I ran an unsuccessful game service for a while, and due to the nature of our product (custom 3D characters) we suspected we would receive, and did receive, an incredible number of hack attempts for a pretty much unknown web service. Expecting the issue, we got a US $20K SonicWall hardware firewall of the class used by banks. Best investment ever. On four separate occasions we had DoS attacks that the SonicWall shrugged off without breaking a sweat. Typically, we'd see 100-300 actual hack attempts per day for this unknown service. To handle this, what it takes is being serious, and listening to and following your security experts' guidance without cutting corners. They are aware security is expensive and have already mentally scaled their recommendations to a balance between what they think you can afford and the security you'll need. Go with their recommendation - they are the experts.
Are you conflating DoS (something a firewall can deal with) with the kind of hacking that can penetrate a system? I'm not sure a firewall can do anything about (for example) SQL injection.
I think commenter is describing his company's operation, what attacks they were facing, and that listening to advice countered them. Commenter doesn't mention a SQL Injection or claim his case applies to anything else. Instead, merely points out that listening to professionals who understand risks of your technology and following their advice can prevent problems caused by those risks. That was my take.
...that a few inexpensive practices stop almost all the common methods currently. There are also frameworks and stacks that immunize web applications against common ones for them with little to no effort by developers. These fit parent's claim where you just follow basic security advice with available tools for each category to stop many attacks.
Now, that's not going to cover everything. A dedicated, professional attacker or team targeting your individual business might break past it all. Most breaches we see, though, are companies not doing the basics.
> Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APTs in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPNs by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely costs anything.
That's a lot more invasive ongoing work than "add piece of hardware", or "add this DNS record".
Add this whitelisting software with your main apps on the list. Install updates when available by clicking update. Done for 75% of it. Your admin using OpenBSD or Linux install instead of something else for backend is invisible to you. The developers writing apps with one framework or library use a different one. I'm not seeing this invasive nature of easy stuff. Straightforward.
Seems more do given the number of companies with 1-5 IT people that do stuff like this. They just care, Google tech X plus security/hardening guide, and follow the advice. Apply patches, check logs on occasion. A little less apathy goes a long way.
I'm not familiar with SonicWall specifically, but a packet-inspecting web app firewall can indeed do something about SQL injections, obvious ones anyway.