Benefits of placing WAF reverse proxy/transparent in front of web-based honeypots?

Çağlar Arlı

For my final year project, I wanted to do a comparative analysis of two WAFs, ModSec/Shadow Daemon, and the web-based honeypot SNARE/TANNER.

I wanted to find out if there are any benefits of placing a WAF inline of a web-based honeypot. Does it defeat the purpose of a honeypot by placing a WAF inline? Can a WAF add value in terms of deception capabilities or aid in the development of future mitigation techniques? For instance, determine what attacks bypass the WAF and, if so, what attacks can be caught by the honeypot? I know this boils down to the honeypot's limitations, as it's low-interaction and applies vulnerability type emulation rather than actual vulnerabilities.

  1. Would an inline WAF make the honeypot appear more attractive by making it more difficult to attack?

  2. Can consolidating WAF and honeypot attack vector logs through SIEM aid in adding context to the data generated?

The first approach requires a live deployment, which I currently don't have time to test. The second approach would be ideal because I could use WAF testing frameworks such as w3af, WebGoat, Imperva, etc., which can be tested in a virtual environment.

This research topic has not been done before; I don't know why. I just want to confirm whether it's a waste of time or I'm going about it the wrong way.
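
The log consolidation raised in question 2 can be sketched as a join between the two sensors. This is an added example, not part of the original post and not code from ModSecurity, Shadow Daemon, SNARE or TANNER. It assumes both feeds have already been normalized to the hypothetical fields `ts`, `src`, `uri`, `action` and `detection`, and that the honeypot sees the real client address (for example via a forwarded-for header in reverse-proxy mode).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=2)  # assumed maximum clock skew between the two sensors

# Constructed, already-normalized records (not real WAF or honeypot output).
# PAYLOAD_A/B/C are placeholders for request contents.
WAF_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "src": "203.0.113.5", "uri": "/item?id=PAYLOAD_A", "action": "blocked"},
    {"ts": "2024-01-01T10:00:05", "src": "203.0.113.5", "uri": "/item?id=PAYLOAD_B", "action": "passed"},
    {"ts": "2024-01-01T10:00:09", "src": "198.51.100.7", "uri": "/index.html", "action": "passed"},
]
HONEYPOT_EVENTS = [
    {"ts": "2024-01-01T10:00:06", "src": "203.0.113.5", "uri": "/item?id=PAYLOAD_B", "detection": "sqli"},
    {"ts": "2024-01-01T10:00:09", "src": "198.51.100.7", "uri": "/index.html", "detection": "index"},
    {"ts": "2024-01-01T10:00:20", "src": "192.0.2.9", "uri": "/download?file=PAYLOAD_C", "detection": "lfi"},
]
BENIGN = {"index"}  # assumed label the honeypot gives to non-attack requests


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate(waf_events, honeypot_events, window=WINDOW):
    """Join both feeds on (src, uri) within `window` and label each request."""
    results, used = [], set()
    for w in waf_events:
        match = None
        for i, h in enumerate(honeypot_events):
            if i in used or (h["src"], h["uri"]) != (w["src"], w["uri"]):
                continue
            if abs(_t(h) - _t(w)) <= window:
                match = i
                break
        if match is not None:
            used.add(match)
        detection = honeypot_events[match]["detection"] if match is not None else None
        if w["action"] == "blocked":
            # A blocked request that still reached the honeypot means the block was not enforced.
            label = "blocked_at_waf" if match is None else "block_not_enforced"
        elif detection is not None and detection not in BENIGN:
            label = "bypassed_waf"
        else:
            label = "passed_no_attack_seen"
        results.append((w["src"], w["uri"], label, detection))
    # Honeypot hits with no WAF record point to a log gap or a path around the WAF.
    for i, h in enumerate(honeypot_events):
        if i not in used:
            results.append((h["src"], h["uri"], "honeypot_only", h["detection"]))
    return results
```

The `bypassed_waf` rows are the ones that add context: requests the WAF passed but the honeypot's emulators still classified as an attack.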