[WASC-WAFEC] WAFEC 2.0 Comments chapters 1 and 2

Ofer Shezaf ofer at shezaf.com
Mon Jan 28 15:59:23 EST 2013

Hi Klaubert Herr and Achim,

I think that Klaubert Herr makes an important point in both the remark about
IPS and Next Gen FW. An important goal of WAFEC is to make the distinction
between WAFs and other security systems. IPS and NG-FW are certainly
different from WAFs in both goals (the important part) and methodology (less
important but still worth noting).

Of special importance is the difference between WAFs and IPSs, as too many of
the latter present themselves as WAFs for PCI purposes. Klaubert Herr
provides an interesting take on the difference, and while I mostly agree,
details are of importance. For example, is correlating inbound and outbound
(traffic? events?) mandatory for a WAF?

To that end, I agree with Klaubert Herr that those questions must be
answered in chapter 2.

~ Ofer

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf
Of Klaubert Herr da Silveira
Sent: Tuesday, January 22, 2013 1:06 AM
To: wasc-wafec at lists.webappsec.org
Subject: [WASC-WAFEC] WAFEC 2.0 Comments chapters 1 and 2

Just a typo...

Different WAFs cam mitigate the same

Different WAFs _can_ mitigate the same

2.1.1  How does a WAF work (technical)
I miss the relationship/differentiation between WAF and IDS/IPS in the
While they are clearly distinct, they operate in a very similar way, but
with a different focus/view/target of traffic. IDS/IPS match
rules/behavior in packets or streams, watching the full protocol spectrum of
a network. WAFs, on their side, watch a web application (not only a packet),
interpreting HTTP protocols, validating/analyzing web service requests
(SOAP/RESTful), doing this even in traffic encrypted with SSL, and they can
correlate the request and response.

2.1.2 Why the name WAF (historical)

In "Today there are more names, like...Next Generation Firewall"

I don't see the "Next Generation Firewall" associated with WAF in the
market/literature. Some NGF vendors indeed make a clear differentiation
between their products and WAFs. Considering they both are current terms, I
think it is better for WAFEC2 not to correlate the two.

I'll send other comments for the next topics later.

Best Regards,

Klaubert Herr