WASC Web Application Firewall Evaluation Criteria Project Mailing List
Hi Erwin,
My feedback below
Cookie protection: Another way to secure cookies from manipulation is to sign them. The advantage of signing cookies is that it allows client-side code to read the cookie data (some apps need this capability to operate). Encrypting the cookies is a good way to secure sensitive data, which is also sometimes stored in a cookie; however, if you encrypt the cookie and the app needs to read its content, the application will break.
SSL management: Can the WAF check client-side certs? Can the WAF check revocation lists? If yes, how? Which SSL ciphers are supported?
Single sign-on: Can the WAF integrate with web access management suites? If yes, with which?
IP reputation: This feature isn't just a network firewall feature; the benefit of using a WAF with this feature is that a WAF can use it even behind proxies (leveraging the true client source IP).
Support: Does the support organization hold an ISO 9001:2008 certification?
Ido Breger | Sr. Product Manager, Security
24B Habarzel St. Tel Aviv, Israel
M +972544891177
M2 +1.206.272.8264
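Ido's contrast between signed and encrypted cookies, as an added example that is not part of the original thread and not code from any vendor's product: an HMAC-signed cookie whose payload stays readable to client-side code yet cannot be altered or replayed past its expiry. The key, the JSON payload shape and the `exp` field are assumptions of this example. Encryption is deliberately not shown, since the point of the contrast is that a signed cookie stays legible to the application while an encrypted one would be opaque to it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: a real deployment loads this from the WAF's or app's secret store.
SECRET_KEY = b"example-cookie-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(payload: dict) -> bytes:
    """Stable serialisation: the MAC must cover exactly the bytes that are verified."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_cookie(payload: dict, key: bytes = SECRET_KEY, ttl: int = 3600,
                now: Optional[float] = None) -> str:
    """Return '<b64 payload>.<b64 HMAC-SHA256>'. The payload is readable by anyone,
    but cannot be altered without the key."""
    body = dict(payload)
    body["exp"] = int(time.time() if now is None else now) + ttl
    data = _canonical(body)
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return f"{_b64(data)}.{_b64(tag)}"


def read_cookie_unverified(value: str) -> dict:
    """What client-side script can do: decode the payload without knowing the key."""
    return json.loads(_unb64(value.split(".", 1)[0]))


def verify_cookie(value: str, key: bytes = SECRET_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    """Server/WAF side: return the payload only if MAC and expiry check out, else None."""
    try:
        data_part, tag_part = value.split(".", 1)
        data, tag = _unb64(data_part), _unb64(tag_part)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    body = json.loads(data)
    if body.get("exp", 0) < (time.time() if now is None else now):
        return None
    return body


def demo(now: float = 1_700_000_000):
    """Walk through the cases the thread contrasts; returns them for inspection."""
    cookie = sign_cookie({"user": "alice", "role": "user"}, now=now)
    readable = read_cookie_unverified(cookie)           # client can read it
    verified = verify_cookie(cookie, now=now + 10)      # server accepts it
    # A modified payload carrying the original tag must be rejected.
    altered = dict(readable, role="admin")
    modified = f"{_b64(_canonical(altered))}.{cookie.split('.', 1)[1]}"
    rejected = verify_cookie(modified, now=now + 10)
    expired = verify_cookie(cookie, now=now + 7200)     # past exp, also rejected
    return readable, verified, rejected, expired


if __name__ == "__main__":
    print(demo())
```

The `exp` field is part of the signed bytes, so a client can read when its session ends but cannot extend it; the constant-time compare avoids leaking the tag through timing.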
Hi Ido and all,
About support, I think it is better to check whether 24x7 support or a platinum support plan is available than to check for an ISO 9001 certification?
Best regards,
Klaubert Herr
On Wed, Jan 30, 2013 at 8:03 AM, Ido Breger I.Breger@f5.com wrote:
Thanks, I think both are important.
From: Klaubert Herr da Silveira [mailto:klaubert@gmail.com]
Sent: Tuesday, February 05, 2013 12:18 AM
To: Ido Breger
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] review of "Integrated Related Features"
Hi Ido
Thank you for your valuable feedback.
Cookie protection and SSL management: I agree with your arguments - and have added the point to the draft.
IP reputation:
When I have a look at the discussion in http://lnkd.in/GKcGsC, Marc Shinbrood says:
"A WAF just works at Layer 7, not at layer 3..."
This is the reason why this isn't a core WAF feature. We can discuss whether IP checks (reputation or others) are a meaningful complement to a WAF. In my eyes there is no WAF installed without a network firewall in front of it. IP reputation filtering would be done in the firewall. There is no need to allow the traffic to pass that hurdle if we already know it's coming from bad sources. The argument that "a WAF behind a proxy" could inspect IP addresses (in X-Forwarded-For headers) is more complex. There are three layouts: organizational proxy, public proxy, reverse proxy. A reverse proxy in front of a WAF would probably also have a network firewall in front. A public proxy would probably already be in a class of "bad reputation": it breaks certificate checks, allows MitM, ... An organizational proxy (for a company) "is" the reputed client. Its IP has the reputation of the organization.
Are there other voices that advise to include the IP reputation?
Support:
I agree that an ISO 9001:2008 certification for the support organization is something that might be of interest. But why do you focus on the support organization? Isn't it evident that the product development or the knowledge of the developers/supporters should also be certified? That's why I added the point "Does the company hold any certification?"
Maybe there is a TÜV certification or a vendor certification (e.g. from Microsoft) that has even higher importance in the concrete use case.
I think I included your input - but opened it to not only focus on support and on ISO 9001.
best regards
erwin
Hi Erwin,
I think that looking at a WAF and deciding what it should do only through the "OSI layer glasses" is a mistake.
We should be looking at what a WAF can / should / is required to do through the customer's eyes, and at the value a certain feature can bring to these customers.
IP reputation is becoming extremely useful to reduce the sources of attacks, to get better visibility into an incident, and to have a better understanding of the risk that a request which violated the WAF policy may carry. So while a network FW can have that feature as well, that doesn't mean, in my opinion, that this feature is exclusive to network firewalls; there is definitely value for WAF customers.
The use case where IP reputation really shines is WAFs deployed behind a CDN (think Akamai). In that scenario the WAF can accurately extract the true client IP and act on it; firewalls are simply not useful because all they see is the source IP of the CDN proxies in front of them.
BTW, geolocation information is very similar to IP reputation; again, a network FW can have this feature, but there is a lot of value in having that feature on the WAF as well.
To add to the above, the WAF admins don't always have access to the FW logs, or even the SIEM, so seeing this info on the WAF is very useful.
Agree that ISO certification should be extended to the dev org as well.
Cheers,
Ido
From: Erwin Huber [mailto:erwin.huber@ergon.ch]
Sent: Wednesday, February 06, 2013 7:17 PM
To: Ido Breger
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] review of "Integrated Related Features"
I agree with Ido. There are several reasons why reputation security is an important feature of a Web application firewall:
Reputation feeds can focus on Web-based threats. Some firewalls and UTM devices offer reputations services, but their reputation lists often contain email servers sending spam messages or devices performing network attacks. WAF solutions can identify users that have recently executed Web attacks or are using anonymizing services like an anonymous proxy or Tor server. WAF vendors can cater their reputation services to address Web application attacks and hacking methods, not other types of attacks and intrusions.
Reputation information can provide additional context into a Web request, improving security accuracy. For example, an organization could combine reputation information with other suspicious Web activity—such as multiple Web requests in a short period of time—to determine whether to block a user. If the reputation service is not integrated into the WAF, WAF administrators cannot leverage this information to build granular application security policies.
Best regards,
Kasey
Good evening,
On Wed, Feb 06, 2013 at 05:52:35PM +0000, Ido Breger wrote:
BTW – geolocation information is very similar to IP reputation, again , Network FW can have this feature but
there is a lot of value to have that feature on the WAF as well.
I second Ido's position here. IP reputation is not always black and white. At times it is merely an additional indicator that something might be amiss. You might accept certain behaviour from a known IP address, but think it is fishy when it comes from the other end of the world. To limit the WAF to layer 7 is too strict, and to expect the network firewall to make the distinction all alone is asking too much. I see the WAF as the first device in the chain that is able to combine all the information.
Just my 2 cents.
Christian Folini
--
The best generic advice anyone can give in life is: think for yourself.
--- Mark Burgess, Principles of System and Network Administration
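The arguments above for IP reputation on the WAF (Ido's CDN case, Kasey's combination of reputation with request rate, Christian's "additional indicator"), together with Erwin's caution about trusting X-Forwarded-For, as one added example that is not from the thread and not code from any WAF product. It derives the true client address by trusting only configured proxy ranges, looks the result up in a constructed reputation table, and only escalates from "challenge" to "block" when reputation and a request burst coincide. The proxy ranges, reputation categories, thresholds and sample events are all constructed for this example.

```python
import ipaddress
from collections import defaultdict, deque
from typing import List, Optional, Tuple

# Constructed: the CDN / reverse-proxy ranges allowed to append hops to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Constructed reputation feed (documentation ranges; categories are hypothetical).
REPUTATION = {
    ipaddress.ip_network("192.0.2.0/24"): "anonymous_proxy",
    ipaddress.ip_network("198.18.0.0/15"): "web_scanner",
}


def is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def true_client_ip(peer_ip: str, xff: Optional[str]):
    """Derive the client address the way a WAF behind a CDN has to.

    Only a peer that is itself a trusted proxy may vouch for X-Forwarded-For; the
    header is walked from the right, skipping trusted hops, and the first untrusted
    hop is the client. An untrusted peer (or a malformed header) yields the peer
    address, so a client cannot pick its own identity by sending XFF itself."""
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    addr = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not is_trusted(addr):
            return addr
    return addr  # every hop was a trusted proxy: the leftmost one is the origin


def reputation(addr) -> Optional[str]:
    for net, category in REPUTATION.items():
        if addr in net:
            return category
    return None


class RequestScorer:
    """Combines reputation with request rate per client, as the thread suggests:
    reputation alone only raises suspicion; reputation plus a burst blocks."""

    def __init__(self, window_s: float = 10.0, burst: int = 5):
        self.window_s = window_s
        self.burst = burst
        self.hits = defaultdict(deque)  # client address -> recent timestamps

    def assess(self, peer_ip: str, xff: Optional[str],
               ts: float) -> Tuple[str, str, Optional[str], int]:
        client = true_client_ip(peer_ip, xff)
        q = self.hits[client]
        q.append(ts)
        while q and q[0] < ts - self.window_s:  # drop hits outside the window
            q.popleft()
        category = reputation(client)
        score = (50 if category else 0) + (50 if len(q) > self.burst else 0)
        decision = "block" if score >= 100 else "challenge" if score >= 50 else "allow"
        return str(client), decision, category, len(q)


# Constructed events: (timestamp, TCP peer, X-Forwarded-For header or None).
SAMPLE_EVENTS = [
    (1.0, "10.0.0.5", "192.0.2.55"),                     # direct client sending XFF: ignored
    (2.0, "203.0.113.10", "192.0.2.99, 203.0.113.10"),   # via CDN, listed address
] + [
    (3.0 + i * 0.1, "203.0.113.10", "192.0.2.55, 203.0.113.10") for i in range(6)
] + [
    (4.0, "203.0.113.10", "198.51.100.7, 203.0.113.10"),  # all hops trusted
    (5.0, "203.0.113.10", "not-an-ip, 203.0.113.10"),     # malformed hop
]


def process(events=SAMPLE_EVENTS) -> List[Tuple[str, str, Optional[str], int]]:
    scorer = RequestScorer()
    return [scorer.assess(peer, xff, ts) for ts, peer, xff in events]


if __name__ == "__main__":
    for row in process():
        print(row)
```

The reputation lookup is a plain table here; a real feed would be refreshed and cached. Geolocation would slot into the same scorer as another weighted signal, which is what makes the WAF the place where these indicators can be combined.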
Hi Ido
Ok, I agree. Geolocation is very similar to IP reputation. I have removed my comment about IP reputation in the draft. Let's have IP reputation in.
erwin
----- Original Message -----
From: "Ido Breger" I.Breger@F5.com
To: "Erwin Huber" erwin.huber@ergon.ch
Cc: wasc-wafec@lists.webappsec.org
Sent: Wednesday, February 6, 2013 6:52:35 PM
Subject: RE: [WASC-WAFEC] review of "Integrated Related Features"
Keep in mind that based on the discussion and the reasons for inclusion it may need to go to the “techniques” chapter and not to the “related features” chapter.
~ Ofer
From: wasc-wafec [mailto:wasc-wafec-bounces@lists.webappsec.org] On Behalf Of Erwin Huber
Sent: Thursday, February 07, 2013 9:32 AM
To: Ido Breger
Cc: wasc-wafec@lists.webappsec.org
Subject: Re: [WASC-WAFEC] review of "Integrated Related Features"