Web Application Firewall for ColdFusion Launched

March 26, 2009
coldfusion

I'm excited to announce today the launch of Foundeo's latest product: the Foundeo Web Application Firewall for ColdFusion. The product can block or log malicious requests to your ColdFusion applications, including attacks such as:

  • Cross Site Scripting / XSS
  • SQL Injection
  • Session Hijacking
  • Cross Site Request Forgery
  • CRLF Injection
  • Path Traversal Attacks
  • Password Dictionary Attacks

I think it is also important to address what this product is not. It is not a magic filter that can catch every possible hack attempt on your web applications. An attacker needs to find only one security hole to be successful. I want to make it very clear that this product should not be a substitute for secure coding practices. In fact, we are giving away a copy of our CFML Security Checklist with each copy of the firewall we sell.

Because this product is written in CFML, there are some unique advantages, such as:

  • You can use it on most Shared Hosting Accounts
  • You can write your own custom Filters in CFML
  • You can interact with the firewall directly from within your ColdFusion web applications
  • Configuration is done with CFML, so there is no new configuration language to learn

Twitter Contest - Win a Free Copy

We are also holding a Twitter contest. Follow @foundeo on Twitter by 4/1/09 for a chance to win. The winner will be picked at random from all @foundeo followers on 4/1/09.


Comments

Has this been tested against any of the services that perform PCI testing? Does it rewrite and convert all "domain" cookies to "host" cookies? http://tinyurl.com/c8w82x How much overhead does it add? And finally, why does the enterprise version cost almost 4x more than a SonicWall firewall appliance?
@James - Yes, it has been tested with services that perform PCI scans. We don't have any results to publish, but I think it fares pretty well. It does not rewrite any cookies; it doesn't alter the request at all out of the box, but you could write filters that do that. And the pricing on our enterprise version is actually much less than other WAFs, which can cost tens of thousands of dollars. Also, I don't think the SonicWall appliance is a Web Application Firewall, but rather a more traditional network firewall. Thank you for your interest.
(PCI) I'll test it out of the box and let you know the results. (no cookie rewrite) Good. Portcullis destroyed all domain level cookies and I had to quit protecting cookies as a result. (Pricing) I googled WAF and found "Woman Acceptance Factor" [grin]... but the first 2 results for "web application framework" were 2 open source solutions, OWASP and ModSecurity. I don't know too much about their offerings yet, but is there any additional information available concerning CWAF apart from the single page of information? I'd like to learn more, but don't want to have to think about which questions to ask or spend too much time contrasting and comparing it with other products. Thanks.
@James - Sorry, WAF stands for Web Application Firewall. What sets a WAF apart from other firewalls is that it can detect attacks against your web application code: things like SQL Injection, Cross Site Scripting, etc. It understands the HTTP protocol, whereas a network firewall may not know HTTP, only TCP/IP, ICMP, etc. I will admit the product page is still a bit sparse, but if you request an evaluation you can learn more about our product from the documentation. Also feel free to contact foundeo: http://foundeo.com/contact/ with any questions you might have.
Sorry to possibly intrude on your product; I ran across your blog searching for JVM tuning. Why buy your product when you can use a proxy front like Apache or nginx, with proper mod_security and request filters? We use LiteSpeed Enterprise in front of CFM, and have about 500+ rules.
@David - I think there are some unique advantages to having this protection in the same layer as your application. You can interact with and invalidate the session, your application can communicate directly with the firewall, developers can write rules in the same language they use to write their applications, etc. There are certainly advantages to having a hardware front, or a proxy front, as well; I think this product has a niche. One of the big differences is that our firewall can be added to and configured for the application by the developer. Setting up mod_security on a proxy would have to be done by the systems and network administrator, who probably has much less knowledge of how the application actually works. In my opinion a WAF is best configured when it is done with a deep understanding of the web application it is protecting. Also, in many cases (most notably on shared hosts) you may not be able to install external software or hardware. If you can run CFML you can use our firewall. One final use case is blocking password dictionary attacks. Most WAFs can do this by seeing lots of password requests come in, but only the web application knows if it is an invalid username or an invalid password. If someone is trying lots of invalid usernames you could provide a more aggressive blocking strategy. Sending this message from your CFML application to an external WAF can be difficult; sending a message to our WAF from your application is very easy. All that being said, this product is not a golden hammer; you need to pick the best tool for your needs.
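The username-aware dictionary-attack blocking described in the reply above, and the earlier point that only something living in the application layer can see whether a login failed because the account does not exist, as an added example that is not part of the original post and does not use FuseGuard's own API (which the page does not show). It is a hypothetical CFC, LoginAttackTracker, that keeps per-IP failure timestamps in a sliding window and blocks much sooner when the failures are for unknown usernames than for wrong passwords. The component and method names, the thresholds, the form field names, the Application.cfc wiring and the userService calls in the login handler are all assumptions; the syntax is ColdFusion 9 era cfscript.

```cfml
// ---- LoginAttackTracker.cfc (hypothetical helper written for this example; not FuseGuard's API) ----
// Keeps a sliding window of failed logins per client IP and blocks far sooner when the failures
// are for usernames that do not exist: a real user mistypes one password, a dictionary attack
// walks through many usernames.
component {

    public any function init(numeric windowSeconds = 300,
                             numeric maxBadPasswords = 20,
                             numeric maxUnknownUsers = 5) {
        variables.windowSeconds   = arguments.windowSeconds;
        variables.maxBadPasswords = arguments.maxBadPasswords;
        variables.maxUnknownUsers = arguments.maxUnknownUsers;
        // ip -> { badPassword = [epoch seconds], unknownUser = [epoch seconds] }
        variables.attempts = {};
        return this;
    }

    // reason is "unknownUser" (no such account) or "badPassword" (account exists, wrong password)
    public void function recordFailure(required string ip, required string reason) {
        var now = nowSeconds();
        if (arguments.reason != "unknownUser" && arguments.reason != "badPassword") {
            throw(type = "LoginAttackTracker.BadReason", message = "Unknown reason: " & arguments.reason);
        }
        lock name="loginAttackTracker" type="exclusive" timeout="5" {
            if (!structKeyExists(variables.attempts, arguments.ip)) {
                variables.attempts[arguments.ip] = { badPassword = [], unknownUser = [] };
            }
            arrayAppend(variables.attempts[arguments.ip][arguments.reason], now);
            prune(arguments.ip, now);
        }
    }

    public boolean function isBlocked(required string ip) {
        var now = nowSeconds();
        var a = "";
        lock name="loginAttackTracker" type="exclusive" timeout="5" {
            if (!structKeyExists(variables.attempts, arguments.ip)) {
                return false;
            }
            prune(arguments.ip, now);
            a = variables.attempts[arguments.ip];
            // 5 unknown usernames trips the block; a known user gets 20 tries at the password
            return arrayLen(a.unknownUser) >= variables.maxUnknownUsers
                || arrayLen(a.badPassword)  >= variables.maxBadPasswords;
        }
    }

    // drop timestamps older than the window so the block lifts once the window elapses
    private void function prune(required string ip, required numeric now) {
        var cutoff = arguments.now - variables.windowSeconds;
        var a = variables.attempts[arguments.ip];
        var i = 0;
        for (i = arrayLen(a.badPassword); i >= 1; i--) {
            if (a.badPassword[i] < cutoff) { arrayDeleteAt(a.badPassword, i); }
        }
        for (i = arrayLen(a.unknownUser); i >= 1; i--) {
            if (a.unknownUser[i] < cutoff) { arrayDeleteAt(a.unknownUser, i); }
        }
    }

    private numeric function nowSeconds() {
        return int(getTickCount() / 1000);
    }
}

// ---- login.cfm, inside a <cfscript> block (assumed handler shape) ----
// The tracker is created once in Application.cfc's onApplicationStart():
//   application.loginTracker = createObject("component", "LoginAttackTracker").init();
tracker  = application.loginTracker;
clientIp = cgi.remote_addr;   // behind a reverse proxy this is the proxy's address; use a forwarded
                              // header only if that proxy is trusted and overwrites client-supplied copies

if (tracker.isBlocked(clientIp)) {
    getPageContext().getResponse().setStatus(429);
    writeOutput("Too many failed login attempts. Try again later.");
    abort;
}

// userService.findByUsername / verifyPassword stand in for the application's own user lookup
user = userService.findByUsername(form.username);
if (isNull(user)) {
    tracker.recordFailure(clientIp, "unknownUser");
} else if (!userService.verifyPassword(user, form.password)) {
    tracker.recordFailure(clientIp, "badPassword");
} else {
    // on ColdFusion 10+ call sessionRotate() here so a pre-login session id cannot be fixed by an attacker
    session.userId = user.id;
    location(url = "/home.cfm", addtoken = false);
}
// the browser sees the same message for both failure kinds; the distinction feeds only the tracker
writeOutput("Invalid username or password.");
```

The reason passed to recordFailure must never reach the response, or the login form becomes a username enumeration oracle; the asymmetry lives entirely in the thresholds. Two things a production version needs beyond this sketch: eviction of IPs whose arrays have pruned to empty, so variables.attempts does not grow without bound, and a store shared across nodes if the application is clustered, since this tracker lives in one JVM's application scope.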
Hmm, any performance degradation? As always with the security vs. performance issue... Might be worth looking at if resource consumption isn't too bad; more security never hurts :)
@David - Resource consumption depends on how it is configured, and server hardware. I would recommend downloading the evaluation, and giving it a spin in your environment. In general I think the resource consumption is low enough for there to be no noticeable difference, but it's best to just see for yourself.
Sir! Can you send me an evaluation version of FuseGuard 2.0?
@Jack - You can download the evaluation copy here: https://foundeo.com/security/eval/
