Saturday, September 27, 2008

WAF over SSL VPN?

Question: When is it a good idea to add a Web Application Firewall (WAF) to an existing VPN/SSL connection? Is it even necessary at all?
Approximately 100 end-users
Medium security (no cash transactions)
Web server IIS based
Scalability


Answer:
The answer depends on your security requirements.

If you have an assessed requirement (e.g. PCI) to secure your applications with a front-end such as a web application firewall (WAF), then you should have a web application firewall in front of your web applications.

In general, a properly configured SSL VPN adds the following features, which matter to shops that would otherwise require a layer 7 web application firewall:
1 - All users accessing your web applications through the SSL VPN are authenticated when authentication is enforced. If authenticated users are considered trusted, then you do not need extra WAF protection.
2 - SSL VPN systems can perform pre-authentication posture checks, such as scans for malicious software. If you consider scanned, clean systems trusted, then you do not need a web application firewall.
3 - Some SSL VPN systems come with integrated security features such as content security, layer 7 security, protocol checks, firewalls, etc. If the security level offered by the SSL VPN vendor is good enough for your web application security requirements, you do not need an additional WAF layer.

Let me know if you have any specific questions,
Regards,
- yinal ozkan
