How a WAF works if the traffic is HTTPS.
On Mon, Jul 12, 2010 at 9:22 PM, Amar Deep <[email protected]> wrote:
> Hi,
>
> A WAF is an operational security control which monitors HTTP traffic in
> order to protect web applications from attacks.
>
> The key elements in this definition are:
>
> 1) *Operational control* - a WAF protects applications in real time, rather
> than hardening them or fixing them in advance.
>
> 2) *HTTP traffic* - a WAF analyzes the traffic between the untrusted client
> and the web server.
>
> 3) *Protect web applications* - WAFs protect web applications. Mostly
> custom written and very dynamic, web applications are in many cases
> vulnerable and not well protected by other solutions.
>
> *Differentiation*
>
> Only by defining the method used to protect applications can a WAF be
> differentiated from other security solutions that inspect traffic, most
> notably IDS and IPS. To be a WAF, a system should:
>
> *Have an intimate understanding of HTTP* - while not important by itself,
> only by fully parsing and analyzing HTTP, breaking it into its elements
> including headers, parameters and payload, can a WAF effectively meet the
> following requirements and avoid evasion.
>
> *Provide a positive security model* - a positive security policy allows
> only things known to be valid to go through. This protection mechanism,
> sometimes called "white listing", provides an external input validation
> shield over the application. Too many web attacks cannot be reliably
> detected using signatures, making a signature-only solution not strong
> enough to protect web applications.
>
> *Application layer rules* - due to high maintenance cost, a positive
> security model by itself is not effective enough to protect web applications
> and should be augmented by a signature based system. But since web
> applications are custom, traditional signatures targeting known
> vulnerabilities are not effective. WAF rules should be generic and detect
> any variant of an attack such as SQL injection.
>
> *Session based protection* - one of the biggest downsides of HTTP is the
> lack of a built-in reliable session mechanism. A WAF must complement the
> application's session management and protect it from session based and
> over-time attacks.
>
> *Allow fine grained policy management* - most notably, exceptions should be
> applied to only minimal parts of the application. If a system does not allow
> minimal exceptions, false positives force opening wide security gaps.
>
> --
> You received this message because you are subscribed to the Google Groups
> "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/nforceit?hl=en-GB.

--
Phani
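The three mechanisms Amar lists above (a positive model that admits only known-valid input, a generic application-layer rule for any SQL-injection variant, and exceptions scoped to a minimal part of the application) are easy to confuse in the abstract, so here they are together in working form. This is an added example for this page, not code from the nforceit thread or from any WAF product; the policy format, the regexes, the imaginary application paths and the sample requests are all constructed for illustration. On the subject line's question: every check below runs on parsed plaintext HTTP, so with HTTPS the WAF has to terminate TLS itself or sit behind the reverse proxy that does; that is a general fact about TLS, not something the quoted message states.

```python
"""Positive-security-model WAF check with a generic SQLi rule and
fine-grained exceptions. Added example, not code from the nforceit
thread or any WAF product; the policy format, the regexes and the
sample requests below are all constructed for illustration."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Generic application-layer rule: matches common SQL-injection *patterns*
# rather than one known exploit string for one known vulnerability.
SQLI_PATTERN = re.compile(
    r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b"   # UNION SELECT
    r"|\bor\b\s+\d+\s*=\s*\d+"                 # OR 1=1
    r"|'\s*or\s*'"                             # ' or '
    r"|--\s|;\s*drop\b"                        # comment / stacked DROP
)

@dataclass
class Policy:
    # Positive model: path -> {parameter: regex of allowed values}.
    # Unknown paths and unknown parameters are rejected outright.
    allowed: dict
    # Fine-grained exceptions: (path, parameter) pairs where the generic
    # signature is NOT applied, e.g. a free-text field that legitimately
    # contains quotes. The whitelist for that field still applies.
    signature_exceptions: set = field(default_factory=set)

POLICY = Policy(  # constructed sample policy for an imaginary app
    allowed={
        "/login":   {"user": r"[a-z0-9_]{3,32}", "pw": r".{8,128}"},
        "/search":  {"q": r"[\w \-]{1,64}", "page": r"\d{1,3}"},
        "/comment": {"id": r"\d+", "text": r"[\s\S]{1,2000}"},
    },
    signature_exceptions={("/comment", "text")},
)

def parse_request(raw: str):
    """Break a raw HTTP/1.1 request into method, path, headers and the
    merged query/body parameters (the 'intimate understanding of HTTP')."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return method, url.path, headers, params

def inspect(raw: str, policy: Policy = POLICY):
    """Return (allowed, reason). Whitelist first, then the generic rule,
    skipping the rule only for explicitly excepted (path, parameter) pairs."""
    _method, path, _headers, params = parse_request(raw)
    spec = policy.allowed.get(path)
    if spec is None:
        return False, f"path {path} not in positive model"
    for name, value in params.items():
        if name not in spec:
            return False, f"unexpected parameter {name!r} on {path}"
        if not re.fullmatch(spec[name], value):
            return False, f"parameter {name!r} violates whitelist"
        if (path, name) not in policy.signature_exceptions and SQLI_PATTERN.search(value):
            return False, f"generic SQLi rule matched on {name!r}"
    return True, "ok"

# Constructed sample requests (not captured traffic).
REQ_OK = "GET /search?q=waf+basics&page=2 HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_EXTRA_PARAM = "GET /search?q=waf&debug=1 HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_UNKNOWN_PATH = "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_SQLI = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "user=bob&pw=x%27+or+1%3D1--+")
REQ_EXCEPTED = ("POST /comment HTTP/1.1\r\nHost: app.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "id=7&text=it%27s+%27or%27+not")

if __name__ == "__main__":
    for req in (REQ_OK, REQ_EXTRA_PARAM, REQ_UNKNOWN_PATH, REQ_SQLI, REQ_EXCEPTED):
        print(req.split("\r\n", 1)[0], "->", inspect(req))
```

Two things worth noticing when you run it. The whitelist fires before the signature, so most injection attempts never reach the generic rule at all (an unknown parameter or an unknown path is rejected without any pattern matching); the rule only matters where the whitelist is necessarily permissive, such as the password field, and there it blocks the `or 1=1` variant without knowing anything about the application. The exception is scoped to exactly one (path, parameter) pair: the comment body may contain `'or'` without being blocked, but the same text in the search box or the login form still is, which is the "minimal exception" Amar contrasts with opening a wide gap to silence a false positive.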
