Hi,

A WAF is an operational security control which monitors HTTP traffic in order to protect web applications from attacks.

The key elements in this definition are:

1) *Operational control* - a WAF protects applications in real time, rather than hardening them or fixing them in advance.
2) *HTTP traffic* - a WAF analyzes the traffic between the untrusted client and the web server.
3) *Protect web applications* - WAFs protect web applications. Mostly custom written and very dynamic, web applications are in many cases vulnerable and not well protected by other solutions.

*Differentiation*

Only by defining the method used to protect applications can a WAF be differentiated from other security solutions that inspect traffic, most notably IDS and IPS. To be a WAF, a system should:

*Have intimate understanding of HTTP* - while not of importance by itself, only by fully parsing and analyzing HTTP, breaking it into its elements including headers, parameters and payload, can a WAF effectively meet the following requirements and avoid evasion.

*Provide a positive security model* - a positive security policy allows only things known to be valid to go through. This protection mechanism, sometimes called "white listing", provides an external input validation shield over the application. Too many web attacks cannot be reliably detected using signatures, making a signature-only solution not strong enough to protect web applications.

*Application layer rules* - due to high maintenance cost, a positive security model by itself is not effective enough to protect web applications and should be augmented by a signature-based system. But since web applications are custom, traditional signatures targeting known vulnerabilities are not effective. WAF rules should be generic and detect any variant of an attack such as SQL injection.

*Session based protection* - one of the biggest downsides of HTTP is the lack of a built-in reliable session mechanism. A WAF must complement the application session management and protect it from session-based and over-time attacks.

*Allow fine-grained policy management* - most notably, exceptions should be applied to only minimal parts of the application. If a system does not allow minimal exceptions, false positives force opening wide security gaps.
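To make the positive security model, the generic application-layer rule and the minimal-exception requirements concrete, here is a small added example (my own illustration, not from the original message or any real WAF product). The policy, the SQL injection pattern and the exception table are constructed for the example, and the whitelist is checked before the generic rule, as the message describes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Positive policy (constructed): the only paths and parameters accepted, each with a
# pattern every value must fully match. Anything not listed here is rejected.
POLICY = {
    "/login": {"user": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
               "otp": re.compile(r"[0-9]{6}")},
    "/search": {"q": re.compile(r"[\w\s'-]{1,64}")},
    "/notes": {"text": re.compile(r"[\s\S]{1,2000}")},  # free text field
}

# Generic application-layer rule (constructed, deliberately narrow): flags
# SQL-injection-shaped input without knowing which application it would target.
SQLI_RULE = re.compile(r"\bunion\s+select\b|'\s*or\s+'?\w+'?\s*=", re.I)

# Fine-grained exception (constructed): switch off only the "sqli" rule for one
# parameter of one path, instead of disabling the rule for the whole site.
EXCEPTIONS = {("/notes", "text"): {"sqli"}}


def inspect(method, target, body=""):
    """Return (verdict, reason) for one HTTP request.

    Parses the request into path and parameters the way a WAF would (query string
    plus form body), then applies the whitelist first and the generic rule second.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    allowed = POLICY.get(parts.path)
    if allowed is None:
        return "block", f"path not in policy: {parts.path}"
    for name, values in params.items():
        pattern = allowed.get(name)
        if pattern is None:
            return "block", f"parameter not in policy: {name}"
        if not all(pattern.fullmatch(v) for v in values):
            return "block", f"value of {name} fails whitelist"
        if "sqli" not in EXCEPTIONS.get((parts.path, name), set()):
            if any(SQLI_RULE.search(v) for v in values):
                return "block", f"generic SQLi rule matched on {name}"
    return "allow", "ok"


if __name__ == "__main__":
    print(inspect("GET", "/search?q=web+application+firewall"))
    print(inspect("GET", "/search?q=x+union+select+1"))
    print(inspect("POST", "/login", "user=alice&otp=12345"))
    print(inspect("POST", "/notes", "text=x+union+select+1"))
```

The second request shows why the message calls for generic rules on top of the whitelist: the value is well-formed text by the positive policy, and only the application-layer rule stops it.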
