Good question Phani. A WAF (a protection mechanism for defence in depth) is usually placed at the web server. This solution comes as a hardware or software implementation. A sample WAF placement diagram for your reference:

User <--> Firewall <--> ISP <--> *Internet* <--> Firewall <--> (WAF) WebServer <--> Database

1) Early versions of WAF were blocking the HTTPS traffic in scenarios where it was not expected or not required.

2) But now, the software is capable of decrypting the encrypted traffic, of course with whatever key is required once the trust has been established between the web server and the WAF software. Refer to the below software for an example: http://www.breach.com/products/webdefend.html
To know the possibility of how to decrypt HTTPS, please refer to the other post: http://groups.google.com/group/nforceit/browse_thread/thread/53a9af19a9725ada?hl=en-GB_IN

3) Further, as you see in the reference diagram above, a WAF can also be part of the web server itself. There exists a multi-layered approach to WAF, which provides even more advanced protection. Every request or response will be monitored at every layer. Refer to the below tool link: http://www.eeye.com/Products/SecureIIS-Web-Server-Security.aspx

Team, those of you who know more than this can add more to this. Thanks!

Regards
Sandeep Thakur

On Mon, Jul 12, 2010 at 9:48 AM, Phani <[email protected]> wrote:
> How does a WAF work if the traffic is HTTPS?
>
> On Mon, Jul 12, 2010 at 9:22 PM, Amar Deep <[email protected]> wrote:
>>
>> Hi,
>>
>> A WAF is an operational security control which monitors HTTP traffic in
>> order to protect web applications from attacks.
>>
>> The key elements in this definition are:
>>
>> 1) Operational control - a WAF protects applications in real time, rather
>> than hardening them or fixing them in advance.
>>
>> 2) HTTP traffic - a WAF analyzes the traffic between the untrusted client
>> and the web server.
>>
>> 3) Protect web applications - WAFs protect web applications. Mostly custom
>> written and very dynamic, web applications are in many cases vulnerable and
>> not well protected by other solutions.
>>
>> Differentiation
>>
>> Only by defining the method used to protect applications can a WAF be
>> differentiated from other security solutions that inspect traffic, most
>> notably IDS and IPS. To be a WAF, a system should:
>>
>> Have intimate understanding of HTTP - while not of importance by itself,
>> only by fully parsing and analyzing HTTP, breaking it into its elements
>> including headers, parameters and payload, can a WAF effectively perform the
>> following requirements and avoid evasion.
>>
>> Provide a positive security model - a positive security policy allows only
>> things known to be valid to go through. This protection mechanism, sometimes
>> called "white listing", provides an external input validation shield over the
>> application. Too many web attacks cannot be reliably detected using
>> signatures, making a signature-only solution not strong enough to protect web
>> applications.
>>
>> Application layer rules - due to high maintenance cost, a positive
>> security model by itself is not effective enough to protect web applications
>> and should be augmented by a signature-based system. But since web
>> applications are custom, traditional signatures targeting known
>> vulnerabilities are not effective. WAF rules should be generic and detect
>> any variant of an attack such as SQL injection.
>>
>> Session based protection - one of the biggest downsides of HTTP is the
>> lack of a built-in reliable session mechanism. A WAF must complement the
>> application session management and protect it from session-based and over-
>> time attacks.
>>
>> Allow fine grained policy management - most notably, exceptions should be
>> applied to only minimal parts of the application. If a system does not allow
>> minimal exceptions, false positives force opening wide security gaps.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "nforceit" group.
>> To post to this group, send an email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected]<nforceit%[email protected]> .
>> For more options, visit this group at
>> http://groups.google.com/group/nforceit?hl=en-GB.
>
> --
> Phani
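The positive security model and the fine-grained exceptions Amar Deep describes, as an added example that is not part of the thread and not code from any product named in it: a minimal allowlist check over a fully parsed HTTP request, written in Python. The policy, the exception, the paths and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Positive security model (constructed policy, not from the thread): per path, the
# parameters that may appear and the pattern each value must fully match.
# Anything not listed is denied, so a new attack variant needs no new signature.
POLICY = {
    "/login": {"user": r"[a-z0-9_.]{1,32}", "pass": r"[^\r\n]{8,128}"},
    "/search": {"q": r"[\w ]{0,64}", "page": r"\d{1,3}"},
}
# Fine-grained exception: one parameter on one path gets a looser pattern
# (e-mail style logins) instead of a path-wide or site-wide bypass.
EXCEPTIONS = {("/login", "user"): r"[a-z0-9_.@+\-]{1,64}"}

def parse_request(raw: bytes):
    """Break a raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    return method, url.path, headers, params

def check_request(raw: bytes):
    """Return (allowed, reason). Only known paths with known-valid values pass."""
    _method, path, _headers, params = parse_request(raw)
    rules = POLICY.get(path)
    if rules is None:
        return False, f"unknown path {path}"
    for name, value in params:
        pattern = EXCEPTIONS.get((path, name)) or rules.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r} on {path}"
        if not re.fullmatch(pattern, value):
            return False, f"parameter {name!r} failed validation on {path}"
    return True, "ok"

# Constructed sample requests: a normal search, an e-mail login that only the
# exception admits, and an injection attempt that matches no allowed pattern.
SAMPLES = {
    "search": b"GET /search?q=waf+https&page=2 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "login": (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 43\r\n\r\n"
              b"user=alice%40example.com&pass=hunter2secret"),
    "injection": b"GET /search?q=%27%20OR%201%3D1--&page=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
}
```

Calling `check_request` on each entry of `SAMPLES` shows the search and the login pass while the injection attempt is refused purely because its value is not on the allowlist, with no signature involved.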
