wasc-wafec@lists.webappsec.org

WASC Web Application Firewall Evaluation Criteria Project Mailing List


Few more comments on Section 2

Mark Kraynak
Thu, Feb 14, 2013 10:02 PM
  1. In the Attack Mitigation section (2.2.2), I would recommend a broader definition of mitigation than block/pass.  Redirection and other things are often the right mitigation, it depends on the threat/exploit, I think.

  2. I would echo some of the other comments I've seen on the treatment of NGFW and IDS/IPS, but perhaps go even further.  Many of the terms you list don't, IMO, refer to WAFs.  For example: "Application Level Firewall" was mainly used by perimeter firewalls that used proxies for deployment vs. stateful inspection in order to meet perimeter defense use cases.  I think an even more in-depth discussion of the difference between the use cases, and how both touch something called an "application" but in different ways, would be useful here.  The example I give is that a network firewall/NGFW is concerned about which applications are in use across some boundary.  For example, I see HTTP traffic that is really bittorrent (or SharePoint), should I let it pass into/out of my organization?  That's a perimeter use case.  With WAFs, which application is in use is almost never in question.  You know because the WAF has been configured specifically to protect it.  What WAFs ask is whether this traffic to this application is doing something bad within that application.

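As an added illustration of the distinction Mark draws above (this is example code written for this page, not code from the thread or from the WAFEC document), the block below puts the two questions side by side: a perimeter device asks "which application is this byte stream?", while a WAF, already knowing the application, asks "is this request doing something bad inside it?". The allowed-path table, the injection regex and the sample payloads are constructed for the example; only the BitTorrent handshake prefix is the real wire format.

```python
"""Added example: the perimeter (NGFW) question vs. the WAF question.
All sample payloads and the policy tables are constructed for illustration."""
import re
import urllib.parse

# --- Perimeter question: WHICH application is crossing the boundary? --------
# A real BitTorrent peer handshake starts with a length byte 0x13 and the
# literal string "BitTorrent protocol"; a port-80 socket carrying this is
# not HTTP, whatever the port number suggests.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]$")


def identify_application(payload: bytes) -> str:
    """Classify the first bytes of a connection without trusting the port."""
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent"
    first_line = payload.split(b"\r\n", 1)[0]
    if HTTP_REQUEST_LINE.match(first_line):
        return "http"
    return "unknown"


def perimeter_decision(payload: bytes, allowed=("http",)) -> tuple:
    """NGFW-style verdict: pass only the applications the boundary permits."""
    app = identify_application(payload)
    return app, ("pass" if app in allowed else "block")


# --- WAF question: is this request to MY application doing something bad? ---
# Assumed positive security model for one known application: the resources it
# exposes and the parameters each one accepts (constructed for the example).
ALLOWED_PATHS = {"/login": {"user", "password"}, "/search": {"q"}}
# Deliberately small injection signature; production rule sets are far larger.
SQLI_PATTERN = re.compile(r"('|\")\s*(or|and)\s+\S+\s*=|union\s+select", re.I)


def parse_http_request(payload: bytes) -> tuple:
    """Split a raw request into (method, path, params); assumes a
    form-encoded body on POST, which is enough for this example."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    url = urllib.parse.urlsplit(target)
    params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
    if method == "POST":
        params.update(urllib.parse.parse_qs(body.decode("latin-1"),
                                            keep_blank_values=True))
    return method, url.path, params


def waf_decision(payload: bytes) -> str:
    """The application is known; judge the request against what it accepts."""
    _method, path, params = parse_http_request(payload)
    if path not in ALLOWED_PATHS:
        return "block: unknown resource"
    unexpected = set(params) - ALLOWED_PATHS[path]
    if unexpected:
        return f"block: unexpected parameter(s) {sorted(unexpected)}"
    for name, values in params.items():
        for value in values:
            if SQLI_PATTERN.search(value):
                return f"block: injection pattern in {name!r}"
    return "pass"


if __name__ == "__main__":
    # Constructed samples: a BitTorrent handshake on port 80, and two HTTP
    # requests to the protected application, one benign and one hostile.
    torrent = BT_HANDSHAKE_PREFIX + b"\x00" * 8 + b"X" * 40
    benign = b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    hostile = b"GET /search?q=%27+or+1%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    for p in (torrent, benign, hostile):
        print(perimeter_decision(p), waf_decision(p) if identify_application(p) == "http" else "-")
```

Note that the perimeter device passes both HTTP requests because both are HTTP; only the WAF, which knows that `/search` takes a single `q` parameter and what a hostile value looks like, separates the benign one from the injection attempt.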
Achim Hoffmann
Thu, Feb 21, 2013 7:31 AM

On 14.02.2013 23:02, Mark Kraynak wrote:

  1. In the Attack Mitigation section (2.2.2), I would recommend a broader definition of mitigation than block/pass.  Redirection and other things are often the right mitigation, it depends on the threat/exploit, I think.

Hi Mark,

"block" and "pass" are very broad definitions if we look at the application layer.
I totally agree that "block" on TCP/IP layer is something different than on application
layer. A WAF usually does not "block" by dropping or resetting the connection, but
sends some kind of redirect or error page, which is a full response on that layer.

How exactly that works, and which conditions trigger what action, is a detail to
be described by the WAF, and hence out of scope in this section.

However, if you can give me some examples what you mean, I'll try to make that part
"broader". And finally link to the proper section in the document.

Reasonable?
Achim

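To make Achim's point concrete, here is an added example (written for this page, not code from either mail or from the WAFEC document) showing what the mitigation actions under discussion look like from the client's side. The action names, the toy policy in `decide()` and the sample requests are assumptions made for the illustration; the point is that an application-layer "block" is a complete HTTP response (an error page or a redirect) that the client's HTTP stack can parse, whereas a TCP-layer block leaves nothing on the HTTP layer at all.

```python
"""Added example: WAF mitigation actions as the client actually receives them.
Action names, the policy in decide() and all requests are constructed."""
from dataclasses import dataclass


@dataclass
class Verdict:
    action: str          # "pass" | "error_page" | "redirect" | "tcp_reset"
    reason: str = ""
    location: str = ""   # redirect target, only used for "redirect"


def decide(req: dict) -> Verdict:
    """Toy policy: the fitting mitigation depends on the threat (assumed)."""
    ua = req["headers"].get("user-agent", "")
    if "sqlmap" in ua.lower():
        # Automated scanner: do not spend a full response on it.
        return Verdict("tcp_reset", "scanner user-agent")
    if any("union select" in v.lower() for v in req["params"].values()):
        # Real user or tool probing the app: answer on the HTTP layer.
        return Verdict("error_page", "SQL injection pattern")
    if req["path"].startswith("/account/") and "session=" not in req["headers"].get("cookie", ""):
        # Not an attack at all: steer the client somewhere useful.
        return Verdict("redirect", "no session for protected area", location="/login")
    return Verdict("pass")


def http_response(status: int, reason: str, body: bytes = b"", extra_headers=()) -> bytes:
    """Serialise a complete HTTP/1.1 response (status line, headers, body)."""
    lines = [f"HTTP/1.1 {status} {reason}", "Connection: close",
             "Content-Type: text/html; charset=utf-8", f"Content-Length: {len(body)}"]
    lines += [f"{name}: {value}" for name, value in extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def mitigate(verdict: Verdict) -> tuple:
    """Map a verdict onto (layer where it is enforced, bytes sent to the client)."""
    if verdict.action == "pass":
        return ("forward", b"")       # forwarded to the origin; the WAF itself sends nothing
    if verdict.action == "error_page":
        body = f"<h1>403 Forbidden</h1><p>Request blocked: {verdict.reason}</p>".encode()
        return ("http", http_response(403, "Forbidden", body))
    if verdict.action == "redirect":
        return ("http", http_response(302, "Found", extra_headers=[("Location", verdict.location)]))
    if verdict.action == "tcp_reset":
        return ("tcp", b"")           # no HTTP bytes at all: the socket is closed with RST
    raise ValueError(f"unknown action {verdict.action!r}")


def client_sees(layer: str, payload: bytes) -> str:
    """What an HTTP client library observes for each enforcement layer."""
    if layer == "forward":
        return "origin response"
    if layer == "tcp":
        return "connection reset (no HTTP response)"
    return payload.split(b"\r\n", 1)[0].decode("ascii")   # the status line


if __name__ == "__main__":
    samples = [  # constructed requests, already parsed into path/params/headers
        {"path": "/search", "params": {"q": "shoes"}, "headers": {}},
        {"path": "/search", "params": {"q": "1 UNION SELECT password FROM users"}, "headers": {}},
        {"path": "/search", "params": {"q": "x"}, "headers": {"user-agent": "sqlmap/1.7"}},
        {"path": "/account/settings", "params": {}, "headers": {}},
    ]
    for req in samples:
        v = decide(req)
        print(f"{req['path']:18} {v.action:11} -> {client_sees(*mitigate(v))}")
```

Only the `tcp_reset` branch is a block in the network-firewall sense; the `error_page` and `redirect` branches are both full responses on the application layer, which is why "block" alone does not say what a WAF actually did.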