WASC Web Application Firewall Evaluation Criteria Project Mailing List
Section 2.1 Definitions
I also once tried to find a good definition for a WAF and could not, and I
don’t see how these definitions help anyone understand what a WAF is.
The first talks about how the technology is delivered instead of what it
does and in any case it is out of date
The second is really too general to use
The third is a combination of a not bad high level description with too
many details
I think we can come up with a simple and easy to understand definition.
If you ask me, the definition has to convey what the WAF does which is a)
mitigate any attempt to harm the application, its users or the business
through the web b) prevent detection and neutralize any vulnerability or
weakness in the application
Section 2.2.1 Attack Detection
Isn’t this section a good place to talk about the different detection
techniques? Positive, negative, reputation, statistical, …?
“…harm any traffic.” can be made more clear
Section 2.2.2 Attack Mitigation
IMO this section should list some of the popular mitigation strategies.
Blocking is definitely one but also obfuscation, masking, challenges…
The main point is that different threats / attacks should be mitigated
differently, and a key evaluation criterion should be the available
mitigation capabilities
Section 2.3 How does a WAF work
IMO there should be much more detail on how the different technologies work
(reverse proxy, sniffer, ..)
I think that understanding how WAFs work requires at least a high level
list of the mechanisms involved: decoding, normalization, signatures…
Should this section or another section on this page list the different
placement of WAFs? DMZ, cloud, hosted,…
Eldad Chai
Director of Product Management
+1 (650) 488 4779
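The mechanisms named in this message (decoding and normalization before signature matching, positive versus negative detection models, reputation, and a different mitigation per attack class) can be shown end to end in a few dozen lines. The following is an added illustration written for this archive page; it is not WAFEC text, not code posted by any list member, and not any vendor's product. The `/account` endpoint and its allowlist, the three signatures, the reputation set and the card-number masking rule are all constructed for the example, and the signatures are deliberately tiny: a real rule set is far larger and still needs the normalization step in front of it.

```python
"""Toy WAF request pipeline (constructed example, not WAFEC or vendor code):
normalize -> detect (negative model, positive model, reputation) -> mitigate."""
import re
import urllib.parse
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    query: dict      # raw, still-encoded parameter values as received on the wire
    client_ip: str


@dataclass
class Verdict:
    action: str                           # "allow" | "block" | "challenge"
    reasons: list = field(default_factory=list)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing (defeats double encoding), then
    strip SQL inline comments, collapse whitespace and fold case so that the
    signatures below see one canonical form. The round cap bounds CPU cost."""
    prev, cur, rounds = None, value, 0
    while cur != prev and rounds < max_rounds:
        prev, cur, rounds = cur, urllib.parse.unquote_plus(cur), rounds + 1
    cur = re.sub(r"/\*.*?\*/", " ", cur)
    return re.sub(r"\s+", " ", cur).strip().lower()


# Negative model: three illustrative signatures (constructed; not a real rule set).
SIGNATURES = {
    "sqli": re.compile(r"(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)"),
    "xss": re.compile(r"(<script\b|javascript:|\bon\w+\s*=)"),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
}

# Positive model: what the hypothetical /account endpoint is allowed to receive.
POSITIVE_MODEL = {
    "/account": {
        "id": re.compile(r"^\d{1,10}$"),
        "tab": re.compile(r"^(profile|orders)$"),
    },
}

# Reputation: a constructed set of client addresses with bad history.
BAD_REPUTATION = {"203.0.113.7"}

# Mitigation policy: not every finding deserves the same response.
MITIGATION = {
    "sqli": "block", "xss": "block", "traversal": "block",
    "positive_model": "block",        # unexpected parameter, or wrong shape
    "reputation": "challenge",        # suspicious source, but no payload seen
}


def detect(req: Request) -> list:
    """Return (kind, location) findings from all detection techniques."""
    findings = []
    if req.client_ip in BAD_REPUTATION:
        findings.append(("reputation", "client_ip"))
    if SIGNATURES["traversal"].search(normalize(req.path)):
        findings.append(("traversal", "path"))
    allowlist = POSITIVE_MODEL.get(req.path)
    for name, raw in req.query.items():
        val = normalize(raw)
        for kind, pat in SIGNATURES.items():          # negative model
            if pat.search(val):
                findings.append((kind, name))
        if allowlist is not None:                     # positive model
            rule = allowlist.get(name)
            if rule is None or not rule.fullmatch(val):
                findings.append(("positive_model", name))
    return findings


def decide(req: Request) -> Verdict:
    """Map findings to one action; a block outranks a challenge."""
    findings = detect(req)
    if not findings:
        return Verdict("allow")
    actions = {MITIGATION[kind] for kind, _ in findings}
    action = "block" if "block" in actions else "challenge"
    return Verdict(action, [f"{kind}:{where}" for kind, where in findings])


CARD_RE = re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b")


def mask_response(body: str) -> str:
    """Outbound mitigation: mask card-like numbers in a response rather than
    refusing to serve the page (masking instead of blocking)."""
    return CARD_RE.sub(lambda m: f"{m.group(1)}-****-****-{m.group(2)}", body)


if __name__ == "__main__":
    evasive = Request("GET", "/account",
                      {"id": "%2527%2520or%2520%25271%2527%253D%25271", "tab": "profile"},
                      "198.51.100.10")
    print(decide(evasive))
    print(mask_response("card 4111 1111 1111 1111 on file"))
```

The decode loop is the part that matters for evaluation: a single decoding pass leaves `%2527` as `%27`, so the SQL-injection signature never sees the quote character, which is the classic encoding evasion that normalization exists to defeat; capping the rounds keeps a hostile input from turning the decoder into a CPU sink. The positive model catches the same payload without any signature at all, which is the argument for assessing both detection models rather than only the size of the rule set, and the masking function shows a mitigation that is neither blocking nor allowing.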
Chapter 2 is an introductory section. Specifically the information you are
looking for in 2.2.1, 2.2.2 and 2.3 is available in other sections. How much
should be repeated (or rather presented in advance) here is to a large
extent a matter of document editing and style.
As to the definition you suggest, it covers code fixing as well.
~ Ofer
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf
Of Eldad Chai
Sent: Tuesday, February 19, 2013 9:13 AM
To: wasc-wafec@lists.webappsec.org
Subject: [WASC-WAFEC] Feedback on What is a WAF
Section 2.1 Definitions
I also once tried to find a good definition for a WAF and could not, and I
don't see how these definitions help anyone understand what a WAF is.
The first talks about how the technology is delivered instead of what it
does and in any case it is out of date
The second is really too general to use
The third is a combination of a not bad high level description with too many
details
I think we can come up with a simple and easy to understand definition.
If you ask me, the definition has to convey what the WAF does which is a)
mitigate any attempt to harm the application, its users or the business
through the web b) prevent detection and neutralize any vulnerability or
weakness in the application
Section 2.2.1 Attack Detection
Isn't this section a good place to talk about the different detection
techniques? Positive, negative, reputation, statistical, …?
“…harm any traffic.” can be made more clear
Section 2.2.2 Attack Mitigation
IMO this section should list some of the popular mitigation strategies.
Blocking is definitely one but also obfuscation, masking, challenges…
The main point is that different threats / attacks should be mitigated
differently, and a key evaluation criterion should be the available mitigation
capabilities
Section 2.3 How does a WAF work
IMO there should be much more detail on how the different technologies work
(reverse proxy, sniffer, ..)
I think that understanding how WAFs work requires at least a high level
list of the mechanisms involved: decoding, normalization, signatures…
Should this section or another section on this page list the different
placement of WAFs? DMZ, cloud, hosted,…
Eldad Chai
Director of Product Management
eldad@incapsula.com
+1 (650) 488 4779
Chapter 2 is an introductory section. Specifically the information you
are looking for in 2.2.1, 2.2.2 and 2.3 is available in other sections. How
much should be repeated (or rather presented in advance) here is to a large
extent a matter of document editing and style.
I actually think of this page as a somewhat standalone page with a lot of
links into other sections. What is a WAF? Here you go…
I don’t know how the “What is a WAF?” question can be answered without at
least mentioning these key elements – by editing, styling or whatever means
As to the definition you suggest, it covers code fixing as well.
Maybe it is true and the definition can be more accurate, but my main point
is that what a WAF does seems important in its definition, especially for
readers who are not security professionals
Eldad
From: Ofer Shezaf [mailto:oshezaf@gmail.com] On Behalf Of Ofer Shezaf
Sent: Tuesday, February 19, 2013 2:18 PM
To: 'Eldad Chai'; wasc-wafec@lists.webappsec.org
Subject: RE: [WASC-WAFEC] Feedback on What is a WAF
Chapter 2 is an introductory section. Specifically the information you are
looking for in 2.2.1, 2.2.2 and 2.3 is available in other sections. How
much should be repeated (or rather presented in advance) here is to a large
extent a matter of document editing and style.
As to the definition you suggest, it covers code fixing as well.
~ Ofer
Hi,
after my first description, Ofer reminded me to describe "what a WAF is" by
describing "what it does". This is exactly what you ask for, Eldad, isn't it?
The current description mainly does that; see the last paragraph in 2.1, which
refers to 2.2 Use Cases. So I don't get what you are missing. I don't claim
that the current description is perfect, so can you please give me an example
of what you're missing.
Also, the descriptions in "What is a WAF" should be general and broad, while
the details are in the other sections (as Ofer mentioned).
Some details:
... b) prevent detection and neutralize any vulnerability or weakness in the application ...
This is a good description. Thanks. How about adding following right in
2 What is a WAF
...
A WAF detects malicious traffic and prevents a weakness in a system
and/or application from being exploited. It can therefore reduce the risk
of impacts caused by threats against known or unknown vulnerabilities.
(still to be improved, somehow ...)
I'd say that this can serve as a "management summary description" ;-)
... to talk about the different detection
The broad description is already there. I also suggested right there -- see
2.2.1 and 2.2.2 -- that references to the proper sections need to be added, IMHO.
... “…harm any traffic.” can be made more clear
Ok, in this context -- detection -- we can replace "harm" by "does not change".
Does this sound better?
Regards,
Achim
On 19.02.2013 13:56, Eldad Chai wrote:
Chapter 2 is an introductory section. Specifically the information you
are looking for in 2.2.1, 2.2.2 and 2.3 is available in other sections. How
much should be repeated (or rather presented in advance) here is to a large
extent a matter of document editing and style.
I actually think of this page as a somewhat standalone page with a lot of
links into other sections. What is a WAF? Here you go…
I don’t know how the “What is a WAF?” question can be answered without at
least mentioning these key elements – by editing, styling or whatever means
As to the definition you suggest, it covers code fixing as well.
Maybe it is true and the definition can be more accurate, but my main point
is that what a WAF does seems important in its definition, especially for
readers who are not security professionals
Eldad
Inline
-----Original Message-----
From: Achim Hoffmann [mailto:websec10@sic-sec.org]
Sent: Thursday, February 21, 2013 10:56 AM
To: Eldad Chai
Cc: wasc-wafec@lists.webappsec.org; Ofer Shezaf
Subject: Re: [WASC-WAFEC] Feedback on What is a WAF
Hi,
after my first description, Ofer reminded me to describe "what a WAF is" by
describing "what it does". This is exactly what you ask for, Eldad, isn't it?
Yes it is
The current description mainly does that; see the last paragraph in 2.1, which
refers to 2.2 Use Cases. So I don't get what you are missing. I don't
claim that the current description is perfect, so can you please give me an
example of what you're missing.
I am talking from my perspective only. Today anyone can name his offering
a WAF, and this section in my opinion does not help in saying whether a
piece of technology is or isn’t a WAF.
I am fine with presenting the use cases but I do not think they can
replace a definition.
Also, the descriptions in "What is a WAF" should be general and broad, while
the details are in the other sections (as Ofer mentioned).
Some details:
... b) prevent detection and neutralize any vulnerability or weakness in
the application ...
This is a good description. Thanks. How about adding following right in
2 What is a WAF
...
A WAF detects malicious traffic and prevents a weakness in a system
and/or application from being exploited. It can therefore reduce the risk
of impacts caused by threats against known or unknown vulnerabilities.
(still to be improved, somehow ...)
I'd say that this can serve as a "management summary description" ;-)
... to talk about the different detection
The broad description is already there. I also suggested right there -- see
2.2.1 and 2.2.2 -- that references to the proper sections need to be added,
IMHO.
Perhaps it is a matter of style. At least for 2.2.1 I was thinking of a
more structured description of how detection works (not for a specific
vulnerability).
But perhaps it is only me.
... “…harm any traffic.” can be made more clear
Ok, in this context -- detection -- we can replace "harm" by "does not
change".
Does this sound better?
Yes or "does not interfere with traffic"
Regards,
Achim