wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


Re: [WASC-WAFEC] Annexure or Supplement Proposed by F5

Achim Hoffmann
Sun, Oct 21, 2012 4:31 PM

On 21.10.2012 14:01, Matthieu Estrade wrote:
...

> ... I think they are too close to the
> business of the WAF vendor.

Please don't get me wrong: my objections are not regarding WAF vendors, but regarding
load balancers and such.
It's not about keeping vendor biases out of the discussion (they are valuable, please
give us your opinions), but about focusing on WAFs.

Achim

Kit Wetzler
Sun, Oct 21, 2012 4:42 PM

I agree with this as well.  I'd rather not complicate the situation.  It's hard enough to select and differentiate a WAF, let alone to go into the ecosystem a WAF lives in.  (and this is coming from a load balancing vendor!)

The best thing we can do for WAFEC, imho, is to keep it as simple as possible, to describe the various capabilities of WAFs (security and visibility) and let the customer decide which deployment mode to use.  (That said, I'm happy to describe theoretical deployment modes - integrated to load balancer, inline, proxy, span port, integrated to server, etc, since they DO differentiate.)

--
Kit Wetzler
Citrix Systems, Inc
Networking and Cloud Product Group (NetScaler, Branch Repeater and Access Gateway)

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Achim Hoffmann
Sent: Sunday, October 21, 2012 9:32 AM
To: Matthieu Estrade
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Annexure or Supplement Proposed by F5

On 21.10.2012 14:01, Matthieu Estrade wrote:
...

> ... I think they are too close to the
> business of the WAF vendor.

Please don't get me wrong: my objections are not regarding WAF vendors, but regarding load balancers and such.
It's not about keeping vendor biases out of the discussion (they are valuable, please give us your opinions), but about focusing on WAFs.

Achim


wasc-wafec mailing list
wasc-wafec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org

Ido Breger
Mon, Oct 22, 2012 11:07 AM

I am a bit confused, Kit (and others).
There seems to be an agreement that selecting a WAF by itself is a tough task. There seems to be an agreement that when a customer is selecting a product, he always thinks about how well it will fit into his existing environment (how it integrates with other products in his datacenter or how well all products work in concert). You also agree that these two tasks are complicated.
Now - do you think that WAF buyers/evaluators will not appreciate a document that will help them with both of these tasks when it comes to selecting a WAF?

The suggestion is to include the non-pure security features of the WAF in an appendix to WAFEC, so in the cases where a customer doesn't want to know what kind of benefits or limitations the WAF he is going to choose has with other devices in his network, he could simply not read the appendix.

I agree with you that having a perfect appendix like that can be complicated to achieve, but like any living document, it will become better and better over time.

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Kit Wetzler
Sent: Sunday, October 21, 2012 6:43 PM
To: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Annexure or Supplement Proposed by F5

I agree with this as well.  I'd rather not complicate the situation.  It's hard enough to select and differentiate a WAF, let alone to go into the ecosystem a WAF lives in.  (and this is coming from a load balancing vendor!)

The best thing we can do for WAFEC, imho, is to keep it as simple as possible, to describe the various capabilities of WAFs (security and visibility) and let the customer decide which deployment mode to use.  (That said, I'm happy to describe theoretical deployment modes - integrated to load balancer, inline, proxy, span port, integrated to server, etc, since they DO differentiate.)

--
Kit Wetzler
Citrix Systems, Inc
Networking and Cloud Product Group (NetScaler, Branch Repeater and Access Gateway)

-----Original Message-----
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Achim Hoffmann
Sent: Sunday, October 21, 2012 9:32 AM
To: Matthieu Estrade
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] Annexure or Supplement Proposed by F5

On 21.10.2012 14:01, Matthieu Estrade wrote:
...

> ... I think they are too close to the
> business of the WAF vendor.

Please don't get me wrong: my objections are not regarding WAF vendors, but regarding load balancers and such.
It's not about keeping vendor biases out of the discussion (they are valuable, please give us your opinions), but about focusing on WAFs.

Achim


