[WASC-WAFEC] WAFEC 2.0 Comments chapters 1 and 2

Achim Hoffmann websec10 at sic-sec.org
Mon Jan 28 16:52:32 EST 2013

Hi Ofer, Klaubert,

currently I'm doing a rewrite of my first version. This will will include
all your suggestions. Hope to get it ready at end of week ...


Am 28.01.2013 21:59, schrieb Ofer Shezaf:
> Hi Klaubert Herr and Achim,
> I think that Klaubert Herr makes an important point in both the remark about
> IPS and Next Gen FW. An important goal of WAFEC is to make the distinction
> between WAFs and other security systems. IPS and NG-FW are certainly
> different than WAFs in both goals (the important part) and methodology (less
> important but still worth noting). 
> Of special importance is the difference between WAFs and IPSs as too many of
> the latter present themselves as WAFs for PCI purposes. Klaubert Herr
> provides an interesting take on the difference, and while I mostly agree,
> details are of importance. For example, is correlating inbound and outbound
> (traffic? Events?) mandatory for a WAF?
> To that end, I agree with Klaubert Herr  that those questions must be
> answered in chapter 2. 
> ~ Ofer
> -----Original Message-----
> From: wasc-wafec [mailto:wasc-wafec-bounces at lists.webappsec.org] On Behalf
> Of Klaubert Herr da Silveira
> Sent: Tuesday, January 22, 2013 1:06 AM
> To: wasc-wafec at lists.webappsec.org
> Subject: [WASC-WAFEC] WAFEC 2.0 Comments chapters 1 and 2
> 1.2.1
> Just a typo...
> Different WAFs cam mitigate the same
> To
> Different WAFs _can_ mitigate the same
> 2.1.1  How does a WAF work (technical)
> I miss the relationship/differentiation between WAF and IDS/IPS in the
> definition.
> While they are clearly distinct, they operate in a very similar way, but
> with different focus/view/target of traffic. The IDS/IPS match
> rules/behavior in packets or streams, watching the full protocol spectrum of
> a network. WAF in their side, watch a web application (not only a packet),
> interpreting HTTP protocols, validating/analyzing web services requests
> (SOAP/RESTfull), doing this even in encrypted traffic with SSL, and it can
> correlate the request and response.
> 2.1.2 Why the name WAF (historical)
> In "Today there are more names, like...Next Generation Firewall"
> I don't see the "Next Generation Firewall" associated to WAF in the
> market/literature. Some NGF vendors indeed make a clear differentiation
> between their products and WAF's. Considering they both are current terms, I
> think that is better to WAFEC2 not correlate both.
> I'll send other comments for the next topics later.
> Best Regards,
> Klaubert Herr

More information about the wasc-wafec mailing list