In the Attack Mitigation section (2.2.2), I would recommend a broader definition of mitigation than block/pass. Redirection and other things are often the right mitigation, it depends on the threat/exploit, I think.
I would echo some of the other comments I've seen on the treatment of NGFW and IDS/IPS, but perhaps go even further. Many of the terms you list don't, IMO, refer to WAFs. For example: "Application Level Firewall" was mainly used by perimeter firewalls that used proxies for deployment vs. stateful inspection in order to meet perimeter defense use cases. I think an even more in-depth discussion of the difference between the use cases, and how both touch something called an "application" but in different ways, would be useful here. The example I give is that a network firewall/NGFW is concerned about which applications are in use across some boundary. For example, I see HTTP traffic that is really BitTorrent (or SharePoint); should I let it pass into/out of my organization? That's a perimeter use case. With WAFs, which application is in use is almost never in question. You know, because the WAF has been configured specifically to protect it. What WAFs ask is whether this traffic to this application is doing something bad within that application.
On 14.02.2013 23:02, Mark Kraynak wrote:
"block" and "pass" are very broad definitions if we look at the application layer.
I totally agree that "block" on the TCP/IP layer is something different than on the application
layer. A WAF usually does not "block" by dropping or resetting the connection, but
sends some kind of redirect or error page, which is a full response on that layer.
How exactly that works, and which conditions trigger which action, is a detail to
be described by the WAF, and hence out of scope in this section.
However, if you can give me some examples of what you mean, I'll try to make that part
"broader". And finally link to the proper section in the document.
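As an added illustration of the point discussed above (example code written for this page, not part of the mailing-list thread or of the document under review), the following minimal mitigation dispatcher shows the difference between a network-layer "block" and an application-layer one: every non-pass outcome here is a complete HTTP response (a 403 error page or a 302 redirect) rather than a dropped or reset connection. The rule patterns, action names, the `/login` redirect target and the sample requests are all constructed assumptions for illustration.

```python
"""Minimal application-layer mitigation dispatcher (added example).

Shows that at the HTTP layer a WAF "block" is itself a full response,
and that "redirect" is a third mitigation alongside pass/block.
Rules, action names and sample requests are constructed assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed rules: (name, compiled pattern, mitigation action).
# A real WAF would carry many more, and per-rule actions are policy.
RULES = [
    ("path_traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE), "block"),
    ("sql_injection", re.compile(r"(union\s+select|'\s*or\s+1=1)", re.IGNORECASE), "block"),
    ("legacy_login", re.compile(r"^/old-login$"), "redirect"),
]

ERROR_PAGE = "<html><body><h1>403 Forbidden</h1>Request rejected.</body></html>"
REDIRECT_TARGET = "/login"  # assumption: where a retired login URL is sent


def match_rules(req):
    """Return (rule_name, action) for the first matching rule, or (None, 'pass')."""
    target = f"{req.path}?{req.query}" if req.query else req.path
    for name, pattern, action in RULES:
        if pattern.search(target):
            return name, action
    return None, "pass"


def mitigate(req):
    """Apply the configured action to a request.

    Returns (action, Response-or-None). None means 'pass': hand the
    request on to the protected application. Every other outcome is a
    complete HTTP response generated by the WAF, not a TCP drop/reset.
    """
    rule, action = match_rules(req)
    if action == "pass":
        return action, None
    if action == "block":
        return action, Response(403, {"Content-Type": "text/html"}, ERROR_PAGE)
    if action == "redirect":
        return action, Response(302, {"Location": REDIRECT_TARGET}, "")
    raise ValueError(f"unknown action {action!r} for rule {rule}")


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("GET", "/index.html"),
        Request("GET", "/files", "name=../../etc/passwd"),
        Request("GET", "/item", "id=1' OR 1=1"),
        Request("GET", "/old-login"),
    ]
    for r in samples:
        action, resp = mitigate(r)
        status = resp.status if resp else "forwarded to application"
        print(f"{r.method} {r.path}?{r.query}: {action} -> {status}")
```

The dispatcher deliberately returns a `Response` object for block and redirect so that the distinction the reply makes is visible in the code: the connection stays open and the client receives a well-formed HTTP answer.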