options: 1) using Incapsula's WAF service, or 2) using ModSecurity's addon's for Apache, IIS or Nginx. The second option has a bit of a learning curve, but came out ahead in Zero's studies (assuming of course, that you configure things correctly).

I know at least some sites

Posted by greggles on July 5, 2014 at 9:40pm
greggles's picture

I know at least some sites are using a WAF like modsecurity in front of Drupal...but as far as I know, nobody is publishing any customizations they make in the ruleset that are specific to Drupal.

It seems like it would be a great thing to have on drupal.org - we have tons of modules, why not modsecurity rules?

Anyone with more experience than I have care to provide thoughts on this idea?

Thanks!

knaddison blog | Morris Animal Foundation

WAF Blocks Drupal query more than 500 parameters

Posted by haghazy on October 27, 2014 at 4:30pm
haghazy's picture

Hi All,

My WAF firewall by default blocks Drupal queries that are more than 500 parameters, which i see from a security point of view as a correct behavior because it is preventing against DoS attacks.

I can increase the 500 threshold to more and not face this issue anymore, however, how can we decrease the parameters in Drupal so that it can send less than 500?

Thanks in advance

Hussein

Consulting and Business

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: