What is the best Web Application Firewall for IIS? [closed]

That is an extremely open ended question. A firewall can be software or hardware, free or tens of thousands of dollars. It really depends on your needs and budget as far as "best".

Of course, in the end, when you say "best", I say: Cisco.

Note that the term "web application firewall" also means different things to different people. To Cisco, it seems to mean an XML-targeted system. You may actually need a more general-purpose firewall like something from the ASA series. These issues of security are multifaceted, and I'm not a PCI-DSS expert, so I'm not completely sure of the nuances with your request. However, I can tell you that whatever you need, Cisco has it, and it probably rocks, if you'll forgive the superlative.


First of all, I'm not sure where you doubters have been for the last few years, but the requirement for a WAF in PCI is one part of requirement 6.6, and it's been the most talked-about requirement of the last few years. (I would post a link, but since I'm new I can only post one link per message, and I'm saving it. Just Google "6.6 PCI WAF" and you'll have a thousand results.)

As for which is "best", best is a very relative term. Try to find the one that best fits your needs and budget. If you want a starting point, there's a brief writeup of the major players here: http://www.docstoc.com/docs/9687629/WAF


I have tested a number of different Web Application Firewalls from many of the major hardware and software vendors. None of them have really had any notable effect on my ability to manually expose the problems in vulnerable web applications.

They are getting pretty good at stopping the kind of attacks that worms or unseasoned attackers may try, but a determined human attacker can always easily tweak his attack vector such that it no longer trips the IDS. They all essentially match requests against regular expressions, looking for common attack patterns. But they are so easy to get around.

Only consider a device like this as an additional layer to your security. Do not consider one to save your developers from writing vulnerability-free code, or save your admins from keeping systems and software regularly updated and patched. I can tell you for free that they won't stop people getting at your SQL injection or cross-site scripting vulnerabilities.
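To illustrate the point made in this answer about signature matching versus fixing the code, here is an added example (not from the original post or any vendor product): a toy signature-based inspector of the kind a WAF applies to request parameters, beside a parameterized database query that treats the same input as plain data. The signature patterns and the in-memory table are constructed for the example.

```python
import re
import sqlite3

# Constructed, illustrative signatures: a signature-based WAF matches request
# parameters against patterns like these, looking for textbook attack strings.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\s+select\b|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bonerror\s*=)"),
}


def waf_inspect(params):
    """Return (parameter, rule) pairs whose value matches a signature.

    An empty list means the request would pass through the toy WAF.
    """
    hits = []
    for name, value in params.items():
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def build_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user(conn, name):
    """Parameterized query: the input is bound as a value, never spliced into SQL.

    This is the application-level fix the answer says a WAF cannot replace;
    it returns only exact-name matches whatever the input looks like.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for candidate in ("bob", "alice' OR 1=1 --"):
        print(candidate, "->", waf_inspect({"user": candidate}),
              lookup_user(db, candidate))
```

The textbook string trips the toy signature, but the parameterized query is what keeps it from changing the query's meaning; the WAF is an additional layer on top of that, not a replacement for it.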


I'm with Cheekysoft, but I'd also regularly scan my Web applications for vulnerabilities with Nessus, Nikto, and (haven't tried it yet but heard good things) Google's recently released SkipFish. You may also be able to make your own informed decision from The Open Web Application Security Project (OWASP) guide to Web Application Firewalls: http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls