Thanks for the reply Sandeep, I have some queries regarding the same.

1) To decrypt HTTPS traffic the WAF should have both the public and private keys, and those are only maintained by the application web server and the client, so how come this WAF has both the keys?
2) If the WAF has the keys to decrypt and encrypt, then there can be a performance issue and also load on the WAF?
3) And last, is a WAF effective and required?

On Mon, Jul 12, 2010 at 11:55 PM, Sandeep Thakur <[email protected]> wrote:
> Good question Phani,
>
> A WAF (protection mechanism for defence in depth) is usually placed at the web
> server. This solution comes as a hardware or software implementation. A sample
> WAF placement diagram for your reference:
>
> User <--> Firewall <--> ISP <--> *Internet* <--> Firewall <--> (WAF) WebServer <--> Database
>
> 1) Early versions of WAF were blocking the https traffic if it was not
> expected or not required in the scenario.
>
> 2) But now, the software is capable of decrypting the encrypted traffic,
> of course with whatever key is required, once the trust has been established
> between the web server and the WAF software. Refer to the below software for an example:
>
> http://www.breach.com/products/webdefend.html
>
> To know the possibility of how to decrypt https, please refer to the other post:
>
> http://groups.google.com/group/nforceit/browse_thread/thread/53a9af19a9725ada?hl=en-GB_IN
>
> 3) Further, as you see in the reference diagram above, the WAF can also be part of the
> web server itself. There exists a multi-layered approach to WAF, which
> provides even more advanced protection. Every request or response will be
> monitored at every layer. Refer to the below tool link:
>
> http://www.eeye.com/Products/SecureIIS-Web-Server-Security.aspx
>
> Team, those of you who know more than this can add more to this. Thanks!
>
> Regards
> Sandeep Thakur
>
> On Mon, Jul 12, 2010 at 9:48 AM, Phani <[email protected]> wrote:
> > How does a WAF work if the traffic is HTTPS?
> >
> > On Mon, Jul 12, 2010 at 9:22 PM, Amar Deep <[email protected]> wrote:
> >> Hi,
> >>
> >> A WAF is an operational security control which monitors HTTP traffic in
> >> order to protect web applications from attacks.
> >>
> >> The key elements in this definition are:
> >>
> >> 1) Operational control - a WAF protects applications in real time, rather
> >> than hardening them or fixing them in advance.
> >>
> >> 2) HTTP traffic - a WAF analyzes the traffic between the untrusted client
> >> and the web server.
> >>
> >> 3) Protect web applications - WAFs protect web applications. Mostly custom
> >> written and very dynamic, web applications are in many cases vulnerable and
> >> not well protected by other solutions.
> >>
> >> Differentiation
> >>
> >> Only by defining the method used to protect applications can a WAF be
> >> differentiated from other security solutions that inspect traffic, most
> >> notably IDS and IPS. To be a WAF, a system should:
> >>
> >> Have an intimate understanding of HTTP - while not of importance by itself,
> >> only by fully parsing and analyzing HTTP, breaking it into its elements
> >> including headers, parameters and payload, can a WAF effectively perform the
> >> following requirements and avoid evasion.
> >>
> >> Provide a positive security model - a positive security policy allows only
> >> things known to be valid to go through. This protection mechanism, sometimes
> >> called "white listing", provides an external input validation shield over the
> >> application. Too many web attacks cannot be reliably detected using
> >> signatures, making a signature-only solution not strong enough to protect web
> >> applications.
> >>
> >> Application layer rules - due to high maintenance cost, a positive
> >> security model by itself is not effective enough to protect web applications
> >> and should be augmented by a signature based system. But since web
> >> applications are custom, traditional signatures targeting known
> >> vulnerabilities are not effective. WAF rules should be generic and detect
> >> any variant of an attack such as SQL injection.
> >>
> >> Session based protection - one of the biggest downsides of HTTP is the
> >> lack of a built-in reliable session mechanism. A WAF must complement the
> >> application session management and protect it from session based and over
> >> time attacks.
> >>
> >> Allow fine grained policy management - most notably, exceptions should be
> >> applied to only minimal parts of the application. If a system does not allow
> >> minimal exceptions, false positives force opening wide security gaps.
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "nforceit" group.
> >> To post to this group, send an email to [email protected].
> >> To unsubscribe from this group, send email to
> >> [email protected]<nforceit%[email protected]>.
> >> For more options, visit this group at
> >> http://groups.google.com/group/nforceit?hl=en-GB.
> >
> > --
> > Phani

--
Phani
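As an added example (not code from this thread or from any of the products linked in it), the toy request inspector below models the three elements Amar Deep lists: it parses a raw HTTP request into headers and parameters, applies a hypothetical per-path positive (whitelist) policy, and then runs one generic SQL-token rule over the values so that a loosely typed whitelisted field is still covered. POLICY, the host name and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical positive-security policy (constructed): per path, the
# parameters that may appear and the pattern each value must match.
POLICY = {
    "/login": {"user": r"^[A-Za-z0-9_.]{1,32}$", "pw": r"^.{1,128}$"},
    "/item": {"id": r"^[0-9]{1,10}$"},
}

# Generic application-layer rule, not a per-vulnerability signature: SQL
# meta-tokens that a loosely typed whitelisted field (e.g. 'pw') still admits.
SQL_TOKENS = re.compile(r"(?i)('|--|;|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+)")


def parse_request(raw):
    """Break a raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return method, url.path, headers, params


def inspect(raw):
    """Return (decision, reason): positive model first, generic rule second."""
    _method, path, _headers, params = parse_request(raw)
    allowed = POLICY.get(path)
    if allowed is None:
        return "deny", f"path {path} not in policy"
    for name, value in params.items():
        pattern = allowed.get(name)
        if pattern is None:
            return "deny", f"unexpected parameter {name!r}"
        if not re.match(pattern, value):
            return "deny", f"parameter {name!r} fails whitelist pattern"
        if SQL_TOKENS.search(value):
            return "deny", f"parameter {name!r} matches generic SQL rule"
    return "allow", "request conforms to policy"


# Constructed sample requests, not captured traffic.
GOOD = "GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
UNEXPECTED = "GET /item?id=42&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INJECT = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "user=alice&pw=x'+or+1=1--")
```

The whitelist rejects the unexpected `debug` parameter without any signature, while the generic rule catches the quote and comment tokens in `pw`, which the policy alone would have passed.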
